Insights, news, education and announcements from PolySwarm

Akira Ransomware

Written by The Hivemind | Oct 23, 2023 5:37:51 PM

Related Families: Megazord
Verticals Targeted: Manufacturing, Business Services, Construction, Education, Finance, Legal Services, Retail, Architecture, Engineering and Design, and Investment Banking

Executive Summary

Akira ransomware, active since April 2023, was recently observed targeting Windows and Linux systems.

Key Takeaways

  • Akira ransomware targets both Windows and Linux systems.
  • Akira has been active in the wild since at least April 2023.
  • Akira has been observed targeting a variety of verticals in multiple regions, including the Americas, Africa, Europe, and the Bahamas.

What is Akira?

Akira ransomware was recently observed targeting Windows and Linux systems. FortiGuard Labs reported on Akira.

Akira is written in C++. Active in the wild since April 2023, Akira encrypts victim files after the threat actors have stolen data from the victim. The threat actors behind Akira use this data in a double extortion tactic, demanding a ransom payment to decrypt files and leveraging the threat of public release of stolen data to coerce payment. Akira tends to target organizations running a VPN without MFA configured. They may also purchase network access from initial access brokers.

Akira is known to target multiple verticals, including manufacturing, business services, construction, education, finance, legal services, retail, architecture, engineering and design, and investment banking. Outside these verticals, other targets appear to be targets of opportunity. Targeted entities were located in multiple countries, including the US, Canada, Nicaragua, South Africa, Argentina, the UK, and the Bahamas. Over 50% of targets were located in the US.

Akira’s leak site is on TOR and allows victims to contact the threat actors. It also contains a list of victims and provides a place for the threat actors to publish stolen information. The site includes a command-based search function, allowing visitors to search for and download data from victim organizations.

Akira Variants

Windows Version
The Windows version of Akira encrypts a victim’s files, skipping over files with an .exe, .dll, .lnk, .sys, or .msi extension. The ransomware appends the .akira extension to encrypted files and drops a ransom note in each folder containing encrypted files. Akira also uses a PowerShell command to delete shadow copies, complicating file recovery efforts.


Linux Version
The Linux version of Akira uses AES, CAMELLIA, DES, and IDEA algorithms for encryption. It excludes from encryption the same file extensions and directories as the Windows version, indicating the Linux version is merely a port of the Windows version.


Megazord Variant
Researchers also discovered a rust-based variant of Akira, known as Megazord.


IOCs

PolySwarm has multiple samples of Akira.


67afa125bf8812cd943abed2ed56ed6e07853600ad609b40bdf9ad4141e612b4

0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d

d371ee0aa4fa710c00173d296c999a5497a18b38c80095db68a2dc5e46ed35f7

25a6758df930b32eed548fca56735f0ddde442b5662e51c625eadbbaf09c9e96

7b295a10d54c870d59fab3a83a8b983282f6250a0be9df581334eb93d53f3488

3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c

8631ac37f605daacf47095955837ec5abbd5e98c540ffd58bb9bf873b1685a50

920384692233578a59fc8de2b0205fd9fb20bb0d75c1d5a1534377abf0fc08bc

d0510e1d89640c9650782e882fe3b9afba00303b126ec38fdc5f1c1484341959

9ca333b2e88ab35f608e447b0e3b821a6e04c4b0c76545177890fb16adcab163

6cadab96185dbe6f3a7b95cf2f97d6ac395785607baa6ed7bf363deeb59cc360

337d21f964091417f22f35aee35e31d94fc3f35179c36c0304eef6e4ae983292

b3f473b0fd752fcd8b0d5983366c4ccccdacdceb8d6ba25fcb02b34c622cca78

2084ab8f92a86a37a35879378610949e21ea7b5030313655bb82fe6c67772b0d

637e28b38086ff9efd1606805ff57aaf6cdec4537378f019d6070a5efdc9c983

92072945358b605c024b9e3335fb33b82faf33048c56f5529aaf5af4bf0c1b30

2e2ad6392e75d5a5155498c2a76cb373d17ca3ad4ba57c6d33c623fca5e29342

4cb8365b18b1c319d374be0b9d219144c20fb8714e9cf346e655f854d2c60170

c239dadd55b55b817fda5b0c2bb062adf399a5b78a8b3280a473d3ae66f81777

 

You can use the following CLI command to search for all Akira samples in our portal:

$ polyswarm link list -f Akira

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.