Akira (ransomware)

{{Short description|Type of ransomware}}

Akira is a ransomware family that emerged in March 2023.{{Cite web|url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a|title=#StopRansomware: Akira Ransomware | CISA|date=April 18, 2024|website=www.cisa.gov}} It has targeted over 250 entities, including the US energy firm BHI Energy,{{Cite web |title=BHI-notice |url=https://www.documentcloud.org/documents/24075435-bhi-notice/ |access-date=2025-03-08 |website=www.documentcloud.org |language=en}} Nissan Australia,{{Cite web |last=Paganini |first=Pierluigi |date=December 22, 2023 |title=Akira ransomware gang claims the theft of sensitive data from Nissan Australia |url=https://securityaffairs.com/156283/cyber-crime/akira-ransomware-breached-nissan-australia.html |website=Security Affairs}}{{Cite web |title=Nissan Australia cyberattack claimed by Akira ransomware gang |url=https://www.bleepingcomputer.com/news/security/nissan-australia-cyberattack-claimed-by-akira-ransomware-gang/ |access-date=2025-03-08 |website=BleepingComputer |language=en-us}} the Finnish IT services provider Tietoevry,{{Cite web |last=Paganini |first=Pierluigi |date=January 24, 2024 |title=Akira ransomware attack on Tietoevry disrupted the services of many Swedish organizations |url=https://securityaffairs.com/158031/cyber-crime/tietoevry-akira-ransomware-attack.html |website=Security Affairs}}{{Cite web |title=Akira ransomware hits cloud service Tietoevry; numerous Swedish customers affected |url=https://therecord.media/tietoevry-ransomware-attack-sweden-cloud-services-datacenter |website=therecord.media}}{{Cite web |last=Tietoevry.com |title=Restoration work progressing at Tietoevry |url=https://www.tietoevry.com/en/newsroom/all-news-and-releases/other-news/2024/01/update-on-ransomware-attack-in-sweden-restoration-work-progressing-at-tietoevry/ |access-date=2025-03-08 |website=www.tietoevry.com |language=en}}{{Cite web |last=Tietoevry.com |title=UPDATE: Ransomware attack in Swedish data center |url=https://www.tietoevry.com/en/newsroom/all-news-and-releases/other-news/2024/01/ransomware-attack-in-sweden-update/ |access-date=2025-03-08 |website=www.tietoevry.com |language=en}} and Stanford University.{{Cite web|url=https://www.scworld.com/resource/akira-ransomware-groups-changing-tactics-what-you-need-to-know|title=Akira ransomware group's changing tactics: What you need to know|first=S. C.|last=Staff|date=January 22, 2024|website=SC Media}}{{Cite web|url=https://therecord.media/stanford-data-leaked-Akira-ransomware-attack|title=Stanford says data from 27,000 people leaked in September ransomware attack|website=therecord.media}} The group has also claimed responsibility for a ransomware attack on the Toronto Zoo, though the zoo has not attributed the incident to any particular threat actor.{{Cite web |title=Toronto Zoo shares update on last year's ransomware attack |url=https://www.bleepingcomputer.com/news/security/toronto-zoo-shares-update-on-last-years-ransomware-attack/ |access-date=2025-03-08 |website=BleepingComputer |language=en-us}} Akira is offered as ransomware-as-a-service.{{Cite web|url=https://therecord.media/akira-ransomware-early-victims-conti-links|title=Akira ransomware compromised at least 63 victims since March, report says|website=therecord.media}}

Akira is estimated to have earned up to $42 million between its inception in March 2023 and April 2024.{{Cite web |last=Paganini |first=Pierluigi |date=April 21, 2024 |title=Akira ransomware received $42M in ransom payments from over 250 victims |url=https://securityaffairs.com/162098/cyber-crime/akira-ransomware-report-fbi.html |website=Security Affairs}}

== Methods ==

Akira primarily targets Cisco VPN products as an attack vector to breach networks, especially those without multi-factor authentication enabled.{{Cite web |author1=Sead Fadilpašić |date=October 14, 2024 |title=Veeam vulnerability exploited to deploy malware via compromised VPN credentials |url=https://www.techradar.com/pro/security/veeam-vulnerability-exploited-to-deploy-malware-via-compromised-vpn-credentials |website=TechRadar}}{{Cite web |date=2024-04-18 |title=#StopRansomware: Akira Ransomware {{!}} CISA |url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a |access-date=2025-03-08 |website=www.cisa.gov |language=en}} The group uses publicly available or natively installed tools and techniques for lateral movement. There are both Windows and Linux variants of Akira ransomware.

Akira uses double-extortion ransomware techniques, in which data is exfiltrated from the environment before it is encrypted, and the group threatens to publish that data if the ransom is not paid.{{Cite web |title=Akira, GOLD SAHARA, PUNK SPIDER, Group G1024 {{!}} MITRE ATT&CK® |url=https://attack.mitre.org/groups/G1024/ |access-date=2025-03-08 |website=attack.mitre.org}}

=== Akira v2 ===

Akira v2 is written in Rust and is designed to locate files based on specific parameters, tailoring encryption to particular file types.{{Cite web |last=Brown |first=Jade |title=Akira Ransomware: A Shifting Force in the RaaS Domain |url=https://www.bitdefender.com/en-us/blog/businessinsights/akira-ransomware-a-shifting-force-in-the-raas-domain |access-date=2025-03-08 |website=Bitdefender Blog |language=en-us}} The targeted types are often those of database project files, optical media, Exchange mailbox databases, virtual hard disks, and other files associated with virtualization and virtual machines.

=== Key Generation ===

Akira used CryptGenRandom to generate a symmetric key. That key was then protected by a combination of a ChaCha20 stream cipher and an RSA-4096 public key, and the resulting encrypted key was appended to the end of each encrypted file. Only the threat actors held the corresponding private key, so the files could not be decrypted without paying the ransom.

Akira ransomware exists in both Windows and Linux versions. The Windows version uses the Windows CryptoAPI library, while the Linux variant uses the Crypto++ library to perform encryption when the ransomware is deployed.
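To make the envelope structure described above concrete, the following added example (written for this article, not code from Akira or from any of the cited analyses) models the scheme in Python with the `cryptography` library: a CSPRNG symmetric key, ChaCha20 for the content, RSA-4096 with OAEP to wrap that key, and the wrapped key appended as a trailer. The trailer layout, the nonce placement and the OAEP padding are assumptions for illustration rather than Akira's actual file format; `recover` and `key_matches` show the recovery path an analyst takes once a private key is in hand.

```python
# Constructed model of an RSA-wrapped ChaCha20 envelope (illustration only;
# the layout nonce | ciphertext | 512-byte wrapped key is an assumption,
# not Akira's on-disk format).
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms

NONCE_LEN = 16                 # ChaCha20 in `cryptography` takes a 16-byte counter||nonce block
WRAPPED_LEN = 4096 // 8        # an RSA-4096 ciphertext is always 512 bytes
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def new_keypair():
    """Generate the RSA-4096 pair that, in the real scheme, only the operators hold."""
    return rsa.generate_private_key(public_exponent=65537, key_size=4096)

def seal(plaintext: bytes, public_key) -> bytes:
    """Model of the scheme: random key, ChaCha20 content, RSA-wrapped key trailer."""
    key = os.urandom(32)       # stands in for CryptGenRandom on Windows
    nonce = os.urandom(NONCE_LEN)
    enc = Cipher(algorithms.ChaCha20(key, nonce), mode=None).encryptor()
    body = enc.update(plaintext) + enc.finalize()
    wrapped = public_key.encrypt(key, OAEP)   # only the private key can undo this
    assert len(wrapped) == WRAPPED_LEN
    return nonce + body + wrapped

def split_trailer(blob: bytes):
    """Parse the model layout into (nonce, ciphertext, wrapped key)."""
    if len(blob) < NONCE_LEN + WRAPPED_LEN:
        raise ValueError("too short to hold a nonce and an RSA-4096 trailer")
    return blob[:NONCE_LEN], blob[NONCE_LEN:-WRAPPED_LEN], blob[-WRAPPED_LEN:]

def recover(blob: bytes, private_key) -> bytes:
    """Recovery path: unwrap the file key with the private key, then decrypt the body."""
    nonce, body, wrapped = split_trailer(blob)
    key = private_key.decrypt(wrapped, OAEP)
    dec = Cipher(algorithms.ChaCha20(key, nonce), mode=None).decryptor()
    return dec.update(body) + dec.finalize()

def key_matches(blob: bytes, private_key) -> bool:
    """Incident-response check: does a candidate private key unwrap this trailer?"""
    try:
        private_key.decrypt(split_trailer(blob)[2], OAEP)
        return True
    except ValueError:         # OAEP decryption failure is reported as ValueError
        return False
```

Without the private key the trailer yields nothing, which is why a public decryptor must either obtain the key or, as in the tools below, find a weakness in how the key was produced.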

== Decryptor ==

In June 2023, Avast released a decryptor for the Akira ransomware, likely exploiting the partial file encryption approach used at the time to recover files without obtaining any keys.{{Cite web |author=Threat Research Team |date=2023-06-29 |title=Decrypted: Akira Ransomware |url=https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/ |access-date=2025-03-07 |website=Avast Threat Labs |language=en-US}} The decryptor does not run natively on Linux; where needed, running it under a Wine compatibility layer is recommended.

In April 2025, a second public decryptor for Akira was released. It uses multiple GPUs to brute-force and recover the ransomware's private keys, and so far it supports only the Linux variant of Akira. The tool was developed by Yohanes and is available on GitHub, as well as through the Akira Decryptor site together with a usage guide.{{Cite web |title=Akira Decryptor |url=https://akiradecryptor.com/ |access-date=2025-05-11 |website=Akira Recovery & Decryption |language=en-US}}{{Cite web |title=New Akira ransomware decryptor cracks encryptions keys using GPUs |url=https://www.bleepingcomputer.com/news/security/gpu-powered-akira-ransomware-decryptor-released-on-github/ |access-date=2025-05-11 |website=BleepingComputer |language=en-us}}{{Cite web |last=Constantinescu |first=Vlad |title=Researcher Releases GPU-Powered Akira Ransomware Decryption Tool |url=https://www.bitdefender.com/en-us/blog/hotforsecurity/researcher-releases-gpu-powered-akira-ransomware-decryption-tool |access-date=2025-05-11 |website=Hot for Security |language=en-us}}

== References ==

{{Reflist}}

== See also ==