1.Akira Ransomware Overview

Recently, Antiy CERT (a member of the CCTGA Ransomware Prevention and Response Working Group) discovered multiple Akira ransomware attacks. Akira ransomware was discovered in March 2023, and its attack payload has not yet been found to be widely spread. Foreign security vendors found that attackers initially accessed the victim system through VPN ^[1] , so they speculated that the attack organization behind it used a targeted attack mode to carry out ransomware attacks. After the attackers invaded the victim system, they used Remote Desktop Protocol (RDP) tools or other tools to spread within the intranet. The ransomware payload used the AES+RSA algorithm to encrypt files, and no public decryption tools have been found.

The Akira ransomware operates using a “double extortion” model, or “stealing data + encrypting files.” Since April 21, the attack organization behind it has been publishing victim information and stolen data on the Tor website. As of May 30, they had published information on 25 victims and data stolen from the systems of 11 victims, covering industries such as construction, finance, education, and real estate.

Table 1‑1 Akira ransomware overview

Family name	Akira
Appearance time	March 2023​​​
Typical transmission methods	It is speculated that the intrusion was achieved using a targeted attack mode, and then the RDP tool was used to spread within the intranet.
Typical encryption suffixes	.akira
Encryption algorithm	AES+RSA
Decryption tool	No public decryption tool has been found yet
Encryption system	Windows
Is it double extortion?	yes
ransom note

It has been verified that Antiy Intelligent Endpoint Protection System (IEP) can effectively detect and kill the ransomware.

2.Sample Function and Technology Review

2.1 Attack Process

1.After invading the victim’s system through various means, they use tools to obtain information about other hosts on the network;

2.Delivering stealing tools and ransomware payloads to victim systems;

3.The stolen data is transmitted back to the attacker through a specific C2 channel or tool;

4.The attackers displayed the victim’s information on the Tor website used by the group;

Figure 2 ‑1 Victim information

5.After the stealing phase is completed, the ransomware payload is executed, the ransom note is delivered, and the data files are encrypted;

6.The victim negotiated with the attacker through the Tor address information provided in the ransom note;

7.If the victim does not meet the attacker’s demands, the attacker will publish the data stolen from the victim’s system.

Figure 2 ‑2 Public disclosure of stolen data

2.2 Encryption Process

1.After the Akira ransomware sample is executed, it calls a command-line tool to execute commands to delete disk shadow backups , disable system recovery, and bypass Windows Defender security features to ensure the smooth execution of subsequent processes.

2.Obtain the list of current logical drives on the system and place a ransom note named “akira_readme.txt” in multiple paths.

Figure 2 ‑3 Ransom note

Traverse directories and files to search for files to be encrypted, excluding encryption of specific extensions, file names, and folders;

Table 2 ‑1 Exclude encryption extensions, file names, and folders

Extension	File name	Folder
.exe	akira_readme.txt	%tmp%	Boot
.dll	Bootmgr	%temp%	Trend Micro
.sys	BOOTNXT	%programdata%	Windows
.msi	DumpStack.log.tmp	$Recycle.Bin	System Volume Information
.lnk	pagefile.sys	$RECYCLE.BIN
.akira	swapfile.sys	winnt
	ntuser.dat	thumb

4.Import the RSA public key and use the AES algorithm to encrypt the file. The encrypted file extension is changed to .akira;

Figure 2 ‑4 Encrypted file suffix

3.Emergency Response Recommendations

When a machine is infected with ransomware, don’t panic. You can immediately carry out the following emergency measures to reduce the harm caused by the ransomware: isolate the network , classify and deal with it , report it in time , investigate and reinforce it , and provide professional services.

