FortiEDR
agat
Article Id 260673

Introduction

 

Akira is a new ransomware group that employs a new family of ransomware, also dubbed Akira. The Akira group was first observed in March 2023 and has claimed numerous victims across the globe. Akira victimology varies, with victims spread across a range of regions and industries, including the education, finance, real estate, manufacturing, and consulting sectors.

 

The Akira ransomware group operates its own Tor website as a victim shaming site. The website has a very distinctive look: it uses JavaScript to process user input and retrieve information from the site, much like a Linux command window. As of this article’s writing, the website has around 15 companies’ data available for download as ‘leaks’. In the news section the site also names 12+ companies for upcoming data release ‘leaks’. The Akira website can be seen in Figure 1 below.

 


Figure 1. Akira Ransomware dark web site.

 

The purpose of this article is to demonstrate how FortiEDR detects and prevents execution of this ransomware and its encryption behavior to mitigate the associated risk. This article will also demonstrate what FortiEDR Threat Hunting telemetry is generated by execution of this ransomware if it is observed in a FortiEDR protected environment, and how this telemetry can be leveraged using threat hunting queries to create additional targeted detections.

 

Initial Access:

As with many other currently operating ransomware groups, initial access is typically through the use of valid credentials. The use of valid credentials for initial access is increasingly popular and viable due to the growing prevalence of access brokers. Valid credentials are often used to gain access to a company network and execute malware / ransomware. There are instances observed by researchers where attackers have used Multi-Factor Authentication bypass and single-factor VPN access to gain access to the victim network prior to execution of Akira ransomware.

 

Analysis

The malware binary was compiled with the Microsoft Visual C/C++ compiler, and it was a 64-bit executable. String analysis showed an interesting string in the binary, a possible path ("Z:\\akira\\asio\\include\\asio\\impl\\co_spawn.hpp") where the threat actor might have compiled the executable on their own computer. To allow us to build adequate detections for execution of this malware, we performed dynamic analysis of its behavior by analyzing it in a FortiEDR protected environment.

In the analysis outlined in this article FortiEDR was configured in ‘Log Only’ mode to demonstrate detection capabilities against all stages of Akira ransomware execution. When the malware sample was accessed and executed by Windows Explorer, FortiEDR was able to detect the ransomware executable as malicious given that it matches a FortiGuard signature and that characteristics of the file were identified by Fortinet Cloud Services as having malicious indicators. Given this classification, execution of this ransomware family would be stopped in a normal scenario where FortiEDR is configured in ‘Prevention’ mode. We can observe the FortiEDR security event triggered by this malicious detection in Figure 2 below.

 


Figure 2. Akira ransomware sample initial execution blocked by FortiEDR

 

The malware sample first tries to execute conhost.exe (from Microsoft) with the parameters “0xffffffff” and “-ForceV1”. The “ForceV1” parameter is used to enable Virtual Terminal mode 1. The 0xffffffff parameter instructs the system not to create a physical console or window, thus hiding the session ID and child process[1]. The use of conhost.exe with its physical window hidden indicates that this application accesses the console API, which can be an indicator of malicious behavior. This can be observed in the Threat Hunting section screenshot in Figure 3 below.

 


Figure 3. FortiEDR Threat Hunting section showing Akira malware sample executed conhost.exe.

 

Then the malware executes PowerShell (powershell.exe) with the following parameters:

 

-Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"

 

This PowerShell command will delete the Windows volume shadow copies if any exist. This behavior triggers the ‘Suspicious Application’ rule within FortiEDR’s Ransomware Prevention policy. This can be observed in the FortiEDR user interface screenshot in Figure 4 below.

 


Figure 4. FortiEDR File Service Access event associated with the Akira ransomware’s attempts to delete volume shadow copies through WMI.

The execution of PowerShell with this specific command can also be observed in the Threat Hunting section of FortiEDR, as shown in Figure 5 below.

 


Figure 5. PowerShell command execution for Shadow copy deletion by Akira Malware

 

After deleting the shadow copies in Windows, the malware begins to encrypt files on the victim endpoint. The Akira malware binary references at least 176 file extensions which it targets for encryption. Like most ransomware, Akira does not encrypt .exe, .DLL, .msi, or .sys files, in order to keep the victim operating system stable. Like the majority of current ransomware, Akira first overwrites targeted files with encrypted data and then renames the affected files with the ‘.akira’ file extension. This can be observed in Figure 6 below.

 


Figure 6. Akira Ransomware writes encrypted data and renames files.

 

This encryption behavior results in many File Rename events triggered by the ‘File Encryptor’ rule within FortiEDR’s Ransomware Prevention security policy. This encryption activity is blocked by FortiEDR when in ‘Prevention Mode’, preventing the integrity of files on a victim endpoint from being compromised. The screenshot in Figure 7 shows the FortiEDR security event associated with this encryption activity.

 


Figure 7. File rename activity of Akira Ransomware blocked by FortiEDR


Following encryption of victim files, the main ransomware process drops a ransom note as a text file with the name “akira_readme.txt” in each of the folders it has processed. In addition, the ransomware process also drops a copy of the ransom note on the desktop of the infected machine. Creation of the ransom note also triggers the ‘File Encryptor’ rule from the ‘Ransomware Prevention’ policy. In ‘Prevention Mode’ this activity is blocked by FortiEDR. The associated FortiEDR security events can be observed in Figure 8 below.

 


Figure 8. Event showing FortiEDR would block the Ransom note creation

The ransom note contains standard ransom note text which tells the user that all their data and its backups have been encrypted. It provides the Tor website link for the Akira ransomware leak site and gives a unique ID to log in to the Akira chat service. This chat service can be used by victims to contact and negotiate with Akira. A screenshot of the ransom note produced as a result of our testing is shown in Figure 9 below.

 

Figure 9. Akira ransom note (akira_readme.txt) produced during testing

 

Conclusion

As highlighted in this article, FortiEDR effectively detects and mitigates the risk of Akira ransomware execution and its subsequent encryption behavior. In the analysis outlined in this article FortiEDR was configured in ‘Log Only’ mode to demonstrate detection capabilities against all stages of Akira ransomware execution. In ‘Prevention Mode’ all detected activity will be blocked by the associated policies. Some threat hunting queries are included below to allow organizations to put additional detections in place to identify behaviors associated with Akira ransomware execution and to assist with triaging potential intrusions. Proactive defenses, like a modern EDR solution such as FortiEDR, are the best defense against a ransomware threat like Akira.

 

Threat Hunting

 

The following threat hunting query will return FortiEDR Process Creation events for a PowerShell process with command line arguments indicative of attempts to delete volume shadow copies via linked WMI objects. This technique and its implementation are not unique to Akira, but the exact command line arguments are. Any implementation of this technique should be investigated if management of volume shadow copies in this way is not part of standard administrative activity.

 

Type: ("Process Creation") AND Target.Process.File.Name:("powershell.exe") AND Target.Process.CommandLine:("\-Command \"Get\-WmiObject Win32_Shadowcopy | Remove\-WmiObject\"")

 

 

The following threat hunting query will return FortiEDR File Create events where a file with the name “akira_readme.txt” is created on any endpoint. This is the filename of the Akira ransom note. If this activity is observed it is likely that the Akira ransomware has already executed successfully; this query has been included for completeness and should not be relied on for initial detection.

 

Type:"File Create" AND Target.File.Name:"akira_readme.txt"

 

 

The following threat hunting query will return File Rename events where a file is renamed to include the ‘.akira’ file extension. If this activity is observed it is likely that the Akira ransomware has already executed successfully; this query has been included for completeness and should not be relied on for initial detection.

 

Type:"File Rename" AND Target.File.AdditionalData.TargetPath:("*.akira")
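The three hunting queries above can also be applied outside the FortiEDR console, for example to exported telemetry. The following added example (not part of the original article or of FortiEDR) implements the same three rules in Python over constructed, FortiEDR-style event records whose field names mirror the query fields; it additionally flags the general shadow-copy-deletion-via-WMI technique with a looser pattern, since the article notes that any implementation of that technique merits investigation.

```python
import re

# Constructed sample events (not real telemetry); keys mirror the FortiEDR
# Threat Hunting fields used in the queries above.
SAMPLE_EVENTS = [
    {"Type": "Process Creation", "Target.Process.File.Name": "powershell.exe",
     "Target.Process.CommandLine":
         'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"Type": "Process Creation", "Target.Process.File.Name": "powershell.exe",
     "Target.Process.CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"Type": "Process Creation", "Target.Process.File.Name": "powershell.exe",
     "Target.Process.CommandLine":
         'powershell.exe -Command "Get-WmiObject -Class Win32_ShadowCopy | Remove-WmiObject"'},
    {"Type": "File Create", "Target.File.Name": "akira_readme.txt",
     "Target.File.AdditionalData.TargetPath": r"C:\Users\victim\Documents\akira_readme.txt"},
    {"Type": "File Rename", "Target.File.Name": "report.docx",
     "Target.File.AdditionalData.TargetPath": r"C:\Users\victim\Documents\report.docx.akira"},
    {"Type": "File Rename", "Target.File.Name": "notes.txt",
     "Target.File.AdditionalData.TargetPath": r"C:\Users\victim\Documents\notes.bak"},
]

# Exact command line observed for Akira (from the article), unescaped.
AKIRA_VSS_CMD = '-Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'
# Looser form of the same technique: Win32_ShadowCopy piped into Remove-WmiObject.
VSS_WMI_DELETE = re.compile(r"win32_shadowcopy.*remove-wmiobject", re.IGNORECASE)


def classify(event):
    """Return the list of hunting rule names the event matches (empty if none)."""
    hits = []
    kind = event.get("Type")
    if kind == "Process Creation" and event.get("Target.Process.File.Name", "").lower() == "powershell.exe":
        cmd = event.get("Target.Process.CommandLine", "")
        if AKIRA_VSS_CMD in cmd:
            hits.append("akira_vss_delete_exact")      # the article's first query
        elif VSS_WMI_DELETE.search(cmd):
            hits.append("vss_delete_via_wmi")          # generic technique, lower confidence
    elif kind == "File Create" and event.get("Target.File.Name", "").lower() == "akira_readme.txt":
        hits.append("akira_ransom_note")               # the article's second query
    elif kind == "File Rename" and event.get("Target.File.AdditionalData.TargetPath", "").lower().endswith(".akira"):
        hits.append("akira_extension_rename")          # the article's third query
    return hits


def hunt(events):
    """Map each rule name to the number of events that matched it."""
    counts = {}
    for ev in events:
        for rule in classify(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts
```

Running hunt(SAMPLE_EVENTS) yields one hit for each of the four rules; the benign Get-Date and .bak rename events match nothing.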

 

 

MITRE ATT&CK Mapping

 

TA0002 - Execution

Technique ID: T1059.001
Technique Description: PowerShell
Observed Activity: Malware executes powershell.exe to delete shadow copies by deleting linked WMI objects (Win32_ShadowCopy).

TA0007 - Discovery

Technique ID: T1083
Technique Description: File and Directory Discovery
Observed Activity: Gets the list of files and folders for the encryption process. This listing is performed directly by the ransomware executable. There are 176+ file extensions referenced in the malware for encryption.

TA0040 - Impact

Technique ID: T1486
Technique Description: Data Encrypted for Impact
Observed Activity:
1) Encrypts user files. Encryption is performed by the main ransomware process. Files are overwritten with encrypted content, then renamed to include the ‘.akira’ file extension.
2) Writes a ransom note to multiple folders with the title “akira_readme.txt”.

Technique ID: T1490
Technique Description: Inhibit System Recovery
Observed Activity: Akira ransomware deletes the shadow copies to inhibit system recovery.

 

 

IOCs

 

Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
Malicious Executable | 923161f345ed3566707f9f878cc311bc6a0c5268 | SHA1 Hash | Installation | Primary Payload of Akira Ransomware | 2023-04-14
Malicious Executable | c4d6c1fd4c1a702a2302cc62bce7d770e5b7369c | SHA1 Hash | Installation | Primary Payload of Akira Ransomware | 2023-05-04

 

 

 

[1] https://www.breachquest.com/blog/more_eggs-is-back/
