Chris Swagler | May 18th, 2023

A new ransomware group, Akira, is quietly amassing a victim list as it breaches global companies’ networks, encrypts files, and demands million-dollar ransoms. Akira, launched in March 2023, claims to have already attacked 16 companies. The companies operate in various industries, including education, finance, real estate, manufacturing, and consulting. Although a different malware named Akira was released in 2017, the two operations are not believed to be connected.

A malware-hunting team discovered a sample of the Akira ransomware, which was shared for analysis. When executed, Akira erases the Windows Shadow Volume Copies on the device by running the following PowerShell command: powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject". Following that, the ransomware will encrypt files using the following file extensions:

While encrypting, the encryptor skips files found in the Recycle Bin, System Volume Information, Boot, ProgramData, and Windows folders. It also avoids encrypting Windows system files with the extensions .exe, .lnk, .dll, .msi, and .sys. When a file is encrypted, the .akira extension is appended to its filename: a file called 1.doc, for example, would be encrypted and renamed 1.doc.akira. Akira uses the Windows Restart Manager API to terminate processes or shut down Windows services that could block encryption by keeping a file open.

Each folder on the computer will contain a ransom note called “akira_readme.txt,” which describes what happened to the victim’s files and links to the Akira data leak and negotiation sites. If no agreement is reached, the ransomware group will attempt to sell personal information, trade secrets, databases, source code, and anything else of value on the dark market to numerous threat actors. The Akira ransom note also threatens to publish all of the information on the group’s blog. Each victim is given a unique negotiation password, which they enter on the threat actor’s Tor site. Unlike numerous other ransomware operations, the negotiation site provides a chat interface through which victims can negotiate directly with the ransomware group.
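The behaviours described above (the WMI shadow-copy wipe, the .akira extension, and the akira_readme.txt note) translate directly into host-based detection logic. The script below is an added example, not code from the article or from SpearTip; it assumes process-creation telemetry shaped like Sysmon Event ID 1 / Windows 4688 fields (Computer, User, CommandLine) and runs over constructed sample data.

```python
import re
from pathlib import Path, PureWindowsPath
from typing import Iterable

# Indicators taken from the article: the WMI shadow-copy deletion command,
# the .akira extension appended to encrypted files, and the ransom note name.
SHADOW_DELETE_RE = re.compile(
    r"Get-WmiObject\s+Win32_Shadowcopy\s*\|\s*Remove-WmiObject", re.IGNORECASE
)
ENCRYPTED_EXT = ".akira"
RANSOM_NOTE = "akira_readme.txt"


def flag_shadow_copy_deletion(events: Iterable[dict]) -> list[dict]:
    """Return process-creation events whose command line matches the
    shadow-copy wipe. Event dicts are assumed to carry Computer, User and
    CommandLine keys (the fields a Sysmon ID 1 or 4688 record provides)."""
    hits = []
    for ev in events:
        if SHADOW_DELETE_RE.search(ev.get("CommandLine", "")):
            hits.append({"host": ev.get("Computer"), "user": ev.get("User"),
                         "reason": "shadow copies removed via WMI"})
    return hits


def summarize_paths(paths: Iterable[str]) -> dict:
    """Count .akira files and ransom notes in a file listing and report the
    directories holding a note. Pure function so it works on a collected
    listing (e.g. from a file server inventory) as well as on a live walk."""
    encrypted, notes, note_dirs = 0, 0, set()
    for raw in paths:
        p = PureWindowsPath(raw)  # accepts both backslash and slash separators
        if p.name.lower().endswith(ENCRYPTED_EXT):
            encrypted += 1
        elif p.name.lower() == RANSOM_NOTE:
            notes += 1
            note_dirs.add(p.parent.as_posix())
    return {"encrypted_files": encrypted, "ransom_notes": notes,
            "note_dirs": sorted(note_dirs)}


def scan_tree(root: str) -> dict:
    """Walk a directory on a live host and summarize Akira artefacts in it."""
    return summarize_paths(str(p) for p in Path(root).rglob("*") if p.is_file())


# Constructed sample telemetry and file listing (not real data).
SAMPLE_EVENTS = [
    {"Computer": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"Computer": "WS07", "User": "CORP\\alice",
     "CommandLine": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Select-Object ID"'},
    {"Computer": "WS09", "User": "CORP\\bob", "CommandLine": "powershell.exe -File backup.ps1"},
]
SAMPLE_LISTING = [
    r"D:\shares\finance\1.doc.akira",
    r"D:\shares\finance\akira_readme.txt",
    r"D:\shares\finance\budget.xlsx.akira",
    r"C:\Windows\System32\kernel32.dll",  # Windows folder: skipped by the encryptor
    r"D:\shares\hr\akira_readme.txt",
]

if __name__ == "__main__":
    for hit in flag_shadow_copy_deletion(SAMPLE_EVENTS):
        print("ALERT", hit)
    print(summarize_paths(SAMPLE_LISTING))
```

Listing shadow copies on their own (the second sample event) is routine administration and is deliberately not flagged; only the pipe into Remove-WmiObject matches.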

Like other ransomware groups, Akira infiltrates a company’s network and propagates laterally to other devices. Once the threat actors have obtained Windows domain admin credentials, they deploy the ransomware throughout the network. Before encrypting files, however, they steal the company’s data to use as leverage in their extortion attempts, warning victims that the data will be publicly released if the ransom is not paid. The Akira group has put a lot of effort into its data leak site, giving it a retro appearance and letting visitors navigate it by typing commands. Akira has leaked data from four victims on the site, with the size of the leaked data ranging from 5.9 GB for one company to 259 GB for another. The group’s ransom demands range from $200,000 to millions of dollars. The group is also willing to reduce its demand for companies that don’t need a decryptor and only want to stop the stolen data from being leaked. The ransomware is currently being analyzed for weaknesses, and victims are advised not to pay the ransom until it’s confirmed whether a free decryptor can recover their files.

With new ransomware groups emerging in the wild and targeting companies across industries, high-profile companies need to remain vigilant in the current threat landscape and keep backups of their data so they are not forced to pay ransom demands. At SpearTip, we engage in hundreds of responses to ransomware events annually. Our team of experts will guide companies through the technical aspects of the response. The outline below gives high-level insight into the stages an engagement typically goes through as IT operations are restored and forensics is conducted. Our first step is a full ransomware threat assessment, so we can discover what problems exist and fix them. We can’t adequately protect companies from dangerous threats without knowing all the possible risks.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
