Full Report
As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group's attack chain, targeted verticals, and potential future TTPs.
Analysis Summary
# Threat Actor: Akira Ransomware Operation
## Attribution & Identity
Akira is a prevalent ransomware operation, described as a Ransomware-as-a-Service (RaaS) model. The report focuses on the constant evolution of its ransomware encryptor and operational tactics by affiliates.
## Activity Summary
Akira continues to be one of the most prevalent ransomware operations. They have exhibited significant evolution in their tooling:
* Developed novel iterations of the encryptor targeting both Windows and Linux hosts.
* Experimented with a Rust variant of their ESXi encryptor, moving away from C++.
* Previously employed a double-extortion model (encryption + data exfiltration), briefly sidelining encryption in early 2024 to focus only on data exfiltration while retooling.
* Most recently, they appear to have shifted back to using both data theft and encryption tactics, suggesting a drive for stability and efficiency.
* Operationally, Akira affiliates are quick to exploit newly disclosed CVEs for initial access, privilege escalation, and lateral movement.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting exposed network appliances and vulnerable systems; favoring compromised VPN credentials. Specifically observed leveraging:
  - CVE-2024-40766 (SonicWall SonicOS Remote Code Execution).
  - Cisco ASA/FTD exploits (CVE-2020-3259 and CVE-2023-20263) following Cisco AnyConnect SSL VPN compromise.
  - CVE-2023-48788 (FortiClientEMS abuse).
  - Secure Shell (SSH) exploitation, as seen in a recent airline attack.
- **Execution/Privilege Escalation:** Utilizing PowerShell scripts for credential harvesting (e.g., extracting Veeam backup credentials and dumping Kerberos credentials).
- **Defense Evasion:** Deleting system shadow copies via a WMI command (`Get-WmiObject Win32_Shadowcopy | Remove-WmiObject`); employing binary padding, matching legitimate naming/location taxonomy, and disabling/modifying security tools.
- **Lateral Movement:** Using Remote Desktop Protocol (RDP) connections and moving tools laterally.
- **Encryption/Impact:** Deploying ransomware payload on Windows and Linux hosts; utilizing data exfiltration pre-encryption.
- **Payloads/Tooling:** Developed C++ and Rust variants of their encryptors for Windows and Linux/ESXi.
## Targeting
- **Sectors:** Enterprise environments running Windows and Linux systems. A specific example involved a Latin American airline in June 2024.
- **Geography:** Global targeting implied by the breadth of RaaS operations; one specific attack mentioned occurred in Latin America.
- **Victims:** Organizations with accessible network appliances and backup solutions (Veeam mentioned specifically).
## Tools & Infrastructure
- **Malware families used:** Akira Ransomware (Windows and Linux variants), including a Rust-based ESXi encryptor.
- **Infrastructure:** Not explicitly detailed beyond the reliance on compromised external-facing infrastructure (VPNs, network appliances) for entry. No specific C2 domains or IP addresses are listed.
## Implications
Akira poses a persistent and evolving threat. Their willingness to pivot between extortion models (encryption-only vs. double extortion) and their active retooling (e.g., moving to Rust) demonstrates a sustained commitment to operational security and effectiveness. Their rapid uptake of new CVEs suggests active monitoring of vulnerability disclosures.
## Mitigations
- Implement timely patching for known vulnerable network appliances (SonicWall, Cisco ASA/FTD/AnyConnect, FortiClientEMS).
- Harden VPN services against credential compromise.
- Implement robust credential hygiene, particularly for service accounts (like Veeam) and Kerberos authentication.
- Defend against inhibit-recovery techniques, for example by monitoring for WMI or PowerShell activity that deletes shadow copies.
- Prepare incident response plans specifically tailored to address data exfiltration alongside ransomware encryption routines.
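The shadow-copy monitoring recommended above, shown as an added detection example (not code from the Talos report or the Akira tooling): it runs rules over constructed command-line events of the kind an EDR or Sysmon process-creation log records, flags the `Get-WmiObject Win32_Shadowcopy | Remove-WmiObject` pipeline named in the Defense Evasion section, and generalizes to the CIM, `vssadmin` and `wmic` forms of the same deletion while leaving plain enumeration of shadow copies unflagged. Event fields, rule names and sample command lines are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample events (not from the report): command lines as a
# Sysmon/EDR process-creation or PowerShell script-block log would record them.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "svc_backup",
     "cmd": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"host": "ws01", "user": "jdoe",
     "cmd": "powershell.exe Get-WmiObject Win32_Shadowcopy | Select-Object ID,InstallDate"},
    {"host": "srv02", "user": "SYSTEM", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv02", "user": "SYSTEM", "cmd": "wmic.exe shadowcopy delete"},
    {"host": "ws03", "user": "jdoe",
     "cmd": "powershell.exe Get-CimInstance Win32_ShadowCopy | Remove-CimInstance"},
    {"host": "ws03", "user": "jdoe", "cmd": "powershell.exe Get-Process | Stop-Process -Name notepad"},
]

# Each rule is a case-insensitive regex over the normalised command line.
# Enumerating shadow copies alone is benign and common in backup tooling;
# only the enumerate -> remove pipeline, or a direct delete verb, is flagged.
RULES = {
    "wmi_shadowcopy_remove": re.compile(
        r"win32_shadowcopy\b.*\|\s*remove-(wmi|cim)(object|instance)", re.I),
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
}


def normalise(cmd: str) -> str:
    """Collapse whitespace and strip quotes so spacing or quoting does not hide the pipeline."""
    return re.sub(r"\s+", " ", cmd.replace('"', "").replace("'", "")).strip()


def match_rules(cmd: str) -> List[str]:
    """Names of every rule that matches one command line."""
    text = normalise(cmd)
    return [name for name, rx in RULES.items() if rx.search(text)]


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one alert per event whose command line matches at least one rule."""
    alerts = []
    for ev in events:
        hits = match_rules(ev["cmd"])
        if hits:
            alerts.append({"host": ev["host"], "user": ev["user"], "rules": hits, "cmd": ev["cmd"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {a['host']} {a['user']} {a['rules']} :: {a['cmd']}")
```

Four of the six constructed events trigger an alert; the two enumeration-only or unrelated pipelines do not.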