1. First, the machine infected with the ransomware must be disconnected from the network to prevent the ransomware from spreading laterally and continuing to infect other machines in the local area network.
2. Do not restart the machine. Some ransomware has logic problems in its writing, and it is possible to recover some encrypted files without restarting the machine.
3. Don’t rush to reinstall your system, format your hard drive, or do anything else that might damage encrypted documents. Back up encrypted documents first. Encrypted files with a suffix are not contagious and can be copied to any computer for backup and preservation, but the likelihood of recovery is extremely low. Consider waiting for a decryption solution, as some ransomware decryption tools are released for various reasons.
4. While it’s possible to identify the ransomware family type based on information like the extension and ransom note, the precise nature of the ransomware remains uncertain due to a lack of detailed information on how it encrypts and propagates within the user’s network. While it’s possible to obtain virus samples with similar functionality from threat intelligence libraries and simulate the infection process to confirm the identity, the infection process and source still require further refinement. We recommend on-site security services to locate and trace the source.

4.Protective Recommendations

In response to this ransomware, Antiy recommends that individuals and enterprises take the following protective measures:

4.1 Personal Protection

1. Install terminal protection: Install anti-virus software. It is recommended that Antiy IEP users enable the ransomware protection tool module (enabled by default);
2. Strengthen password strength: Avoid using weak passwords. It is recommended to use passwords that are 16 characters or longer, including a combination of uppercase and lowercase letters, numbers, and symbols. Also, avoid using the same password on multiple servers.
3. Change passwords regularly: Change system passwords regularly to avoid password leaks that could lead to system intrusion.
4. Update patches in a timely manner: It is recommended to enable automatic updates to install system patches. Servers, databases, middleware, and other vulnerable parts should be updated with system patches in a timely manner.
5. Close high-risk ports: Minimize external services and close unused high-risk ports such as 135, 139, 445, and 3389;
6. Close PowerShell: If you do not use the PowerShell command-line tool, it is recommended to close it;
7. Regular data backup: Back up important files regularly, and the backup data should be isolated from the host.

4.2 Enterprise Protection

1. Antiy Intelligent Endpoint Protection System for different platforms;
2. Update patches in a timely manner: It is recommended to enable automatic updates to install system patches. Servers, databases, middleware, and other vulnerable parts should be updated with system patches in a timely manner.
3. Enable logs: Enable key log collection functions (security logs, system logs, PowerShell logs, IIS logs, error logs, access logs, transmission logs, and cookie logs) to provide a basis for tracing security incidents.
4. Set up IP whitelist rules: Configure Windows Firewall with Advanced Security, set up inbound rules for remote desktop connections, add the IP address or IP address range to the rules, and prevent brute force attacks from IP addresses outside the rules;
5. Host reinforcement: perform penetration testing and security reinforcement on the system;
6. Deploy an intrusion detection system (IDS): Deploy traffic monitoring software or equipment to facilitate the discovery and tracing of ransomware. Antiy Persistent Threat Detection System (PTD) uses network traffic as the detection and analysis object, and can accurately detect a large amount of known malicious code and network attack activities, effectively discovering suspicious network behavior, assets and various unknown threats;
7. Disaster recovery plan: Establish a security disaster recovery plan to ensure that the backup business system can be quickly activated when a security incident occurs;
8. Antiy Service: If you’re attacked by ransomware, we recommend disconnecting from the internet immediately and securing the site while your security engineers investigate your computer. Antiy’s 24/7 service hotline is: 400-840-9234.
9. It has been verified that Antiy Intelligent Endpoint Protection System (IEP) can effectively detect and kill the ransomware.

Figure 4 ‑1 Antiy IEP can effectively detect and kill the ransomware

5.ATT&CK Mapping Diagram Corresponding to the Incident

Distribution diagram of technical characteristics corresponding to the events:

Figure 5 ‑1 Mapping of technical characteristics to ATT&CK

Specific ATT&CK technical behavior description table:

