Akira (ransomware)

From Wikipedia, the free encyclopedia

Akira (ransomware) is a ransomware strain that emerged in March 2023.[1] It has targeted over 250 entities, including the US energy firm BHI Energy,[2] Nissan Australia,[3][4] the Finnish IT services provider Tietoevry,[5][6][7][8] and Stanford University.[9][10] The group has also claimed responsibility for a ransomware attack on the Toronto Zoo, though the zoo has not attributed the incident to any particular threat actor.[11] Akira is offered as ransomware-as-a-service.[12]

Akira is estimated to have earned up to $42 million from its inception in March 2023 until April 2024.[13]

Methods

Akira primarily uses Cisco VPN products as its initial access vector for breaching networks, especially appliances on which multi-factor authentication is not enabled.[14][15] For lateral movement the group relies on publicly available or natively installed tools and techniques. Both Windows and Linux variants of the Akira ransomware exist.

Akira uses double-extortion techniques: data is exfiltrated from the environment before it is encrypted, and the group threatens to publish that data if the ransom is not paid.[16]

Akira v2

Akira v2 is written in Rust and locates files according to specific parameters, so that encryption can be tailored to particular file types.[17] These types are often database project files, optical media images, Exchange mailbox databases, virtual hard disks, and other formats associated with virtualization and virtual machines.

Key Generation

Akira uses CryptGenRandom to generate a symmetric key, which is then itself encrypted with a combination of the ChaCha20 stream cipher and an RSA-4096 public key; the encrypted key is appended to the end of each encrypted file.[1] Only the threat actors hold the corresponding private key, so the files cannot be decrypted without paying the ransom.

Of the two variants, the Windows version uses the Windows CryptoAPI library to perform the encryption when the ransomware is deployed, while the Linux variant uses the Crypto++ library.

Decryptor

In June 2023, Avast released a decryptor for the Akira ransomware, which likely exploited the partial file encryption approach used at the time to recover files without obtaining any keys.[18] The decryptor does not run natively on Linux; if it is needed there, the recommendation is to run it on the Linux machine through a WINE compatibility layer.
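The following is an added illustration, not code from the article, from Avast or from the ransomware, of the general cryptographic point behind key-free recovery of partially stream-cipher-encrypted files: when the same keystream covers the encrypted prefix of two files, one known original/encrypted pair yields the keystream and decrypts the other file, and an independent per-file keystream defeats that recovery. The 64-byte encrypted prefix, the toy XOR keystream and the sample files are constructed assumptions.

```python
import os

ENC_PREFIX = 64  # assumed toy 'partial encryption': only the first 64 bytes of a file are encrypted


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def partial_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    # Stream-cipher model: ciphertext = plaintext XOR keystream, applied to the prefix only.
    # The remainder of the file is copied through unchanged, as in partial file encryption.
    n = min(ENC_PREFIX, len(plaintext))
    return xor_bytes(plaintext[:n], keystream[:n]) + plaintext[n:]


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    # Known-plaintext step: for any XOR stream cipher, ciphertext XOR plaintext is the
    # keystream that was applied, obtained without ever learning the key itself.
    n = min(ENC_PREFIX, len(original))
    return xor_bytes(encrypted[:n], original[:n])


def decrypt_with_keystream(encrypted: bytes, keystream: bytes) -> bytes:
    # XOR is its own inverse, so the recovered keystream undoes the prefix encryption.
    n = min(ENC_PREFIX, len(encrypted))
    return xor_bytes(encrypted[:n], keystream[:n]) + encrypted[n:]


def recovery_demo(shared_keystream: bool) -> bool:
    # Constructed scenario: the owner still has an original copy of file A (e.g. from a
    # backup or an e-mail attachment) plus its encrypted copy, and only an encrypted copy
    # of file B. Returns True if file B is recovered from the keystream learned from A.
    file_a = b"%PDF-1.7 sample document A " + bytes(range(100))
    file_b = b"%PDF-1.7 quarterly report B " + bytes(range(100, 200))
    ks_a = os.urandom(ENC_PREFIX)
    # With a fresh keystream per file the known-plaintext pair tells nothing about B.
    ks_b = ks_a if shared_keystream else os.urandom(ENC_PREFIX)
    enc_a = partial_encrypt(file_a, ks_a)
    enc_b = partial_encrypt(file_b, ks_b)
    recovered = recover_keystream(file_a, enc_a)
    return decrypt_with_keystream(enc_b, recovered) == file_b


if __name__ == "__main__":
    print("shared keystream, file B recovered:", recovery_demo(True))
    print("per-file keystream, file B recovered:", recovery_demo(False))
```

Note that the unencrypted tail of a partially encrypted file is returned verbatim by partial_encrypt, which is why file contents and types often remain identifiable even after encryption.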

In April 2025, a further public decryptor for Akira became available. It uses multiple GPUs to mount a brute-force attack on the ransomware and crack its private keys. So far it supports only the Linux variant of Akira. The tool was developed by Yohanes and is available on GitHub, as well as from Akira Decryptor together with a usage guide.[19][20][21]

References

  1. "#StopRansomware: Akira Ransomware | CISA". www.cisa.gov. April 18, 2024.
  2. "BHI-notice". www.documentcloud.org. Retrieved 2025-03-08.
  3. Paganini, Pierluigi (December 22, 2023). "Akira ransomware gang claims the theft of sensitive data from Nissan Australia". Security Affairs.
  4. "Nissan Australia cyberattack claimed by Akira ransomware gang". BleepingComputer. Retrieved 2025-03-08.
  5. Paganini, Pierluigi (January 24, 2024). "Akira ransomware attack on Tietoevry disrupted the services of many Swedish organizations". Security Affairs.
  6. "Akira ransomware hits cloud service Tietoevry; numerous Swedish customers affected". therecord.media.
  7. Tietoevry. "Restoration work progressing at Tietoevry". www.tietoevry.com. Retrieved 2025-03-08.
  8. Tietoevry. "UPDATE: Ransomware attack in Swedish data center". www.tietoevry.com. Retrieved 2025-03-08.
  9. SC Staff (January 22, 2024). "Akira ransomware group's changing tactics: What you need to know". SC Media.
  10. "Stanford says data from 27,000 people leaked in September ransomware attack". therecord.media.
  11. "Toronto Zoo shares update on last year's ransomware attack". BleepingComputer. Retrieved 2025-03-08.
  12. "Akira ransomware compromised at least 63 victims since March, report says". therecord.media.
  13. Paganini, Pierluigi (April 21, 2024). "Akira ransomware received $42M in ransom payments from over 250 victims". Security Affairs.
  14. Fadilpašić, Sead (October 14, 2024). "Veeam vulnerability exploited to deploy malware via compromised VPN credentials". TechRadar.
  15. "#StopRansomware: Akira Ransomware | CISA". www.cisa.gov. April 18, 2024. Retrieved 2025-03-08.
  16. "Akira, GOLD SAHARA, PUNK SPIDER, Group G1024 | MITRE ATT&CK®". attack.mitre.org. Retrieved 2025-03-08.
  17. Brown, Jade. "Akira Ransomware: A Shifting Force in the RaaS Domain". Bitdefender Blog. Retrieved 2025-03-08.
  18. Avast Threat Research Team (June 29, 2023). "Decrypted: Akira Ransomware". Avast Threat Labs. Retrieved 2025-03-07.
  19. "Akira Decryptor". Akira Recovery & Decryption. Retrieved 2025-05-11.
  20. "New Akira ransomware decryptor cracks encryption keys using GPUs". BleepingComputer. Retrieved 2025-05-11.
  21. Constantinescu, Vlad. "Researcher Releases GPU-Powered Akira Ransomware Decryption Tool". Hot for Security. Retrieved 2025-05-11.