Ransomware Roundup - Akira

Update 4/24/24 – The latest CISA Advisory #StopRansomware: Akira Ransomware | CISA contains contributions from Fortinet and other industry partners.

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This edition of the Ransomware Roundup covers the Akira ransomware.

Affected platforms: Microsoft Windows, Linux
Impacted parties: Microsoft Windows and Linux Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption
Severity level: High

Akira Ransomware Overview

Akira is a relatively new ransomware variant with Windows and Linux versions that came out in April 2023. Like many attackers, the gang behind this variant only uses the ransomware to encrypt files after first breaking into a network and stealing data. This group also employs a double extortion tactic, demanding a ransom from victims in exchange for file decryption and not leaking stolen information to the public.

Infection Vector

According to an advisory issued by CERT India, Akira typically targets organizations running a VPN (virtual private network) service without multi-factor authentication configured. Purchasing network access from the initial access brokers is another possibility.

Victimology

According to data collected through Fortinet's FortiRecon service, the Akira ransomware group has targeted various industry sectors. While Manufacturing is its most targeted sector, it only leads the second-ranked sector, Business Services, by 2%.

Other industry sectors are mostly evenly targeted, which indicates that the Akira ransomware group victimized any organizations they found vulnerable. When victim organizations are classified by country, the United States is in first place by a significant margin.

As of September 22, 2023, the Akira ransomware group had last posted new victims on September 18th.

Akira Ransomware Execution

Windows version

Once a network has been compromised and data has been exfiltrated, the ransomware group will deploy the Windows version of the Akira ransomware to machines running the Windows operating system. The ransomware looks for and encrypts files on those machines. However, it skips the following file extensions for file encryption:

• .exe
• .dll
• .lnk
• .sys
• .msi

The following directories are also excluded from file encryption:

• tmp
• winnt
• temp
• thumb
• $Recycle Bin
• $SERVICE BIN
• System Volume Information
• Boot
• Windows
• Trend Micro
• ProgramData

The Akira ransomware offers a few command-line options for attackers when executing:

• -p for “encryption_path”: this option allows attackers to specify the paths, files, and folders for file encryption
• -s for “share_file”: this option allows attackers to specify the path of the network share for file encryption
• -n for “encryption_percent”: attackers can specify encryption percentage. The lower the value, the faster the encryption process.

The ransomware adds a “.akira” extension to encrypted files. It then drops the following ransom note, labeled " akira_readme.txt," in every folder where files are encrypted.

It also runs the following PowerShell command to delete Shadow Copies, which makes file recovery difficult.

Linux version

The Linux version of the Akira ransomware targets files with the following extensions for encryption:

".4dd", ".4d", ".accdb", ".accdc", ".accde", ".accdr", ".accdt", ".accft", ".adb", ".ade", ".adf", ".adp", ".arc", ".ora", ".alf", ".ask", ".btr", ".bdf", ".cat", ".cdb", ".ckp", ".cma", ".cpd", ".dacpac", ".dad", ".dadiagrams", ".daschema", ".db", ".db-shm", ".db-wa", ".db3", ".dbc", ".dbf", ".dbs", ".dbt", ".dbv", ".dbx", ".dcb", ".dct", ".dcx", ".dd", ".dlis", ".dp1", ".dqy", ".dsk", ".dsn", ".dtsx", ".dx", ".eco", ".ecx", ".edb", ".epim", ".exb", ".fcd", ".fdb", ".fic", ".fmp", ".fmp12", ".fmps", ".fo", ".fp3", ".fp4", ".fp5", ".fp7", ".fpt", ".frm", ".gdb", ".grdb", ".gwi", ".hdb", ".his", ".ib", ".idb", ".ihx", ".itdb", ".itw", ".jet", ".jtx", ".kdb", ".kexi", ".kexic", ".kexis", ".lgc", ".lwx", ".maf", ".maq", ".mar", ".mas", ".mav", ".mdb", ".mdf", ".mpd", ".mrg", ".mud", ".mwb", ".myd", ".ndf", ".nnt", ".nrmlib", ".ns2", ".ns3", ".ns4", ".nsf", ".nv", ".nv2", ".nwdb", ".nyf", ".odb", ".oqy", ".orx", ".owc", ".p96", ".p97", ".pan", ".pdb", ".pdm", ".pnz", ".qry", ".qvd", ".rbf", ".rctd", ".rod", ".rodx", ".rpd", ".rsd", ".sas7bdat", ".sbf", ".scx", ".sdb", ".sdc", ".sdf", ".sis", ".spq", ".sq", ".sqlite", ".sqlite3", ".sqlitedb", ".te", ".temx", ".tmd", ".tps", ".trc", ".trm", ".udb", ".ud", ".usr", ".v12", ".vis", ".vpd", ".vvv", ".wdb", ".wmdb", ".wrk", ".xdb", ".xld", ".xmlff", ".abcddb", ".abs", ".abx", ".accdw", ".adn", ".db2", ".fm5", ".hjt", ".icg", ".icr", ".lut", ".maw", ".mdn", ".mdt", ".vdi", ".vhd", ".vmdk", ".pvm", ".vmem", ".vmsn", ".vmsd", ".nvram", ".vmx", ".raw", ".qcow2", ".subvo", ".bin", ".vsv", ".avhd", ".vmrs", ".vhdx", ".avdx", ".vmcx", ".iso"

