Akira Ransomware Mutates to Target Linux Systems, Adds TTPs

Arika ransomware has continued to evolve since emerging as a threat in March, expanding its reach from initially targeting Windows systems to include Linux servers and employing a growing array of tactics, techniques, and procedures (TTPs).

An in-depth report on Akira from LogPoint breaks down the “highly sophisticated” ransomware, which encrypts victim files, deletes shadow copies, and demands ransom payment for data recovery. 

The infection chain actively targets Cisco ASA VPNs lacking multifactor authentication to exploit the CVE-2023-20269 vulnerability as an entry point.

As of early September, the group had successfully hit 110 victims, focusing on targets in the US and the UK.

British quality-assurance company Intertek was a recent high-profile victim; the group has also targeted manufacturing, professional services, and automotive organizations. 

According to a recent GuidePoint Security’s GRI report, educational organizations have been disproportionately targeted by Akira, representing eight of its 36 observed victims.

The ransomware campaign involves multiple malware samples that carry out various steps, including shadow copy deletion, file search, enumeration, and encryption, when executed.

Akira uses a double-extortion method by stealing personal data, encrypting it, and then extorting money from the victims. If they refuse to pay, the group then threatens to release the data on the Dark Web.

Upon gaining access, the group uses tools including remote desktop apps AnyDesk and RustDesk and encryption and archiving tool WinRAR.

Advanced system information tool and task manager PC Hunter aids the group in laterally moving through the breached systems, along with wmiexc, according to the report.

The group can also disable real-time monitoring to evade detection by Windows Defender, and shadow copies are deleted through PowerShell.  

Ransom note files are dropped into the multiple files across the victim’s system, which contain payment instructions and decryption assistance.  

Anish Bogati security research engineer at Logpoint, says Akira’s use of Windows internal binary (also known as LOLBAS) for execution, retrieving credentials, evading defense, facilitating lateral…