Akira ransomware targets corporate networks worldwide

May 9, 2023
Tags: Akira Ransomware, Malware, Extortion, Data Encryption, Windows OS, VSS, Corporate Networks

The newly discovered Akira ransomware campaign has steadily gained victims worldwide. The operation follows the standard ransomware playbook: encrypt the victim's files, then demand a ransom.

The new operation has already carried out numerous attacks in about 16 countries, hitting organisations in sectors such as education, real estate, manufacturing, legal services, and finance.

Once on a device, Akira removes the Windows Volume Shadow Copies by running a PowerShell command, so that the victim cannot simply restore files from local snapshots.

After deleting the shadow copies, the ransomware encrypts files that carry a specific set of extensions.

The encryptor skips files inside the System Volume Information, Program Data, Recycle Bin, Windows, and Boot folders. It also leaves Windows system files alone, that is, files with extensions such as [.]dll, [.]exe, [.]msi, [.]sys, and [.]lnk.

Every file it encrypts is renamed with the [.]akira extension appended to the original file name.

To reach files that are in use, the ransomware calls the Windows Restart Manager API to close processes or remove Windows services that hold a file open and would otherwise block encryption.

A ransom note is dropped into every encrypted folder. It explains what happened and links to Akira's data leak site and negotiation site.
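As an added example (not code from the article, nor from any vendor product), the following Python shows how a defender might flag the two behaviours described above in endpoint telemetry: a PowerShell script block that deletes shadow copies, and a burst of newly created files carrying the [.]akira extension. The log records are constructed and simplified, and the host names, event shapes, and the rename threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample telemetry (not from the article): simplified PowerShell
# script-block records (event 4104) and Sysmon file-create records (event 11).
# Host "ws01" shows the pattern described in the article; "ws02" is benign.
SAMPLE_EVENTS = [
    {"id": 4104, "host": "ws01",
     "script": "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"},
    {"id": 11, "host": "ws01", "path": r"C:\Users\jdoe\Documents\q1-report.xlsx.akira"},
    {"id": 11, "host": "ws01", "path": r"C:\Users\jdoe\Documents\contract.pdf.akira"},
    {"id": 11, "host": "ws01", "path": r"C:\Shares\finance\ledger.db.akira"},
    {"id": 11, "host": "ws01", "path": r"C:\Users\jdoe\AppData\Local\Temp\cache.tmp"},
    {"id": 4104, "host": "ws02", "script": "Get-ChildItem C:\\Logs | Measure-Object"},
    {"id": 11, "host": "ws02", "path": r"C:\Users\asmith\Desktop\notes.txt"},
]

# Script-block content that removes Volume Shadow Copies. The article says
# Akira does this through PowerShell before it starts encrypting.
SHADOW_DELETE = re.compile(
    r"Win32_Shadowcopy.*(Remove-WmiObject|\.Delete\(\))|vssadmin.+delete\s+shadows",
    re.IGNORECASE,
)


def shadow_copy_deletion_hosts(events):
    """Hosts on which a PowerShell script block removed shadow copies."""
    return sorted({e["host"] for e in events
                   if e["id"] == 4104 and SHADOW_DELETE.search(e["script"])})


def akira_rename_hosts(events, threshold=3):
    """Hosts with at least `threshold` new files ending in the .akira extension."""
    counts = Counter(e["host"] for e in events
                     if e["id"] == 11 and e["path"].lower().endswith(".akira"))
    return sorted(h for h, n in counts.items() if n >= threshold)


def triage(events, threshold=3):
    """Per-host verdict combining both signals; seeing both is the strongest."""
    shadow = set(shadow_copy_deletion_hosts(events))
    renames = set(akira_rename_hosts(events, threshold))
    verdict = {}
    for host in shadow | renames:
        if host in shadow and host in renames:
            verdict[host] = "both: shadow copy deletion + .akira renames"
        elif host in shadow:
            verdict[host] = "shadow copy deletion only"
        else:
            verdict[host] = ".akira renames only"
    return verdict
```

In a real deployment the rename threshold would be applied per time window, since a handful of [.]akira files created over a few seconds is a far stronger signal than the same count spread over a day.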

The ransom note threatens that, if the victim does not comply, the attackers will sell or trade the stolen information to other threat actors and publish the encrypted data on their blog.

Each victim receives a unique negotiation password for the group's Tor site. Unusually among ransomware operations, the site offers nothing but a chat system through which the victim can negotiate with the attackers.

Like other ransomware operations, Akira breaches a corporate network and moves laterally to other devices. Once the threat actors obtain Windows domain administrator credentials, they deploy the ransomware across the whole network.

Before encrypting files, the attackers also steal corporate data to use as leverage in their extortion attempts. Akira is the latest addition to the ransomware operations capable of infecting large numbers of networks. The group has denied claims that it is connected to a previously identified Akira group.
