
Akira Ransomware

Download the full Akira Ransomware report from our Threat Intelligence Team.

Akira Ransomware Overview

Akira ransomware is a strain of ransomware that emerged in March 2023 and has since targeted various industry sectors, including education, finance, real estate, manufacturing, and consulting.

The ransomware deletes shadow volume copies on victim devices via a PowerShell command before encrypting files and appending the ‘.akira’ file extension. Akira uses the Windows Restart Manager application programming interface (API) to terminate processes or stop Windows services that hold files open, so that locked files do not block encryption. Before encrypting, Akira steals corporate data from its victims to use as leverage in later negotiations over unlocking the encrypted files. The malware gains initial access to systems through various means, including search engine optimisation (SEO) poisoning and malvertising.

Akira’s ransom notes, dropped as ‘akira_readme.txt’ files, contain links to Akira’s extortion blog and instructions on how victims can negotiate the release of their files.

The ransomware compromised at least 16 victims within its first two months. Akira’s operators use a unique negotiation system and host a Tor-based (.onion) website where victims are listed, along with any stolen data, should a victim fail to comply with the ransom demands.
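As an added example (not part of the report), the following Python script shows how a defender might triage process-creation telemetry for the two behaviours described above: shadow-copy deletion before encryption, and the ‘akira_readme.txt’ note and ‘.akira’ extension. The sample events are constructed, and the shadow-copy patterns are generic inhibit-recovery indicators rather than strings taken from the report.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry): image name
# and full command line as a Sysmon or EDR event would record them.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": "powershell.exe",
     "cmdline": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"image": "vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-ChildItem C:\\Users -Recurse"},
    {"image": "notepad.exe", "cmdline": "notepad.exe C:\\Users\\alice\\akira_readme.txt"},
]

# Generic shadow-copy deletion indicators (ATT&CK T1490, Inhibit System
# Recovery). Common tooling patterns, not strings taken from the report.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))", re.I),
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

# Artefacts the report attributes to Akira: ransom note name and extension.
AKIRA_ARTEFACT = re.compile(r"akira_readme\.txt|\.akira\b", re.I)


def classify_event(event: Dict[str, str]) -> List[str]:
    """Tag one event: 'shadow_copy_deletion' if the command line matches an
    inhibit-recovery pattern, 'akira_artefact' if it names the ransom note
    or the '.akira' extension. Both can apply to a single event."""
    tags = []
    cmd = event["cmdline"]
    if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
        tags.append("shadow_copy_deletion")
    if AKIRA_ARTEFACT.search(cmd):
        tags.append("akira_artefact")
    return tags


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged command line to its tags; untagged events are dropped."""
    return {ev["cmdline"]: tags for ev in events if (tags := classify_event(ev))}


if __name__ == "__main__":
    for cmdline, tags in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(tags):22} {cmdline}")
```

Shadow-copy deletion by itself is a high-value alert in most environments; seeing it shortly before files with the ‘.akira’ extension or the ransom note appear is the sequence the report describes.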

Impact

A successful Akira compromise will almost certainly result in the encryption and exfiltration of significant quantities of data held on the compromised system, followed by a ransom demand of a predetermined value. The amount demanded will almost certainly depend on the estimated value of the compromised organisation. Such a data compromise will also cause the organisation reputational damage. Encrypted data may include private customer data, corporate finance data and system credentials that, if released, can assist threat actors with future attacks.