The dozens of cybercriminals that made up the Conti group continue to launch campaigns unabated. Previously in 2022, I blogged about how following the Conti Leaks, the operators of Conti continued on via multiple rebranded ransomware campaigns, such as Royal, BlackBasta, and Quantum, among others.
Since my last two blogs on the Conti/TrickBot gang, multiple members of the Conti and TrickBot group have been officially sanctioned by the US and UK government in February 2023 and September 2023, formally confirming attribution to Russia-based threat actors. The sanctions are a vital step in the right direction and helps the public and law makers understand what organized cybercrime looks like and the scale of the fight on our hands.
In this blog, however, I wanted to explore the ransomware campaign called Akira that appeared in March 2023 and focus on how Akira connected to Conti. Akira is a rapidly growing threat to civil society and critical infrastructure and is the ransomware group I believe researchers and governments should be monitoring more closely.
Background on Akira
Adversaries and Victims
Firstly, the operators of Akira ransomware are financially motivated cybercriminals. They are in it for the money and have made a lot of it already in 2023, how much exactly is not clear. But public media reports state that between March and July 2023, the group has compromised at least 63 victims, which is around four organizations hit by Akira ransomware per week that we know about. From negotiations seen by BleepingComputer, the ransomware gang demands ransoms ranging from a $200,000 to millions of dollars.
The group performs the usual double extortion campaigns, whereby the victim’s files and information are stolen and shared to their Tor data leak site (DLS) if the ransom is not paid. Private cybersecurity vendors also track the Akira operators as Punk Spider (CrowdStrike) and Gold Sahara (Secureworks).
Alongside being connected to Conti, the Akira operators are likely connected to other ransomware operations too, such as Snatch and BlackByte. In an August 2023, researchers found an open directory of tools used by an Akira operator that were also likely being used by a threat actor with connections to Snatch ransomware. In July 2023, media reports shared that Yamaha’s Canadian music division was listed on the Akira DLS, which was after they were listed on BlackByte’s DLS in June 2023. The connections between Akira and other ransomware gangs highlight that those who deploy Akira are likely affiliated with more than one ransomware crew, as Microsoft found is usually the case among affiliates.
Akira’s victims have been located around the world, but most that have appeared on their Tor DLS have been from North America. Akira attacks have impacted a wide range of industries, such as education, financial services, manufacturing, professional services, and healthcare. Most of the victims have been small-to-medium businesses (SMBs) with a few recognizable brand names, such as Yamaha.
Capabilities and Infrastructure
There have been multiple versions of the Akira ransomware family and it has been deployed across Windows domains and Hyper-V virtual infrastructure, as well as VMware ESXi hypervisors with Linux virtual machines (VMs). The first version of Akira was written in C++ and appended files with the “.akira” extension and dropped a ransom note called “akira_readme.txt” that is at least partially based on Conti’s V2 source code, according to malware analysts at Avast who also released a decryptor for Akira on 29 June 2023. However, a new version was shortly released that patched the decryption flaw on 2 July 2023. Since then, in late August 2023, a new revamped version of Akira appeared developed in Rust. This time it was called “megazord.exe” and appended “.powerranges” extension to encrypted files.
The most common initial access vector the Akira operators have used appears to be via brute-forcing Cisco VPN devices with single-factor authentication only. The Akira operator that was also tied to Snatch was also found exploiting Fortinet devices vulnerable to CVE-2019-6693 and CVE-2022-40684 for initial access. Incident responders have also said that they believe Akira operators likely purchase VPN credentials from cybercrime marketplaces fuelled by infostealer malware botnets or from potentially from initial access brokers (IABs).
By extracting tools and tradecraft from numerous threat reports on Akira, the operators have been known to leverage the same arsenal of tools time and time again, but may substitute some depending on the environment. These can be broken down into the following categories:
- External Reconnaissance: Masscan and ReconFTW
- Internal Enumeration: PCHunter64, Advanced IP Scanner, LANsweeper, SharpHound, AdFind, SoftPerfect NetScan, and Windows Nltest
- Credential Theft: Minidump, Mimikatz, LaZagne, and DonPAPI
- Persistence: RMM tools, such as AnyDesk, RustDesk, Radmin, and ScreenConnect, as well as disabling firewalls followed by enabling RDP, and PuTTy. The SystemBC crimeware RAT has also been used Akira.
