
Akira

Akira is a ransomware variant and ransomware deployment entity active since at least March 2023.(Citation: Arctic Wolf Akira 2023) Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly available tools and techniques for lateral movement.(Citation: Arctic Wolf Akira 2023)(Citation: Secureworks GOLD SAHARA) Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMware ESXi hypervisors and multiple overlaps with Conti ransomware.(Citation: BushidoToken Akira 2023)(Citation: CISA Akira Ransomware APR 2024)(Citation: Cisco Akira Ransomware OCT 2024)
ID: G1024
Associated Groups: PUNK SPIDER, Howling Scorpius, GOLD SAHARA
Version: 2.0
Created: 20 Feb 2024
Last Modified: 11 Mar 2025

Associated Group Descriptions

Name Description
PUNK SPIDER (Citation: CrowdStrike PUNK SPIDER)
Howling Scorpius (Citation: Palo Alto Howling Scorpius DEC 2024)
GOLD SAHARA (Citation: Secureworks GOLD SAHARA)

Techniques Used

Domain ID Name Use
Enterprise T1560.001 Archive Collected Data: Archive via Utility

Akira uses utilities such as WinRAR to archive data prior to exfiltration.(Citation: Secureworks GOLD SAHARA)

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Akira has used PowerShell scripts for credential harvesting and privilege escalation.(Citation: Cisco Akira Ransomware OCT 2024)

Enterprise T1213.002 Data from Information Repositories: Sharepoint

Akira has accessed and downloaded information stored in SharePoint instances as part of data gathering and exfiltration activity.(Citation: Secureworks GOLD SAHARA)

Enterprise T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Akira will exfiltrate victim data using applications such as Rclone.(Citation: Secureworks GOLD SAHARA)

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Akira has disabled or modified security tools for defense evasion.(Citation: Cisco Akira Ransomware OCT 2024)

Enterprise T1036.005 Masquerading: Match Legitimate Resource Name or Location

Akira has used legitimate names and locations for files to evade defenses.(Citation: Cisco Akira Ransomware OCT 2024)

Enterprise T1027.001 Obfuscated Files or Information: Binary Padding

Akira has used binary padding to obfuscate payloads.(Citation: Cisco Akira Ransomware OCT 2024)

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

Akira has used RDP for lateral movement.(Citation: Cisco Akira Ransomware OCT 2024)

Software

ID Name References Techniques

S1191 Megazord
References: (Citation: CISA Akira Ransomware APR 2024) (Citation: Cisco Akira Ransomware OCT 2024) (Citation: Palo Alto Howling Scorpius DEC 2024)
Techniques: Windows Command Shell, Service Stop, Log Enumeration, Process Discovery, Data Encrypted for Impact, File and Directory Discovery

S1040 Rclone
References: (Citation: Arctic Wolf Akira 2023) (Citation: DarkSide Ransomware Gang) (Citation: Detecting Rclone) (Citation: DFIR Conti Bazar Nov 2021) (Citation: Rclone Wars) (Citation: Rclone)
Techniques: Exfiltration to Cloud Storage, File and Directory Discovery, Data Transfer Size Limits, Archive via Utility, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol

S1129 Akira
References: (Citation: CISA Akira Ransomware APR 2024) (Citation: Cisco Akira Ransomware OCT 2024) (Citation: Kersten Akira 2023)
Techniques: File and Directory Discovery, System Information Discovery, PowerShell, Windows Management Instrumentation, Windows Command Shell, Network Share Discovery, Native API, Inhibit System Recovery, Process Discovery, Data Encrypted for Impact

S1194 Akira _v2
References: (Citation: CISA Akira Ransomware APR 2024) (Citation: Cisco Akira Ransomware OCT 2024) (Citation: Palo Alto Howling Scorpius DEC 2024)
Techniques: Create or Modify System Process, Log Enumeration, Data Encrypted for Impact, File and Directory Discovery, Service Stop, Execution Guardrails

S0002 Mimikatz
References: (Citation: Adsecurity Mimikatz Guide) (Citation: Arctic Wolf Akira 2023) (Citation: Deply Mimikatz)
Techniques: DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets

S0349 LaZagne
References: (Citation: Arctic Wolf Akira 2023) (Citation: GitHub LaZagne Dec 2018) (Citation: GitHub LaZange Dec 2018)
Techniques: Credentials In Files, Windows Credential Manager, LSA Secrets, /etc/passwd and /etc/shadow, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials from Password Stores, Keychain, Proc Filesystem

S0552 AdFind
References: (Citation: Arctic Wolf Akira 2023) (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Red Canary Hospital Thwarted Ryuk October 2020)
Techniques: Domain Trust Discovery, Domain Groups, System Network Configuration Discovery, Remote System Discovery, Domain Account

S0029 PsExec
References: (Citation: Arctic Wolf Akira 2023) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)
Techniques: SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account
