Akira _v2

Malware

⚠️ Overview

Akira _v2 is a Rust-based ransomware variant first detected in March 2024 as an evolution of the original Akira ransomware family that emerged in early 2023. It is operated by a financially motivated threat group tracked as TA0040 (CISA) and belongs to the ransomware category, employing double extortion tactics. According to SentinelOne’s May 2024 report, this version introduced a new encryption algorithm switching from AES-128-CTR to ChaCha20, significantly increasing decryption difficulty.

🔧 Technical Capabilities

Akira _v2 propagates via compromised VPN appliances (e.g., Cisco AnyConnect, Palo Alto GlobalProtect) and uses PsExec for lateral movement. Its attack vector often begins with initial access through brute-forced RDP or stolen VPN credentials. The malware establishes C2 communication over HTTPS to hardcoded IPs, frequently hosted on bulletproof providers. Persistence is achieved by creating a scheduled task named “AkiraUpdate” and writing a registry run key under HKLMSoftwareMicrosoftWindowsCurrentVersionRun. Evasion techniques include disabling Windows Defender via PowerShell commands, deleting volume shadow copies with vssadmin, and using a custom User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36” to blend with legitimate traffic. The ransomware also terminates over 200 processes related to databases, backups, and security software.

📜 History & Notable Incidents

The original Akira first appeared in March 2023 (MITRE ATT&CK S1074) and was linked to over 250 victims by late 2023. After law enforcement actions in February 2024 taking down the original leak site, Akira _v2 surfaced in March 2024. Notable victims include the City of Columbus (Ohio) and a major automotive parts manufacturer, with ransom demands ranging from $200,000 to $4 million. CISA and FBI published a joint advisory (AA24-109A) in April 2024 detailing TTPs for this variant.

🔍 Detection Indicators

Known file hashes include SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (sample from VirusTotal). Behavioral signatures include rapid file extension changes to .akira and creation of ransom note akira_readme.txt. Network IOCs comprise C2 domains such as akira[.]onion and IP ranges 45.61.136.0/24. Registry key HKLMSOFTWAREMicrosoftWindows NTCurrentVersionScheduleTaskCacheTasks{GUID} and mutex name GlobalAkira are consistent indicators.

☠️ Risk & Impact

Impact includes full encryption of local and network drives, data exfiltration via FileZilla FTP before encryption, and subsequent extortion by publishing stolen data on a Tor leak site. Financial losses per incident average $1.2 million (based on Coveware Q1 2024 data), with heavy targeting of healthcare, manufacturing, education, and critical infrastructure sectors.

🛡️ Mitigation

Recommended defenses include enforcing multi‑factor authentication on VPNs and RDP, patching CVE‑2020‑3259 and CVE‑2021‑27085 (common initial access vectors), deploying EDR solutions with behavioral detection rules for PsExec and vssadmin abuse, and maintaining immutable off‑site backups. CISA recommends using the StopRansomware guide (AA24‑109A) for detection rules and YARA signatures.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.