On April 18, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Netherlands’ National Cyber Security Centre (NCSC-NL) released a joint Cybersecurity Advisory (CSA) that disseminates known Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with Akira ransomware, identified through FBI investigations and trusted third-party reporting as recently as February 2024.
This joint CSA is a continuation of CISA’s ongoing #StopRansomware effort to arm defenders with the intelligence they need to combat different ransomware variants and ransomware threat actors.
Akira is a ransomware that emerged in March 2023 and is offered under the Ransomware-as-a-Service (RaaS) business model.
It is reported that this iteration of Akira is completely different from a previous ransomware strain with the same name that was active in 2017, even though they both append the .akira extension to encrypted files.
According to a report published by the Arctic Wolf Labs Team in July 2023, Akira has been linked to Conti ransomware due to code similarities, as both use similar routines such as string obfuscation and file encryption, and by avoiding the same file extensions.
The report states that when Conti’s source code was leaked, multiple adversaries used it to create or tweak their own ransomware code, which makes it even more challenging to trace back ransomware families to Conti operators.
Akira’s operators use a website on the TOR network (with a .onion domain) where victims are directed to contact the attackers using a unique identifier found in the ransom message they receive, to initiate negotiations. If ransom demands are not met, the group will use this TOR-based site to list victims and any stolen information, as Akira steals victims’ critical data prior to encrypting devices and files.
According to reports, Akira operators provide victims the option to pay for either file decryption or data deletion; they don’t force victims into paying for both. Ransom demands for Akira are reported to range from 200,000 USD to over 4 million USD.
AttackIQ has released a new attack graph that emulates the various Tactics, Techniques and Procedures (TTPs) exhibited by Akira ransomware during recent activities with the aim of helping customers validate their security controls and their ability to defend against this worldwide threat.
Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:
This attack graph emulates the various Tactics, Techniques and Procedures (TTPs) exhibited by Akira ransomware during recent activities.
This emulation is based on the Cybersecurity Advisory (CSA) released by CISA and supported by the reports published by Darktrace on September 13, 2023, Trend Micro on October 5, 2023, and Trellix on November 29, 2023.
This stage starts immediately after the adversary has gained access by brute forcing through the Remote Desktop Protocol (RDP). Once accomplished, the adversary will attempt to acquire persistence in the system by creating an administrative account named itadm.
Subsequently, the adversary will seek to obtain information about local and domain accounts as well as details related to the network to which the compromised system belongs, listing Domain Controllers, Trusted Domains, and the Active Directory.
Create Account: Local Account (T1136.001): This scenario will create a new account with the name itadm using net user.
Permission Groups Discovery (T1069): This scenario will enumerate permission groups using the net localgroup and net group /domain commands.
Remote System Discovery (T1018): This scenario executes the nltest command to gather a list of domain controllers associated with a domain.
Domain Trust Discovery (T1482): This scenario calls the native nltest utility with the /trusted_domains option to retrieve a list of trusted Active Directory domains associated with this host.
Remote System Discovery (T1018): This scenario will perform Active Directory discovery by leveraging the Adfind utility.
The second stage of this attack begins by downloading and saving a Kerberos Ticket dumper, which will be used to perform the Kerberoasting technique to acquire elevated privileges.
Then, the adversary will search for the Local Security Authority Subsystem Service (LSASS) in order to dump it in a MiniDump file, which will then be used by Mimikatz to acquire credentials. In case of failure, the adversary will resort to the credential stealer known as LaZagne.
Finally, the adversary will use the acquired credentials to move laterally to previously identified systems on the network via Remote Desktop Protocol (RDP).
Ingress Tool Transfer (T1105): This scenario downloads the sample to memory and saves it to disk in two independent scenarios, to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003): This scenario will implement the Kerberoasting technique, which allows an attacker to attempt to extract password hashes for accounts using their Service Principal Name (SPN) ticket.
Process Discovery (T1057): This scenario uses the Windows built-in tasklist command to discover running processes, and the results are saved to a file in a temporary location.
OS Credential Dumping: LSASS Memory (T1003.001): Uses rundll32.exe with comsvcs.dll to call the MiniDump export that will dump the LSASS process memory to disk. This process is used for enforcing security policy on the system and contains many privileged tokens and accounts that are targeted by threat actors. Mimikatz is then used to dump the credentials from that minidump file.
OS Credential Dumping (T1003): This scenario uses the open-source tool LaZagne to dump all possible credentials available on the host.
Browser Bookmark Discovery (T1217): This scenario will execute a PowerShell script that will iterate through each user profile on the system and attempt to flush the data from the WebCache log files back to the WebCacheV01 database using the esentutl utility. Once the data has been flushed, a copy of the database will be made to a temporary directory.
Remote Desktop Protocol (T1021.001): This scenario will attempt to move laterally to another previously discovered host through Remote Desktop Protocol (RDP) by using the dumped credentials.
The last stage begins with the deployment of Akira ransomware, which will first attempt to delete Volume Shadow Copies using WMI Objects. Next, it will retrieve information about the processor to proceed with the collection and encryption of files on the system.
Finally, once encryption has been achieved, the ransomware will exfiltrate the collected information via File Transfer Protocol (FTP) in order to support its double extortion efforts.
Inhibit System Recovery (T1490): This scenario will attempt to delete a recent Volume Shadow Copy created by the assessment template by using Get-WMIObject Win32_ShadowCopy.
System Information Discovery (T1082): This scenario executes the GetSystemInfo Native API call to retrieve information associated with the system.
Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using the same encryption algorithm used by Akira ransomware.
Exfiltration Over Alternative Protocol (T1048): This scenario will start an FTP connection against an AttackIQ server to emulate the exfiltration of sensitive information from the compromised system.
In addition to the released assessment template, AttackIQ recommends the following scenarios to extend the emulation of the capabilities exhibited by Akira ransomware.
ntdsutil.exe utility to dump the NTDS.dit file along with the SYSTEM and SECURITY registry hives.
Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations to adapt them to your environment first to determine if you have any existing impact before reviewing the assessment results.
Adversaries may attempt to extract user and credential information from the Local Security Authority Subsystem Service (LSASS) process.
Search for executions of comsvcs that attempt to access the LSASS process.
Process Name == (comsvcs)
Command Line CONTAINS ('lsass')
MITRE ATT&CK recommends the following mitigation recommendations:
Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.
Deletion of Volume Shadow Copies is usually the first step that occurs and can be detected by looking at command line activity:
Process Name == powershell.exe
Command Line == "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"
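The two detection patterns above (the comsvcs/LSASS rule and the shadow-copy deletion rule), together with the account-creation and discovery commands from the first stage of the graph (net user, net localgroup, net group /domain, nltest), can be expressed as a small rule set run over process-creation events. The following Python is an added example written for this article, not AttackIQ's, CISA's, or any vendor's code. The process events are constructed, the rule names are my own, and the two fields (image name and full command line) are assumed to come from a Sysmon event ID 1 record or an equivalent EDR process-start event.

```python
"""Toy process-creation detection for the Akira TTPs described in this article.

Each rule mirrors the 'Process Name == X / Command Line CONTAINS Y' shape used
above. All events below are constructed sample data, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # basename of the started executable (Sysmon 'Image')
    command_line: str   # full command line as logged (Sysmon 'CommandLine')


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    image: Optional[str]   # exact process name (case-insensitive), None = any
    cmd_pattern: str       # regex applied to the command line, case-insensitive


# Hypothetical rule set derived from the scenarios described in the article.
RULES: List[Rule] = [
    Rule("Local account creation (itadm)", "T1136.001", "net.exe",
         r"\buser\b.*\bitadm\b.*/add"),
    Rule("Local/domain group enumeration", "T1069", "net.exe",
         r"\b(localgroup|group\s+/domain)\b"),
    Rule("Domain controller / trust discovery", "T1018/T1482", "nltest.exe",
         r"/dclist|/trusted_domains"),
    # Keys on the DLL plus the MiniDump export rather than the string 'lsass',
    # so a dump written to an arbitrary file name is still caught.
    Rule("LSASS dump via comsvcs MiniDump", "T1003.001", "rundll32.exe",
         r"comsvcs.*\bminidump\b"),
    Rule("Shadow copy deletion via WMI", "T1490", "powershell.exe",
         r"win32_shadowcopy.*\.delete\("),
]


def match_rules(event: ProcessEvent, rules: List[Rule] = RULES) -> List[str]:
    """Return the ATT&CK technique IDs of every rule the event triggers."""
    hits = []
    for rule in rules:
        if rule.image and event.image.lower() != rule.image:
            continue
        if re.search(rule.cmd_pattern, event.command_line, re.IGNORECASE):
            hits.append(rule.technique)
    return hits


# Constructed sample events: the first seven mirror the emulated stages,
# the last two are benign administrative activity that must not alert.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("net.exe", "net user itadm P@ssw0rd! /add"),
    ProcessEvent("net.exe", "net localgroup administrators"),
    ProcessEvent("net.exe", "net group /domain"),
    ProcessEvent("nltest.exe", "nltest /dclist:corp.example"),
    ProcessEvent("nltest.exe", "nltest /trusted_domains"),
    ProcessEvent("rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\out.dmp full"),
    ProcessEvent("powershell.exe",
                 "powershell.exe Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"),
    ProcessEvent("powershell.exe", "powershell.exe Get-Date"),
    ProcessEvent("net.exe", r"net use Z: \\fileserver\share"),
]


def scan(events: List[ProcessEvent] = SAMPLE_EVENTS) -> List[Tuple[str, List[str]]]:
    """Run every rule over every event and return only the alerting ones."""
    results = []
    for event in events:
        techniques = match_rules(event)
        if techniques:
            results.append((event.command_line, techniques))
    return results


if __name__ == "__main__":
    for command_line, techniques in scan():
        print(", ".join(techniques), "<-", command_line)
```

Two design points are worth noting. The article's LSASS rule keys on the string 'lsass' appearing in the command line; the rule here keys on comsvcs plus the MiniDump export instead, which is present whatever the output file is called. Second, net.exe hands most subcommands to net1.exe, so a production rule should match both image names rather than net.exe alone.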
MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery
In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the recent activities carried out by Akira ransomware affiliates. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a widely distributed and dangerous threat.
AttackIQ stands at the ready to help security teams implement this assessment template and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.