CERT-In cautions Internet users against Ransomware 'Akira' attack

July 23, 2023 11:16 pm | Updated 11:16 pm IST - New Delhi

FILE PHOTO: A hooded man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017.  REUTERS/Kacper Pempel/Illustration/File Photo/File Photo

FILE PHOTO: A hooded man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration/File Photo/File Photo | Photo Credit: KACPER PEMPEL

An Internet ransomware virus 'Akira' that steals vital personal information and encrypts data leading to extortion of money from people has been reported in cyberspace, the country's federal cyber security agency has said in the latest advisory.

This computer malware is targeting Windows and Linux-based systems, it said.

“A recently emerged ransomware operation dubbed Akira is reportedly active in cyberspace. This group first steals the information from victims, then encrypt data on their systems and conducts double extortion to force the victim into paying the ransom.”

"In case the victim does not pay, they release their victim's data on their dark web blog," the Indian Computer Emergency Response Team (CERT-In) said in a latest advisory to Internet users.

The agency is the central technology arm to combat cyber attacks and guards cyberspace against phishing and hacking assaults and similar online attacks.

It said the ransomware group is "known to access victim environments via VPN [virtual private network] services, particularly where users have not enabled multi-factor authentication." Ransomware is a computer malware that infects and blocks users from using their own data and system and they can get it back against a pay-off.

This ransomware group has also utilised tools such as AnyDesk, WinRAR, and PCHunter during intrusions, it said, adding these tools are often found in the victim's environment, and their misuse typically goes unnoticed.

Describing the technical intrusion of the virus, the advisory said 'Akira' deletes the Windows Shadow Volume Copies on the targeted device. The ransomware subsequently encrypts files with a predefined set of extensions and a '.akira' extension is appended to each encrypted file's name during this encryption process, it said.

In the encryption phase, the ransomware terminates active Windows services using the Windows Restart Manager API. This step prevents any interference with the encryption process, the advisory stated. The ransomware encrypts files found in various hard drive folders, excluding the ProgramData, Recycle Bin, Boot, System Volume Information, and Windows folders. The CERT-In also advised Internet users to use basic online hygiene and protection protocols to keep safe from such virus attacks in the online space.

Ransomware infections primarily keep data hostage, hence, it is recommended to maintain offline backups of critical data and ensure that these backups stay up-to-date to prevent data loss in the event of infection, it suggested.

Also, the advisory recommended that operating systems and applications be kept updated regularly and that "virtual patching" can be considered for protecting legacy systems and networks. This measure hinders cyber criminals from gaining easy access to any system through vulnerabilities in outdated applications and software, it said.

Users should also enforce strong password policies and multi-factor authentication (MFA) and void applying updates/patches available in any unofficial channel among other such measures to counter cyber and ransomware attacks, it said.

Top News Today

Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.