Ransomware Roundup - Akira
2023-10-12 23:0:0 Author: feeds.fortinet.com(查看原文) 阅读量:12 收藏

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This edition of the Ransomware Roundup covers the Akira ransomware.

Affected platforms: Microsoft Windows, Linux
Impacted parties: Microsoft Windows and Linux Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption
Severity level: High

Akira Ransomware Overview

Akira is a relatively new ransomware variant with Windows and Linux versions that came out in April 2023. Like many attackers, the gang behind this variant only uses the ransomware to encrypt files after first breaking into a network and stealing data. This group also employs a double extortion tactic, demanding a ransom from victims in exchange for file decryption and not leaking stolen information to the public.

Infection Vector

According to an advisory issued by CERT India, Akira typically targets organizations running a VPN (virtual private network) service without multi-factor authentication configured. Purchasing network access from the initial access brokers is another possibility.

Victimology

According to data collected through Fortinet's FortiRecon service, the Akira ransomware group has targeted various industry sectors. While Manufacturing is its most targeted sector, it only leads the second-ranked sector, Business Services, by 2%.

Other industry sectors are mostly evenly targeted, which indicates that the Akira ransomware group victimized any organizations they found vulnerable. When victim organizations are classified by country, the United States is in first place by a significant margin.

Figure 1: Top industry sectors targeted by Akira per FortiRecon.

Figure 2: Akira ransomware victims’ locations in the first half of 2023 per FortiRecon.

As of September 22, 2023, the Akira ransomware group had last posted new victims on September 18th.

Akira Ransomware Execution

Windows version

Once a network has been compromised and data has been exfiltrated, the ransomware group will deploy the Windows version of the Akira ransomware to machines running the Windows operating system. The ransomware looks for and encrypts files on those machines. However, it skips the following file extensions for file encryption:

  • .exe
  • .dll
  • .lnk
  • .sys
  • .msi

The following directories are also excluded from file encryption:

  • tmp
  • winnt
  • temp
  • thumb
  • $Recycle Bin
  • $SERVICE BIN
  • System Volume Information
  • Boot
  • Windows
  • Trend Micro
  • ProgramData

The Akira ransomware offers a few command-line options for attackers when executing:

  • -p for “encryption_path”: this option allows attackers to specify the paths, files, and folders for file encryption
  • -s for “share_file”: this option allows attackers to specify the path of the network share for file encryption
  • -n for “encryption_percent”: attackers can specify encryption percentage. The lower the value, the faster the encryption process.

Figure 3: Files encrypted by Akira ransomware.

The ransomware adds a “.akira” extension to encrypted files. It then drops the following ransom note, labeled " akira_readme.txt," in every folder where files are encrypted.

Figure 4: Akira’s ransom note.

It also runs the following PowerShell command to delete Shadow Copies, which makes file recovery difficult.

Linux version

The Linux version of the Akira ransomware targets files with the following extensions for encryption:

".4dd", ".4d", ".accdb", ".accdc", ".accde", ".accdr", ".accdt", ".accft", ".adb", ".ade", ".adf", ".adp", ".arc", ".ora", ".alf", ".ask", ".btr", ".bdf", ".cat", ".cdb", ".ckp", ".cma", ".cpd", ".dacpac", ".dad", ".dadiagrams", ".daschema", ".db", ".db-shm", ".db-wa", ".db3", ".dbc", ".dbf", ".dbs", ".dbt", ".dbv", ".dbx", ".dcb", ".dct", ".dcx", ".dd", ".dlis", ".dp1", ".dqy", ".dsk", ".dsn", ".dtsx", ".dx", ".eco", ".ecx", ".edb", ".epim", ".exb", ".fcd", ".fdb", ".fic", ".fmp", ".fmp12", ".fmps", ".fo", ".fp3", ".fp4", ".fp5", ".fp7", ".fpt", ".frm", ".gdb", ".grdb", ".gwi", ".hdb", ".his", ".ib", ".idb", ".ihx", ".itdb", ".itw", ".jet", ".jtx", ".kdb", ".kexi", ".kexic", ".kexis", ".lgc", ".lwx", ".maf", ".maq", ".mar", ".mas", ".mav", ".mdb", ".mdf", ".mpd", ".mrg", ".mud", ".mwb", ".myd", ".ndf", ".nnt", ".nrmlib", ".ns2", ".ns3", ".ns4", ".nsf", ".nv", ".nv2", ".nwdb", ".nyf", ".odb", ".oqy", ".orx", ".owc", ".p96", ".p97", ".pan", ".pdb", ".pdm", ".pnz", ".qry", ".qvd", ".rbf", ".rctd", ".rod", ".rodx", ".rpd", ".rsd", ".sas7bdat", ".sbf", ".scx", ".sdb", ".sdc", ".sdf", ".sis", ".spq", ".sq", ".sqlite", ".sqlite3", ".sqlitedb", ".te", ".temx", ".tmd", ".tps", ".trc", ".trm", ".udb", ".ud", ".usr", ".v12", ".vis", ".vpd", ".vvv", ".wdb", ".wmdb", ".wrk", ".xdb", ".xld", ".xmlff", ".abcddb", ".abs", ".abx", ".accdw", ".adn", ".db2", ".fm5", ".hjt", ".icg", ".icr", ".lut", ".maw", ".mdn", ".mdt", ".vdi", ".vhd", ".vmdk", ".pvm", ".vmem", ".vmsn", ".vmsd", ".nvram", ".vmx", ".raw", ".qcow2", ".subvo", ".bin", ".vsv", ".avhd", ".vmrs", ".vhdx", ".avdx", ".vmcx", ".iso"

