New Akira Ransomware Samples Point to Further Evolution

The operators of the Akira ransomware-as-a-service (RaaS) group appear to be moving to a new encryptor and returning to their previously successful model of double-extortion after spending the last few months just exfiltrating data from victims. New research from Cisco Talos shows that the group’s affiliates are employing a new C++-based encryptor for both Linux and Windows systems.

Why It Matters: The Akira ransomware group has been active since early 2023 and has shown the ability to develop multiple custom tools, including encryptors written in both Rust and C++, and also have the capability of targeting Windows systems and VMware ESXi systems on Linux. The group has racked up tens of millions of dollars in profits since it hit the scene and has continually evolved its tactics and techniques in that time. 

Key Details: 

• Akira affiliates are known to exploit public vulnerabilities for initial access, including a flaw in Cisco VPN services (CVE-2023-20269) and another in VMware ESXi (CVE-2024-37085). They also sometimes abuse stolen credentials, exploit RDP, and use spear phishing to gain access to a target. 

• The group initially used the popular double-extortion method, which involves stealing sensitive data from a compromised network and holding it for ransom while also encrypting the system and demanding a separate ransom. In early 2024 affiliates cast aside the encryption part of the scheme and simply started stealing data and demanding a ransom for its return. 

• Since early September, Akira affiliates have been deploying a new version of the Windows encryptor, which appears to be an updated version of the previous sample. The new samples also use the ChaCha8 stream cipher, rather than ChaCha20, a move that’s likely designed for speed. 

“From our recent analysis, we suspect that Akira may be transitioning from the use of the Rust-based Akira v2 variant and returning to previous TTPs using Windows and Linux encryptors written in C++. This could be because of a potential refocus on incremental iterations with stability and reliability in their operations over innovation. The cross-platform consistency indicates the adversaries’ focus on an adaptable payload, enabling the threat actor to target multiple operating systems with minimal changes,” the Talos advisory says. 

Akira has been one of the more active ransomware groups in the last couple of years and has shown the ability to adapt its TTPs and develop new tools as needed. It’s likely that the group will continue to evolve and shift its tactics as the landscape changes and defenders respond. 

“We assess that Akira and its affiliates will continue prioritizing attacks against VMWare’s ESXi and Linux environments throughout 2024, echoing a broader trend observed across the ransomware landscape. Adversary targeting of these platforms is driven by their prevalence in enterprise infrastructure, hosting critical infrastructure and high-value data, and their capacity for mass encryption and disruption with minimal lateral movement,” the advisory says. 

What to Do Now: Scan your environment for systems vulnerable to the known flaws that Akira uses for initial access and apply patches as needed.