The Linux variant of Akira also uses various symmetric key algorithms for file encryption, including AES, CAMELLIA, DES, and IDEA.

One notable thing about the Linux version is that it excludes the same file extensions and directories from file encryption as the Windows version. This indicates that the attacker has ported the Windows version to Linux.

It also drops the same ransom note as the Windows version:

Data Leak Site

The Akira ransomware group owns its own TOR site where victims can contact the threat actor. Stolen information and a list of victims are also posted there.

Unlike the TOR sites used by other ransomware groups, Akira’s TOR site accepts commands and displays results. For example, executing the “leaks” command will bring up links to the stolen data and the information on victim organizations. The Akira attacker has also made that data available on Torrent.

Another command, “news,” brings up a list of victim organizations and their information. As of September 22, 2023, the latest victims had been posted on September 18.

The Akira ransomware has claimed six victims so far in September 2023. The group went hot in August, victimizing more than 20 organizations.

Hopping on the bandwagon

We have also observed at least a few minor variants of Akira ransomware.

The latest minor variant is Megazord, which came out in late August 2023. “Megazord” evokes the giant robot from the Japanese superhero drama series Power Rangers. The attacker’s pick of “Megazord” is fitting for an Akira variant as the name “Akira” was most likely taken from a popular Japanese cyberpunk comic and movie with the same name. The variant drops a ransom note labeled “powerranges.txt”.

The content of “powerranges.txt” is below:

As shown, Megazord’s ransom note asks victims to visit the Akira ransomware’s TOR site. There is one other Megazord ransomware variant. However, that variant only has the attacker’s Telegram channel and Tox ID for contact methods.

Interestingly, Megazord is written in Rust, whereas a typical Akira build is in C++. This may indicate that future Akira variants will be written in Rust or that it is going through a rebranding. Only time will tell.

Older minor variants came out in May and June of 2023.

One minor variant from May adds a “.iqoj” extension to the encrypted files and leaves a ransom note labeled “readme-asldkas.txt.” Another minor variant from June appends a “.zhq” extension to encrypted files and drops “help-you.txt” as a ransom note. Although the file extensions and ransom note names do not have any “Akira” in them, they still lead victims to Akira’s TOR site.

Fortinet Protections

Fortinet customers are already protected from these malware variants through our AntiVirus and FortiEDR services, as follows:

FortiGuard Labs detects the Akira ransomware samples with the following AV signature:

• W64/Akira.A!tr.ransom
• W64/Filecoder.AKIR!tr.ransom
• W64/Filecoder_Akira.A!tr
• W64/Filecoder_Akira.A!tr.ransom
• W64/Generik.NFLQ!tr.ransom
• Linux/Filecoder_Akira.A!tr

FortiGuard Labs detects minor variants of the Akira ransomware samples with the following AV signature:

• W32/Ransom_Win64_MEGAZORD.THIOABC
• W64/Generik.NFLQ!tr.ransom
• W32/PossibleThreat

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.

IOCs

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

Best Practices Include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a US Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Additionally, FortiRecon Digital Risk Protection (DRP), is a SaaS-based service that provides a view of what adversaries are seeing, doing, and planning, to help you counter attacks at the reconnaissance phase and significantly reduce the risk, time, and cost of later-stage threat mitigation.