The Linux variant of Akira also uses various symmetric key algorithms for file encryption, including AES, CAMELLIA, DES, and IDEA.

Figure 5: Encryption algorithms used by the Linux version of Akira ransomware. Note: this screenshot was assembled using several code pieces for clarity.

One notable thing about the Linux version is that it excludes the same file extensions and directories from file encryption as the Windows version. This indicates that the attacker has ported the Windows version to Linux.

It also drops the same ransom note as the Windows version:

Figure 6: Ransom note dropped by the Linux version of Akira ransomware.

Data Leak Site

The Akira ransomware group owns its own TOR site where victims can contact the threat actor. Stolen information and a list of victims are also posted there.

Figure 7: Akira ransomware’s TOR site.

Unlike the TOR sites used by other ransomware groups, Akira’s TOR site accepts commands and displays results. For example, executing the “leaks” command will bring up links to the stolen data and the information on victim organizations. The Akira attacker has also made that data available on Torrent.

Figure 8: Results from the “leaks” command on the Akira ransomware’s TOR site.

Another command, “news,” brings up a list of victim organizations and their information. As of September 22, 2023, the latest victims had been posted on September 18.

Figure 9: A list of Akira ransomware victims on the TOR site.

The Akira ransomware has claimed six victims so far in September 2023. The group went hot in August, victimizing more than 20 organizations.

Hopping on the bandwagon

We have also observed at least a few minor variants of Akira ransomware.

The latest minor variant is Megazord, which came out in late August 2023. “Megazord” evokes the giant robot from the Japanese superhero drama series Power Rangers. The attacker’s pick of “Megazord” is fitting for an Akira variant as the name “Akira” was most likely taken from a popular Japanese cyberpunk comic and movie with the same name. The variant drops a ransom note labeled “powerranges.txt”.

The content of “powerranges.txt” is below:

As shown, Megazord’s ransom note asks victims to visit the Akira ransomware’s TOR site. There is one other Megazord ransomware variant. However, that variant only has the attacker’s Telegram channel and Tox ID for contact methods.

Interestingly, Megazord is written in Rust, whereas a typical Akira build is in C++. This may indicate that future Akira variants will be written in Rust or that it is going through a rebranding. Only time will tell.

Older minor variants came out in May and June of 2023.

One minor variant from May adds a “.iqoj” extension to the encrypted files and leaves a ransom note labeled “readme-asldkas.txt.” Another minor variant from June appends a “.zhq” extension to encrypted files and drops “help-you.txt” as a ransom note. Although the file extensions and ransom note names do not have any “Akira” in them, they still lead victims to Akira’s TOR site.

Fortinet Protections

Fortinet customers are already protected from these malware variants through our AntiVirus and FortiEDR services, as follows:

FortiGuard Labs detects the Akira ransomware samples with the following AV signature:

  • W64/Akira.A!tr.ransom
  • W64/Filecoder.AKIR!tr.ransom
  • W64/Filecoder_Akira.A!tr
  • W64/Filecoder_Akira.A!tr.ransom
  • W64/Generik.NFLQ!tr.ransom
  • Linux/Filecoder_Akira.A!tr

FortiGuard Labs detects minor variants of the Akira ransomware samples with the following AV signature:

  • W32/Ransom_Win64_MEGAZORD.THIOABC
  • W64/Generik.NFLQ!tr.ransom
  • W32/PossibleThreat

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.

