The MalwareHunterTeam produced analysis of a newly emerged ransomware gang and variant called Akira. The group claims to have already attacked more than a dozen organizations across multiple industry verticals including education, finance, and manufacturing.
This group is not believed to be associated with another ransomware operator also called Akira that was active back in 2017, according to the researchers.
Akira's modules delete Windows Shadow Volume Copies by leveraging PowerShell, and the encryptor is designed to encrypt a wide range of file types while skipping Windows system files with .exe, .lnk, .dll, .msi, and .sys extensions.
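As an added example (not from the MalwareHunterTeam analysis or from Halcyon), this is the kind of process-creation log check a defender can run to surface the shadow-copy deletion step described above. The page says Akira uses PowerShell for this but does not give the command line, so the patterns below cover the common shadow-copy deletion methods in general (vssadmin, wmic, and the PowerShell WMI/CIM cmdlets) rather than any Akira-specific command, and the events are constructed to resemble Sysmon Event ID 1 fields.

```python
import re

# Constructed sample process-creation events, shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"',
     "User": r"CORP\svc-backup"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe  Delete   Shadows /All /Quiet",  # odd spacing/case
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows",  # benign: enumeration only
     "User": r"CORP\admin"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt",
     "User": r"CORP\jdoe"},
]

# Generic shadow-copy deletion methods (not a claim about Akira's exact command).
# Each regex runs over a normalised command line: lowercase, quotes removed, single spaces.
PATTERNS = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(\.exe)? delete shadows\b")),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(\.exe)? shadowcopy delete\b")),
    ("powershell win32_shadowcopy removal",
     re.compile(r"win32_shadowcopy.*\b(remove-wmiobject|remove-ciminstance)\b")),
]


def normalise(cmdline: str) -> str:
    """Lowercase, strip quote characters and collapse whitespace so that spacing,
    casing or quoting differences alone do not slip past a pattern."""
    return " ".join(cmdline.lower().replace('"', "").replace("'", "").split())


def detect_shadow_copy_deletion(events: list) -> list:
    """Return one finding per event whose command line matches a deletion pattern."""
    findings = []
    for event in events:
        cmd = normalise(event.get("CommandLine", ""))
        for label, pattern in PATTERNS:
            if pattern.search(cmd):
                findings.append({"technique": label, "user": event.get("User"),
                                 "image": event.get("Image"), "command": cmd})
                break  # one finding per event is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['user']}: {f['command']}")
```

Shadow-copy deletion by a non-backup account is a strong pre-encryption signal; the matching events are worth alerting on rather than only logging, since at that point the encryptor usually follows within minutes.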
Akira attacks thus far include data exfiltration with the threat to expose or sell the data should the victim fail to come to terms with the attackers. Akira has already reportedly leaked hundreds of gigabytes of stolen data from at least four victims.
"As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at once. Then all of this will be published in our blog," the ransom note explains, per BleepingComputer.
The Akira extortion platform also includes a chat feature for victims to negotiate directly with the attackers.
“Each victim has a unique negotiation password that is entered into the threat actor's Tor site. Unlike many other ransomware operations, this negotiation site just includes a chat system that the victim can use to negotiate with the ransomware gang,” BleepingComputer reported.
Takeaway: Akira is just one of many ransomware operators to emerge recently, joining the likes of Rorschach, Cylance, Trigona, MoneyMessage, Nokoyawa and more. We’ve also seen a number of established ransomware gangs fall off the map recently, including Hive, Conti, Pysa, DoppelPaymer and REvil, to name just a few.
Some groups dissipated because a decrypter was released for their ransomware, members were arrested or operations disrupted by law enforcement, or the members simply chose to abandon a brand and reorganize under a different moniker with updated payloads and tooling.
While there is constant change in the ransomware economy, what has not changed is the fact that these criminal organizations continue to be profitable. Also, the increase in data exfiltration associated with ransomware attacks is presenting a whole other problem for victim organizations.
So, when does a ransomware attack become a ransomware attack? At initial ingress? When command & control is established? When data is exfiltrated? Or is it only a ransomware attack once the ransomware payload has been delivered?
Preventing, detecting and responding to widespread, disruptive system and data encryption creates shorter-term issues that must be addressed, and an organization can survive them if it was prepared to be resilient.
The longer-term issue is that, even if an organization is prepared to respond to and recover from a ransomware attack, the exfiltration of sensitive data still exposes it to brand damage, loss of intellectual property and competitive advantage in the market, and legal liability should the data be regulated.
Organizations need to think far left of “boom” when preparing to respond to a ransomware attack, because today’s more complex, multi-stage attacks are focused on data exfiltration as well as the delivery of the ransomware payload at the end of the attack sequence.
A ransomware attack begins when the threat actors identify a potential victim and begin reconnaissance. If organizations are defending adequately, the attack can be stopped at any of the preceding stages before we ever see the ransomware payload introduced, and we’d never even know it was potentially a ransomware attack.
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.