Full Report
In a recent ransomware attack, a threat actor accessed the victim's hypervisor and created a new virtual machine (VM) as a staging location from which they launched the Akira ransomware. A forensic investigation into the VM contents revealed several tactics the threat actor had used, including Easyupload.io, a file transfer website owned by the longtime file sharing application LimeWire, as a likely way to exfiltrate staged archives. Our investigation showed that the attacker progressed quickly through their attack, disabling Microsoft Defender and installing WinRAR, an archival tool commonly used by threat actors to stage data. The use of EasyUpload/LimeWire adds to a long list of data exfiltration methods we see threat actors using, including legitimate tools such as backup utilities and cloud storage services.
Analysis Summary
# Incident Report: Akira Ransomware Deployment via Rogue Hypervisor Instance
## Executive Summary
A threat actor, identified as an Akira ransomware affiliate, gained access to a victim's hypervisor to provision a new, unmonitored Virtual Machine (VM) used as a staging ground. By bypassing security tooling through this "shadow" VM, the attacker successfully performed Active Directory enumeration, data archival using WinRAR, and exfiltration via LimeWire’s EasyUpload service. The incident culminated in the deployment of Akira ransomware across the environment after disabling security defenses.
## Incident Details
- **Discovery Date:** May 29, 2024
- **Incident Date:** May 2024
- **Affected Organization:** Not disclosed (Huntress Partner)
- **Sector:** Not disclosed
- **Geography:** Not disclosed
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to May 29, 2024
- **Vector:** Remote access (evidence for the specific entry point was limited because the endpoint was taken offline before it could be examined)
- **Details:** Threat actor secured unauthorized remote access to a Domain Controller and the environment's hypervisor.
### Lateral Movement
- **Movement:** The attacker moved from the Domain Controller to the hypervisor and subsequently to the organization's file server.
- **Technique:** Creation of a new Windows VM instance on the hypervisor to act as a blind spot for security teams.
### Data Exfiltration/Impact
- **Data Staging:** Used WinRAR to archive contents of sensitive network shares.
- **Exfiltration:** Utilized WinSCP and the web-based LimeWire service "Easyupload[.]io" to move data out of the network.
- **Encryption:** Deployed Akira ransomware across the infrastructure from the rogue VM.
### Detection & Response
- **Detection:** May 29; Huntress SOC detected unauthorized remote access and enumeration activity (Notepad viewing `AdUsers.txt`).
- **Response Actions:** Impacted endpoints were taken offline for forensic imaging; VHDX files of the rogue VM were analyzed.
## Attack Methodology
- **Initial Access:** Unauthorized Remote Access.
- **Persistence:** Creation of a new Server Instance (VM) on the hypervisor.
- **Defense Evasion:** Provisioning a VM without EDR/Huntress agents installed; disabling Microsoft Defender.
- **Discovery:** Active Directory enumeration (`AdUsers.txt`, `AdComp.txt`) viewed via Notepad.
- **Lateral Movement:** Pivot from Domain Controller to File Server and Hypervisor.
- **Collection:** Archiving data using WinRAR.
- **Exfiltration:** Use of WinSCP and Easyupload[.]io (LimeWire).
- **Impact:** Deployment of Akira Ransomware.
## Impact Assessment
- **Financial:** High (Ransomware recovery costs and potential data extortion).
- **Data Breach:** Confirmed; archive files of share folders were exfiltrated.
- **Operational:** Significant; primary servers encrypted and systems taken offline for remediation.
- **Reputational:** Industry-dependent risk following data theft.
## Indicators of Compromise
- **Files:** `AdUsers.txt`, `AdComp.txt`, `WinRAR.exe`, `WinSCP.exe`.
- **Network:** hxxps://easyupload[.]io (and associated LimeWire infrastructure).
- **Behavioral:** High-volume data archival on file servers; creation of unauthorized VM instances; disabling of Microsoft Defender.
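The behavioral indicators above are only useful once they are correlated per host, so here is an added example (not code from the report or from Huntress) that runs simple stage rules over constructed process-creation and DNS records and flags a host only when archival of a network share coincides with another stage of the chain. The event field names (`ts`, `type`, `host`, `image`, `cmdline`, `query`) and all hostnames and paths are assumptions, not a real EDR schema.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (invented hosts, paths, timestamps); the field
# names are assumed for this example and are not a real EDR schema.
EVENTS = [
    {"ts": 1, "type": "process", "host": "FS01", "image": r"C:\Windows\notepad.exe",
     "cmdline": r"notepad.exe C:\Temp\AdUsers.txt"},
    {"ts": 2, "type": "process", "host": "FS01", "image": r"C:\Windows\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": 3, "type": "process", "host": "FS01", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe a -r C:\Temp\finance.rar \\FS01\Finance"},
    {"ts": 4, "type": "dns", "host": "FS01", "query": "easyupload.io"},
    {"ts": 5, "type": "process", "host": "WS07", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe x C:\Users\bob\Downloads\report.rar"},
]

AD_DUMP = re.compile(r"\\Ad(Users|Comp)\.txt$", re.I)                # AD enumeration output viewed
DEFENDER_OFF = re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)   # Defender tampering
UNC_ARCHIVE = re.compile(r"\bWinRAR\.exe\s+a\b.*\\\\[\w.-]+\\", re.I)  # archiving a UNC share
UPLOAD_SITES = {"easyupload.io"}                                     # from the report's IoCs

def stage(ev):
    """Map one event to the attack stage it evidences, or None."""
    if ev["type"] == "dns":
        return "egress" if ev["query"].lower() in UPLOAD_SITES else None
    cmd = ev["cmdline"]
    if ev["image"].lower().endswith("notepad.exe") and AD_DUMP.search(cmd):
        return "discovery"
    if DEFENDER_OFF.search(cmd):
        return "defense_evasion"
    if UNC_ARCHIVE.search(cmd):
        return "collection"
    return None

def correlate(events, window=3600):
    """Return {host: [stages in order]} for hosts whose hits within `window`
    seconds of their latest hit include collection plus at least one other stage."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = stage(ev)
        if s:
            hits[ev["host"]].append((ev["ts"], s))
    flagged = {}
    for host, seq in hits.items():
        recent = [s for ts, s in seq if seq[-1][0] - ts <= window]
        if "collection" in recent and len(set(recent)) >= 2:
            flagged[host] = recent
    return flagged
```

A lone WinRAR extraction on a workstation (WS07) produces no hit, while FS01 is flagged with all four stages in order.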
## Response Actions
- **Containment:** Disconnection of affected endpoints from the network.
- **Eradication:** Deletion of the unauthorized Virtual Machine and associated VHDX files.
- **Recovery:** Mounting and forensic analysis of the rogue VHDX to determine the scope of stolen data.
## Lessons Learned
- **Visibility Gaps:** Security monitoring must extend to the hypervisor level to detect the creation of unauthorized "shadow" infrastructure.
- **Tool Abuse:** Legitimate tools like WinRAR and WinSCP, as well as consumer file-sharing sites (LimeWire/EasyUpload), remain primary choices for exfiltration.
- **Defense-in-Depth:** The absence of security agents on the new VM allowed the attacker several hours of unmonitored activity.
## Recommendations
- **Hypervisor Auditing:** Implement strict alerting for the creation of new Virtual Machines or modification of virtual networks.
- **EDR Auto-Deployment:** Ensure security agents are automatically deployed to any new VM instances created within the environment.
- **Egress Filtering:** Restrict access to known file-sharing and "disposable" upload sites at the firewall/web proxy level.
- **Privileged Access Management (PAM):** Restrict and monitor access to hypervisor management consoles (e.g., vCenter, Hyper-V Manager).
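The first two recommendations come down to one reconciliation: every VM the hypervisor knows about must be enrolled in the EDR console, and a VM that is not should be escalated once a short agent-rollout grace period has passed. The following is an added example (not code from the report or from Huntress) of that check over constructed inventories; the VM names, timestamps, and the one-hour grace period are assumptions, and in practice the two lists would be pulled from the hypervisor API and the EDR console.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventories (invented VM names and times). In practice the VM list
# comes from the hypervisor's API and the agent list from the EDR console.
HYPERVISOR_VMS = [
    {"name": "DC01", "created": "2024-05-01T08:00:00Z"},
    {"name": "FS01", "created": "2024-05-02T09:30:00Z"},
    {"name": "WIN-STAGE", "created": "2024-05-29T02:10:00Z"},  # rogue VM, never enrolled
    {"name": "BUILD-TMP", "created": "2024-05-29T05:45:00Z"},  # just built, agent may be pending
]
EDR_AGENTS = {"dc01", "fs01", "ws07"}  # hostnames the EDR console reports as enrolled
NOW = datetime(2024, 5, 29, 6, 0, tzinfo=timezone.utc)  # constructed evaluation time

def parse_ts(s):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def shadow_vms(vms, agents, now, grace=timedelta(hours=1)):
    """Split VMs lacking an EDR agent into 'new' (created within `grace`, agent
    rollout may still be in progress) and 'unmonitored' (older: escalate)."""
    enrolled = {a.lower() for a in agents}
    result = {"new": [], "unmonitored": []}
    for vm in vms:
        if vm["name"].lower() in enrolled:
            continue
        age = now - parse_ts(vm["created"])
        result["new" if age <= grace else "unmonitored"].append(vm["name"])
    return result
```

Run on a schedule, the "unmonitored" list is the alert that would have surfaced the rogue VM in this incident within an hour of its creation rather than after several hours of activity.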