IOCs

SHA2

Note

2a9257c6c74e37d051f78ed5abaa620b71b27fa3604798af077256a128d911bb

Windows version of Akira ransomware

3f4ceeada7ff021c30df1646437d2ab0e55997bbb281444501f6d1f4ea8fa209

Windows version of Akira ransomware

fb2433beb961839b36198e242d0dedb7fa85ab3e08a1141d02874aa4235ac776

Windows version of Akira ransomware

c239dadd55b55b817fda5b0c2bb062adf399a5b78a8b3280a473d3ae66f81777

Windows version of Akira ransomware

4cb8365b18b1c319d374be0b9d219144c20fb8714e9cf346e655f854d2c60170

Windows version of Akira ransomware

772eb611c9ca20b461536fd0bd87d553dcecf3f4c82e26c2378cad40bbf4b0b0

Windows version of Akira ransomware

2e2ad6392e75d5a5155498c2a76cb373d17ca3ad4ba57c6d33c623fca5e29342

Windows version of Akira ransomware

92072945358b605c024b9e3335fb33b82faf33048c56f5529aaf5af4bf0c1b30

Windows version of Akira ransomware

4aaa583a9c554ea8e73d4dee0d53eb12dda17df16388f96c0f6ddbaafbcda813

Windows version of Akira ransomware

637e28b38086ff9efd1606805ff57aaf6cdec4537378f019d6070a5efdc9c983

Windows version of Akira ransomware

2084ab8f92a86a37a35879378610949e21ea7b5030313655bb82fe6c67772b0d

Windows version of Akira ransomware

473326da3fff09ee3e486f5f39c090690437ac8bf8bdce556c8033e8f0d730fc

Windows version of Akira ransomware

b3f473b0fd752fcd8b0d5983366c4ccccdacdceb8d6ba25fcb02b34c622cca78

Windows version of Akira ransomware

cfbcea795524c69a6d28fd9e60e07437d8f2abd23812109430ca2efd46606310

Windows version of Akira ransomware

337d21f964091417f22f35aee35e31d94fc3f35179c36c0304eef6e4ae983292

Windows version of Akira ransomware

6cadab96185dbe6f3a7b95cf2f97d6ac395785607baa6ed7bf363deeb59cc360

Windows version of Akira ransomware

9ca333b2e88ab35f608e447b0e3b821a6e04c4b0c76545177890fb16adcab163

Windows version of Akira ransomware

d0510e1d89640c9650782e882fe3b9afba00303b126ec38fdc5f1c1484341959

Windows version of Akira ransomware

920384692233578a59fc8de2b0205fd9fb20bb0d75c1d5a1534377abf0fc08bc

Windows version of Akira ransomware

1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc

Windows version of Akira ransomware

8631ac37f605daacf47095955837ec5abbd5e98c540ffd58bb9bf873b1685a50

Windows version of Akira ransomware

3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c

Windows version of Akira ransomware

7b295a10d54c870d59fab3a83a8b983282f6250a0be9df581334eb93d53f3488

Windows version of Akira ransomware

7613fbb940f83173aea126da5cf4319943155f4df25fd2e880eb0c03b1e273f0

Windows version of Akira ransomware

4839fd081e720d7d5091274470679c120378196e1f4faf80c4bac08d8ee7bb8c

Windows version of Akira ransomware

678ec8734367c7547794a604cc65e74a0f42320d85a6dce20c214e3b4536bb33

Windows version of Akira ransomware

8bfa4c2c1065b105ec80a86f460e0e0221b39610109cc6cd4b441dd86e6b4aef

Windows version of Akira ransomware

89f5f29cf6b5bcfc85b506fb916da66cb7fd398cf6011d58e9409c7813e1a6f3

Windows version of Akira ransomware

379ef7c4f6dfae8cc0c8556861ff41930b88c7d9b107a5de10ccd194e1bda0cb

Windows version of Akira ransomware

27009c0abd2709cd5cac4c0135b8f3bed3229b0921601638ba9e90713ede91ea

Windows version of Akira ransomware

8738ba49fcd520789569aea7bf7af890741a745c79ae2bef49b93fb46c076c2b

Windows version of Akira ransomware

25a6758df930b32eed548fca56735f0ddde442b5662e51c625eadbbaf09c9e96

Windows version of Akira ransomware

d371ee0aa4fa710c00173d296c999a5497a18b38c80095db68a2dc5e46ed35f7

Windows version of Akira ransomware

1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296

Linux version of Akira ransomware

82e25f32e01f1898ccce2b6d5292245759733c22a104443a8a9c7db1ebf05c57

Linux version of Akira ransomware

0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d

Megazord ransomware (Akira variant)

c9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0

Megazord ransomware (Akira variant)

67afa125bf8812cd943abed2ed56ed6e07853600ad609b40bdf9ad4141e612b4

IQOJ ransomware (Akira variant)

2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2

ZHQ ransomware (Akira variant)

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE trainingNSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

Best Practices Include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a US Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Additionally, FortiRecon Digital Risk Protection (DRP), is a SaaS-based service that provides a view of what adversaries are seeing, doing, and planning, to help you counter attacks at the reconnaissance phase and significantly reduce the risk, time, and cost of later-stage threat mitigation.


文章来源: https://feeds.fortinet.com/~/799146137/0/fortinet/blog/threat-research~Ransomware-Roundup-Akira
如有侵权请联系:admin#unsafe.sh