Verticals Targeted: Manufacturing, Business Services, Construction, Education, Finance, Legal Services, Retail, Architecture, Engineering and Design, and Investment Banking
Key Takeaways
What is Akira?
Akira ransomware was recently observed targeting Windows and Linux systems. FortiGuard Labs reported on Akira.
Akira is written in C++. Active in the wild since April 2023, Akira encrypts victim files after the threat actors have stolen data from the victim. The threat actors behind Akira use this data in a double extortion tactic, demanding a ransom payment to decrypt files and leveraging the threat of public release of stolen data to coerce payment. Akira tends to target organizations running a VPN without MFA configured. They may also purchase network access from initial access brokers.
Akira is known to target multiple verticals, including manufacturing, business services, construction, education, finance, legal services, retail, architecture, engineering and design, and investment banking. Outside these verticals, other targets appear to be targets of opportunity. Targeted entities were located in multiple countries, including the US, Canada, Nicaragua, South Africa, Argentina, the UK, and the Bahamas. Over 50% of targets were located in the US.
Akira’s leak site is on TOR and allows victims to contact the threat actors. It also contains a list of victims and provides a place for the threat actors to publish stolen information. The site includes a command-based search function, allowing visitors to search for and download data from victim organizations.
Akira Variants
Windows Version
The Windows version of Akira encrypts a victim’s files, skipping over files with an .exe, .dll, .lnk, .sys, or .msi extension. The ransomware appends the .akira extension to encrypted files and drops a ransom note in each folder containing encrypted files. Akira also uses a PowerShell command to delete shadow copies, complicating file recovery efforts.
Linux Version
The Linux version of Akira uses AES, CAMELLIA, DES, and IDEA algorithms for encryption. It excludes from encryption the same file extensions and directories as the Windows version, indicating the Linux version is merely a port of the Windows version.
Megazord Variant
Researchers also discovered a rust-based variant of Akira, known as Megazord.
IOCs
PolySwarm has multiple samples of Akira.
67afa125bf8812cd943abed2ed56ed6e07853600ad609b40bdf9ad4141e612b4
0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d
d371ee0aa4fa710c00173d296c999a5497a18b38c80095db68a2dc5e46ed35f7
25a6758df930b32eed548fca56735f0ddde442b5662e51c625eadbbaf09c9e96
7b295a10d54c870d59fab3a83a8b983282f6250a0be9df581334eb93d53f3488
3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c
8631ac37f605daacf47095955837ec5abbd5e98c540ffd58bb9bf873b1685a50
920384692233578a59fc8de2b0205fd9fb20bb0d75c1d5a1534377abf0fc08bc
d0510e1d89640c9650782e882fe3b9afba00303b126ec38fdc5f1c1484341959
9ca333b2e88ab35f608e447b0e3b821a6e04c4b0c76545177890fb16adcab163
6cadab96185dbe6f3a7b95cf2f97d6ac395785607baa6ed7bf363deeb59cc360
337d21f964091417f22f35aee35e31d94fc3f35179c36c0304eef6e4ae983292
b3f473b0fd752fcd8b0d5983366c4ccccdacdceb8d6ba25fcb02b34c622cca78
2084ab8f92a86a37a35879378610949e21ea7b5030313655bb82fe6c67772b0d
637e28b38086ff9efd1606805ff57aaf6cdec4537378f019d6070a5efdc9c983
92072945358b605c024b9e3335fb33b82faf33048c56f5529aaf5af4bf0c1b30
2e2ad6392e75d5a5155498c2a76cb373d17ca3ad4ba57c6d33c623fca5e29342
4cb8365b18b1c319d374be0b9d219144c20fb8714e9cf346e655f854d2c60170
c239dadd55b55b817fda5b0c2bb062adf399a5b78a8b3280a473d3ae66f81777
You can use the following CLI command to search for all Akira samples in our portal:
$ polyswarm link list -f Akira
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.