Ransomware in focus: Akira

While the world grapples with the potential impact of generative AI on security practices (both positive implications and negative ones), let’s not forget one old adversary that continues to develop in sophistication: ransomware.

Over the last couple of weeks we’ve seen cybersecurity professionals and government organisations issue warnings about a new family of ransomware, called Akira.

The Hindustan Times reported that the Indian Computer Emergency Response Team (CERT-IN) has urged internet users to be on the lookout for Akira, because it’s “causing significant concern.” CERT-IN has found that Akira threat actors have used tools including AnyDesk, WinRAR, and PCHunter, with a focus on exploiting VPN services when a user hasn’t implemented multi-factor authentication.

Important note: a different ransomware, also called Akira, was around in 2017. The new Akira isn’t related.

How is Akira getting in?

Akira ransomware can access user devices through malicious email attachments or links, peer-to-peer networks, pirated software websites, file hosting sites, and third-party downloads; and fake software updates that are downloaded and executed by unknowing users.

The ransomware was first used in March 2023, and has since claimed successful attacks on organisations in education, real estate, finance, and other industries. It uses a Windows random number generator called CryptGenRandom() to generate a symmetric encryption key – then files are encrypted by ChaCha 2008.

The Akira ransom note – which they drop into every folder that they steal data from – has been shared widely online. It reads:

"Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data."

Helpful customer service, right? But these cybercriminals will turn on the victim in a heartbeat if they don’t comply and pay the ransom in a timely manner.

What makes it different?

Akira uses double extortion to coerce victims into paying a ransom – their sensitive data is encrypted after it’s stolen, and then the cybercriminals threaten to release it on the dark web if the ransom isn’t paid. The implications of this vary from victim to victim, but they could incur further financial penalties (for example, if they’re hit with a regulatory penalty for the data breach) as well as causing serious damage to reputations.

Amit Jaju (Senior Managing Director at Ankura Consulting Group, India) told the Deccan Herald:

"...the Akira ransomware attack is a stark reminder of the escalating threat landscape in cybersecurity. It's not just about data theft anymore; ransomware attacks like these are a form of digital hostage-taking, where critical data is held for ransom, disrupting businesses and even governments.”

In a blog post for Tripwire, Black Hat MEA speaker Graham Cluley (Security Analyst and Podcast Host, Smashing Security) noted that Akira also has an unusual leak site on the dark web. “Maybe it was the case that the ransomware authors felt they couldn't be very creative in the visual appearance of their ransomware itself (as they wouldn't want it to draw too much attention to itself),” he wrote, “and so they put their effort into their leak site instead.”

The site’s green-on-black aesthetic is an homage to 80s web design – and visitors are asked to type in commands, instead of using a menu to navigate.

How can organisations mitigate the risk of Akira?

In his blog post, Cluley advised that organisations follow the standard advice for protecting against all families of ransomware.

That advice includes making secure offsite backups and keeping them updated; ensuring that tooling and security patching is up-to-date; segmenting your networks to stop attackers from being able to waltz into any area of your network that they want to, once they’re in; and using effective passwords and multi-factor authentication.

Crucially, inform everyone involved in your organisation about what ransomware is, what it does, and how it gets in – so they can be alert for malicious files.