
Akira

Akira is a ransomware variant and ransomware deployment entity active since at least March 2023.(Citation: Arctic Wolf Akira 2023) Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.(Citation: Arctic Wolf Akira 2023)(Citation: Secureworks GOLD SAHARA) Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates multiple overlaps with and similarities to Conti malware.(Citation: BushidoToken Akira 2023)
ID: G1024
Associated Groups: PUNK SPIDER, GOLD SAHARA
Created: 20 Feb 2024
Last Modified: 03 Oct 2024

Associated Group Descriptions

Name Description
PUNK SPIDER (Citation: CrowdStrike PUNK SPIDER)
GOLD SAHARA (Citation: Secureworks GOLD SAHARA)

Techniques Used

Domain ID Name Use
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Akira uses utilities such as WinRAR to archive data prior to exfiltration.(Citation: Secureworks GOLD SAHARA)

Enterprise T1213 .002 Data from Information Repositories: Sharepoint

Akira has accessed and downloaded information stored in SharePoint instances as part of data gathering and exfiltration activity.(Citation: Secureworks GOLD SAHARA)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Akira will exfiltrate victim data using applications such as Rclone.(Citation: Secureworks GOLD SAHARA)
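The three techniques above describe one collection-and-exfiltration chain: data is archived with a utility such as WinRAR and then pushed to cloud storage with Rclone. The following detection sketch is an added example and is not part of the SECURITM page or of the MITRE ATT&CK entry it mirrors. It runs a correlation heuristic over constructed process-creation events (the `ProcessEvent` schema, host names, user names, paths and the `mega` remote name are all assumptions for this example): an archive-creation command (`Rar.exe a` / `WinRAR.exe a`) on a host followed within a window by an `rclone` invocation that names a configured remote (`<name>:<path>`) is raised as a high-severity staging-plus-exfiltration alert, while an rclone transfer to a remote on its own is raised at medium severity.

```python
"""Heuristic detection of the archive-then-Rclone exfiltration chain.

Added example with constructed telemetry; the event schema and sample values
are assumptions, not a real EDR format or real Akira artefacts.
"""
import re
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath


@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    image: str      # full path of the executable (assumed field)
    cmdline: str    # full command line (assumed field)


# Constructed sample telemetry for this example only.
SAMPLE_EVENTS = [
    ProcessEvent(datetime(2024, 2, 20, 1, 2), "FS01", r"CORP\svc-backup",
                 r"C:\Program Files\WinRAR\Rar.exe",
                 r'Rar.exe a -r C:\Temp\fin.rar "\\FS01\Finance"'),
    ProcessEvent(datetime(2024, 2, 20, 1, 9), "FS01", r"CORP\svc-backup",
                 r"C:\Temp\rclone.exe",
                 r"rclone.exe copy C:\Temp\fin.rar mega:dump --transfers 16"),
    # Benign: a user extracting an archive, no rclone follows.
    ProcessEvent(datetime(2024, 2, 20, 9, 0), "WKS22", r"CORP\alice",
                 r"C:\Program Files\WinRAR\WinRAR.exe", "WinRAR.exe x report.rar"),
    ProcessEvent(datetime(2024, 2, 20, 9, 5), "WKS22", r"CORP\alice",
                 r"C:\Windows\explorer.exe", "explorer.exe"),
]

ARCHIVERS = {"rar.exe", "winrar.exe"}   # WinRAR GUI and console binaries
RCLONE = {"rclone.exe"}
# rclone addresses a configured remote as "<name>:<path>". A single letter
# before the colon is a Windows drive, so require at least two characters.
REMOTE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_-]+):")


def _tokens(cmdline):
    # posix=False keeps Windows backslashes literal; surrounding quotes are stripped.
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def is_archive_creation(ev):
    """True when WinRAR/Rar is invoked with the 'a' (add) command, i.e. building an archive."""
    if PureWindowsPath(ev.image).name.lower() not in ARCHIVERS:
        return False
    # The first token after the program name that is not a switch is the rar command letter.
    for tok in _tokens(ev.cmdline)[1:]:
        if not tok.startswith("-"):
            return tok.lower() == "a"
    return False


def rclone_remote_targets(ev):
    """Return the rclone remote names (text before ':') referenced on the command line."""
    if PureWindowsPath(ev.image).name.lower() not in RCLONE:
        return []
    targets = []
    for tok in _tokens(ev.cmdline)[1:]:
        if tok.startswith("-"):
            continue
        m = REMOTE_RE.match(tok)
        if m:
            targets.append(m.group(1))
    return targets


def detect(events, window=timedelta(hours=1)):
    """Correlate archive creation with a later rclone transfer on the same host."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        archive_times = [e.ts for e in evs if is_archive_creation(e)]
        for e in evs:
            remotes = rclone_remote_targets(e)
            if not remotes:
                continue
            staged = any(e.ts - window <= t <= e.ts for t in archive_times)
            alerts.append({
                "host": host, "user": e.user, "ts": e.ts, "remotes": remotes,
                "severity": "high" if staged else "medium",
                "reason": ("archive created, then rclone to remote"
                           if staged else "rclone to remote"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic would sit on top of real process-creation telemetry (Sysmon event 1, EDR process events) and should also cover renamed rclone binaries, for example by matching on the binary's original file name or hash rather than the image name alone; that extension is outside this example.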

Software

ID Name References Techniques

S1040 Rclone
  References: (Citation: Arctic Wolf Akira 2023) (Citation: DarkSide Ransomware Gang) (Citation: Detecting Rclone) (Citation: DFIR Conti Bazar Nov 2021) (Citation: Rclone Wars) (Citation: Rclone)
  Techniques: Exfiltration to Cloud Storage, File and Directory Discovery, Data Transfer Size Limits, Archive via Utility, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol

S1129 Akira
  References: (Citation: Kersten Akira 2023)
  Techniques: File and Directory Discovery, System Information Discovery, PowerShell, Windows Management Instrumentation, Windows Command Shell, Network Share Discovery, Native API, Inhibit System Recovery, Process Discovery, Data Encrypted for Impact

S0002 Mimikatz
  References: (Citation: Adsecurity Mimikatz Guide) (Citation: Arctic Wolf Akira 2023) (Citation: Deply Mimikatz)
  Techniques: DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets

S0349 LaZagne
  References: (Citation: Arctic Wolf Akira 2023) (Citation: GitHub LaZagne Dec 2018) (Citation: GitHub LaZange Dec 2018)
  Techniques: Credentials In Files, Windows Credential Manager, LSA Secrets, /etc/passwd and /etc/shadow, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials from Password Stores, Keychain, Proc Filesystem

S0552 AdFind
  References: (Citation: Arctic Wolf Akira 2023) (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Red Canary Hospital Thwarted Ryuk October 2020)
  Techniques: Domain Trust Discovery, Domain Groups, System Network Configuration Discovery, Remote System Discovery, Domain Account

S0029 PsExec
  References: (Citation: Arctic Wolf Akira 2023) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)
  Techniques: SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account
