Akira Ransomware Using Compromised Credentials and Public Tools in New Wave of Cyberattacks
The cybersecurity landscape faces a mounting threat as the Akira ransomware group intensifies operations, marking a significant evolution since its emergence in March 2023.
This sophisticated threat actor specializes in leveraging compromised credentials to access vulnerable VPN services lacking multi-factor authentication, predominantly exploiting known Cisco vulnerabilities.
Once inside a network, Akira deploys an arsenal of publicly available tools for reconnaissance, lateral movement, and data exfiltration before executing its encryption payload.
The impact of Akira’s operations has been substantial, with over 250 organizations across North America, Europe, and Australia falling victim as of January 2024.
The group has amassed approximately $42 million in ransom payments, targeting diverse sectors with particular focus on Education, Finance, Manufacturing, and Healthcare industries.
In a particularly aggressive campaign during November 2023, the group posted over 30 new victims on their data leak site in a single day, demonstrating their expanding operational capacity.
Akira employs a double extortion strategy, first exfiltrating sensitive data before encrypting files on target systems.
This approach maximizes pressure on victims, who face both operational disruption and the threat of confidential information exposure.
According to their leak site, the group has compromised over 350 organizations, with victims who refuse payment seeing their data published in the dedicated “Leaks” section.
Dark Atlas researchers identified a significant technical evolution in Akira’s toolkit, noting a transition from early C++ variants to more sophisticated Rust-based code.
“The incorporation of ‘Megazord’ in August 2023 represents a substantial upgrade in their capabilities,” noted Dark Atlas analysts after examining multiple attack patterns. “This shift allows for more efficient encryption processes and improved evasion techniques.”
The ransomware has undergone notable improvements, with the Akira_v2 variant introducing advanced features such as targeted encryption paths, customizable encryption percentages, and specialized virtual machine targeting capabilities.
The newest version utilizes a unique Build ID as a run condition, hindering dynamic analysis attempts by security researchers.
Infection Chain and Technical Arsenal
Akira’s initial access strategy relies heavily on compromised VPN credentials, particularly targeting services without multi-factor authentication.
Once inside, the group deploys tools like Advanced IP Scanner and SoftPerfect Network Scanner to map the network environment.
For credential harvesting, they utilize sophisticated techniques including Kerberoasting and memory dumping tools such as Mimikatz to extract credentials from LSASS processes.
The attackers create persistence through new domain accounts, with FBI reporting instances of administrative accounts named “itadm” being established.
For data exfiltration, Akira operators employ a combination of legitimate utilities (SHA-256):
RClone.exe - aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9
WinSCP.rnd - 7d6959bb7a9482e1caa83b16ee01103d982d47c70c72fdd03708e2b7f4c552c4
These tools facilitate the transfer of stolen data to attacker-controlled infrastructure before encryption begins.
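The intrusion chain described above (a freshly created domain account such as “itadm” being promoted to an admin group, followed by execution of discovery and exfiltration tooling) leaves a recognisable trail in Windows Security and Sysmon-style telemetry. The following triage script is an added example written for this article, not code from Dark Atlas, the FBI or the Akira operators. The event records are constructed samples in a simplified JSON shape (field names `ts`, `event_id`, `host`, `subject_user`, `target_user`, `group`, `image`, `sha256` are assumptions, loosely modelled on event IDs 4720, 4728 and 4688); the two SHA-256 values are the RClone and WinSCP hashes quoted in the article, and every other hash is a constructed placeholder.

```python
"""Correlate constructed Windows event records for the Akira tradecraft
described in the article: new account -> admin group promotion -> tool execution."""
import json

# SHA-256 hashes of the exfiltration utilities quoted in the article.
KNOWN_TOOL_HASHES = {
    "aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9": "RClone.exe",
    "7d6959bb7a9482e1caa83b16ee01103d982d47c70c72fdd03708e2b7f4c552c4": "WinSCP.rnd",
}
# Image names of the discovery / credential / exfil tools named in the article
# (lower-cased; filenames are an assumption, defenders should tune to their estate).
SUSPICIOUS_IMAGES = {
    "advanced_ip_scanner.exe", "netscan.exe", "mimikatz.exe", "rclone.exe", "winscp.exe",
}
ADMIN_GROUPS = {"domain admins", "enterprise admins", "administrators"}

# Constructed sample events (not real logs). 4720 = account created,
# 4728 = member added to a global group, 4688 = process created.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T02:11:03Z", "event_id": 4720, "host": "DC01",
     "subject_user": "CORP\\svc_backup", "target_user": "itadm"},
    {"ts": "2024-01-10T02:11:09Z", "event_id": 4728, "host": "DC01",
     "subject_user": "CORP\\svc_backup", "target_user": "itadm", "group": "Domain Admins"},
    {"ts": "2024-01-10T02:30:41Z", "event_id": 4688, "host": "WS042",
     "subject_user": "CORP\\itadm",
     "image": "C:\\Users\\itadm\\Downloads\\Advanced_IP_Scanner.exe",
     "sha256": "1" * 64},  # constructed placeholder hash
    {"ts": "2024-01-10T03:05:12Z", "event_id": 4688, "host": "FS01",
     "subject_user": "CORP\\itadm", "image": "C:\\ProgramData\\rclone.exe",
     "sha256": "aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9"},
    {"ts": "2024-01-10T09:00:00Z", "event_id": 4688, "host": "WS007",
     "subject_user": "CORP\\alice", "image": "C:\\Windows\\System32\\notepad.exe",
     "sha256": "2" * 64},  # constructed placeholder hash, benign activity
]


def _short_user(name):
    """Strip a DOMAIN\\ prefix and lower-case the account name."""
    return name.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return a list of findings; each carries the event context and the reasons it fired."""
    findings = []
    new_accounts = {}  # account name -> creation timestamp, from 4720 events
    for e in sorted(events, key=lambda x: x["ts"]):
        eid = e["event_id"]
        reasons = []
        if eid == 4720:
            new_accounts[_short_user(e["target_user"])] = e["ts"]
            continue
        if eid == 4728:
            user = _short_user(e["target_user"])
            group = e.get("group", "").lower()
            # Promotion of an account created earlier in the window is the
            # persistence pattern the FBI observed (e.g. the "itadm" account).
            if group in ADMIN_GROUPS and user in new_accounts:
                reasons.append("new-account-promoted-to-admin:" + group)
        elif eid == 4688:
            image = e.get("image", "").rsplit("\\", 1)[-1].lower()
            sha = e.get("sha256", "").lower()
            if sha in KNOWN_TOOL_HASHES:
                reasons.append("known-exfil-tool-hash:" + KNOWN_TOOL_HASHES[sha])
            elif image in SUSPICIOUS_IMAGES:
                reasons.append("suspicious-tool-execution:" + image)
            if _short_user(e.get("subject_user", "")) in new_accounts:
                reasons.append("activity-by-newly-created-account")
        if reasons:
            findings.append({"ts": e["ts"], "host": e["host"],
                             "user": _short_user(e.get("target_user") or e.get("subject_user", "")),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(json.dumps(f))
```

Hash matching is tried before the filename check because a renamed binary keeps its hash, while a rebuilt one keeps its name; in a real deployment both lists are fed from the organisation’s own threat-intelligence platform rather than hard-coded.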
The final stage encrypts files and appends either the .akira or .powerranges extension, followed by ransom notes directing victims to a .onion URL for payment negotiations.