Wednesday, January 3, 2024

Akira, again: The ransomware that keeps on taking

Akira is a ransomware family that has been active since March 2023. It is known for its experienced and skilled operators, who use a range of tactics for initial access, persistence, and defense evasion. The operators have been observed using compromised VPN credentials, targeting vulnerable Cisco VPNs, and creating a new domain account on the compromised system. They also use PowerTool or a KillAV tool that abuses a Zemana driver. For discovery, they use PCHunter, SharpHound, AdFind, the Windows net command, nltest, Advanced IP Scanner, and MASSCAN to gather system and domain information. The ransomware is named after a 1988 anime movie of the same name, and its operators use a cyberpunk aesthetic on their leak site. It targets corporate networks worldwide, encrypting sensitive files and demanding large sums of money to retrieve the data and stop it from spreading. According to Trend Micro's open-source intelligence research, Akira ransomware actors compromised 107 organizations between April 1 and August 31, 2023. The ransomware remains active and continues to evolve.

IoC

    IPv4

  • 45.227.254.26
  • 80.66.88.203

    SHA256

  • 1c1ef7736dd95ea9aa2dc5784dc51977a1d890c92159e16315ef15546556bcdf
  • 2b02d732c6c46d8cb3758851c9e79a52761956109f55407c1a5d693a8a1af1f3
  • 681697c35dbb1beba9886f5c44882ccca32dd7e9e483a381e981e7409a0e35cb
  • b711f7617f507053a131a75b0971409f76663b404aa1c51bfbe2cd32f2ac8fb8
  • be8257317bea80a1ed670d70eb4f21bba246c266a59724185b366c2dcfb2b8ea
  • dfee389e1ffa09ed81adcf0d0f165d859e0c045ad7d90f6edcf3f96dfcceba2b

    IPv4

  • 152.89.196.111
  • 185.11.61.114
  • 194.26.29.102
  • 91.240.118.29
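As an added example that is not part of the original post, the following Python script turns the indicator list above into a simple matcher: it loads the IPv4 addresses and SHA256 hashes published here, extracts candidate addresses and hashes from arbitrary log lines with regular expressions, and reports the lines that contain a listed indicator. The log lines embedded in the script are constructed for illustration and do not come from any real incident; the only real values are the indicators copied from the list above.

```python
import re
from typing import Dict, List

# IPv4 indicators copied from the post's IoC list (both IPv4 sections).
IOC_IPV4 = {
    "45.227.254.26", "80.66.88.203",
    "152.89.196.111", "185.11.61.114", "194.26.29.102", "91.240.118.29",
}

# SHA256 indicators copied from the post's IoC list, stored lowercase so
# that matching is case-insensitive regardless of how a sensor renders hashes.
IOC_SHA256 = {
    "1c1ef7736dd95ea9aa2dc5784dc51977a1d890c92159e16315ef15546556bcdf",
    "2b02d732c6c46d8cb3758851c9e79a52761956109f55407c1a5d693a8a1af1f3",
    "681697c35dbb1beba9886f5c44882ccca32dd7e9e483a381e981e7409a0e35cb",
    "b711f7617f507053a131a75b0971409f76663b404aa1c51bfbe2cd32f2ac8fb8",
    "be8257317bea80a1ed670d70eb4f21bba246c266a59724185b366c2dcfb2b8ea",
    "dfee389e1ffa09ed81adcf0d0f165d859e0c045ad7d90f6edcf3f96dfcceba2b",
}

# Loose patterns: any dotted quad and any run of exactly 64 hex characters.
# False candidates are harmless because each one is checked against the sets.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def scan_line(line: str) -> Dict[str, List[str]]:
    """Return the listed indicators that appear in a single log line."""
    ips = sorted({ip for ip in IPV4_RE.findall(line) if ip in IOC_IPV4})
    hashes = sorted(
        {h.lower() for h in SHA256_RE.findall(line) if h.lower() in IOC_SHA256}
    )
    return {"ipv4": ips, "sha256": hashes}


def scan_log(lines: List[str]) -> List[dict]:
    """Scan an iterable of log lines; return one record per line with a hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        matches = scan_line(line)
        if matches["ipv4"] or matches["sha256"]:
            hits.append({"line": number, "text": line, **matches})
    return hits


# Constructed sample lines (hypothetical firewall and EDR events, not real data).
# Line 1 contacts a listed IP; line 3 carries a listed hash in upper case;
# lines 2 and 4 contain an unrelated IP and the SHA256 of an empty file.
SAMPLE_LOG = [
    "2024-01-03T10:12:41Z fw allow src=10.0.5.17 dst=45.227.254.26 dport=443 proto=tcp",
    "2024-01-03T10:13:02Z fw allow src=10.0.5.17 dst=203.0.113.8 dport=443 proto=tcp",
    "2024-01-03T10:15:20Z edr process_create host=WS-221 "
    "sha256=1C1EF7736DD95EA9AA2DC5784DC51977A1D890C92159E16315EF15546556BCDF "
    "image=C:\\Users\\Public\\w.exe",
    "2024-01-03T10:16:05Z edr process_create host=WS-221 "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "
    "image=C:\\Windows\\System32\\notepad.exe",
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        kinds = ", ".join(f"{k}={v}" for k, v in hit.items() if k in ("ipv4", "sha256") and v)
        print(f"line {hit['line']}: {kinds}")
        print(f"    {hit['text']}")
```

To run it over real data, replace SAMPLE_LOG with the lines of a proxy, firewall, or EDR export (for example `scan_log(sys.stdin)`); the matcher only flags exact indicator matches, so a hit is a reason to investigate the host, not proof of compromise on its own, and the IP addresses in particular should be re-checked against the references below before being used for blocking since infrastructure is reassigned over time.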

REFERENCES

  • https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-akira
  • https://darktrace.com/blog/akira-ransomware-how-darktrace-foiled-another-novel-ransomware-attack
  • https://www.sentinelone.com/anthology/akira/
  • https://www.trellix.com/about/newsroom/stories/research/akira-ransomware/
  • https://otx.alienvault.com/pulse/658c45ad9b174d9cf1b26ce0

TAGS

winrar, winscp, veam, mega, ransomware, anydesk, ngrok