- Defense Evasion: Disable EDR tools with Terminator.exe and ToolPow, as well as batch scripts for disabling LSA Protection and Windows Defender
- Lateral Movement: Impacket (wmiexec.py and atexec.py), RDP, and SSH
- Collection: Searching and downloading files from Microsoft SharePoint
- Exfiltration: Compression tools (7zip, WinRAR, etc) as well as Rclone, FileZilla, and WinSCP
- Command-and-control: Cloudflare Tunnel (Cloudflared), MobaXterm, and Ngrok
- Impact: Akira ransomware, usually launched via PsExec
After the ransomware has been deployed and the data is stolen, Akira begins the negotiations. This includes requesting the victim to visit Akira’s Green MS-DOS style Tor Negotiation site (akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id[.]onion) via the ransom note. And if the victim refuses to pay the ransom, they are listed on Akira’s DLS (akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad[.]onion).
Akira's similarities with Conti
- To start, both Conti and Akira are double extortion ransomware groups and Akira appeared almost a year after Conti shut down its Tor DLS. Many of Akira’s victims are the same as Conti’s, those being primarily North American businesses. Plus, much like Conti, there are versions of Akira ransomware that can target Windows domains or VMware ESXi hypervisors with Linux VMs.
- Malware analysts have noted several code similarities between Conti and Akira ransomware, such as the list of file type and directory exclusions, the structure of the file tail, the implementation of ChaCha 2008, and the code for key generation.
- Examples of negotiation chats between Akira and their victims have also been made public. These logs revealed that Akira operators use a script to begin negotiations just as Conti did, demonstrating behavioral similarity in campaign style.
- In August 2021, a disgruntled member of Conti leaked the gang’s playbook for launching templated attacks. Conti created this playbook to scale up operations and launch ransomware attacks more frequently, earning them more money. Akira campaigns have followed a very similar set of TTPs as the Conti playbook. The following tools used by Akira operators that are also mentioned in the Conti playbook include: Minidump, Mimikatz, AdFind, PChunter, PsExec, NetScan, Windows nltest, PuTTy, WinSCP, FileZilla, and AnyDesk.
- The SystemBC crimeware RAT that has been used in Akira campaigns has also been used by Conti and Ryuk operators. In Microsoft also highlighted that it is a specific operator they track as DEV-0237 that shifted SystemBC from Cobalt Strike during Conti campaigns.
- Blockchain analytics on Akira’s Bitcoin transactions by incident responders also revealed that on at least three occasions, Akira operators have sent ransom funds to addresses affiliated with known Conti wallets. These transactions also equalled more than 600,000 USD.
Based on the evidence gathered about Akira, it is my assessment that the operators behind Akira ransomware as linked to Conti with high confidence. The are numerous links at multiple levels, there is a combination of numerous technical and behavioral ties between the two groups.
One of the most telling connection is arguably the bitcoin transactions between Akira and known Conti wallets. The lack of any serious blockchain obfuscation techniques, such as using a mixing service or chain hopping, has made it trivial for investigators trace Akira ransom payments ultimately back to Conti with high confidence.
Even without these Bitcoin transactions as damning evidence, there are clear similarities between Akira and Conti TTPs. However, due to the Conti ransomware source code getting leaked as well as the playbook getting leaked, it is not impossible for threat actors to imitate Conti's success. But the fact Akira is sending funds back to Conti, does make it seem they are almost certainly working with former Conti members (who are sanctioned).
Conclusion
If you are a victim of Akira and you are considering paying the ransom, you are potentially dealing with the sanctioned Russian men mentioned at the start of this blog. Paying the ransom is funding the Russia-based organized cybercrime syndicates that threaten our civil society and critical infrastructure. Think about that next time a hospital is ransomed. Company executives at victim organizations need to realize that paying a sanctioned Russia-based cybercriminal group for a decryption key is hardly different from terrorist financing.
Article Link: Tracking Adversaries: Akira, another descendent of Conti