What is Akira?
Akira is a new family of ransomware that was first used in cybercriminal attacks in March 2023.
Akira? Ever heard of it?
You’re probably thinking of the cyberpunk comics and movies that came out in the 1980s. Or you might be thinking something like: Unrelated ransomware with the same name Introduced in 2017.
Maybe that’s all. So what’s the new Akira ransomware scoop?
There are two main reasons why the new Akira ransomware is making headlines. It is the alleged extortionist organization and its interesting data exfiltration site.
Okay, so one at a time. Who is Akira demanding a ransom from?
According to an announcement on Akira’s leaked website on the dark web, the ransomware has already hit various organizations in the financial, real estate and manufacturing sectors, as well as child care centers.
Why would someone try to extort money from a childcare center?
The answer is easy. money. Most criminals behind ransomware attacks have no hesitation about who they ask to pay. In their eyes, it makes no difference whether you run a hospice, a children’s school, a charity, or a large multinational corporation. Of course, we must also recognize that many ransomware attacks do not distinguish between victims. The Toronto nursery school hit by the Akira ransomware wasn’t specifically targeted and may just be an unfortunate victim.
So what do malicious hackers do when they break into a company’s systems?
Cybercriminals steal data from hacked corporate networks before launching Akira ransomware’s encryption routines and sending ransom demands. Then, once convinced that they have stolen enough information from the victim to effectively extort payment, the criminal deploys Akira’s payload.
So is Akira following her usual routine? Encrypt data files?
Yes, but first run a PowerShell command to remove the Windows Shadow Volume Copies from the device. Then, as you can imagine, it starts encrypting various types of data files, appending “.akira” to the end of the file name.according to report To Peep computerfiles with the following extensions are encrypted in the attack:
.abcddb, .abs, .abx, .accdb, .accdc, .accde, .accdr, .accdt, .accdw, .accft, .adb, .ade, .adf, .adn, .adp, .alf, .arc, .ask, .avdx, .avhd, .bdf, .bin, .btr, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad, .dadiagrams, .daschema, .db-shm, .db-wal, .dbc, .dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .ddl, .dlis, .dqy, .dsk, .dsn, .dtsx, .dxl, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fmp, .fmp12, .fmpsl, .fol, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .hjt, .icg, .icr, .idb, .ihx, .iso, .itdb, .itw, .jet, .jtx, .kdb, .kdb, .kexi, .kexic, .kexis, .lgc, .lut, .lwx, .maf, .maq, .mar, .mas, .mav, .maw, .mdb, .mdf, .mdn, .mdt, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib, .nsf, .nvram, .nwdb, .nyf, .odb, .oqy, .ora, .orx, .owc, .pan, .pdb, .pdm, .pnz, .pvm, .qcow2, .qry, .qvd, .raw, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spq, .sql, .sqlite, .sqlite3, .sqlitedb, .subvol, .temx, .tmd, .tps, .trc, .trm, .udb, .udl, .usr, .vdi, .vhd, .vhdx, .vis, .vmcx, .vmdk, .vmem, .vmrs, .vmsd, .vmsn, .vmx, .vpd, .vsv, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld, .xmlff
So if my company doesn’t have a safe backup to restore these files from, we could be in trouble…
correct. The ransomware drops a ransom note in each folder where it has encrypted files, informing you that negotiations should be started to get your data back.
โIf you do business with us, you will save a lot because we are not interested in ruining you financially. We will thoroughly research your savings, investments, etc. and present you with our reasonable demands: “If you have active cyber insurance, please let us know and we will guide you on the appropriate use.” And prolonging the negotiation process can lead to lost deals.โ
How kind they are!
Hmm. Additionally, the ransom note provides a “security report” at the time of payment, which criminals can use to uncover the weaknesses that caused the catastrophe.
โThe security reports and exclusive first-hand information you receive when an agreement is reached is invaluable because even with a full network audit, we can detect and prevent unauthorized access. migrate to, identify a backup solution, and upload your data.โ
Their generosity knows no bounds. If my company refused to pay the ransom, wouldn’t they be less friendly?
correct.
โWe try to sell personal information/trade secrets/databases/source code, generally speaking, anything of value on the dark market to multiple attackers at the same time. will be published on the blog of
ah. You mentioned that their dark web leak site is unusual. why is that?
Perhaps the ransomware creators thought they couldn’t be too creative with what the ransomware itself looked like (because they didn’t want to draw too much attention to the ransomware itself), so they put a lot of effort into what the ransomware looked like. not. Leak site instead. Akira’s leak site, like its adopted name, seems to be happily living in the 1980s. Accessible via Tor, the site employs a classic green-on-black theme, prompting visitors to enter commands rather than navigating menus.
To be honest, I really like how it looks!
Yeah me too But if it’s my data that they’re demanding a ransom of $200,000 to millions of dollars, I’d probably be less optimistic about it.
Too bad they didn’t stick to the retro style and charged 1980’s prices.
It’s a shame they are committing crimes. Our best advice is to follow the same recommendations we gave on how to protect your organization from other ransomware. They include:
- Create secure offsite backups.
- Run the latest security solutions and make sure your computer is protected against vulnerabilities with the latest security patches.
- Limit the ability of attackers to spread laterally throughout your organization through network segmentation.
- Protect sensitive data and accounts with unique, hard-to-crack passwords and enable multi-factor authentication.
- Encrypt sensitive data whenever possible.
- Reduce your attack surface by disabling features your enterprise doesn’t need.
- Educate and inform staff on the risks and techniques cybercriminals use to launch attacks and steal data.
Editor’s Note: The opinions expressed in this guest author article are those of the contributor only and do not necessarily reflect those of Tripwire.
