Akira
⚠️ Overview
Akira is a ransomware family first observed in March 2023. It was covered early by BleepingComputer and is the subject of a joint advisory from CISA, the FBI, Europol's EC3 and the Netherlands' NCSC-NL. It operates as ransomware-as-a-service (RaaS) run by an unnamed group that is generally assessed to be Eastern European; several analysts have noted code and wallet overlaps with the defunct Conti operation. Akira ships encryptors for Windows and for Linux (including VMware ESXi hosts) and practices double extortion: sensitive data is exfiltrated first, then files are encrypted, and victims who do not pay are published on the group's leak site.
🔧 Technical Capabilities
Initial access most often comes through VPN services that lack multifactor authentication, frequently via the Cisco ASA/FTD flaws CVE-2020-3259 (an information-disclosure bug used to recover VPN credentials from device memory) and CVE-2023-20269 (unauthorized access to the remote-access VPN through credential brute forcing); exploitation of the Fortinet SSL-VPN path traversal CVE-2018-13379, exposed RDP, spear phishing and stolen or purchased credentials have also been reported. The original Windows encryptor is written in C++; a Linux build targets VMware ESXi hosts, and a later Rust-based variant known as Megazord appends .powerranges instead of the usual .akira extension. Encrypted files receive the .akira extension and a ransom note named akira_readme.txt is written to each directory. Encryption is hybrid: file contents are encrypted with a ChaCha20 stream cipher under a per-file key, and that key is encrypted with an RSA public key embedded in the binary, so recovery requires the operators' private key. To shorten the run the encryptor encrypts only part of each larger file (intermittent encryption); according to Avast's analysis the Windows build accepts -p/--encryption_path, -s/--share_file, -n/--encryption_percent and -l/--localonly arguments, so the encrypted percentage is operator-chosen. Before encryption the operators delete volume shadow copies with PowerShell (Get-WmiObject Win32_Shadowcopy | Remove-WmiObject) and neutralize endpoint protection, typically by killing AV processes with PowerTool or the Zemana AntiMalware driver. The encryptor has no command-and-control channel of its own: the intrusion is driven interactively over remote-access tooling such as AnyDesk, RustDesk, MobaXterm, Cloudflare Tunnel and Ngrok, and data is staged and exfiltrated with FileZilla, WinRAR, WinSCP and RClone. Persistence is achieved by creating new domain accounts on compromised systems rather than by a malware-side mechanism.
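The intermittent encryption described above leaves a detectable signature: ciphertext-like and plaintext-like blocks alternate inside one file. The scanner below is an added example, not Akira's code or anything from the advisory; it splits a file into fixed-size blocks, computes each block's Shannon entropy and classifies the pattern. The block size, the thresholds and the constructed sample file are assumptions for illustration, not values taken from Akira.

```python
"""Per-block entropy scan for intermittent (partial) encryption.

Added example, not Akira's code. A file is split into fixed-size blocks,
each block's Shannon entropy is computed, and the high/low pattern is
classified. BLOCK_SIZE and the thresholds are illustrative assumptions.
"""
import math
import random
from collections import Counter

BLOCK_SIZE = 4096      # assumption: scan granularity in bytes
HIGH_ENTROPY = 7.5     # bits/byte; uniformly random 4 KiB scores about 7.95
LOW_ENTROPY = 6.0      # documents and source text sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_profile(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """One letter per block: H (ciphertext-like), L (plaintext-like), M (in between)."""
    letters = []
    for off in range(0, len(data), block_size):
        e = shannon_entropy(data[off:off + block_size])
        letters.append("H" if e >= HIGH_ENTROPY else "L" if e <= LOW_ENTROPY else "M")
    return "".join(letters)


def classify(data: bytes) -> str:
    """Return 'empty', 'plaintext', 'fully-encrypted', 'intermittent' or 'partial'.

    'intermittent' means the entropy level changes at least twice along the
    file, the striped signature of an encryptor that skips parts of each file;
    'partial' covers a single encrypted region (for example only the head).
    """
    profile = block_profile(data)
    if not profile:
        return "empty"
    if "H" not in profile:
        return "plaintext"
    if set(profile) == {"H"}:
        return "fully-encrypted"
    transitions = sum(1 for a, b in zip(profile, profile[1:]) if a != b)
    return "intermittent" if transitions >= 2 else "partial"


def make_sample(seed: int = 1, blocks: int = 16, every: int = 2) -> bytes:
    """Constructed sample, not a real Akira output: a text file in which every
    `every`-th block is replaced by pseudo-random bytes standing in for ciphertext."""
    rng = random.Random(seed)
    text_block = (b"Quarterly report: revenue, costs, headcount and forecast.\n" * 200)[:BLOCK_SIZE]
    out = bytearray()
    for i in range(blocks):
        out += rng.randbytes(BLOCK_SIZE) if i % every == 0 else text_block
    return bytes(out)


if __name__ == "__main__":
    sample = make_sample()
    print(block_profile(sample), classify(sample))   # HLHLHLHLHLHLHLHL intermittent
```

Run against a suspect share, a burst of files classified as intermittent or partial (rather than fully-encrypted) is a strong hint that a partial-encryption ransomware, not a bulk disk or archive tool, touched them; compressed and already-encrypted formats (zip, PDF images, TLS captures) score high everywhere and should be excluded by type before alerting.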
📜 History & Notable Incidents
Akira first appeared in March 2023 with a Windows encryptor; a Linux build aimed at VMware ESXi hosts followed within months, and a Rust-based variant known as Megazord (ransom extension .powerranges) was seen from late summer 2023. Avast released a free decryptor for the early Windows and Linux samples in June 2023, after which the operators changed the encryption routine, so later samples cannot be recovered with it. Activity spread quickly across North America, Europe and Australia against businesses and critical infrastructure in sectors including education, government and healthcare; Stanford University, for example, was listed on Akira's leak site in October 2023. Initial access in several campaigns used the Cisco ASA/FTD VPN flaws CVE-2020-3259 and CVE-2023-20269. In April 2024 CISA, the FBI, Europol's EC3 and NCSC-NL published joint advisory AA24-109A (#StopRansomware: Akira Ransomware), reporting that the group had impacted more than 250 organizations and claimed roughly $42 million in ransom proceeds as of January 1, 2024. No law enforcement takedown had been reported as of early 2024.
🔍 Detection Indicators
Sample hashes change with every build, so the durable indicators are behavioural. File artifacts: files renamed with the .akira (or, for Megazord, .powerranges) extension and a ransom note named akira_readme.txt dropped in each encrypted directory. Host behaviour: shadow copies deleted through PowerShell (Get-WmiObject Win32_Shadowcopy | Remove-WmiObject) or through vssadmin.exe delete shadows /all /quiet and wmic shadowcopy delete; AV processes terminated with PowerTool or the Zemana AntiMalware driver; credential theft with Mimikatz and LaZagne; network discovery with Advanced IP Scanner or SoftPerfect Network Scanner; creation of new domain accounts for persistence. Tooling: unexpected execution of AnyDesk, RustDesk, MobaXterm, Cloudflare Tunnel or Ngrok for remote access, and of FileZilla, WinRAR, WinSCP or RClone for staging and exfiltration. Network: VPN logins without MFA from unfamiliar sources followed by large outbound transfers to cloud storage or to the attackers' own hosts, often in the hours before the encryption run. Treat any published hashes, IP addresses or domains as short-lived and confirm them against the sources in AA24-109A before blocking on them.
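The host-behaviour indicators above translate directly into command-line matching on process-creation telemetry. The script below is an added example, not from the page or the advisory: it runs a few rules over constructed Sysmon-style process-creation events (JSON, one per line) and reports shadow-copy deletion, exfiltration tooling and ransom-note or extension artifacts. The field names, paths, timestamps and events are assumptions made up for the example.

```python
"""Match process-creation telemetry against Akira-style tradecraft.

Added example, not the page's or CISA's code. Constructed Sysmon-like events
are checked for shadow-copy deletion (vssadmin, wmic, PowerShell WMI), the
exfiltration tools reported in use, and ransom-note / extension artifacts.
Field names and the sample events are illustrative assumptions.
"""
import json
import re
from typing import Iterable

RULES = {
    "shadow_copy_deletion": [
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
        re.compile(r"Win32_Shadowcopy.*Remove-WmiObject", re.I),
    ],
    "exfil_tooling": [
        re.compile(r"\b(rclone|winscp|filezilla)(\.exe)?\b", re.I),
    ],
    "ransom_artifacts": [
        re.compile(r"akira_readme\.txt", re.I),
        re.compile(r"\.(akira|powerranges)\b", re.I),
    ],
}


def classify_event(event: dict) -> list:
    """Return the rule names whose patterns match the event's image or command line."""
    haystack = f"{event.get('Image', '')} {event.get('CommandLine', '')}"
    return [name for name, patterns in RULES.items()
            if any(p.search(haystack) for p in patterns)]


def scan_log(lines: Iterable[str]) -> list:
    """Return (UtcTime, Image, rule) triples for every matching event.

    Blank and malformed lines are skipped rather than aborting the scan.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule in classify_event(event):
            findings.append((event.get("UtcTime"), event.get("Image"), rule))
    return findings


# Constructed sample events (not real telemetry); timestamps and paths are made up.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-03-01 02:11:05", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"UtcTime": "2024-03-01 02:11:09", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"UtcTime": "2024-03-01 02:14:40", "Image": r"C:\Users\Public\rclone.exe",
     "CommandLine": r"rclone.exe copy C:\Shares\Finance remote:staging --transfers 16"},
    {"UtcTime": "2024-03-01 02:30:12", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Shares\Finance\akira_readme.txt"},
    {"UtcTime": "2024-03-01 02:30:15", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"UtcTime": "2024-03-01 02:31:00", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process | Sort-Object CPU"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


if __name__ == "__main__":
    for when, image, rule in scan_log(SAMPLE_LOG.splitlines()):
        print(when, rule, image)
```

The two benign events produce no findings, which is the point of anchoring on full command-line phrases rather than on image names: powershell.exe and svchost.exe are everywhere, but Win32_Shadowcopy piped into Remove-WmiObject is not. In production, feed the same rules from Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled, and correlate a shadow-copy deletion with a preceding RClone or WinSCP run to raise severity.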
☠️ Risk & Impact
Akira's operators exfiltrate data before encrypting files, so a victim faces both operational downtime and the threat of publication on the group's leak site. Because current samples use a sound hybrid ChaCha20/RSA scheme, files cannot be recovered without the operators' private key or clean backups. Victims in education, government and healthcare have reported ransom demands in the range of $500,000 to $2 million, and the joint advisory put Akira's total ransom proceeds at roughly $42 million by January 2024. The double-extortion model also carries regulatory exposure, for example breach-notification and penalty risk under GDPR and HIPAA when personal or health data is among the stolen files.
🛡️ Mitigation
Patch VPN appliances for CVE-2020-3259, CVE-2023-20269 and CVE-2018-13379, and require multifactor authentication on every remote-access path (VPN, RDP, webmail), since Akira's most common entry point is a VPN account without MFA. Limit RDP to jump hosts, segment the network so that one compromised workstation cannot reach file servers and hypervisors, and audit for newly created domain accounts. YARA matches file content rather than file names, so apply it to the ransom note text or the encryptor's strings, and rely on EDR or file-integrity telemetry to catch bursts of renames to .akira or .powerranges; alert on shadow-copy deletion through vssadmin, wmic or PowerShell Win32_Shadowcopy, and on unexpected RClone, WinSCP or FileZilla execution. Keep offline, tested backups, since Avast's 2023 decryptor works only against early samples. CISA's advisory AA24-109A lists the full set of detections and hardening measures.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.