About This Threat Profile

First Identified: 2023

Operation style:
Ransomware-as-a-Service (RaaS). The affiliate payment structure is unknown; however, it is likely similar to that of other RaaS operations (an 80/20 split).

Extortion method:
Double extortion – combining the traditional ransomware extortion method (encryption) with exfiltration of the victim’s sensitive data; the group threatens to leak the data via a data leak site if the ransom demand is not paid.

Most frequently targeted industry: Industrials (Manufacturing)

Most frequently targeted victim HQ region: United States, North America

Known Associations:

Exotic Lily

IQOJ Ransomware

Megazord Ransomware

ZHQ Ransomware

Conti Ransomware

Karakurt Hacking Team

xanonymoux

Description

Akira ransomware was first observed in March 2023 and operates using the double extortion method, in which victims’ data is stolen and leaked if the ransom is not paid. Akira has been linked to the former Conti operation through shared TTPs and behaviors, and through blockchain analysis showing that Akira ransom payments were sent to Conti-affiliated wallets. In June 2023, Avast researchers released a decryptor for the Akira ransomware; however, the threat actors then modified their encryptor, so the available decryptor no longer works. The group has been observed demanding ransom payments between 200,000 USD and 4 million USD.

Akira operators gain initial access through unauthorized logons to VPNs, targeting accounts that did not have multi-factor authentication (MFA) enabled (specifically on Cisco VPN products), and by purchasing credentials or access from initial access brokers (IABs). Additionally, the operators have been observed targeting known vulnerabilities in Cisco, Fortinet, and Veeam products.

Akira’s name is widely believed to come from the 1988 anime movie of the same name, and the operators emulate its aesthetic on their data leak site. The ransomware developers likely based their name on the powerful entity within the anime movie or on its related manga.

Unlike other ransomware operations, the group’s data leak site does not host the stolen data directly. Instead, the group posts links that require torrenting software to download and view the stolen data. This tactic was previously used by the Clop ransomware operation when it listed victims targeted via the MOVEit vulnerability in 2023.

In August 2023, a new variant of the Akira ransomware, Megazord, was observed being deployed. This variant was written in Rust and appends the “.powerranges” extension to encrypted files, whereas the previous version was written in Microsoft Visual C/C++ and appended the “.akira” extension. Additionally, two other variants of Akira, IQOJ and ZHQ, were identified in 2023. The ransom notes observed with these variants directed victims to the Akira TOR site.

Additionally, Akira maintains a Linux version of the malware that uses various symmetric key algorithms for file encryption, including AES, CAMELLIA, DES, and IDEA. The Linux version excludes the same file extensions and directories from encryption as the Windows version, and the ransom notes are the same. This indicates that the threat actor ported the Windows version to Linux.

In November 2023, prior victims of the Akira ransomware were contacted by a threat actor identifying themselves as “xanonymoux,” who claimed to have gained access to a server hosting victim data exfiltrated by Akira. The threat actor then attempted to extort the victims for additional money in exchange for access to the server and/or deletion of the data from the Akira server. Additionally, xanonymoux claimed the Akira group was associated with the Karakurt Hacking Team; however, no evidence of that connection is known.

A ransomware variant with the same name was identified in 2017; however, analysis indicates that the current-day Akira is very likely a different operation.
