The Evolution of Akira Ransomware

Verticals Targeted: Aerospace, Manufacturing, Professional Services, Scientific and Technical Services, Retail, Construction, Insurance, Telecommunications, Hospitality, and Legal Services

Executive Summary

Akira ransomware is one of the most prolific ransomware families of 2024. Active in the wild since April 2023, Akira has continued to evolve, maintaining its relevance on the threat landscape.

Key Takeaways

• Active since 2023, Akira ransomware is one of the most prolific ransomware families of 2024.
• In 2024, Akira has exhibited an evolution that includes a new encryptor, exploiting new CVEs for initial access, and a shift in extortion tactics. 
• Verticals targeted by Akira in recent months include aerospace, manufacturing, professional services, scientific and technical services, retail, construction, insurance, telecommunications, hospitality, and legal services. 
• Due to its change in TTPs, adaptability, and its continued relevance on the threat landscape, PolySwarm analysts consider Akira to be an evolving threat.

What is Akira?

Akira ransomware is one of the most prolific ransomware families of 2024. Active in the wild since April 2023, Akira has continued to evolve, maintaining its relevance on the threat landscape. Earlier this year, Akira released an updated version of its encryptor. More recently, Akira released yet another updated ransomware encryptor, which is capable of targeting both Windows and Linux systems. Cisco Talos recently reported on this activity. 

2024 has seen the evolution of Akira, with new TTPs and exploits being used to keep it relevant on the threat landscape. Akira was originally written in C++, but this year, a new Rust-based variant of its ESXi encryptor was released. The developers appear to be experimenting with new programming techniques and iteratively building the payload’s functions. This variant was followed by yet another retooling, reverting back to C++ based ransomware.

The threat actors behind Akira are known to exploit common infection vectors to obtain initial access to the victim network. This has often included using compromised VPN credentials. More recently, the threat actors have been observed targeting network appliances that are vulnerable to CVE-2024-40766, which is an exploit facilitating remote code execution (RCE) on certain SonicWall SonicOS devices. The threat actors have also been observed exploiting CVE-2020-3259, CVE-2023-20263, and CVE-2023-48788. Once the threat actors have established a foothold in the victim network, they use PowerShell scripts for credential harvesting and privilege escalation. They also delete system shadow copies to hinter data recovery. They use RDP connections for lateral movement and use a variety of techniques to evade detection. 

Akira’s extortion-focused TTPs have also evolved. Historically, the threat actors behind Akira used a double extortion model, demanding a ransom payment to decrypt files and leveraging the threat of public release of stolen data to coerce payment. Earlier this year, Akira began to discard the encryption tactics, focusing primarily on data exfiltration, likely while its encryptor was being reworked. Following the release of the new encryptor, the threat actors again began to use double extortion tactics. 

Akira was observed targeting a Latin American aerospace entity in June 2024. Other verticals targeted by Akira in recent months include manufacturing, professional services, scientific and technical services, retail, construction, insurance, telecommunications, hospitality, and legal services. Due to its change in TTPs, adaptability, and its continued relevance on the threat landscape, PolySwarm analysts consider Akira to be an evolving threat.

IOCs

PolySwarm has multiple samples of Akira.

2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77

87b4020bcd3fad1f5711e6801ca269ef5852256eeaf350f4dde2dc46c576262d

988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42

3805f299d33ef43d17a5a1040149f0e5e2d5db57ec6f03c5687ac23db1f77a30

6005dcbe15d60293c556f05e98ed9a46d398a82e5ca4d00c91ebec68a209ea84

43c5a487329f5d6b4a6d02e2f8ef62744b850312c5cb87c0a414f3830767be72

8e9a33809b9062c5033928f82e8adacbef6cd7b40e73da9fcf13ec2493b4544c

bcae978c17bcddc0bf6419ae978e3471197801c36f73cff2fc88cecbe3d88d1a

678ec8734367c7547794a604cc65e74a0f42320d85a6dce20c214e3b4536bb33

6cadab96185dbe6f3a7b95cf2f97d6ac395785607baa6ed7bf363deeb59cc360

3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c

1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc

5c62626731856fb5e669473b39ac3deb0052b32981863f8cf697ae01c80512e5

3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75

dfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198

28cea00267fa30fb63e80a3c3b193bd9cd2a3d46dd9ae6cede5f932ac15c7e2e

0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d

95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a

7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be

2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83

9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c

131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07

You can use the following CLI command to search for all Akira samples in our portal:

$ polyswarm link list -f Akira

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.