Table 5 ‑1 ATT&CK Technical Behavior Description Table

A TT&CK stage/category	Specific behavior	Notes
Initial access	Leverage external remote services	Initial access via remote tools
Execute	Utilize command and script interpreters	Delete disk shadows using Power Shell
Defense evasion	Weakened defense mechanisms	Bypass Windows Defender Detection
Credential access	Operating system credential dumping	Use lsass.exe to dump credentials
Discover	Discover files and directories	Discover files and directories to skip encryption
	Discover remote systems	Discover other remote hosts on the network
Lateral movement	Leverage remote services	Remotely access other hosts using RDP
Collect	Compress/encrypt collected data	Compress the stolen data and send it back
Data exfiltration	Use C2 channel for backhaul	The stolen data is transmitted back using the C2 channel
Influence	Data encryption with adverse effects	Use AES+RSA algorithm to encrypt files
	Disable system recovery	Delete disk shadow volume and disable recovery

6.MD5​

MD5

AF95FBCF9DA33352655F3C2BAB3397E2

431D61E95586C03461552D134CA54D16

C7AE7F5BECB7CF94AA107DDC1CAF4B03

E44EB48C7F72FFAC5AF3C7A37BF80587

D25890A2E967A17FF3DAD8A70BFDD832

Appendix 1: References

• Akira Ransomware is “bringin ‘ 1988 back”

Akira Ransomware is “bringin’ 1988 back”

Appendix 2: About Antiy

Antiy is committed to enhancing the network security defense capabilities of its customers and effectively responding to security threats. Through more than 20 years of independent research and development, Antiy has developed technological leadership in areas such as threat detection engines, advanced threat countermeasures, and large-scale threat automation analysis.

Antiy has developed IEP (Intelligent Endpoint Protection System) security product family for PC, server and other system environments, as well as UWP (Unified Workload Protect) security products for cloud hosts, container and other system environments, providing system security capabilities including endpoint antivirus, endpoint protection (EPP), endpoint detection and response (EDR), and Cloud Workload Protection Platform (CWPP) , etc. Antiy has established a closed-loop product system of threat countermeasures based on its threat intelligence and threat detection capabilities, achieving perception, retardation, blocking and presentation of the advanced threats through products such as the Persistent Threat Detection System (PTD), Persistent Threat Analysis System (PTA), Attack Capture System (ACS), and TDS. For web and business security scenarios, Antiy has launched the PTF Next-generation Web Application and API Protection System (WAAP) and SCS Code Security Detection System to help customers shift their security capabilities to the left in the DevOps process. At the same time, it has developed four major kinds of security service: network attack and defense logic deduction, in-depth threat hunting, security threat inspection, and regular security operations. Through the Threat Confrontation Operation Platform (XDR), multiple security products and services are integrated to effectively support the upgrade of comprehensive threat confrontation capabilities.

Antiy provides comprehensive security solutions for clients with high security requirements, including network and information authorities, military forces, ministries, confidential industries, and critical information infrastructure. Antiy has participated in the security work of major national political and social events since 2005 and has won honors such as the Outstanding Contribution Award and Advanced Security Group. Since 2015, Antiy’s products and services have provided security support for major spaceflight missions including manned spaceflight, lunar exploration, and space station docking, as well as significant missions such as the maiden flight of large aircraft, escort of main force ships, and Antarctic scientific research. We have received several thank-you letters from relevant departments.

Antiy is a core enabler of the global fundamental security supply chain. Nearly a hundred of the world’s leading security and IT enterprises have chosen Antiy as their partner of detection capability. At present, Antiy’s threat detection engine provides security detection capabilities for over 1.3 million network devices and over 3 billion smart terminal devices worldwide, which has become a “national-level” engine. As of now, Antiy has filed 1,877 patents in the field of cybersecurity and obtained 936 patents. It has been awarded the title of National Intellectual Property Advantage Enterprise and the 17th (2015) China Patent Excellence Award.

Antiy is an important enterprise node in China emergency response system and has provided early warning and comprehensive emergency response in major security threats and virus outbreaks such as “Code Red”, “Dvldr”, “Heartbleed”, “Bash Shellcode” and “WannaCry”. Antiy conducts continuous monitoring and in-depth analysis against dozens of advanced cyberspce threat actors (APT groups) such as “Equation”, “White Elephant”, “Lotus” and “Greenspot” and their attack actions, assisting customers to form effective protection when the enemy situation is accurately predicted.