Akira Ransomware: Targeted Attacks, Data Breaches, and Million-Dollar Ransoms

A new ransomware strain named Akira has emerged, causing significant disruption to corporate networks worldwide. It targets industries such as finance, real estate, and manufacturing, and it has quickly gained notoriety since its launch in March 2023. Upon execution, Akira deletes Windows Shadow Volume Copies, making file restoration challenging. It selectively encrypts files with various extensions, appending “.akira” to their names. During encryption, the encryptor skips files in specific folders such as Recycle Bin, System Volume Information, Boot, ProgramData, and Windows. It also refrains from encrypting essential Windows system files with extensions like .exe, .lnk, .dll, .msi, and .sys.

The ransomware’s unique aspect is its double extortion approach. Before encrypting files, the ransomware operators exfiltrate sensitive corporate data to leverage during extortion. Data leak sites have already revealed stolen information, emphasizing the urgency for organizations to act. Akira demands ransoms ranging from hundreds of thousands to millions of dollars. However, negotiations are possible, especially for those seeking to prevent public data leaks. Victims receive unique negotiation passwords to access the threat actor’s communication platform. It’s crucial for affected organizations to carefully evaluate their response strategies and consult experts to navigate this evolving threat landscape. Akira ransomware poses a grave risk to corporate networks, employing encryption tactics and data breaches to extort significant ransoms.  

Some indicators of compromise (IOCs) to look out for are:  

  • SHA-1: c4d6c1fd4c1a702a2302cc62bce7d770e5b7369c
  • Files Dropped: C:\$SysReset\AppxLogs\readme-asldkas.txt and %USERPROFILE%\AppData\Local\Temp\__PSScriptPolicyTest_mosvw3pu.vr2.ps1
  • Associated Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
  • Associated IPv4 Addresses: 20.99.133.109, 20.99.186.246, 20.99.185.48, 192.229.211.108
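
As an added example (not code from the original post), the following Python triage routine correlates the indicators above per host: the shadow-copy deletion command line, the listed SHA-1, and newly created files ending in ".akira". The event schema, host names, signal labels and sample events are constructed assumptions; map them to whatever your EDR or Sysmon pipeline exports.

```python
import re
from collections import defaultdict

# Command line from the IOC list: enumerate Win32_Shadowcopy, pipe to Remove-WmiObject.
SHADOW_DELETE = re.compile(
    r"get-wmiobject\s+win32_shadowcopy\s*\|\s*remove-wmiobject", re.IGNORECASE)
AKIRA_SHA1 = "c4d6c1fd4c1a702a2302cc62bce7d770e5b7369c"  # SHA-1 from the IOC list

def triage(events):
    """Return {host: {"signals": set, "akira_files": int}} for hosts with a match."""
    hosts = defaultdict(lambda: {"signals": set(), "akira_files": 0})
    for ev in events:
        entry = hosts[ev["host"]]
        if ev["type"] == "process":
            is_ps = ev["image"].lower().endswith("\\powershell.exe")
            if is_ps and SHADOW_DELETE.search(ev["cmdline"]):
                entry["signals"].add("shadow_copy_deletion")
            if ev.get("sha1", "").lower() == AKIRA_SHA1:
                entry["signals"].add("known_sha1")
        elif ev["type"] == "file_create" and ev["path"].lower().endswith(".akira"):
            entry["signals"].add("akira_extension")
            entry["akira_files"] += 1
    return {h: e for h, e in hosts.items() if e["signals"]}

def severity(entry):
    """Shadow-copy deletion plus .akira files means encryption is under way."""
    s = entry["signals"]
    if {"shadow_copy_deletion", "akira_extension"} <= s:
        return "critical"
    return "high" if s else "none"

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (hypothetical schema and host names).
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "image": PS,
     "cmdline": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"host": "WS01", "type": "file_create", "path": r"D:\Finance\q1.xlsx.akira"},
    {"host": "WS01", "type": "file_create", "path": r"D:\Finance\q2.xlsx.AKIRA"},
    # Enumeration only, no deletion: must not be flagged.
    {"host": "WS02", "type": "process", "image": PS,
     "cmdline": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy"'},
    {"host": "WS03", "type": "file_create", "path": r"C:\Users\a\notes.txt"},
]

if __name__ == "__main__":
    for host, entry in triage(SAMPLE_EVENTS).items():
        print(host, severity(entry), sorted(entry["signals"]), entry["akira_files"])
```

A host that shows only one signal is rated "high" so that a shadow-copy deletion is escalated before any encrypted files appear.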

Organizations impacted by Akira must prioritize cybersecurity measures and seek expert guidance. While negotiations proceed, it is advisable to refrain from paying ransoms until the potential for a free decryptor is assessed. Swift action and informed decision-making are paramount to mitigating the impact of Akira and protecting sensitive data. Mitigation measures for the Akira ransomware and similar threats include keeping VPN appliances up to date with patches and updates, implementing strong access controls like multi-factor authentication, monitoring network traffic for suspicious activities, deploying endpoint security solutions, regularly backing up critical data offline, providing security awareness training to employees, and developing an incident response plan.