Release "Akira Ransomware" IoC's in ART ‐ CREDS

By Ralf Bardoel | 07 Jun 2024

Release "Akira Ransomware" IoC's in ART

Incorporating Akira ransomware IoC’s in ART

This week CREDS releases the Akira malware IoC’s in our friendly virus. This malware was choosen based on its high infection rate. Every month, CREDS integrates the behaviours of a new type of malware into its friendly virus. The behaviours (i.e. Indicators of Compromise) do not cause any damage within the customer’s IT infrastructure but should be noticed by the virus scanner, firewalls and other preventive security measures. Besides testing the behaviour of new malware, the friendly virus will also try to compromise a crown jewel by increasing permissions or moving to other servers. This can be done by exploiting technical weaknesses, logical weaknesses or leaked password on Deepweb. The aim of the attack is once again to compromise crown jewels and test the customer’s resilience against malware attacks.

Akira malware

Since March 2023, Akira ransomware has targeted businesses and critical infrastructure in North America, Europe, and Australia. Initially focusing on Windows systems, in April 2023, Akira expanded to Linux, specifically VMware ESXi virtual machines. By January 1, 2024, the group had attacked over 250 organizations, extorting around $42 million. The initial foothold is often gained via a VPN connection which only requires single factor authentication and/or by misusing mainly Cisco vulnerabilities like CVE-2020-3259 and CVE-2023-20269. Additional methods of initial access include the use of remote desktop services with an easy to guess password and spear phishing.

Once Akira threat actors gain access, they exploit domain controllers by creating new domain accounts to maintain persistence. Open source reports indicate that Akira threat actors use post-exploitation techniques like Kerberoasting to extract credentials from the Local Security Authority Subsystem Service (LSASS). They also use credential scraping tools such as Mimikatz and LaZagne for privilege escalation. For network device discovery, they use tools like SoftPerfect and Advanced IP Scanner, and employ net Windows commands to identify domain controllers and gather domain trust relationship information. In the paragraphs below we discuss the technincal details of the Akira ransomware.

String Encryption

The string encryption of Akira ransomware is based around modulo 0x7f(127) with some extra obfuscation. This can be easily found by finding magic value 0x81020409. The two images below show the main differences between two routines: Akira 1
Akira 2

A constant value from the first image is subtracted from the obfuscated value. In the second image the obfuscated value is subtracted from the constant value. These two variations along with the variance of the constant account for most of the variablity present in the obfuscation.

Process Termination for file access

The Akira ransomware uses restartmanager to make sure certain files are accessible by terminating processes related to the file, like:

- C:\DumpStack.log.tmp
- C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db
- C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-shm
- C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-wal
- C:\Users\user\AppData\Local\Microsoft\GameDVR\KnownGameList.bin

The Restart Manager is a Windows feature designed to help applications and installers manage system restarts more effectively by providing a way to close and restart applications and services. Ransomware and other types of malware can misuse the Restart Manager to ensure certain files are not in use by other applications, allowing the malware to access and modify these files.

The malware initializes the Restart Manager session using the RmStartSession function, which creates a new session and provides a session handle
The malware registers the resources (files, services, or applications) it wants to manipulate using RmRegisterResources
The malware calls RmGetList to get a list of applications and services that are using the specified resources. This function returns the names of the processes and services that are using the resources.
The malware uses RmShutdown to shut down the applications and services that are using the resources. This function gracefully closes the applications, allowing them to save data and state. This frees up the targeted files so the malware may access and modify them without inteference

Attempts to remove backups

Akira uses the following command to remove possible backups: powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject". Shadow Copy, also known as Volume Shadow Copy Service (VSS) or Volume Snapshot Service, is a feature in Microsoft Windows that allows the creation of backup copies or snapshots of computer files or volumes. Akira also tries to remove the snapshots from VSS.

Encryption

Akira ransomware uses an embedded RSA Public Key loaded by the Microsoft Enhanced RSA and AES Cryptographic Provider to encrypt passwords:

The ransomware generates random bytes for a key, uses ChaCha20 to encrypt files using said key. During the encryption process files with extensions .sys, .exe, .dll are avoided in order to keep the system running. Furthermore, .akira files are ignored to prevent double encryption.