SOC Prime Bias: High

24 Nov 2025 19:49
newspaper icon AttackIQ

Akira Ransomware: Response to CISA Advisory AA24-109A

Author Photo
Ruslan Mikhalov Chief of Threat Research at SOC Prime linkedin icon Follow
Akira Ransomware: Response to CISA Advisory AA24-109A
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query


Akira Ransomware: Response to CISA Advisory AA24-109A SUMMARY

The advisory profiles the Akira ransomware operation, a Ransomware-as-a-Service (RaaS) threat that both encrypts victim data and exfiltrates it prior to encryption. First observed in March 2023, Akira quickly rose to prominence and is believed to share code lineage with the Conti ransomware family. The document details the group’s tactics, techniques, and procedures, including brute-force attacks against RDP, credential dumping, and reliance on a TOR-hosted leak portal. Victims are typically pressured to pay either for decryption keys or for the promise of stolen data deletion.

Investigation

A coordinated investigation by CISA, the FBI, NCSC-NL, and several European law-enforcement partners refreshed Akira’s threat profile through November 2025. Technical findings highlight persistence through the creation of new local accounts, broad reconnaissance using native Windows APIs, and the use of credential-theft utilities such as Mimikatz, LaZagne, and Rubeus. File encryption is implemented with the ChaCha20 algorithm, with keys protected using RSA-4096.

Akira Ransomware Mitigation

Defensive priorities include enforcing strong, unique RDP credentials, monitoring for unusual account creation and privilege enumeration activity, and blocking commonly abused offensive tools. Organizations should maintain regular, tested backups, disable non-essential services, and deploy host-based controls to prevent LSASS memory dumping. Additional safeguards involve filtering TOR traffic at the network edge and tracking potential data exfiltration to .onion infrastructure.

Response

When Akira activity is suspected, immediately quarantine the affected host, acquire memory and disk images, and preserve all relevant indicators of compromise. Reset exposed credentials, remove unauthorized accounts, and restore systems from trusted, verified backups. A thorough forensic review should map out lateral movement paths and pivot points, with results reported to appropriate authorities and information-sharing partners.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative directly reflect the identified TTPs and generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The ransomware operator prepares to encrypt a directory of user documents. First, they ensure the files are fully accessible to the ransomware process by granting Everyone full control using icacls.exe. This is a classic “grant‑full‑access before encrypt” step, matching MITRE technique T1222.001. The attacker runs the command from a low‑privilege context but relies on the fact that icacls.exe can modify ACLs if the process has sufficient permissions (e.g., running as SYSTEM via a scheduled task).

    # Path to target directory
$target = "C:\Users\Public\Documents\SensitiveData"

# Recursively grant full control to Everyone
icacls.exe "$target\*" /grant *S-1-1-0:F /T /C

    The above command creates a Sysmon ProcessCreate event where Image ends with icacls.exe, satisfying the detection rule.

  • Regression Test Script:

    # ---------------------------------------------------------------
# Regression Test – Icacls Permission Modification (T1222.001)
# ---------------------------------------------------------------
# Create a temporary test directory
$testDir = "$env:TEMP\IcaclsTest"
New-Item -Path $testDir -ItemType Directory -Force | Out-Null

# Populate with dummy files
1..5 | ForEach-Object {
    New-Item -Path "$testDir\File$_ .txt" -ItemType File -Force | Out-Null
}

# Execute icacls to grant Everyone full control (this should fire the rule)
icacls.exe "$testDir\*" /grant *S-1-1-0:F /T /C

# Pause to allow SIEM ingestion
Start-Sleep -Seconds 10

# End of script

  • Cleanup Commands:

    # ---------------------------------------------------------------
# Cleanup – Remove test ACL changes and delete test data
# ---------------------------------------------------------------
$testDir = "$env:TEMP\IcaclsTest"

# Reset permissions to the defaults (remove the Everyone grant)
icacls.exe "$testDir\*" /reset /T /C

# Delete the test directory
Remove-Item -Path $testDir -Recurse -Force

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free