Akira Ransomware Detection

FBI and CISA, in conjunction with other U.S. and leading international cybersecurity agencies, have recently issued a joint advisory, AA24-109A, warning defenders of a surge in cyber attacks leveraging Akira ransomware. According to the investigations, the related malicious campaigns have affected 250+ organizations and claimed around $42 million in ransom payments.

Detect Akira Ransomware Attacks

Escalating ransomware threats continuously challenge cyber defenders with novel attack methods and malicious tricks, shaping the demand for advanced threat detection and hunting tools to proactively withstand possible intrusions. SOC Prime’s platform equips security teams with a complete product suite for AI-powered Detection Engineering, Automated Threat Hunting, and Detection Stack Validation to scale up cyber defense and make sure no cyber attacks go undetected. 

With Akira ransomware on the rise, security professionals can explore a curated Sigma rules stack that helps accelerate threat hunting investigations. All the rules are compatible with 28 SIEM, EDR, and Data Lake technologies and mapped to the MITRE ATT&CK® framework. Moreover, each detection algorithm is enriched with relevant threat intel and extensive metadata to provide additional context. Just press the Explore Detections button below and immediately drill down to a dedicated content list.

Explore Detections

Also, security professionals might search for relevant detections right in the SOC Prime Platform using “AA24-109A” and “Akira Ransomware” tags.

Akira Ransomware Attack Analysis

On April 18, 2024, the FBI, CISA, and global partners issued a collaborative Cybersecurity Advisory (CSA) to share known IOCs and TTPs linked to the increasing attacks by Akira ransomware operators. This information is derived from FBI investigations and credible third-party sources, with updates as recent as February 2024.

Since early spring 2023, Akira ransomware has hit multiple businesses, including critical infrastructure entities, across the U.S., Europe, and Australia, with 250+ organizations affected. After initially targeting Windows systems, the adversaries deployed a Linux variant aimed at VMware ESXi virtual machines. While the early variants of Akira ransomware were written in C++ and appended the .akira extension to encrypted files, in late summer 2023 Akira threat actors extended their offensive toolkit with Megazord, a Rust-based variant that appends the .powerranges extension to the files it encrypts.

To gain initial access to the targeted systems, Akira ransomware operators commonly exploit security flaws in VPN services that lack MFA, mainly leveraging two known Cisco vulnerabilities, CVE-2020-3259 and CVE-2023-20269. Other initial access vectors involve exploiting external-facing services like RDP, spear-phishing attacks, and the abuse of legitimate credentials.

Further, Akira threat actors tend to abuse domain controllers by creating new domain accounts for persistence. They also take advantage of post-exploitation techniques like Kerberoasting to extract credentials from LSASS memory and employ credential scraping tools, such as Mimikatz and LaZagne, for privilege escalation. Moreover, adversaries apply utilities like SoftPerfect and Advanced IP Scanner for network device discovery, while Windows net commands are used to identify domain controllers and gather domain trust relationship information.

Akira attacks have also been distinguished by deploying two separate ransomware variants targeting different system architectures within a single intrusion, which marks a shift from the recently observed malicious activity. Initially, Akira threat actors deployed the Windows-based Megazord ransomware and simultaneously introduced a second payload identified as the new Akira ESXi encryptor variant dubbed “Akira_v2.” To facilitate lateral movement, adversaries disable security software for detection evasion. They have also been observed abusing PowerTool to exploit the Zemana AntiMalware driver and terminate anti-malware processes.

As for the adversary toolkit facilitating exfiltration and impact, Akira ransomware maintainers apply FileZilla, WinRAR, WinSCP, and RClone to steal data from the compromised systems and leverage a set of utilities like AnyDesk, MobaXterm, RustDesk, or Ngrok to establish C2 channels. Adversaries also employ a double-extortion model, encrypting systems after data exfiltration. Akira threat actors commonly demand ransom payments in Bitcoin to crypto wallet addresses and further threaten to publish stolen data on the Tor network.
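As an added illustration (not SOC Prime's rules or the advisory's own code), the following Python sketch runs Sigma-style process-creation checks for the discovery, credential-access, exfiltration and remote-access tooling named above over constructed sample events, then correlates the hits per host and user so that one account touching two or more tactics is escalated. The tool names come from the advisory summary above; the event field names and sample values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /domain_trusts"},
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Temp\mimikatz.exe",
     "cmdline": "mimikatz.exe privilege::debug sekurlsa::logonpasswords"},
    {"host": "fs02", "user": "CORP\\svc_backup", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Finance remote:dump"},
    # Benign: a mapped drive, not domain enumeration; must not match.
    {"host": "ws02", "user": "CORP\\alice", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net use Z: \\\\fs02\\share"},
]

# (tactic, rule name, image regex, command-line regex); both regexes must match.
# An empty pattern matches anything, so a rule can key on image or command line alone.
RULES = [
    ("discovery", "net domain enumeration", r"(?i)\\net1?\.exe$",
     r"(?i)\bnet1?(\.exe)?\s+(group|user)\b.*\s/domain\b"),
    ("discovery", "nltest domain trusts", r"(?i)\\nltest\.exe$", r"(?i)/domain_trusts"),
    ("credential_access", "Mimikatz/LaZagne image", r"(?i)\\(mimikatz|lazagne)\.exe$", r""),
    ("credential_access", "Mimikatz LSASS modules", r"", r"(?i)sekurlsa::|lsadump::"),
    ("exfiltration", "exfiltration utility", r"(?i)\\(rclone|winscp|filezilla)\.exe$", r""),
    ("command_and_control", "remote access tool",
     r"(?i)\\(anydesk|rustdesk|mobaxterm|ngrok)\.exe$", r""),
]


def match_events(events, rules=RULES):
    """Return one (host, user, tactic, rule name) tuple per matching rule per event."""
    hits = []
    for ev in events:
        for tactic, name, img_re, cmd_re in rules:
            if re.search(img_re, ev["image"]) and re.search(cmd_re, ev["cmdline"]):
                hits.append((ev["host"], ev["user"], tactic, name))
    return hits


def correlate(hits, min_tactics=2):
    """Group hits per (host, user) and keep pairs seen across min_tactics or more tactics."""
    tactics = defaultdict(set)
    for host, user, tactic, _ in hits:
        tactics[(host, user)].add(tactic)
    return {k: sorted(v) for k, v in tactics.items() if len(v) >= min_tactics}
```

Running `correlate(match_events(SAMPLE_EVENTS))` escalates only the ws01/jdoe pair, whose activity spans discovery and credential access, while the lone rclone hit on fs02 stays a single-rule alert.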

To minimize the risks of Akira attacks, organizations are strongly recommended to implement multiple layers of security protection, including network segmentation, applying multifactor authentication, regular patching, continuous monitoring for suspicious activity, and maintaining offline backups. 

The escalating number of ransomware attacks, coupled with their increasing sophistication and continuously enhanced offensive toolkits, underscores the need to minimize organizations’ exposure to such threats by implementing a proactive cyber defense strategy. Leveraging SOC Prime’s Attack Detective enables defenders to rely on automated detection stack validation to gain real-time attack surface visibility, timely identify and address blind spots in detection coverage, and find breaches before adversaries have a chance to strike. 
