The new Akira ransomware operation has slowly built up a list of victims as they break into corporate networks around the world, encrypt files, and then demand million-dollar ransoms.
Launched in March 2023, Akira claims to have already carried out attacks against sixteen companies. These companies belong to various sectors, including education, finance, real estate, manufacturing and consulting.
While another ransomware named Akira was released in 2017these operations are not believed to be related.
The Akira Cipher
A sample of Akira ransomware was discovered by MalwareHunterTeamwho shared a sample with BleepingComputer so we could analyze it.
Once executed, Akira will delete shadow copies of Windows volumes on the device by running the following PowerShell command:
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
The ransomware will then proceed to encrypt files containing the following file extensions:
.accdb, .accde, .accdc, .accdt, .accdr, .adb, .accft, .adf, .ade, .arc, .adp, .alf, .ora, .btr, .ask, .cat, .bdf, .ckp, .cdb, .cpd, .cma, .dad, .dacpac, .daschema, .dadiagrams, .db-shm, .db-wal, .dbf, .dbc, .dbt, .dbs, .dbx, .dbv, .dct, .dcb, .ddl, .dcx, .dlis, .dsk, .dqy, .dtsx, .dsn, .eco, .dxl, .edb, .ecx, .exb, .epim, .fdb, .fcd, .fmp, .fic, .fmpsl, .fmp12, .fol, .fpt, .gdb, .frm, .gwi, .grdb, .his, .hdb, .idb, .itdb, .ihx, .jet, .itw, .kdb, .jtx, .kexic, .kexi, .lgc, .kexis, .maf, .lwx, .mar, .maq, .mav, .mas, .mdf, .mdb, .mrg, .mpd, .mwb, .mud, .ndf, .myd, .nrmlib, .nnt, .nsf, .nyf, .nwdb, .oqy, .odb, .owc, .orx, .pdb, .pan, .pnz, .pdm, .qvd, .qry, .rctd, .rbf, .rodx, .rod, .rsd, .rpd, .sbf, .sas7bdat, .sdb, .scx, .sdf, .sdc, .spq, .sis, .sqlite, .sql, .sqlitedb, .sqlite3, .temx, .tps, .tmd, .trm, .trc, .udl, .udb, .usr, .vpd, .vis, .wdb, .vvv, .wrk, .wmdb, .xld, .xdb, .abcddb, .xmlff, .abx, .abs, .adn, .accdw, .icg, .hjt, .kdb, .icr, .maw, .lut, .mdt, .mdn, .vhd, .vdi, .pvm, .vmdk, .vmsn, .vmem, .nvram, .vmsd, .raw, .vmx, .subvol, .qcow2, .vsv, .bin, .vmrs, .avhd, .avdx, .vhdx, .iso, .vmcx
During encryption, the encryptor will skip files found in the Recycle Bin, System Volume Information, Startup, ProgramData, and Windows folders. It will also avoid encrypting Windows system files with .exe, .lnk, .dll, .msi and .sys file extensions.
While encrypting files, the ransomware encrypts the files and appends the .akira the extension will be appended to the file name.
For example, a file named 1.doc would be encrypted and renamed to 1.doc.akira, as shown in the encrypted folder below.
Akira also uses the Windows Restart Manager API to close processes or stop Windows services that may keep a file open and prevent encryption.
Each computer folder will contain a ransom note named akira_readme.txt which includes information about what happened to a victim’s files and links to Akira’s data leak site and trading site.
“Regarding your data, if we can’t agree, we’ll try to sell personal information/trade secrets/databases/source code – generally anything of market value. noir – to multiple threat actors at once. Then all of this will be posted on our blog,” Akira’s ransom note threatens.
Each victim has a unique negotiation password that is entered into the threat actor’s Tor site. Unlike many other ransomware operations, this trading site simply includes a chat system that the victim can use to negotiate with the ransomware gang.
Data leak site used to extort victims
Like other ransomware operations, Akira will breach a corporate network and spread laterally to other devices. Once threat actors obtain Windows domain administrator credentials, they will deploy the ransomware throughout the network.
However, before encrypting files, threat actors will steal company data to leverage their extortion attempts, warning victims that they will be made public if a ransom is not paid.
The Akira gang has put a lot of effort into their data leak site, giving it a retro look where visitors can navigate it by typing commands as shown below.
As of this writing, Akira has leaked the data of four victims on his data leak site, with the size of the leaked data ranging from 5.9 GB for one company to 259 GB for another.
Based on negotiations seen by BleepingComputer, the ransomware gang demands ransoms ranging from $200,000 to millions of dollars.
They are also willing to reduce ransom demands for companies that don’t need a decryptor and just want to prevent stolen data from leaking.
The ransomware is currently being analyzed for its vulnerabilities, and BleepingComputer does not advise victims to pay the ransom until it is determined whether a free decryptor can recover files for free.