FortiEDR
mrobson (Staff)
Article Id 318866

Introduction

Akira is a ransomware group that began operating in March 2023. We originally wrote an article on Akira ransomware in June 2023[1] outlining how FortiEDR protects against Akira ransomware. Since the release of that article, Akira have moved to a new version of their ransomware called ‘Megazord’. In this article we demonstrate how FortiEDR detects and mitigates Megazord execution and encryption activity. The deployment of Megazord ransomware aligns with previous Akira TTPs, so these are not discussed in this article; however, CISA recently released an advisory[2] outlining these TTPs in greater detail, and defenders should refer to that advisory for guidance on mitigating Akira ransomware intrusions. Megazord is written in Rust[3], whereas the previous Akira ransomware was written in C++. Whilst this affects the composition of the ransomware, from FortiEDR’s perspective the ransomware’s encryption behavior is largely unchanged compared to the previous Akira ransomware. Another change implemented in Megazord is the requirement for a ‘buildid’ to be provided at runtime for encryption to occur. This inhibits analysis of the ransomware without knowledge of the corresponding buildid, and is similar to features built into other ransomware families, e.g. the BlackCat ransomware’s access token[4]. In this case we analyzed the sample included in this article[5]. Alongside analysis of this sample’s execution are associated FortiEDR threat hunting queries, IOCs and MITRE ATT&CK mappings.

 

Note - In addition to the new Windows variant, Akira also released a Linux variant dubbed ‘Akira v2’ that is also written in Rust and has been used to target ESXi servers and Linux VMs. This variant will be covered in a later update to the existing Akira article[6].

 

Analysis

Akira have been known to use various execution techniques to deploy their ransomware widely across a victim network; however, the method of execution has no impact on the functionality of the executable. To execute the Megazord sample analyzed in this article we launched it from a PowerShell process, which allowed us to supply the ‘buildid’ parameter so that the encryption process would begin properly. If the correct ‘buildid’ is not provided as part of the command line arguments, this ransomware will not execute.

On execution, FortiEDR identifies the ransomware based on its file signature and flags the file, and the associated process, as malicious. This is triggered by the ‘Malicious File Detected’ rule within the Execution Prevention security policy. In prevention mode this would block the execution and prevent the endpoint’s files from being encrypted. The related security event can be seen below in Figure 1.

Figure 1. FortiEDR security event generated when the known malicious Megazord executable is executed in a FortiEDR protected environment.

 

Encryption preparation

On execution, Megazord ransomware performs a number of functions designed to increase the impact of its encryption activity. The first of these is to identify and stop any virtual machines running on the endpoint. This is implemented through the ‘Get-VM’ and ‘Stop-VM’ PowerShell cmdlets, executed through a cmd.exe child process spawned directly from the Megazord ransomware process. These cmdlets identify and then stop any currently running Hyper-V virtual machines[7]. The process chain associated with this activity can be observed through FortiEDR’s Investigation View as shown in Figure 2 below.

Figure 2. FortiEDR Investigation View showing the child processes associated with the Megazord ransomware process’s attempts to stop running Hyper-V virtual machines.

 

Following its attempts to stop any running Hyper-V virtual machines, the Megazord ransomware process attempts to stop services and processes that could impede complete encryption of the victim endpoint. Many services and processes lock key files, such as operational databases, while they run. These files often contain data that organizations need to maintain their business functions, so it is critical to the ransomware’s intended operational impact that they are encrypted. In the case of Megazord we identified at least 30 targeted services and processes. Many of these were identified through wildcard queries, so the number of potentially targeted processes and services may be much larger than 30. These services and processes are outlined in Table 1 and Table 2 respectively below, including a short description of each and its likely function.

Service Name | Description
MSSQL$ISARS | Microsoft SQL Server instance related to operation of the Microsoft Forefront TMG control service.
MSSQL$MSFW | Microsoft SQL Server instance related to operation of the Microsoft Forefront TMG control service.
SQLAgent$ISARS | SQL Server Agent service related to operation of the Microsoft Forefront TMG control service.
SQLAgent$MSFW | SQL Server Agent service related to operation of the Microsoft Forefront TMG control service.
SQLBrowser | SQL Server Browser service that provides information about SQL Server instances installed on the computer.
ReportServer$ISARS | SQL Server Reporting Services instance related to operation of the Microsoft Forefront TMG control service.
SQLWriter | SQL Writer Service that provides the functionality for backup and restore of SQL Server databases.
WinDefend | Windows Defender Service.
MSExchangeADTopology | Microsoft Exchange Active Directory Topology service used to maintain information about Exchange servers and Active Directory.
MSExchangeFB | Microsoft Exchange Information Store service used to manage mailbox databases.
MSExchangeIS | Microsoft Exchange Information Store service used to manage mailbox databases.
MSExchangeSA | Microsoft Exchange System Attendant service that provides various functions for Exchange server operation.
ShadowProtectSvc | Service associated with ShadowProtect, a backup and disaster recovery software solution.
SPAdminV4 | SharePoint Administration service that handles administrative tasks in SharePoint.
SPTimerV4 | SharePoint Timer service that manages timer jobs in SharePoint.
SPTraceV4 | SharePoint Trace service that enables diagnostic logging for SharePoint.
SPUserCodeV4 | SharePoint User Code service that allows execution of user-generated code in SharePoint.
SPWriterV4 | SharePoint VSS Writer service that enables backup and restore of SharePoint data using Volume Shadow Copy Service.
SPSearch4 | SharePoint Search service that handles search functionality in SharePoint.
MSSQLServerADHelper100 | Microsoft SQL Server Active Directory Helper service that assists SQL Server in interacting with Active Directory.
QBCF Monitor Service | QuickBooks Company File Monitor service that monitors QuickBooks company files for changes.
QBVSS QBPOS DB Service | QuickBooks Volume Shadow Copy Service for QuickBooks Point of Sale database that enables backup and restore using Volume Shadow Copy Service.
QuickBooksDB1 | QuickBooks Database service that manages a QuickBooks database.

Table 1. Services stopped by Megazord ransomware prior to encryption.

Process Name/Search String | Description
veeam | Veeam Backup & Replication process (handles backup and replication tasks for virtualized environments).
chrome | Google Chrome browser process.
iexplore | Internet Explorer browser process.
firefox | Mozilla Firefox browser process.
outlook | Microsoft Outlook process.
excel | Microsoft Excel process.
taskmgr | Windows Task Manager process used to monitor system performance and manage running applications/processes.
tasklist | Command-line tool to list running processes on Windows systems.
Ntrtscan | Norton Antivirus process which forms part of Norton Antivirus software, scans for viruses and malware.
ds_monitor | The Directory Sync Monitor process monitors directory synchronization processes, commonly used in IT environments.
Notifier | This is included with a wildcard and is likely included as a ‘catch all’ for all processes that could send notifications or alerts.
putty | PuTTY is an SSH and telnet client for remote connections.
ssh | Secure Shell (SSH) process used for secure remote access to systems.
TmListen | Trend Micro Listener service process which forms part of Trend Micro antivirus software.
iVPAgent | McAfee ePolicy Orchestrator process which is the agent for McAfee security software.
CNTAoSMgr | Cisco AnyConnect Secure Mobility Manager process used to manage secure remote connections.
IBM | This is included with a wildcard and is a generic term that could refer to various IBM software components or services.
bes10 | Potentially a reference to the BlackBerry Enterprise Service 10 process used to manage BlackBerry devices and services.
Black Robo Copy | This process name is unknown. Potentially this could have been a test process that was not removed from the list.
store.exe | Microsoft Exchange Information Store process used to manage mailbox databases in Exchange Server.
SQL | Generic term for processes related to SQL and could refer to SQL Server, MySQL, etc.
vee | This is included with a wildcard and is potentially used to terminate any auxiliary processes associated with Veeam, which is backup software. Anomalous, as veeam is already included in an earlier lookup.
wrsa | Webroot SecureAnywhere process which is part of Webroot antivirus software.
PostgreSQL | PostgreSQL database server process which handles database operations in PostgreSQL.
Sage | Potentially targeting any applications from the company ‘Sage Group’, which includes products such as ‘Sage 50’ accounting software.

Table 2. Processes stopped by Megazord ransomware prior to encryption.

 

Each of these services and processes is stopped through a separate child process. Services are stopped using the ‘net.exe’ binary and processes are killed using the ‘taskkill.exe’ binary; both binaries are executed through a child cmd.exe process. The process creation events are captured in FortiEDR telemetry and can be analyzed in the ‘Investigation View’ depicted in Figure 3 below, or through the FortiEDR threat hunting interface as shown in Figure 4.

Figure 3. FortiEDR Investigation View showing a number of the child processes of the Megazord ransomware process (megazord.exe) used to stop targeted services and kill processes.

Figure 4. FortiEDR Threat Hunting data showing the process creation events associated with the Megazord ransomware process’s attempts to stop services and kill processes.

 

As the ransomware process has already been tagged as malicious, this pre-encryption behavior is detected and blocked by FortiEDR as a ‘Service Access’ security event. An example of the generated security event is shown below in Figure 5.

Figure 5. FortiEDR security event associated with Megazord closing services and killing processes that could lock important files and inhibit complete encryption.

 

Encryption Activity

Following these pre-encryption activities, the ransomware process begins encrypting files on the victim endpoint. This encryption activity triggers the ‘File Encryptor’ rule from FortiEDR’s Ransomware Prevention security policy, blocking the encryption process. An example of a security event related to this encryption detection is shown below in Figure 6.

Figure 6. FortiEDR identifies encryption behavior which triggers the ‘File Encryptor’ rule and blocks files from being encrypted.

 

Megazord uses the overwrite method of file encryption. In this method each target file is renamed with the ransomware’s file extension, in this case ‘powerranges’, and then the contents of each target file are overwritten with encrypted content. This is the most common encryption method we have seen in recent ransomware families and variants, including the original Akira ransomware, BlackByte ransomware, Black Basta ransomware and Play ransomware. The rename activity associated with this encryption can be observed through threat hunting telemetry as shown in Figure 7 below.

Figure 7. FortiEDR Threat Hunting File Rename events associated with the thousands of target files being renamed following encryption by the Megazord ransomware.

 

Throughout the encryption process the ransomware process also writes a ransom note named ‘powerranges.txt’ to each folder where it encrypts a file. This behavior is detected and blocked by FortiEDR due to the ransomware process already being flagged by the previous File Encryptor rule. This prevents the creation of these ransom notes and generates a security event like the one shown below in Figure 8.
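The rename-then-overwrite pattern and the per-folder ransom note described above give a defender two file-telemetry signals that can be correlated per process. As an added example (not the article’s own code, and not FortiEDR’s File Encryptor logic, which the article does not detail), the Python below applies a simple rate heuristic to constructed File Rename and File Create events: a process that renames at least a threshold number of files to the ‘.powerranges’ extension within a short window is flagged, and the folders receiving ‘powerranges.txt’ are collected. The event tuple layout, the threshold and the window size are assumptions.

```python
from collections import deque

EXTENSION = ".powerranges"          # file extension appended by Megazord
RANSOM_NOTE = "powerranges.txt"     # ransom note dropped in each folder


def detect_rename_burst(events, threshold=20, window_s=10.0):
    """Flag any process that renames at least `threshold` files to the
    ransomware extension within any `window_s` second span, and collect the
    folders in which that process drops the ransom note. Events are
    (timestamp, process, event_type, path, new_path) tuples sorted by time.
    Threshold and window are assumed values, not FortiEDR's tuning."""
    recent = {}       # process -> deque of rename timestamps inside the window
    alerts = []       # processes that crossed the threshold, in order seen
    note_dirs = {}    # process -> set of folders that received a ransom note
    for ts, proc, etype, path, new_path in events:
        if etype == "File Rename" and new_path.lower().endswith(EXTENSION):
            q = recent.setdefault(proc, deque())
            q.append(ts)
            while ts - q[0] > window_s:   # drop renames older than the window
                q.popleft()
            if len(q) >= threshold and proc not in alerts:
                alerts.append(proc)
        elif etype == "File Create" and path.lower().endswith("\\" + RANSOM_NOTE):
            note_dirs.setdefault(proc, set()).add(path.rsplit("\\", 1)[0])
    return alerts, note_dirs


def build_sample():
    """Constructed telemetry (not real FortiEDR data): a backup tool renaming a
    few files slowly, then a ransomware process renaming many files in seconds
    and writing ransom notes into two folders."""
    events = []
    for i in range(5):   # benign: 5 renames spread over 40 seconds
        events.append((i * 10.0, "backup.exe", "File Rename",
                       f"C:\\data\\a{i}.bak", f"C:\\data\\a{i}.old"))
    for i in range(30):  # ransomware: 30 renames within 3 seconds
        src = f"C:\\Users\\victim\\Documents\\report{i}.docx"
        events.append((100.0 + i * 0.1, "megazord.exe", "File Rename", src, src + EXTENSION))
    events.append((103.5, "megazord.exe", "File Create",
                   "C:\\Users\\victim\\Documents\\powerranges.txt", ""))
    events.append((103.6, "megazord.exe", "File Create",
                   "C:\\Users\\victim\\Desktop\\powerranges.txt", ""))
    return sorted(events, key=lambda e: e[0])
```

The slow benign renames never fill the window, so only the ransomware process is flagged; raising the threshold above the number of renames shows the alert drop away while the ransom-note folders are still recorded.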

Figure 8. FortiEDR security event related to the creation of ransom notes following encryption of victim files by Megazord ransomware.

Conclusion

As demonstrated in this article, FortiEDR effectively detects and mitigates the execution of, and behavior associated with, Megazord ransomware. As highlighted above, these detections are largely behavior based, so they are expected to protect against future variants of this ransomware family as well. Given FortiEDR’s protections against pre-ransomware TTPs, it provides a robust solution for protecting endpoints against ransomware intrusions as a whole, regardless of the minor deviations in intrusion TTPs between victims that we expect from various ransomware affiliates. Included below are threat hunting queries that organizations can use to proactively identify potential Megazord ransomware behaviors, IOCs associated with previous Megazord intrusions and MITRE ATT&CK mappings for techniques implemented through Megazord ransomware. It should be noted that ransomware intrusions are typically instigated by affiliates or groups who perform these types of intrusions at scale. Given the volume of operations performed by these groups, there are significant TTP overlaps between intrusions. Organizations looking to mitigate ransomware intrusions should focus their detection efforts on these shared TTPs rather than on verifying protections against specific ransomware variants. Detection of ransomware like Megazord within an environment should be considered a last resort and indicates failures in multiple security layers.

 

Threat Hunting

The following threat hunting queries can be used to identify potential activity associated with the successful execution of the Megazord ransomware sample analyzed in this article. It should be noted that the execution of this ransomware occurs at the end of a larger intrusion and organizations should not focus their detection efforts on these queries first as detection earlier in the intrusion is both easier and more likely to support successful isolation and minimize business impact associated with an Akira intrusion. These queries have still been included to provide inspiration for other queries and for completeness.

 

The following Threat Hunting query returns Process Creation events whose command line arguments indicate use of the PowerShell ‘Get-VM’ and ‘Stop-VM’ cmdlets as implemented in the Megazord ransomware analyzed in this article. Whilst these commands could be obfuscated, in current samples they are hardcoded within the main executable. False positives may occur where these cmdlets are used legitimately for administration, but detections should be investigated.

Type:"Process Creation" AND Target.Process.CommandLine:"Get-VM | Stop-VM -Force"

The following Threat Hunting query returns Process Creation events whose command line arguments indicate use of the taskkill command to kill key processes as implemented in the Megazord ransomware analyzed in this article. This is only one of the many commands executed by the ransomware for encryption preparation, but detection of this event may warrant further investigation. False positives may occur where this command is used legitimately for administration, but detections should be investigated.

Type:"Process Creation" AND Target.Process.CommandLine:"/C cmd.exe /c taskkill /f /im wrsa*"

The following Threat Hunting query returns Process Creation events whose command line arguments indicate use of the net command to stop the Windows Defender service as implemented in the Megazord ransomware analyzed in this article. This is only one of the many commands executed by the ransomware for encryption preparation, but detection of this event may warrant further investigation. It is not best practice to manage the Windows Defender service through the net command, so whilst not all events matching this query will be Megazord, they should be investigated as suspicious.

Type:"Process Creation" AND Target.Process.CommandLine:"/C cmd.exe /c net stop WinDefend"

The following Threat Hunting query returns File Create events for files whose filename matches the ransom note from the Megazord ransomware sample analyzed in this article. False positives are not expected for this query.
 

Type:"File Create" AND Target.File.Name:"powerranges.txt"
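As an added example (not part of the original article and not FortiEDR’s query engine), the Python below applies the logic of the four hunting queries above, together with a subset of the service and process names from Tables 1 and 2, to constructed Process Creation and File Create events. It groups hits by parent process so that the chain of separate cmd.exe children described in the Encryption preparation section surfaces as a single finding. The Event class, its field names and the sample command lines are assumptions modelled on the fields the queries use.

```python
import re
from dataclasses import dataclass

# Hypothetical event shape modelled on the FortiEDR fields the article's
# queries use (Type, Target.Process.CommandLine, Target.File.Name).
@dataclass
class Event:
    type: str
    command_line: str = ""
    file_name: str = ""
    parent: str = ""

# Patterns from the article: Hyper-V shutdown cmdlets, taskkill of targeted
# processes, net stop of targeted services, and the ransom note file name.
HYPERV_STOP = re.compile(r"Get-VM\s*\|\s*Stop-VM\s+-Force", re.I)
TASKKILL = re.compile(r"taskkill\s+/f\s+/im\s+(\S+)", re.I)
NET_STOP = re.compile(r"net\s+stop\s+(.+?)\s*$", re.I)
# Subsets of Table 1 and Table 2; extend with the full lists for real use.
TARGET_SERVICES = {"windefend", "sqlwriter", "sqlbrowser", "msexchangeis",
                   "spadminv4", "shadowprotectsvc", "quickbooksdb1"}
TARGET_PROCESS_PREFIXES = ("veeam", "wrsa", "sql", "outlook", "tmlisten",
                           "store.exe", "postgresql", "ntrtscan")
RANSOM_NOTE = "powerranges.txt"


def classify(ev):
    """Return the hunt labels that match one event (empty list if none)."""
    hits = []
    if ev.type == "Process Creation":
        if HYPERV_STOP.search(ev.command_line):
            hits.append("hyperv-stop")
        m = TASKKILL.search(ev.command_line)
        # Strip the trailing wildcard (e.g. wrsa*) before matching prefixes.
        if m and m.group(1).rstrip("*").lower().startswith(TARGET_PROCESS_PREFIXES):
            hits.append("taskkill-target")
        m = NET_STOP.search(ev.command_line)
        if m and m.group(1).lower() in TARGET_SERVICES:
            hits.append("net-stop-target")
    elif ev.type == "File Create" and ev.file_name.lower() == RANSOM_NOTE:
        hits.append("ransom-note")
    return hits


def hunt(events):
    """Group labels by parent process: each stop/kill is a separate cmd.exe
    child, so correlating on the parent turns many events into one finding."""
    findings = {}
    for ev in events:
        for label in classify(ev):
            findings.setdefault(ev.parent, set()).add(label)
    return findings


# Constructed sample telemetry, not real FortiEDR output.
SAMPLE = [
    Event("Process Creation", '/C cmd.exe /c powershell "Get-VM | Stop-VM -Force"', parent="megazord.exe"),
    Event("Process Creation", "/C cmd.exe /c taskkill /f /im wrsa*", parent="megazord.exe"),
    Event("Process Creation", "/C cmd.exe /c net stop WinDefend", parent="megazord.exe"),
    Event("Process Creation", "net stop Spooler", parent="explorer.exe"),  # routine admin use
    Event("File Create", file_name="powerranges.txt", parent="megazord.exe"),
]
```

The routine `net stop Spooler` from explorer.exe produces no label, so only the ransomware parent appears in the findings, carrying all four behaviors.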

 

 

MITRE ATT&CK Mapping

TA0002 - Execution

Technique ID | Technique Description | Observed Activity
T1059.001 | Command and Scripting Interpreter: PowerShell | Megazord ransomware uses the ‘Get-VM’ and the ‘Stop-VM’ PowerShell cmdlets to identify and stop running Hyper-V virtual machines prior to encryption.
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Megazord ransomware creates several child cmd.exe processes to support pre-encryption activities, including stopping services through the use of the net.exe binary and stopping processes through the use of the taskkill.exe binary.

TA0005 - Defense Evasion

Technique ID | Technique Description | Observed Activity
T1562.001 | Impair Defenses: Disable or Modify Tools | Megazord ransomware kills a number of services and processes as part of its encryption preparation. A number of these are associated with the operation of defensive tools including Windows Defender, Norton Antivirus, McAfee Antivirus and Trend Micro Antivirus.

TA0007 - Discovery

Technique ID | Technique Description | Observed Activity
T1083 | File and Directory Discovery | Gets the list of files and folders for the encryption process. This listing is performed directly by the ransomware executable.

TA0040 - Impact

Technique ID | Technique Description | Observed Activity
T1486 | Data Encrypted for Impact | 1) Encrypts user files. Encryption is performed by the main ransomware process. Files are overwritten with encrypted content then renamed to include the ‘.powerranges’ file extension. 2) Writes a ransom note named ‘powerranges.txt’ to multiple folders.
T1489 | Service Stop | Megazord ransomware stops multiple services (see Table 1) to ensure encryption has the largest impact. Encryption will also prevent affected services/databases from being used effectively.

 

 

IOCs

Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
Malicious Executable | a420fbd6cb9d10db807251564c1c9e1718c6fbc5 | SHA1 Hash | Actions on Objectives | Megazord Ransomware (Analyzed in this article) | 2023-08-26
Malicious Executable | 9df999f142f137b0794b8afcaaedc588 | MD5 Hash | Actions on Objectives | Megazord Ransomware (Analyzed in this article) | 2023-08-26
Malicious Executable | f8425e27fb5340b4d50bdee1800dcc428a7d388f | SHA1 Hash | Actions on Objectives | Megazord Ransomware | 2023-08-31
Malicious Executable | 74d5d4e9a556a6170f19893e7ffdeffa | MD5 Hash | Actions on Objectives | Megazord Ransomware | 2023-08-31


[1] https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-Akira-Ranso...

[2] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a

[3] https://www.rust-lang.org/

[4] https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-BlackCat-AL...

[5] https://it.rising.com.cn/fanglesuo/20045.html

[6] https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-Akira-Ranso...

[7] https://learn.microsoft.com/en-us/powershell/module/hyper-v/get-vm?view=windowsserver2022-ps
