New Ransomware Group
In March 2023, a new ransomware group called Akira emerged from the underground of the dark web. The group has quickly built up an impressive list of victims on its dark web leak site, which has also drawn attention for its unusual design, resembling a computer command line. Akira has breached several large corporate networks and demanded multi-million-dollar ransom payments. Since its launch the group has attacked sixteen companies and counting. It does not appear to be focusing on one particular industry, but rather on a diverse portfolio of organisations, with attacks on the education, finance, real estate, manufacturing, and consulting sectors. A proportion of these victims appear to be critical infrastructure organisations.
This suggests the group follows the mainstream attack model of targeting businesses whose essential operations depend on their computer systems, so as to cause the greatest disruption to the organisation and its community. Such a model increases the likelihood of an extortion payment, because the business needs its online infrastructure back in order to operate. A sample of the Akira ransomware discovered by the threat hunting team MalwareHunterTeam shows that Akira deletes the Windows Volume Shadow Copies on the target device by running a PowerShell command. Once that command has executed, the ransomware proceeds to encrypt every file on the victim network matching its list of 145 targeted file extensions. While encrypting, the encryptor skips files found in the Recycle Bin, System Volume Information, Boot, ProgramData and Windows folders, as well as Windows system files with the .exe, .lnk, .dll, .msi and .sys extensions. Once encryption is complete, the affected files carry the extension .akira.
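Deleting Volume Shadow Copies before encryption is the step a defender can most reliably alert on, because it is rare in normal administration. The following detection logic is an added example, not code from the original post or from DarkInvader: it runs over constructed Sysmon-style process-creation records (Event ID 1 field names `Image`, `ParentImage`, `CommandLine`) and flags the command-line shapes commonly used to destroy shadow copies. The page only says Akira runs "a PowerShell command", so the specific patterns below are the generic set a detection engineer would cover, not a quote of the sample.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records (Event ID 1), NOT real
# telemetry from an Akira incident. Two of the five are benign enumeration.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\alice\Downloads\update.exe",
     "CommandLine": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-WmiObject Win32_Shadowcopy | Select-Object ID,InstallDate"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe list shadows"},
]

# Command-line shapes commonly used to destroy Volume Shadow Copies or the
# Windows backup catalog. Assumed generic coverage; the page does not quote
# the exact command the Akira sample uses.
SHADOW_DELETE_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
     "vssadmin delete shadows"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
     "wmic shadowcopy delete"),
    (re.compile(r"win32_shadowcopy.*?\|\s*remove-(wmiobject|ciminstance)", re.I),
     "PowerShell WMI/CIM shadow copy removal"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
     "wbadmin catalog/backup deletion"),
]


def detect_shadow_copy_deletion(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event whose command line matches a destructive
    shadow-copy pattern. Read-only enumeration (list / Select-Object) is
    deliberately not flagged so the rule stays low-noise; the parent image is
    carried along because a non-system parent (here a file in Downloads)
    is what turns a suspicious event into a high-confidence one."""
    findings = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        for pattern, label in SHADOW_DELETE_PATTERNS:
            if pattern.search(cmd):
                findings.append({
                    "technique": label,
                    "parent": ev.get("ParentImage", ""),
                    "command": cmd,
                })
                break  # one finding per event is enough
    return findings


if __name__ == "__main__":
    for hit in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{hit['technique']}] parent={hit['parent']}\n    {hit['command']}")
```

In a real deployment the same patterns would sit in the SIEM as a rule on process-creation telemetry; the point of keeping enumeration out of scope is that backup and storage teams list shadow copies routinely, while deleting them is almost always either a change window or an intrusion.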
The group also uses the Windows Restart Manager API to close processes or shut down Windows services that may be keeping a file open and preventing encryption. The victim also receives a ransom note named 'akira_readme.txt', which explains what has happened to their files and includes a link to the group's dark web site. Each victim receives a unique negotiation password that can be entered into the chat function on Akira's Tor site, allowing them to negotiate the ransom with the threat actors. The demands can be extremely large: an independent journalist claimed they range from $200,000 to $1,000,000.
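The two artefacts the page names, the `.akira` extension and the `akira_readme.txt` note, are what an incident responder uses first to scope impact on a file share. The script below is an added example, not code from the original post or from DarkInvader: it builds a constructed directory tree that mimics a partially encrypted share (placeholder contents, not real artefacts), then walks it to report encrypted-file counts per folder, which folders hold a ransom note, and which files were left untouched. Everything about the tree layout is assumed for illustration.

```python
import os
import tempfile
from collections import Counter
from typing import Dict

# Indicators stated on the page: encrypted files carry the .akira extension
# and a ransom note named akira_readme.txt is dropped alongside them.
ENCRYPTED_EXT = ".akira"
RANSOM_NOTE = "akira_readme.txt"


def build_sample_tree(root: str) -> None:
    """Create a constructed directory tree resembling a partially encrypted
    file share. File contents are placeholders, not real malware output."""
    layout = {
        "Finance/Q1.xlsx.akira": b"",
        "Finance/Q2.xlsx.akira": b"",
        "Finance/akira_readme.txt": b"placeholder ransom note text",
        "HR/policy.docx": b"",
        "HR/payroll.csv.akira": b"",
        "HR/akira_readme.txt": b"placeholder ransom note text",
        "IT/setup.exe": b"",   # .exe is on the page's list of skipped extensions
        "IT/notes.txt": b"",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def triage(root: str) -> Dict[str, object]:
    """Walk the tree and summarise impact for the incident report:
    encrypted-file count per folder, folders holding a ransom note, and
    the files that were not renamed (candidates for a quick integrity check)."""
    encrypted_per_dir: Counter = Counter()
    note_dirs = []
    untouched = []
    for dirpath, _, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in filenames:
            lowered = name.lower()
            if lowered == RANSOM_NOTE:
                note_dirs.append(rel_dir)
            elif lowered.endswith(ENCRYPTED_EXT):
                encrypted_per_dir[rel_dir] += 1
            else:
                untouched.append(os.path.join(rel_dir, name))
    return {
        "encrypted_total": sum(encrypted_per_dir.values()),
        "encrypted_per_dir": dict(encrypted_per_dir),
        "ransom_note_dirs": sorted(note_dirs),
        "untouched": sorted(untouched),
    }


def run_demo() -> Dict[str, object]:
    """Build the constructed tree in a temporary directory, triage it and
    return the summary so the result can be inspected or asserted on."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    summary = run_demo()
    print(f"encrypted files: {summary['encrypted_total']}")
    for folder, count in sorted(summary["encrypted_per_dir"].items()):
        print(f"  {folder}: {count}")
    print(f"ransom notes found in: {', '.join(summary['ransom_note_dirs'])}")
    print(f"untouched files: {len(summary['untouched'])}")
```

Pointing `triage()` at a mounted share (instead of `run_demo()`'s temporary tree) gives the per-folder figures needed both for the stakeholder communication the incident response plan calls for and for deciding which backups to restore first.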
To protect your organisation from threats such as Akira ransomware, it is key to implement protective measures, such as making sure your corporate infrastructure and network are secure and up to date. This could include deploying more up-to-date and secure firewalls or anti-malware, regularly updating the software your organisation uses to remediate bugs and flaws uncovered by developers, and restricting access to sensitive data. It should also include instructing employees on how to spot suspicious emails from third parties, reminding them not to click on links from unknown parties, and explaining that anything suspicious should be reported to the correct department. Finally, it is also key to have an incident response plan in place in case of a successful attack. This plan should include backing up important data, a protocol for communicating with customers and stakeholders, and working with the correct authorities to investigate the attack. Here at DarkInvader, we actively scan the public and private web for your company's domain to protect the business against potential cyber attacks.