A new ransomware operation brought in to limelight by the researchers called Akira and targets businesses worldwide, breaching corporate networks, stealing, and encrypting data.
Threat actors have over dozens of organizations in their portfolio as victims from areas like finance, manufacturing, real estate, education, and consultancy. Among the recently claimed attacks includes the Bluefield, the Bridge Valley Community and Technical College, Mitchell Partnership Inc., Garcia Hamilton & Associates, and New World Travel, Inc.
Mode of Operation
Upon execution, the malware deletes Windows Shadow Volume Copies from the machine. It achieves this by a PowerShell command: powershell.exe -Command “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject”
The encryption process will bypass files from Recycle Bin, System Volume Information, Boot, ProgramData, and Windows folders. The same rule applies to Windows system files with extensions like .exe, .lnk, .dll, .msi, and .sys. The encrypted files will have the .akira extension added to the file’s name.
Akira also employs the Windows Restart Manager API to terminate any processes or services that might keep a file open and prevent encryption. Once after the reconnaissance and intrusion into the network, Akira will move laterally, and spread to other devices. The goal is to gain Windows domain admin credentials so it can deploy the ransomware and infect the network.
The encrypted folders include the ransomware note called “named akira_readme.txt“. The note offers information about what happened to the files and links to the data leak site and negotiation site.
Each target receives a customized password for the negotiation site. It only consists of a chat system used by victims to communicate with the threat actors. The leak site is also noticeable through its vintage look that enables visitors to navigate by typing in commands.
Akira will not only encrypt your data, but it will also steal important corporate information to use in the extortion. If the victims refuse to pay the ransom, their data will be made public through its extortion site.
Until now, Akira operators published the data from four firms. That means data leaks between 5.9 GB and 259 GB. The ransom demanded varied from $200,000 to millions of dollars. They negotiate the ransom with companies who want to stop data leaking, without the decryption key.
Source : Bleeping Computer