Akira Ransomware Mutates to Target Linux Systems

Arika ransomware has continued to evolve since emerging as a threat in March, expanding its reach from initially targeting Windows systems to include Linux servers and employing a growing array of tactics, techniques, and procedures (TTPs).

An in-depth report on Akira from LogPoint breaks down the "highly sophisticated" ransomware, which encrypts victim files, deletes shadow copies, and demands ransom payment for data recovery. 

The infection chain actively targets Cisco ASA VPNs lacking multifactor authentication to exploit the CVE-2023-20269 vulnerability as an entry point.

As of early September, the group had successfully hit 110 victims, focusing on targets in the US and the UK.

British quality-assurance company Intertek was a recent high-profile victim; the group has also targeted manufacturing, professional services, and automotive organizations. 

According to a recent GuidePoint Security's GRI report, educational organizations have been disproportionately targeted by Akira, representing eight of its 36 observed victims.

The ransomware campaign involves multiple malware samples that carry out various steps, including shadow copy deletion, file search, enumeration, and encryption, when executed.

Akira uses a double-extortion method by stealing personal data, encrypting it, and then extorting money from the victims. If they refuse to pay, the group then threatens to release the data on the Dark Web.

Upon gaining access, the group uses tools including remote desktop apps AnyDesk and RustDesk and encryption and archiving tool WinRAR.

Advanced system information tool and task manager PC Hunter aids the group in laterally moving through the breached systems, along with wmiexc, according to the report.

The group can also disable real-time monitoring to evade detection by Windows Defender, and shadow copies are deleted through PowerShell.  

Ransom note files are dropped into the multiple files across the victim's system, which contain payment instructions and decryption assistance.  

Anish Bogati security research engineer at Logpoint, says Akira's use of Windows internal binary (also known as LOLBAS) for execution, retrieving credentials, evading defense, facilitating lateral movement, and deleting backups and shadow copies, is the group's most concerning TTP.

"Windows internal binaries normally won't be monitored by endpoint protection, and they are already present in the system so adversaries don't have to download them into the system," he explains.

Bogati adds that the ability to create a task configuration (location of files or folders to be encrypted, determining the percentage of data to be encrypted) can't be overlooked, as it automatically sets up the configuration without manual intervention.

Enacting Countermeasures

"The evolution of multiple malware variants and its capabilities suggest that the threat actors quickly adapt according to trends," Bogati notes. "The Akira group is well-experienced and well-versed in defense capabilities as they abuse Windows internal binary, API, and legitimate software."

He recommends organizations implement MFA and limit permissions to prevent brute-forcing of credentials, as well as keeping software and systems updated to stay ahead of adversaries constantly exploiting newly discovered vulnerabilities. 

Auditing of privileged accounts and regular security awareness training were among the other recommendations contained in the report. 

The report also advised network segmentation to isolate critical systems and sensitive data, reducing the risk of breaches and limiting lateral movement by attackers.

Bogati says organizations should also consider blocking unauthorized tunneling and remote access tools, such as Cloudflare ZeroTrust, ZeroTier, and TailScale, which he explains are often used by adversaries to covertly access compromised networks.

Ransomware Landscape Marked by New Actors

The gang, named for a 1988 Japanese anime cult classic featuring a psychopathic biker, emerged as a cybercriminal force to be reckoned with in April of this year and is primarily known for attacking Windows systems.

The shift by Akira into Linux enterprise environments follows a move by other, more established ransomware — such as Cl0p, Royal, and IceFire ransomware groups — to do the same.

Akira is among a fresh crop of ransomware actors energized the threat landscape, which has been marked by an emergence of smaller groups and new tactics, while established gangs like LockBit see fewer victims.

Newer ransomware groups include 8Base, Malas, Rancoz, and BlackSuit, each with its own distinct characteristics and targets.

"By looking at their victim count, Akira is likely to become one of the most active threat actors," Bogati warns. "They're developing multiple variants of their malware with various capabilities, and they will not miss any opportunity to exploit unpatched systems."