what is akira
Akira is a new family of ransomware, first used in cybercrime attacks in March 2023.
Akira? Haven’t we heard of this before?
Maybe you’re thinking of the comic books and cyberpunk manga that came out in the 80s. Or maybe you’re thinking of a Unrelated ransomware of the same name which grew in 2017.
Maybe that’s all. So what’s the scoop on Akira’s new ransomware?
There are two main reasons why the new Akira ransomware is grabbing the headlines – the organizations it’s extorting, and its strange data leak site.
Okay, so one thing at a time. Who is Akira holding to ransom?
According to postings on Akira’s dark web leak site, the ransomware has already hit a variety of organizations in the finance, real estate, and manufacturing sectors, as well as a daycare center.
Why would someone try to extort money from a daycare center?
It’s simple to answer. Of money. Most criminals behind ransomware attacks have no qualms about who they are trying to force to pay. To them it doesn’t matter if you run a hospice, a children’s school, a charity or a large multinational business. Of course, at the same time we must recognize that many ransomware attacks simply do not discriminate between their victims. The Toronto daycare affected by the Akira ransomware may not have been particularly targeted — it may just have been a victim of bad luck.
So when hackers break into your company’s systems, what do they do?
Before running Akira’s ransomware encryption routine and posting a ransom demand, cybercriminals extract data from compromised corporate networks. Then, believing they have stolen enough information to effectively extort payment from their victim, hackers deploy Akira’s payload.
So does Akira follow the usual routine? Encrypt your data files?
Yes, but first it deletes the Windows Shadow volume copies from devices by running a PowerShell command. Then, you guessed it, it goes on to encrypt a wide variety of data file types, appending “.akira” to the end of their file name. According to A Report By Creepy computerFiles with the following extensions are encrypted in the attack:
.abcddb, .abs, .abx, .accdb, .accdc, .accde, .accdr, .accdt, .accdw, .accft, .adb, .ade, .adf, .adn, .adp, .alf, .arc, .ask, .avdx, .avhd, .bdf, .bin, .btr, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad, .dadiagrams, .daschema, .db-shm, .db-wal, .dbc, .dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .ddl, .dlis, .dqy, .dsk, .dsn, .dtsx, .dxl, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fmp, .fmp12, .fmpsl, .fol, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .hjt, .icg, .icr, .idb, .ihx, .iso, .itdb, .itw, .jet, .jtx, .kdb, .kdb, .kexi, .kexic, .kexis, .lgc, .lut, .lwx, .maf, .maq, .mar, .mas, .mav, .maw, .mdb, .mdf, .mdn, .mdt, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib, .nsf, .nvram, .nwdb, .nyf, .odb, .oqy, .ora, .orx, .owc, .pan, .pdb, .pdm, .pnz, .pvm, .qcow2, .qry, .qvd, .raw, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spq, .sql, .sqlite, .sqlite3, .sqlitedb, .subvol, .temx, .tmd, .tps, .trc, .trm, .udb, .udl, .usr, .vdi, .vhd, .vhdx, .vis, .vmcx, .vmdk, .vmem, .vmrs, .vmsd, .vmsn, .vmx, .vpd, .vsv, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld, .xmlff
So, if my company doesn’t have a secure backup that it can recover these files from, it could find itself in a sticky pickle…
Right. The ransomware issues a ransom note to each folder where it encrypted your files, and tells you that you will have to enter into negotiations to get your data back.
“By dealing with us, you will save a lot because we are not interested in ruining you financially. We will study in depth your finances, banks and profits, your savings, investments, etc. and present to you our reasonable demand. If you have active cyber insurance, let us know and we will guide you on how to use it True. Also, dragging out the negotiation process will lead to the failure of the deal.”
How nice of them!
hmm In addition, the ransom note offers a “security report” with the payment that the hackers say will reveal the weaknesses that allowed them to wreak their havoc.
“The security report or exclusive first-hand information you will receive upon obtaining an agreement is invaluable, as no full audit of your network will show you the vulnerabilities we were able to identify and use to get in, identify backup solutions and upload your data.”
Their generosity knows no bounds! I guess they won’t be so friendly if my girlfriend refuses to pay the ransom?
Right.
“We will try to sell personal information/trade secrets/databases/source codes – in general, anything that has value on the dark market – to multiple threat actors in one. Then all this will be published on our blog.
Ah. You mentioned that their dark web leak site was unusual. Why?
Perhaps it was the case that the ransomware authors felt they couldn’t be very creative with the visual appearance of the ransomware themselves (as they wouldn’t want it to draw too much attention to itself), so they put their efforts into it. instead of a leak. Leak site Akira, like its adopted name, seems to be happy living in the 80s. The site, which can be reached via Tor, adopts an old-school green-on-black theme, where visitors are invited to type commands rather than navigate a menu.
I’ll be honest with you, I love the look of it!
As well. But I’d probably feel less good about it if it was my data they were extorting for a ransom ranging from $200,000 to millions of dollars.
It’s a shame they didn’t stay with the retro style and charge 80’s prices!
Too bad they commit a crime at all. Our best advice is to follow the same recommendations we gave on how to protect your organization from other ransomware. These include:
- Making secure backups off-site.
- Running up-to-date security solutions and ensuring your computers are protected with the latest security patches against vulnerabilities.
- Limit an attacker’s ability to spread laterally through your organization through network segmentation.
- Use unique, hard-to-crack passwords to protect sensitive data and accounts, as well as enable multi-factor authentication.
- Encrypt sensitive data wherever possible.
- Reducing the attack surface by disabling functionality your company doesn’t need.
Educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.
Editor’s Note: The views expressed in this author’s article are solely those of the contributor, and do not necessarily reflect those of Tripwire.
