#StopRansomware: Akira Ransomware
This Cybersecurity Advisory addresses the Akira ransomware, outlining its tactics, techniques, and procedures, along with indicators of compromise, to aid organizations in bolstering their defenses. Since its emergence in 2023, Akira has targeted diverse sectors globally, impacting over 250 organizations and amassing an estimated $42 million in ransom payments. The ransomware exploits vulnerabilities in VPN services, RDP, spear phishing, and compromised credentials to gain initial access. Following infiltration, Akira actors establish persistence, escalate privileges, and conduct reconnaissance within the compromised network. They employ defense evasion techniques, including disabling security software, and utilize a double-extortion model, exfiltrating data before encrypting systems. Data exfiltration is carried out through tools like FileZilla, WinRAR, and RClone, with command-and-control channels established via AnyDesk, MobaXterm, and similar tools. Encryption is achieved using a robust hybrid method combining ChaCha20 and RSA algorithms, hindering system recovery. Victims receive ransom notes with instructions for contacting the threat actors, with payments demanded in Bitcoin. The advisory further details leveraged tools, indicators of compromise, and two distinct Akira variants, including the newer Akira_v2, highlighting its enhanced functionalities and evolution.