What is the Akira ransomware, and why has the government issued a warning against it?

What is the Akira ransomware and how does it work? Know how it infects devices and what you can do to protect against ransomware

July 29, 2023 11:12 am | Updated 12:31 pm IST

The Computer Emergency Response Team of India issued an alert for ransomware dubbed “Akira.” | Photo Credit: Mustafah KK

The story so far: The Computer Emergency Response Team of India (CERT-In) issued an alert for ransomware dubbed “Akira.” The ransomware, found to target both Windows and Linux devices, steals and encrypts data, forcing victims to pay a double ransom for decryption and recovery. The group behind the ransomware has already targeted multiple victims, mainly located in the U.S., and runs an active Akira ransomware leak site that lists its most recent data leaks.

What is the Akira ransomware?

The Akira ransomware is designed to encrypt data, drop a ransom note and delete Windows Volume Shadow Copies on affected devices. The ransomware takes its name from the “.akira” extension it appends to the filename of every file it encrypts. It is designed to close processes or shut down Windows services that might keep it from encrypting files on the affected system. It abuses VPN services, especially where users have not enabled two-factor authentication, and tricks users into downloading malicious files.

Once the ransomware infects a device and steals/encrypts sensitive data, the group behind the attack extorts the victims into paying a ransom, threatening to release the data on their dark web blog if their demands are not met.

How does Akira ransomware work?

As mentioned above, the ransomware deletes the Windows Volume Shadow Copies on the affected device. These copies are what let organisations back up the data their applications use for day-to-day functioning: the Volume Shadow Copy Service (VSS) coordinates between components without taking them offline, so data is backed up while it also remains available for other functions. Once the shadow copies are deleted, the ransomware proceeds to encrypt files and append the pre-defined “.akira” extension to them.

The ransomware also terminates active Windows services using the Windows Restart Manager API, preventing any interference with the encryption process. It is designed not to encrypt Program Data, Recycle Bin, Boot, System Volume Information and other folders instrumental to system stability. It also avoids modifying Windows system files with extensions like .sys, .msi and .exe.
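Two of the behaviours described in the preceding paragraphs leave telemetry a defender can alert on: shadow copies being deleted through Windows utilities, and a run of files being renamed with the “.akira” extension. The detection logic below is an added example, not code from the article or from CERT-In. It runs over constructed log lines that imitate Sysmon-style process-creation and file-rename events; the field names (host, image, cmdline, old, new) and the sample events are this example's own assumptions.

```python
"""Detection logic for shadow copy deletion and mass ".akira" renames.
Added example, not from the article or CERT-In. The log lines below are
constructed to resemble Sysmon-style events; the field names are assumptions."""
import re
from collections import defaultdict

# Constructed sample telemetry, one event per line: "<timestamp> <event type> key=value ..."
SAMPLE_LOG = r"""
2023-07-28T09:14:02 ProcessCreate host=fs01 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe list shadows"
2023-07-28T09:15:10 ProcessCreate host=fs01 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows"
2023-07-28T09:15:11 ProcessCreate host=fs01 image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic shadowcopy delete"
2023-07-28T09:16:00 FileRename host=fs01 old=D:\share\report.docx new=D:\share\report.docx.bak
2023-07-28T09:16:01 FileRename host=fs01 old=D:\share\q2.xlsx new=D:\share\q2.xlsx.akira
2023-07-28T09:16:01 FileRename host=fs01 old=D:\share\hr.pdf new=D:\share\hr.pdf.akira
2023-07-28T09:16:02 FileRename host=fs01 old=D:\share\plan.pptx new=D:\share\plan.pptx.akira
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Command-line patterns for shadow copy deletion via built-in utilities.
# "vssadmin list shadows" must NOT match: only the delete verb is suspicious.
SHADOW_DELETE_PATTERNS = (
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I), "vssadmin shadow copy deletion"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "wmic shadow copy deletion"),
)
RENAME_THRESHOLD = 3  # .akira renames on one host before alerting (kept low for the demo)


def parse_event(line):
    """Split one line into its timestamp, event type and key=value fields."""
    ts, etype, rest = line.split(" ", 2)
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(rest)}
    return {"ts": ts, "type": etype, **fields}


def detect(log_text):
    """Return (timestamp, host, description) for every alert raised over the log."""
    findings = []
    akira_renames = defaultdict(int)  # host -> count of renames to .akira
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["type"] == "ProcessCreate":
            for pattern, label in SHADOW_DELETE_PATTERNS:
                if pattern.search(ev.get("cmdline", "")):
                    findings.append((ev["ts"], ev["host"], label))
        elif ev["type"] == "FileRename" and ev.get("new", "").lower().endswith(".akira"):
            akira_renames[ev["host"]] += 1
            if akira_renames[ev["host"]] == RENAME_THRESHOLD:  # alert once, at the threshold
                findings.append((ev["ts"], ev["host"],
                                 f"{RENAME_THRESHOLD}+ files renamed with .akira extension"))
    return findings


if __name__ == "__main__":
    for ts, host, what in detect(SAMPLE_LOG):
        print(f"{ts} {host}: {what}")
```

In a real deployment the input would be the EDR or Sysmon event stream rather than a string, and the rename rule would count events in a sliding time window per host; the point of the two rules is that shadow copy deletion is a strong, early signal worth alerting on by itself, while the extension rule only fires once encryption is already under way.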

Once sensitive data is stolen and encrypted, the ransomware leaves behind a note named akira_readme.txt which includes information about the attack and the link to Akira’s leak and negotiation site.

Each victim is given a unique negotiation password to be entered into the threat actor’s Tor site. Unlike other ransomware operations, this negotiation site contains only a chat system that the victim can use to communicate with the ransomware gang, according to a report from BleepingComputer.


How does ransomware infect devices?

Ransomware is typically spread through spear-phishing emails that carry malicious attachments in the form of archived content (zip/rar files). Other infection methods include drive-by downloads, in which malicious code is downloaded onto a device without the user intending it, and specially crafted web links in emails that download malicious code when clicked. The ransomware reportedly also spreads through insecure Remote Desktop connections.

What can users do to protect against Akira attacks?

Maintain up-to-date offline backups
Ensure OS and networks are updated regularly, with virtual patching for legacy systems
Establish Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) for organisational email validation
Strong password policies
Strong multi-factor authentication
Strict external device usage policy
Data-at-rest and data-in-transit encryption
Blocking attachment file types with .exe, .pif, .url, or other such extensions
Avoid clicking on suspicious links to avoid downloads of malicious code
Conduct regular security audits of systems, especially database servers
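The advice to block attachment types such as .exe, .pif and .url is only effective if the check also looks inside the zip archives that, as noted above, spear-phishing mail typically uses to carry the payload. The mail-gateway style check below is an added example, not code from the article or from CERT-In: it parses a message with Python's standard email library, applies the extension block list to every attachment, and opens zip attachments to apply the same list to their members. The block list beyond the three extensions the article names, the placeholder domain example.invalid and the sample message are this example's own assumptions.

```python
"""Attachment block-list check that also inspects zip archives.
Added example, not from the article or CERT-In; extensions beyond
.exe/.pif/.url and the sample message are assumptions of this example."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The article names .exe, .pif and .url; the rest are common executable-type extensions (assumption).
BLOCKED_EXTENSIONS = {".exe", ".pif", ".url", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi"}


def _ext(name):
    """Last extension of a filename, lower-cased ('Invoice.pdf.exe' -> '.exe')."""
    name = name.lower().rstrip()
    return name[name.rfind("."):] if "." in name else ""


def _check_name(name, origin):
    ext = _ext(name)
    return [f"blocked extension {ext}: {origin}{name}"] if ext in BLOCKED_EXTENSIONS else []


def inspect_attachment(name, data):
    """Findings for one attachment; zip members are checked with the same list."""
    findings = _check_name(name, "")
    ext = _ext(name)
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    findings += _check_name(member, f"{name}!")
        except zipfile.BadZipFile:
            findings.append(f"unreadable zip archive: {name}")
    elif ext == ".rar":
        # The standard library cannot open rar; a gateway should quarantine what it cannot inspect.
        findings.append(f"uninspectable archive (no rar reader): {name}")
    return findings


def inspect_message(raw_bytes):
    """Parse a raw RFC 5322 message and return findings for all attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings += inspect_attachment(name, part.get_payload(decode=True) or b"")
    return findings


def build_sample_message():
    """Constructed phishing-style message: a zip hiding a double-extension .exe, a .url file, a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_July.pdf.exe", b"MZ constructed placeholder, not a real program")
        zf.writestr("readme.txt", b"please open the invoice")
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invoice_July.zip")
    msg.add_attachment(b"[InternetShortcut]\nURL=http://example.invalid/\n",
                       maintype="application", subtype="octet-stream", filename="open_me.url")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message()):
        print(finding)
```

Two caveats the design reflects: the extension is taken after the last dot, so a double extension such as Invoice_July.pdf.exe is still caught, and an archive the gateway cannot open (rar, or a corrupted zip) is reported rather than silently passed, because an uninspected archive is exactly where the payload would sit.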

Who does Akira ransomware target?

In use since March 2023, the ransomware has steadily built up a list of victims, targeting corporate networks in various domains including education, finance, real estate, manufacturing, and consulting. Once it breaches a corporate network, the ransomware spreads laterally to other devices after gaining Windows domain admin credentials. The threat actors also steal sensitive corporate data for leverage in their extortion attempts.

What can users do to protect against ransomware?

CERT-In has advised users to follow basic internet hygiene and protection protocols to protect themselves against ransomware. These include maintaining up-to-date offline backups of critical data, to prevent data loss in the event of an attack.

Additionally, users are advised to ensure all operating systems and networks are updated regularly, with virtual patching for legacy systems and networks. Companies must also establish Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) for organisational email validation, which prevents spam by detecting email spoofing. Strong password policies and multi-factor authentication (MFA) must be enforced. There should also be a strict external device usage policy in place and data-at-rest and data-in-transit encryption, along with blocking attachment file types like .exe, .pif, or .url to avoid downloading malicious code. The agency has also advised periodic security audits of critical networks/systems, especially database servers.
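Publishing SPF, DKIM and DMARC records is only half of the email-validation advice above; the records also have to be strict enough to stop spoofed mail rather than merely report it. The checker below is an added example, not code from the article or from CERT-In. It evaluates the three record types as strings, flagging the settings that commonly leave spoofing unblocked (an SPF record ending in +all or exceeding the lookup limit, a DKIM record with an empty key, a DMARC record at p=none or without a reporting address). The records are constructed for the placeholder domain example.invalid and passed in directly, so no DNS lookup is performed.

```python
"""SPF / DKIM / DMARC record checks. Added example, not from the article or
CERT-In; records are constructed for the placeholder domain example.invalid."""
import re

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_SPF_LOOKUPS = 10  # RFC 7208 limit; exceeding it makes SPF evaluate to permerror


def parse_tags(record):
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_spf(record):
    """Weaknesses in an SPF TXT record; an empty list means acceptable."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record (v=spf1 missing)"]
    issues = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        issues.append("'+all' authorises every sender, so spoofed mail passes SPF")
    elif last == "?all":
        issues.append("'?all' is neutral; end the record with '~all' or '-all'")
    elif last not in ("~all", "-all"):
        issues.append("record does not end with an 'all' mechanism")
    lookups = 0
    for term in terms[1:]:
        # Strip the qualifier (+ - ~ ?) and keep the mechanism name before ':' '/' or '='.
        mechanism = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if mechanism in LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > MAX_SPF_LOOKUPS:
        issues.append(f"{lookups} DNS lookups exceed the limit of {MAX_SPF_LOOKUPS}; SPF evaluates to permerror")
    return issues


def evaluate_dkim(record):
    """Weaknesses in a DKIM selector TXT record."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional in DKIM and defaults to DKIM1
        return ["unexpected DKIM version tag"]
    if not tags.get("p"):
        return ["empty p= tag: the key is revoked, so signatures cannot verify"]
    return []


def evaluate_dmarc(record):
    """Weaknesses in a DMARC TXT record."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record (v=DMARC1 missing)"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append(f"missing or unknown policy: {policy!r}")
    if "rua" not in tags:
        issues.append("no rua= address, so aggregate reports are never received")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return issues


# Constructed records for example.invalid: a weak set beside a hardened set.
WEAK_SPF = "v=spf1 include:_spf.example.invalid +all"
WEAK_DKIM = "v=DKIM1; k=rsa; p="
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_SPF = "v=spf1 mx include:_spf.example.invalid -all"
GOOD_DKIM = "v=DKIM1; k=rsa; p=CONSTRUCTED_BASE64_KEY_MATERIAL"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, record, check in (("SPF", WEAK_SPF, evaluate_spf), ("DKIM", WEAK_DKIM, evaluate_dkim),
                                 ("DMARC", WEAK_DMARC, evaluate_dmarc)):
        print(label, check(record) or ["ok"])
```

The usual rollout is to start at p=none with a rua= address, use the aggregate reports to find legitimate senders that fail alignment, and then move to p=quarantine and finally p=reject; a record left at p=none indefinitely gives the monitoring benefit but none of the spoofing protection the advice is after.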
