
Dark Web Profile: Akira Ransomware – SOCRadar

[Update] October 1, 2024: “What Are the Latest Akira News?”
Since its discovery in early 2023, Akira ransomware has evolved from a seemingly ordinary addition to the ransomware landscape to a significant threat affecting a wide range of businesses and critical infrastructure entities. This evolution, coupled with its unique aesthetic on its leak site and communications, has drawn attention to its operations.
Akira’s data leak site, home page
According to a recently published CISA advisory, Akira had impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds as of January 1, 2024.
The ransom group employs a double extortion strategy, first exfiltrating data and then encrypting devices within the targeted network. Payment is then demanded not only for decrypting files but also for preventing the exposure of leaked data.
Threat actor card of Akira Ransomware
The ransomware’s name is believed to have its roots in a 1988 anime movie with a cyberpunk theme. In this film, Akira’s destruction of Neo-Tokyo is portrayed as a preventive measure against a malevolent force taking hold within the city.
This narrative parallels a common argument among ransomware operators who “claim” to perceive the world’s economic system as the source of evil. They often view themselves as modern-day Robin Hoods or Akiras, fighting against what they see as systemic injustices.
Akira (1988), the movie that probably inspired the ransomware group. Popular culture is a common reference point among threat actors, especially since these cultural products circulate widely in cyberspace. (Image: IMDb)
As suggested by CISA, Akira ransomware has impacted numerous businesses and critical infrastructure entities across North America, Europe, and Australia since March 2023. Initially focusing on Windows systems, the threat expanded in April 2023 to target VMware ESXi virtual machines with a Linux variant. As of January 1, 2024, the group has affected over 250 organizations and amassed approximately $42 million (USD) in ransomware proceeds.
Early versions of Akira ransomware, coded in C++, used a .akira extension for encrypted files. Starting in August 2023, some Akira attacks introduced Megazord, a Rust-based encryption tool using a .powerranges extension. The threat actors behind Akira have alternated between Megazord and Akira_v2 (identified by independent investigations) in their attacks.
The Akira ransomware group frequently demands hefty ransoms, primarily targeting large enterprises across North America, Europe, and Australia. Typically, the malware spreads through targeted threat campaigns using phishing emails or exploiting software vulnerabilities, focusing on industries such as education, finance, manufacturing, and healthcare.
Target countries of Akira Ransomware in past year
The large number of victims in the United States dominates the chart, far overshadowing every other country.
The list also shows that countries closely aligned with the United States, such as the European countries, account for most victims outside the US.
A victim listing of Akira Ransomware
In order to display the victims on the ransomware group’s homepage, which resembles a command line interface, guests must input the “-leaks” command. This command lists the victims in chronological order, starting from the first victim to the most recent.
The victims’ details are accompanied by a torrent magnet link to access the alleged files, along with information regarding the victim, the amount of leaked data, and the portion of data that has been made public.
Unfortunately, the design does not appear to contain any easter eggs
Contact with the group also goes through this interface: entering the -contacts command at the prompt asks first for a name and then for the message.
As specified in CISA’s advisory:
Initial Access:
Akira threat actors primarily gain initial access to organizations through a Virtual Private Network (VPN) service lacking Multi-Factor Authentication (MFA), often exploiting known vulnerabilities in Cisco systems such as CVE-2020-3259 and CVE-2023-20269. Additional methods include Remote Desktop Protocol (RDP), spear phishing, and credential abuse.
Persistence and Discovery:
After gaining initial access, Akira actors establish persistence by creating new domain accounts and utilizing domain controllers. They leverage post-exploitation techniques like Kerberoasting to extract credentials and use credential scraping tools for privilege escalation. Network scanning tools aid in reconnaissance and identifying domain controllers.
Defense Evasion:
Akira actors may deploy multiple ransomware variants within the same attack, disable security software, and terminate antivirus-related processes to avoid detection.
Exfiltration and Impact:
Tools like FileZilla and WinSCP are used for data exfiltration, while AnyDesk and Ngrok establish command and control channels. Akira utilizes a double-extortion model, encrypts systems, and demands payment in Bitcoin. They threaten to publish data on the Tor network to pressure victims.
Encryption:
Akira employs a hybrid encryption scheme combining ChaCha20 and RSA algorithms, targeting specific file types and sizes. They delete volume shadow copies (VSS) and leave ransom notes to communicate with victims.
Akira Ransom Note (Avast Threat Labs)
Leveraged Tools:
Akira actors use various tools such as AdFind, Advanced IP Scanner, AnyDesk, Mimikatz, RClone, WinRAR, WinSCP, and PowerShell for reconnaissance, remote access, credential theft, exfiltration, and system manipulation.
This Modus Operandi highlights Akira’s sophisticated techniques from initial access to impact, showcasing their evasion tactics, encryption methods, and utilization of diverse tools for malicious activities. For the full details please visit CISA.
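A defender-side illustration of how three of the behaviours summarised above (new domain accounts for persistence, Kerberoasting for credential access, and shadow copy deletion before encryption) could surface in Windows Security logs. This is an added example, not code from SOCRadar or the CISA advisory; the event records, field names, hostnames and alert thresholds are constructed for the demonstration.

```python
"""Detection logic for three Akira TTPs described in the CISA advisory summary:
4720 (user account created), 4769 RC4 service-ticket bursts (Kerberoasting)
and 4688 process creation deleting volume shadow copies (impact).
Events are constructed, simplified Security-log records, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for illustration only (not real log data).
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2024-03-01T02:10:00", "subject": "CORP\\svc_backup", "target": "CORP\\itadmin2"},
    {"id": 4769, "time": "2024-03-01T02:12:00", "account": "CORP\\svc_backup", "service": "MSSQLSvc", "etype": "0x17"},
    {"id": 4769, "time": "2024-03-01T02:12:01", "account": "CORP\\svc_backup", "service": "http-web01", "etype": "0x17"},
    {"id": 4769, "time": "2024-03-01T02:12:02", "account": "CORP\\svc_backup", "service": "cifs-fs01", "etype": "0x17"},
    {"id": 4769, "time": "2024-03-01T09:00:00", "account": "CORP\\alice", "service": "krbtgt", "etype": "0x12"},
    {"id": 4688, "time": "2024-03-01T03:30:00", "host": "FS01", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 4688, "time": "2024-03-01T09:05:00", "host": "WS07", "cmdline": "notepad.exe C:\\notes.txt"},
]

RC4_ETYPE = "0x17"                        # TicketEncryptionType for RC4-HMAC in event 4769
KERBEROAST_THRESHOLD = 3                  # distinct RC4 service tickets per account ...
KERBEROAST_WINDOW = timedelta(minutes=5)  # ... within this window (assumed tuning values)
VSS_MARKERS = ("vssadmin delete shadows", "wmic shadowcopy delete", "win32_shadowcopy")


def detect(events):
    """Return a list of (rule, detail) alerts for the given event records."""
    alerts = []
    rc4_requests = defaultdict(list)  # account -> [(time, service)]
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            # Persistence: a newly created domain account
            alerts.append(("new-domain-account", f'{ev["subject"]} created {ev["target"]}'))
        elif ev["id"] == 4769 and ev["etype"] == RC4_ETYPE and ev["service"] != "krbtgt":
            # Candidate Kerberoasting: RC4 (downgraded) service ticket for a service account
            rc4_requests[ev["account"]].append((t, ev["service"]))
        elif ev["id"] == 4688 and any(m in ev["cmdline"].lower() for m in VSS_MARKERS):
            # Impact: shadow copies removed so encrypted files cannot be rolled back
            alerts.append(("shadow-copy-deletion", f'{ev["host"]}: {ev["cmdline"]}'))
    # Kerberoasting: many distinct RC4 service tickets requested in a short burst
    for account, reqs in rc4_requests.items():
        reqs.sort()
        for start, _ in reqs:
            window = {s for t, s in reqs if start <= t <= start + KERBEROAST_WINDOW}
            if len(window) >= KERBEROAST_THRESHOLD:
                alerts.append(("kerberoasting", f"{account} requested {len(window)} RC4 tickets"))
                break
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Real deployments would read these fields from a SIEM rather than from inline dicts, and tune the RC4 threshold and window to the environment's baseline.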
For the existing IoCs you may also visit SOCRadar Platform.
SOCRadar’s robust defense strategy is specifically designed to combat the ransomware threat. Our proactive approach to threat monitoring and intelligence solutions is customized to bolster your organization’s security posture effectively. Through our platform, you can actively monitor and analyze threat actors like Akira, gaining in-depth insights into their strategies, targeted vulnerabilities, associations, and signs of compromise. This proactive methodology empowers you to anticipate and mitigate potential threats efficiently, protecting your critical assets.
SOCRadar, Attack Surface Management module with Ransomware Check function
In addition, our Attack Surface Management module, featuring the Ransomware Check function, provides continuous monitoring of all potential attack pathways. This ensures that you receive real-time notifications about any suspicious activities linked to ransomware. By staying ahead of these threats, you can promptly respond and strengthen your cybersecurity defenses, reducing the risk posed by Akira ransomware and other emerging threats.
Akira ransomware has returned to encrypting victims’ files after a phase of focusing solely on extortion without encryption. Cisco Talos researchers, James Nutland and Michael Szeliga, observed this strategic shift, drawing comparisons to the methods used by Karakurt and Cl0p. This move aims to enhance operational efficiency within Akira’s ransomware-as-a-service (RaaS) model.
The group has also resumed using its C++ encryptor for Windows systems, abandoning its brief experimentation with Rust-based encryptors for Linux. Researchers identified the new C++ variant as similar to Akira’s original payload from late 2023, signaling a refinement of its tools rather than a full overhaul.
Akira affiliates have been exploiting vulnerabilities like CVE-2024-40766 to target both Windows and Linux systems. Their ability to adapt, testing different programming frameworks, and targeting high-impact vulnerabilities has secured Akira’s position as a leading ransomware group, especially following law enforcement actions against competitors like LockBit and ALPHV. Microsoft reported that Akira accounted for 17% of ransomware attacks in the past year, reflecting its significant role in the ransomware landscape.
For further information about this latest research refer to Talos’ report.
