An In-depth Analysis of Akira Ransomware Attacks

Rakesh Dharmavaram
Praveen Yeleswarapu
July 28, 2023

Malware Type: Ransomware

Small and medium-sized businesses worldwide are currently under active targeting by the newly discovered Akira ransomware.

The primary focus of these attacks reportedly lies on the United States and Canada. Since its discovery in March 2023, Akira has already compromised at least 63 victims. Interestingly, Akira is offered as a ransomware-as-a-service.

Preliminary research suggests a connection between the Akira group and threat actors associated with the notorious ransomware operation Conti.

Modus Operandi:

The group gains access to victim environments through VPN services, particularly targeting users who have not enabled multi-factor authentication.

The group follows a pattern where they first steal information from victims then, they proceed to encrypt the data on their systems and employ a double extortion tactic to compel the victims to pay the ransom.

If the victim refuses to pay, the group releases the victim's data on their dark web blog.

They have also been observed using tools like AnyDesk, WinRAR, and PCHunter during their intrusions. These tools are often present in the victim's environment, and their misuse generally goes undetected.

Akira ransomware targets both Windows and Linux-based systems.

Infection Mechanism

The attack process begins when a sample of the Akira ransomware is executed. Upon execution, Akira deletes the Windows Shadow Volume Copies on the targeted device.

The ransomware then encrypts files with a predefined set of extensions. A '.akira' extension is appended to each encrypted file's name during this encryption process.

In the encryption phase, the ransomware terminates active Windows services using the Windows Restart Manager API.

This step prevents any interference with the encryption process. It encrypts files found in various hard drive folders, excluding the ProgramData, Recycle Bin, Boot, System Volume Information, and Windows folders. To maintain system stability, it refrains from modifying Windows system files, which include files with extensions like .sys, .msi, .dll, .lnk, and .exe.

Attack Mapping: [MITRE ATT&CK Techniques]

  • T1078 - Valid Accounts
  • T1133 – External Remote Service
  • T1059.001- PowerShell
  • T1003.001 - OS Credential Dumping: LSASS Dumping
  • T1112 - Modify Registry
  • T1083 - File and Directory Discovery
  • T1486 Data Encrypted for Impact
  • T1490 Inhibit System Recovery

Data Leak site on Dark Web:


Indicators of Compromise:











  • Periodic Backups and restoration tests to check the restoration integrity.
  • Establish Domain-based Message Authentication, Reporting, and Conformance (DMARC), Domain Keys Identified Mail (DKIM) and Sender Policy Framework (SPF) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
  • Enforce strong password policies and multi-factor authentication (MFA).
  • Avoid applying updates/patches available in any unofficial channel.
  • Implement a strict External Device (USB drive) usage policy.
  • Employ data-at-rest and data-in-transit encryption.
  • Consider installing the Enhanced Mitigation Experience Toolkit or similar host-level anti-exploitation tools.
  • Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
  • Conduct vulnerability Assessment and Penetration Testing (VAPT) and information security audits of critical networks/systems, especially database servers, from CERT-IN empanelled auditors. Repeat audits at regular intervals.