The Akira ransomware-as-a-service (RaaS) group is now employing a sophisticated Linux variant to take advantage of specific vulnerabilities and weaknesses in the Linux architecture, most likely for credential theft and phishing campaigns.

The group initially deployed a Windows variant, and researchers now have a decrypter for the Windows strain. The Linux variant appears to have connections to the Conti ransomware strain, according to K7 Security Labs.

Akira sells its services to other threat actors on a Tor site.

Impact

The Akira group publicly discloses stolen data on its website if victims don’t comply with ransom demands. The website also offers a chat feature for communication between victims and perpetrators, using a unique ID provided within the ransom note. The group creates unique public RSA keys and IDs for every organization it attacks and then uses these identifiers to find the appropriate decryption keys when the organization meets the ransom demands.

DXC perspective

A secure infrastructure and robust cyber defense program can help guard against ransomware attacks of all kinds. We also offer these specific recommendations:

  • Monitor your network and endpoints for dropper malware, C2 traffic and abnormal user login attempts.
  • Avoid hosting email accounts and user web-based email traffic on network servers.
  • Implement practices to prevent phishing attempts to harvest user credentials.
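One concrete way to act on the first recommendation is to watch authentication logs for password-guessing bursts and for a successful login that follows a run of failures from the same source. The script below is an added example, not DXC tooling or anything recovered from Akira; the auth-log lines are constructed, and the thresholds (five failures, a five-minute window) are assumptions a SOC would tune to its own environment.

```python
"""Flag abnormal SSH login activity in syslog-style sshd lines.

Added example (not DXC's or any vendor's tooling). Sample lines are constructed;
FAIL_THRESHOLD and WINDOW_SECONDS are assumed values to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH/syslog format (not from a real host).
SAMPLE_LOG = """\
Jun 12 03:14:01 srv01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 12 03:14:03 srv01 sshd[4023]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Jun 12 03:14:05 srv01 sshd[4025]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jun 12 03:14:07 srv01 sshd[4027]: Failed password for root from 203.0.113.7 port 51044 ssh2
Jun 12 03:14:09 srv01 sshd[4029]: Failed password for root from 203.0.113.7 port 51048 ssh2
Jun 12 03:14:11 srv01 sshd[4031]: Accepted password for root from 203.0.113.7 port 51052 ssh2
Jun 12 09:02:44 srv01 sshd[5110]: Accepted publickey for deploy from 198.51.100.20 port 40112 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

FAIL_THRESHOLD = 5    # assumed: failures from one source before an alert
WINDOW_SECONDS = 300  # assumed: how long earlier failures stay relevant


def parse_line(line):
    """Return a dict for an sshd Accepted/Failed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        # syslog timestamps carry no year; only time differences are used below
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "result": m.group("result"),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def find_abnormal_logins(log_text, fail_threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Scan log lines in order; return findings for brute-force bursts and for
    a successful login that follows recent failures from the same source."""
    failures = defaultdict(list)  # source ip -> timestamps of recent failed attempts
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        # Drop failures older than the window so a slow trickle never accumulates.
        failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window]
        if ev["result"] == "Failed":
            failures[ip].append(ts)
            if len(failures[ip]) == fail_threshold:
                findings.append({"type": "brute_force", "ip": ip, "user": ev["user"],
                                 "at": ts, "failures": fail_threshold})
        elif failures[ip]:
            # An Accepted login right after a burst of failures is the event to triage first.
            findings.append({"type": "success_after_failures", "ip": ip, "user": ev["user"],
                             "at": ts, "failures": len(failures[ip])})
            failures[ip].clear()
    return findings


if __name__ == "__main__":
    for f in find_abnormal_logins(SAMPLE_LOG):
        print(f"{f['at'].strftime('%b %d %H:%M:%S')} {f['type']:24} {f['ip']} user={f['user']} failures={f['failures']}")
```

On the constructed sample this reports one brute-force burst from 203.0.113.7 and one accepted root login from the same address right after it; the later key-based login for deploy produces nothing. The "success after failures" case is the one worth an immediate look, since, as the note below says, controls that rely on credential validity will not flag it.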

Note: Cisco security controls may not detect intrusions if the threat actor uses valid credentials.

If you fall victim to Akira or other ransomware, we advise you to:

  • Immediately disconnect infected devices from the network to prevent further spread.
  • Disconnect any external storage devices to prevent data loss or encryption.
  • Thoroughly inspect system logs for any suspicious events or anomalies that may help identify the attack vector and aid in incident response.

Threat hunting tips

IOCs

MD5: 302f76897e4e5c8c98a52a38c4c98443

SHA1: 9180ea8ba0cdfe0a769089977ed8396a68761b40

SHA256: 1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296

MD5: 177ACD248FC715A8B5E443BE38D3B204 (detected as Trojan ( 035562be1 ))

MD5: 302f76897e4e5c8c98a52a38c4c98443 (detected as Trojan ( 035562be1 ))
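To turn the hashes above into a check, a responder can sweep a file system and compare every file's MD5, SHA1 and SHA256 against the IOC list. The script below is an added example, not DXC's or K7's tooling; the IOC values are the ones published in this advisory, while the directory to scan and the self-test file it creates are assumptions.

```python
"""Sweep a directory tree for files whose hashes match the Akira IOCs above.

Added example (not DXC's or K7's tooling). The hash values are the ones listed
in this advisory; the scan root and the demo file are assumptions.
"""
import hashlib
import os
import tempfile

# IOCs as published above, normalised to lowercase so case in the list does not matter.
AKIRA_IOCS = {
    "302f76897e4e5c8c98a52a38c4c98443",                                   # MD5
    "177acd248fc715a8b5e443be38d3b204",                                   # MD5
    "9180ea8ba0cdfe0a769089977ed8396a68761b40",                           # SHA1
    "1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296",   # SHA256
}


def hash_file(path, chunk_size=1 << 20):
    """Return md5/sha1/sha256 hex digests of one file, read in 1 MiB chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def scan_tree(root, iocs=AKIRA_IOCS):
    """Walk root and return (path, algorithm, digest) for every file matching an IOC."""
    wanted = {h.lower() for h in iocs}
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the sweep
            for algo, digest in digests.items():
                if digest in wanted:
                    matches.append((path, algo, digest))
    return matches


def demo():
    """Self-test on a throwaway directory: a harmless file must not match, and the
    same file must match once its own digest is added to the IOC set."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "harmless.bin")
        with open(sample, "wb") as fh:
            fh.write(b"hello")  # constructed content, not a malware sample
        clean = scan_tree(tmp)
        planted = scan_tree(tmp, AKIRA_IOCS | {hash_file(sample)["sha256"].upper()})
        return len(clean), len(planted)


if __name__ == "__main__":
    print("matches on clean dir, matches with planted IOC:", demo())
```

Hash IOCs only catch the exact sample that was analysed; a rebuilt or repacked binary will not match, so treat a hit as confirmation and a miss as inconclusive, and pair the sweep with the log review recommended above.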

MITRE ATT&CK Techniques

Execution:

T1204: User Execution

Discovery:

T1082: System Information Discovery

T1083: File and Directory Discovery

Impact:

T1486: Data Encrypted for Impact

T1490: Inhibit System Recovery