
Akira

Akira is a ransomware variant and ransomware deployment entity active since at least March 2023.(Citation: Arctic Wolf Akira 2023) Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly available tools and techniques for lateral movement.(Citation: Arctic Wolf Akira 2023)(Citation: Secureworks GOLD SAHARA) Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMware ESXi hypervisors and multiple overlaps with Conti ransomware.(Citation: BushidoToken Akira 2023)(Citation: CISA Akira Ransomware APR 2024)(Citation: Cisco Akira Ransomware OCT 2024)
ID: G1024
Associated Groups: PUNK SPIDER, GOLD SAHARA, Howling Scorpius
Version: 2.0
Created: 20 Feb 2024
Last Modified: 11 Mar 2025

Associated Group Descriptions

Name Description
PUNK SPIDER (Citation: CrowdStrike PUNK SPIDER)
GOLD SAHARA (Citation: Secureworks GOLD SAHARA)
Howling Scorpius (Citation: Palo Alto Howling Scorpius DEC 2024)

Techniques Used

Domain ID Name Use
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Akira uses utilities such as WinRAR to archive data prior to exfiltration.(Citation: Secureworks GOLD SAHARA)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Akira has used PowerShell scripts for credential harvesting and privilege escalation.(Citation: Cisco Akira Ransomware OCT 2024)

Enterprise T1213 .002 Data from Information Repositories: Sharepoint

Akira has accessed and downloaded information stored in SharePoint instances as part of data gathering and exfiltration activity.(Citation: Secureworks GOLD SAHARA)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Akira will exfiltrate victim data using applications such as Rclone.(Citation: Secureworks GOLD SAHARA)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Akira has disabled or modified security tools for defense evasion.(Citation: Cisco Akira Ransomware OCT 2024)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

Akira has used legitimate names and locations for files to evade defenses.(Citation: Cisco Akira Ransomware OCT 2024)

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Akira has used binary padding to obfuscate payloads.(Citation: Cisco Akira Ransomware OCT 2024)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Akira has used RDP for lateral movement.(Citation: Cisco Akira Ransomware OCT 2024)

Software

ID Name References Techniques

S1191 Megazord
References: (Citation: CISA Akira Ransomware APR 2024) (Citation: Cisco Akira Ransomware OCT 2024) (Citation: Palo Alto Howling Scorpius DEC 2024)
Techniques: Service Stop, File and Directory Discovery, Log Enumeration, Process Discovery, Data Encrypted for Impact, Windows Command Shell

S1040 Rclone
References: (Citation: Arctic Wolf Akira 2023) (Citation: DFIR Conti Bazar Nov 2021) (Citation: DarkSide Ransomware Gang) (Citation: Detecting Rclone) (Citation: Rclone Wars) (Citation: Rclone)
Techniques: Archive via Utility, File and Directory Discovery, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration to Cloud Storage, Data Transfer Size Limits, Exfiltration Over Unencrypted Non-C2 Protocol

S1129 Akira
References: (Citation: CISA Akira Ransomware APR 2024) (Citation: Cisco Akira Ransomware OCT 2024) (Citation: Kersten Akira 2023)
Techniques: Windows Management Instrumentation, Network Share Discovery, System Information Discovery, Native API, File and Directory Discovery, Process Discovery, PowerShell, Data Encrypted for Impact, Windows Command Shell, Inhibit System Recovery

S1194 Akira _v2
References: (Citation: CISA Akira Ransomware APR 2024) (Citation: Cisco Akira Ransomware OCT 2024) (Citation: Palo Alto Howling Scorpius DEC 2024)
Techniques: Create or Modify System Process, Service Stop, File and Directory Discovery, Execution Guardrails, Log Enumeration, Data Encrypted for Impact

S0002 Mimikatz
References: (Citation: Adsecurity Mimikatz Guide) (Citation: Arctic Wolf Akira 2023) (Citation: Deply Mimikatz)
Techniques: Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync

S0349 LaZagne
References: (Citation: Arctic Wolf Akira 2023) (Citation: GitHub LaZagne Dec 2018) (Citation: GitHub LaZange Dec 2018)
Techniques: Keychain, LSA Secrets, Proc Filesystem, Credentials from Password Stores, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials In Files, /etc/passwd and /etc/shadow, Windows Credential Manager

S0552 AdFind
References: (Citation: Arctic Wolf Akira 2023) (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Red Canary Hospital Thwarted Ryuk October 2020)
Techniques: Domain Account, Domain Groups, System Network Configuration Discovery, Domain Trust Discovery, Remote System Discovery

S0029 PsExec
References: (Citation: Arctic Wolf Akira 2023) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)
Techniques: Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution
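The Techniques Used and Software sections above describe a recognisable tooling chain: WinRAR archiving (T1560.001), hidden or encoded PowerShell (T1059.001), Rclone uploads to a named cloud remote (T1567.002), and PsExec and AdFind as supporting tools. The following is an added example, not part of the ATT&CK record or of SECURITM, showing how a defender can turn those rows into simple process-creation rules and then look for hosts where several of them fire together. The log format (one `key=value` record per line with `cmdline` last), the host and user names, and the command lines are all constructed for the example; the rule identifiers are the technique and software IDs from the page.

```python
"""Added example: rule scan over constructed process-creation records for the
Akira tooling listed on the page. Not from the ATT&CK record or SECURITM."""
import re
from typing import Dict, List, Tuple

# Constructed sample records (not real telemetry). Convention assumed here:
# key=value fields separated by spaces, with cmdline always the last field so
# that spaces inside the command line are preserved by the parser.
SAMPLE_EVENTS = [
    r"ts=2024-03-01T01:02:03Z host=FS01 user=CORP\svc_backup image=C:\Program Files\WinRAR\Rar.exe cmdline=Rar.exe a -r -hp D:\staging\finance.rar \\FS01\Finance",
    r"ts=2024-03-01T01:20:41Z host=FS01 user=CORP\svc_backup image=C:\Users\Public\rclone.exe cmdline=rclone.exe copy D:\staging mega:backup --transfers 32",
    r"ts=2024-03-01T02:05:10Z host=WS12 user=CORP\jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline=powershell.exe -nop -w hidden -enc QQBCAEMA",
    r"ts=2024-03-01T02:07:33Z host=WS12 user=CORP\jdoe image=C:\Temp\PsExec.exe cmdline=PsExec.exe \\DC01 -s cmd.exe",
    r"ts=2024-03-01T02:08:00Z host=WS12 user=CORP\jdoe image=C:\Windows\System32\svchost.exe cmdline=svchost.exe -k netsvcs",
    r"ts=2024-03-01T02:15:12Z host=WS07 user=CORP\admin image=C:\Tools\AdFind.exe cmdline=AdFind.exe -f (objectcategory=person)",
]

# (rule id taken from the page, regex on the lower-cased image basename,
#  regex on the lower-cased command line)
RULES: List[Tuple[str, str, str]] = [
    ("T1560.001", r"^(?:win)?rar\.exe$", r"\s+a\s"),                 # WinRAR archive creation
    ("T1567.002", r"^rclone(?:\.exe)?$",
     r"\s(?:copy|sync|move)\s.*\s[a-z_][\w-]+:"),                     # rclone to a named remote (not a drive letter)
    ("T1059.001", r"^powershell\.exe$",
     r"-(?:enc\w*|w(?:indowstyle)?\s+hidden)\b"),                     # encoded or hidden-window PowerShell
    ("S0029", r"^psexec(?:64)?\.exe$", r"\\\\\S+"),                   # PsExec aimed at a remote host
    ("S0552", r"^adfind\.exe$", r"."),                                # any AdFind execution
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value record; each value runs until the next ' key=' or end of line."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the ids of all rules that fire on one parsed event."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("cmdline", "").lower()
    return [rule_id for rule_id, image_re, cmd_re in RULES
            if re.search(image_re, image) and re.search(cmd_re, cmdline)]


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan records and return (host, user, rule_id) findings in log order."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        event = parse_event(line)
        for rule_id in match_event(event):
            findings.append((event["host"], event["user"], rule_id))
    return findings


def hosts_with_chained_activity(findings: List[Tuple[str, str, str]],
                                minimum: int = 2) -> Dict[str, int]:
    """Hosts on which at least `minimum` distinct rules fired. An archive step
    followed by an rclone upload on the same host is the double-extortion
    staging pattern the page describes, and is worth more than either alone."""
    per_host: Dict[str, set] = {}
    for host, _, rule_id in findings:
        per_host.setdefault(host, set()).add(rule_id)
    return {h: len(r) for h, r in per_host.items() if len(r) >= minimum}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for host, user, rule_id in hits:
        print(f"{host:<5} {user:<18} {rule_id}")
    print("chained:", hosts_with_chained_activity(hits))
```

On the constructed input the scan flags the WinRAR and rclone steps on FS01, the PowerShell and PsExec steps on WS12, and AdFind on WS07, while the svchost record passes; the chained view then surfaces FS01 and WS12 as the hosts worth triaging first. The rules are deliberately narrow (archive creation rather than any WinRAR use, a named remote rather than any rclone invocation), which is the trade-off to make explicitly when tuning them against real telemetry.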
