Akira ransomware group’s changing tactics: What you need to know

Clop ransomware gang exploits SysAid server bug

The Akira ransomware group has proven to be a significant threat to small- and medium-sized businesses — especially SMBs in Europe, North America, and Australia. The group has notably targeted the government sector. This article explores the Akira group’s changing tactics and how organizations can protect themselves.

Since October, the Akira gang has conducted extortion-only operations. In these attacks, data is stolen from victims' environments without deploying ransomware and encrypting systems and data. This marks a significant change in the Akira group's attack methods and how organizations must defend their systems and data.

Akira ransomware group tactics

According to research from Sophos X-Ops, Akira often breaches systems by gaining unauthorized access to the target organization's VPNs, typically through a compromised login such as a username/password combination. The group also exploits vulnerabilities in VPN software, such as Cisco ASA SSL VPN or Cisco AnyConnect.

Once an endpoint is compromised, the Akira group uses several methods to obtain the necessary credentials to move laterally within the organization and advance its goals. These include performing a mini-dump of the LSASS (Local Security Authority Subsystem Service) process memory (which stores some credentials after a user logs into something), obtaining credentials stored in the Active Directory database, and exploiting known vulnerabilities in backup software.

Akira has used several tools and techniques to gain persistence with compromised systems. These include Remote Desktop Protocol (RDP), SMB (Server Message Block, which is a network communication protocol), and the Impacket module wmiexec (a remote command shell). The group also utilizes a service manager tool known as nssm.exe to create malicious services and establish remote access to compromised machines.

Like many attackers that leverage exploits and malware, the group tries to uninstall or disable security defenses, whether anti-malware or monitoring tools. According to Sophos, the Akira group also uses the runas command (a Windows command-line tool that enables the execution of apps, scripts, etc., with different user permissions from the currently logged-in user) to execute commands. This makes it more challenging for defenders to track their activity.

Most ransomware attackers rely on some form of command and control (C2) mechanism. A C2 system is what these cybercriminals use to communicate and control with an infected machine or network. The C2 server can control the ransomware deployment and encrypt data on the targeted systems. 

Akira often uses AnyDesk to establish persistent remote access to multiple systems within the network. According to Sophos, in one incident the company observed, Akira dropped a custom-made Trojan that communicated with the IP address under the attacker's control. This way, the group could maintain a foothold.

When it comes to data exfiltration, Akira relies on several tools. These include WinRAR, WinSCP, rclone, and MEGA to exfiltrate sensitive information from target environments. Increasingly, this is the focus on the group rather than deploying ransomware. After they exfiltrate the data, the group will demand a ransom from the victim, and if that ransom isn't paid, the group threatens to leak the stolen and often sensitive or regulated data.

When the ransomware group encrypts victim data, Akira uses a combination of AES and RSA algorithms. They will also delete Windows Shadow Volume Copies from devices by running a PowerShell command, making it harder for victims to restore their systems and recover the encrypted data. 

To defend against Akira's new attacks, as well as most ransomware attacks more broadly, organizations should consider employing the following security controls:

Get a handle on identity and access management.

This includes strengthening access control through the implementation of multi-factor authentication. Because Akira often gains initial access through unauthorized login to VPNs by accounts lacking MFA, simply implementing MFA can significantly reduce the risk of such unauthorized access.

As mentioned, Akira uses various methods to obtain credentials, including performing a mini-dump of the LSASS process memory, obtaining credentials stored in the Active Directory database, and exploiting vulnerabilities in backup services. As a result, organizations should ensure that their credentials are securely stored and regularly updated and backup services are also secured.

Additionally, because Akira establishes persistence by creating user accounts, adding them to security-enabled local groups, and resetting passwords for multiple domain accounts, monitoring for such activity and regularly updating passwords can help prevent persistence and privilege escalation. These steps will also help harden the organization from many attacks.

Double down on patch management.

Akira is known to exploit known vulnerabilities in VPN software. Regular patching and updating of software can help prevent such exploits.

Monitor for unusual activity.

Akira uses built-in commands and tools to discover additional systems in the environment and identify the status of target devices. Monitoring for unusual network activity can help detect such behavior. It's also essential to monitor for data exfiltration. Monitoring for large data transfers and unusual network activity can help detect and prevent data exfiltration.

Secure C2 channels.

Akira uses popular dual-use agents like AnyDesk to establish persistent remote access. Monitoring for unusual remote access activity and securing C2 channels can help prevent attacks.

Secure Remote Desktop Protocol (RDP).

Akira often uses RDP with valid local administrator user accounts for lateral movement. Securing RDP and monitoring for unusual RDP activity can help prevent lateral movement.

Implement endpoint protection.

Akira also attempts to uninstall endpoint protections to evade detection. Implementing robust endpoint protection and regularly monitoring for attempts to disable or uninstall such protections can help detect and prevent attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.