Threat Brief: Understanding Akira Ransomware
Description

Overview

Akira is a prolific ransomware operation that has been active since March 2023 and has targeted multiple industries, primarily in North America, the UK, and Australia. It operates as Ransomware as a Service (RaaS) and exfiltrates data before encrypting it, enabling double extortion. According to the group's leak site, it has compromised more than 196 organizations.

Fig.1 Akira TOR leak site.

Akira's history traces back to the Conti group. In March 2022 Conti suffered a massive leak that exposed its source code, chat logs, playbooks, and storage servers, and the group ceased operations in May 2022. Many of its members and affiliates later resurfaced under distinct brands such as Black Basta, BlackByte, and Karakurt. Akira is another such successor: its code overlaps with Conti's, and its operators have mingled funds with Conti-affiliated wallet addresses. Together these point to a clear overlap between Conti and Akira.

Tactics, Techniques & Procedures

The TTPs used by RaaS affiliates are broadly similar, and Akira is no exception.

Fig.2 Campaign flow of a typical Akira attack.

A typical campaign starts when Akira affiliates use compromised credentials or exploit vulnerabilities to gain initial access to a victim's environment.

| Initial Access | Compromised credentials, likely purchased from initial access brokers, for entry points that did not enforce MFA. |
|---|---|
| | Exploiting vulnerabilities such as CVE-2021-21972, … |

