On April 6, 2023, the Sophos Incident Response team was engaged to support a ransomware victim organization in North America. The following week on April 12, 2023, yet another North American organization contacted Sophos for assistance.
While the incidents appeared to be the work of two different criminal actors, both deployed a recently emerged ransomware called Akira. In both cases, the affected organizations had files encrypted with the ".akira" extension and nearly identical ransom notes, named fn.txt, dropped during the attack (shown below in Figure 1).
Figure 1: “fn.txt” ransomware notice
This Akira ransomware bears no code similarity to a previous ransomware strain with the same name that was active in 2017 and is likely unrelated. The new jQuery-based leak site (Figure 2), with its retro green colors, has garnered most of the attention, as it accepts commands instead of listing out information.
However, cool as their leak site design may be, it is of no comfort to the victims of this ransomware, which regrettably include a daycare service in Canada. While the total number of victim organizations (Figure 3) is still relatively small in comparison to LockBit or BlackCat/ALPHV, that is how all new ransomware families begin.
Figure 3: Timeline analysis of Akira victims
In this blog post, we compare the attack flows of the two separate incidents, illustrating how different threat actors are deploying Akira ransomware. Available data on the second incident is limited, so we highlight where it deviates from the first. This information gives organizations detailed guidance on what they need to defend against to protect their businesses.
Attack Flow Details
Initial Access
Incident #1
A user account purposely configured to allow Multi-Factor Authentication (MFA) bypass.
[T1078 – Valid Accounts] [T1133 – External Remote Service]
The threat actor's external IP access was routed through European Tor VPN exit nodes.
Incident #2
VPN access using single-factor authentication.
[T1078 – Valid Accounts] [T1133 – External Remote Service]
Guidance
Replacing password-only authentication with MFA remains one of the highest return-on-investment (ROI) security controls; however, special attention must be given to auditing for any accounts with bypass exceptions. It is also recommended that organizations block inbound traffic from the Tor network where perimeter controls are available.
Credential Access
Incident #1
A minidump of LSASS process memory taken via comsvcs.dll, with proxy execution by rundll32.exe.
[T1003.001 – OS Credential Dumping: LSASS Memory] [T1569 – System Services]
Service Name: TcwvBcuf
Action: %COMSPEC% /Q /c cmD.Exe /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" endswith:
– ‘cmd.exe’
– ‘powershell.exe’
CommandLine
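The comsvcs.dll/rundll32.exe LSASS dump chain described under Incident #1 leaves a distinctive process-creation trail: a cmd.exe spawned by the service controller, a tasklist lookup of lsass.exe, and a rundll32.exe call into the comsvcs.dll MiniDump export. The following is an added detection example, not code from Sophos or the original post, that runs simple matching over constructed Sysmon-style process records; the field names and sample values are assumptions.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style), not
# real telemetry from the incidents described above. Fields are simplified.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'''cmd.exe /Q /c for /f "tokens=1,2 delims= " %A in ('tasklist /fi "Imagename eq lsass.exe"') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump %B C:\Windows\Temp\x.dmp full'''},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\x.dmp full"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},   # benign rundll32 use
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": r"tasklist /svc"},                              # benign tasklist use
]

# The actor mixed case (cmD.Exe), so every match is case-insensitive.
# comsvcs.dll exports MiniDump by name and as ordinal #24; match either form.
COMSVCS_MINIDUMP = re.compile(r"comsvcs(\.dll)?\s*,\s*(#24\b|minidump)", re.I)
# tasklist filtered on the lsass.exe image name, used to find the PID to dump.
LSASS_LOOKUP = re.compile(r"tasklist.*imagename\s+eq\s+lsass\.exe", re.I)


def classify(event):
    """Return the detection names that fire on one process-creation record."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    hits = []
    if COMSVCS_MINIDUMP.search(cmd):
        hits.append("lsass_dump_comsvcs_minidump")      # T1003.001
    if LSASS_LOOKUP.search(cmd):
        hits.append("lsass_pid_lookup")                 # precursor to the dump
    if parent.endswith(r"\services.exe") and image.endswith(r"\cmd.exe"):
        hits.append("service_spawned_cmd")              # T1569 service execution
    return hits


def scan(events):
    """Scan a sequence of records; return (index, hits) for each one that fires."""
    results = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results.append((i, hits))
    return results
```

A single rundll32.exe or tasklist.exe hit is low-signal on its own; the combination of a service-spawned cmd.exe, the lsass.exe lookup and the comsvcs.dll MiniDump call in one chain is what makes the alert worth paging on.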