Akira

Malware profile updated 2024-11-29T14:27:13.565Z
Akira is a ransomware family that has been active since March 2023, known for aggressive encryption and swift deployment. The operation, which brings a distinctive '80s aesthetic to its dark-web presence, has quickly risen to prominence in the cybercrime landscape and has targeted hundreds of victims globally, as noted by Cyberint researchers. In one significant incident the Akira ransomware gang claimed the theft of sensitive data from Nissan Australia, indicating the scale and severity of its operations.

The group's data-leak site went offline in mid-October 2024, suggesting a period of inactivity. On November 13-14, 2024, the group updated the site with more than 30 new victims, the highest single-day total since the gang began operating in March 2023. The site is organised into five sections, including "Leaks" and "News", which carry updates about the group's activities. Mass listings of this kind are unusual for Akira and hint at a broader trend among ransomware groups toward escalating pressure through mass disclosures.

Akira, like the Fog ransomware, relies on legitimate software already present in most networks, known as Living Off The Land Binaries (LOLBins), to carry out malicious operations while evading endpoint detection. Because these are trusted, routinely executed binaries, the activity blends into normal network activity, hiding in plain sight and delaying detection; in practice, detection has to rest on the command line, parent process and account context rather than on the executable itself. Researchers from Agger Labs have noted overlaps in tactics, techniques, and procedures (TTPs) between Akira, Fog, and other threat actors, showing how ransomware crews continually adapt their approaches.
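The LOLBin point above is the one a defender has to act on: the binaries are legitimate, so the signal is in the arguments and the context. The following is an added example written for this page, not code from Cybergeist, Agger Labs or any vendor, and it does not claim to reproduce Akira's exact command lines. It runs a small rule set over constructed process-creation events (in the shape of Sysmon Event ID 1 / Security 4688 fields) for two techniques tagged on this page, T1490 (Inhibit System Recovery) and T1003.001 (LSASS Memory), using widely documented generic LOLBin patterns (vssadmin, wmic, bcdedit, rundll32 with comsvcs.dll). The host, user and command-line values are assumptions constructed for the demo. A read-only use of the same binary ("vssadmin list shadows") is included to show that the rules key on the verb and object, not on the binary name, and a second stage escalates hosts where several distinct recovery-inhibiting commands appear together, since a single shadow-copy deletion can be routine housekeeping.

```python
import re

# Constructed sample process-creation events (Sysmon EID 1 / Security 4688 shape).
# Illustrative only; not telemetry from an Akira intrusion.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": r"CORP\jdoe", "parent": "explorer.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"host": "fs02", "user": r"CORP\svc_backup", "parent": "cmd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs02", "user": r"CORP\svc_backup", "parent": "cmd.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "fs02", "user": r"CORP\svc_backup", "parent": "powershell.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "dc01", "user": r"CORP\admin", "parent": "powershell.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full"},
    {"host": "ws01", "user": r"CORP\jdoe", "parent": "cmd.exe",
     "cmdline": "vssadmin.exe list shadows"},   # benign read-only use, must not fire
]

# Each rule: ATT&CK technique ID, label, compiled pattern over the full command line.
# Patterns are keyed on verb + object so routine use of the same LOLBin does not match.
RULES = [
    ("T1490", "shadow copies deleted via vssadmin",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "shadow copies deleted via WMI",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "boot recovery disabled via bcdedit",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("T1003.001", "LSASS dumped through comsvcs.dll MiniDump",
     re.compile(r"\brundll32(?:\.exe)?\b.*\bcomsvcs\.dll\b.*\bminidump\b", re.I)),
]


def match_event(event):
    """Return the (technique, label) pairs whose pattern hits this event's command line."""
    cmd = event.get("cmdline", "")
    return [(tid, label) for tid, label, pat in RULES if pat.search(cmd)]


def scan(events):
    """Run every rule over every event; one finding per (event, rule) hit, with context kept."""
    findings = []
    for ev in events:
        for tid, label in match_event(ev):
            findings.append({"host": ev["host"], "user": ev["user"], "parent": ev["parent"],
                             "technique": tid, "label": label, "cmdline": ev["cmdline"]})
    return findings


def escalate(findings, technique="T1490", min_distinct=2):
    """
    Return hosts with at least `min_distinct` different findings for `technique`.
    One shadow-copy deletion can be storage housekeeping; several distinct
    recovery-inhibiting commands on one host is the staging pattern seen before encryption.
    """
    per_host = {}
    for f in findings:
        if f["technique"] == technique:
            per_host.setdefault(f["host"], set()).add(f["label"])
    return {host for host, labels in per_host.items() if len(labels) >= min_distinct}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']:5} {f['user']:16} {f['technique']:10} {f['label']:42} <- {f['cmdline']}")
    print("hosts with multiple recovery-inhibition commands:", sorted(escalate(hits)))
```

Parent process and account are carried through on purpose: a backup service account spawning bcdedit from powershell.exe is the kind of context that separates an intrusion from an administrator's maintenance window, and it is what an analyst will ask for first when the alert fires.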
Description last updated: 2024-11-21T10:32:00.187Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias (votes): description

Black Basta (7 votes): Black Basta is a possible alias for Akira. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses...

Conti (6 votes): Conti is a possible alias for Akira. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal persona...

Megazord (5 votes): Megazord is a possible alias for Akira. Megazord is a new variant of the Akira ransomware, first observed in deployment by Akira threat actors around August 2023. Initially focusing on Windows systems, the malware evolved to target Linux VMware ESXi virtual machines. Early versions of Akira were written in C++, encrypting files with an .a...

Hive (3 votes): Hive is a possible alias for Akira. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag...

Punk Spider (3 votes): Punk Spider is a possible alias for Akira.

Powerranges (3 votes): Powerranges is a possible alias for Akira.

Akira_v2 (3 votes): Akira_v2 is a possible alias for Akira. Akira_v2 is a variant of the Akira malware, identified and confirmed by trusted third-party investigations. The Akira threat actors were initially observed deploying the Windows-specific "Megazord" ransomware, with further analysis revealing that a second payload, later identified as Akira_v2, was c...

Gold Sahara (2 votes): Gold Sahara is a possible alias for Akira.

REvil (2 votes): REvil is a possible alias for Akira. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th...

Karakurt (2 votes): Karakurt is a possible alias for Akira. Karakurt is a malicious software (malware) that has been linked to significant data extortion activities. The malware is affiliated with the notorious Conti cybercrime syndicate and ITG23, which are known for their disruptive operations, including data theft and ransom demands. In 2023, there was a...

Zeon (2 votes): Zeon is a possible alias for Akira. Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B...

Trigona (2 votes): Trigona is a possible alias for Akira. Trigona was a significant strain of ransomware that emerged in 2022, known for its harmful effects on computer systems. The malware infiltrated systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it could steal personal information, disrupt ope...

Akira Ransomware Gang (2 votes): Akira Ransomware Gang is a possible alias for Akira. The Akira ransomware gang, a malicious threat actor in the cybersecurity landscape, has been actively involved in several high-profile cyber attacks. They use sophisticated techniques to infiltrate systems and steal sensitive data, posing significant threats to both private companies and government...
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware, Ransom, Windows, Vulnerability, Linux, VPN, Extortion, Encryption, Exploit, ESXi, RaaS, Malware, Reconnaissance, Cybercrime, Encrypt, Cisco, Lateral Move..., Exploits, WinRAR, Veeam, Phishing, SonicWall, Healthcare, Data Leak, Fraud, Source, FBI, T1490, SSH, Microsoft, T1003.001, PowerShell, Rapid7, Nissan, Payload, Antivirus, T1133, Bitcoin, T1486, Avast, University, Education, Zero Day
Associated Malware
Alias (association type, votes): description

Clop (Unspecified, 6 votes): The Clop Malware is associated with Akira. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin...

Blackbasta (Unspecified, 4 votes): The Blackbasta Malware is associated with Akira. BlackBasta is a notorious malware group that has emerged as a significant player in the ransomware space. The group has demonstrated an ability to adapt and evolve their tactics, making them a leading entity in the Russian-language ransomware domain. Initially, BlackBasta was observed using a botnet...

Cactus (Unspecified, 3 votes): The Cactus Malware is associated with Akira. Cactus is a type of malware, specifically ransomware, known for its malicious activities including data theft and system disruption. This malware has been linked to several high-profile attacks, spreading primarily through malvertising campaigns that leverage the DanaBot Trojan. Notably, the Cactus...

IceFire (Unspecified, 2 votes): The IceFire Malware is associated with Akira. IceFire is a malicious software (malware) that has been detected as part of the Linux ransomware family. It was initially known for attacking Windows systems, but recent developments have seen it expand its reach to both Linux and Windows systems. The shift by IceFire to target Linux systems worldwi...

Ghost (is related to, 2 votes): The Ghost Malware is associated with Akira. The "Ghost" malware, first discovered in 2020, is a sophisticated and successful malicious software that has been discreetly distributed via a network of GitHub accounts known as the Stargazers Ghost Network. This network utilizes open-source and legitimate software repositories to exploit trust and...

TrickBot (Unspecified, 2 votes): The TrickBot Malware is associated with Akira. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,...

Blacksuit (Unspecified, 2 votes): The Blacksuit Malware is associated with Akira. BlackSuit is a new strain of malware, specifically ransomware, that has been causing significant damage to computer systems. It is believed to be a rebranding of the Royal ransomware gang, as indicated by similarities in code between the two. This suspicion was confirmed by warnings from both the Cy...

Werewolves (Unspecified, 2 votes): The Werewolves Malware is associated with Akira. The Werewolves group, a new entrant into the malware scene, has been identified as a significant threat due to its use of LockBit3 ransomware and leaked Conti source code. The group, which was first reported by Russian cybersecurity firm F.A.C.C.T. in November 2023, began its operations in June 2023...

Ryuk (Unspecified, 2 votes): The Ryuk Malware is associated with Akira. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves...
Associated Threat Actors
Alias (association type, votes): description

Alphv (Unspecified, 8 votes): The Alphv Threat Actor is associated with Akira. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p...

Medusa (Unspecified, 4 votes): The Medusa Threat Actor is associated with Akira. Medusa, a threat actor group known for its malicious activities, has been increasingly involved in multiple high-profile cyber attacks. In November 2023, Medusa and other groups like LockBit and ALPHV (BlackCat) exploited a zero-day vulnerability, the Citrix Bleed (CVE-2023-4966), leading to numerou...

Ransomhub (Unspecified, 3 votes): The Ransomhub Threat Actor is associated with Akira. RansomHub, a threat actor in the realm of cybersecurity, has emerged as a significant player within the ransomware landscape. The group is known for its malicious activities, including data breaches and extortion attempts. It has been observed that RansomHub affiliates actively participate in campai...

Blackbyte (Unspecified, 3 votes): The Blackbyte Threat Actor is associated with Akira. BlackByte, a threat actor believed to be an offshoot of the notorious Conti group, has been observed by cybersecurity experts exploiting a recently disclosed VMware ESXi vulnerability (CVE-2024-37085) to gain control over virtual machines and escalate privileges within compromised environments. This...

Conti Team (Unspecified, 2 votes): The Conti Team Threat Actor is associated with Akira. The Conti team, a threat actor group known for its malicious activities in the cyber realm, has seen significant developments and transformations over recent years. In September 2022, a splinter group from Conti Team One resurfaced under the name Royal Ransomware, conducting callback phishing attack...

Scattered Spider (Unspecified, 2 votes): The Scattered Spider Threat Actor is associated with Akira. Scattered Spider, also known as Octo Tempest, 0ktapus, and UNC3944, is a notorious threat actor group involved in major data extortion campaigns. This cybercriminal group has been associated with high-profile attacks on organizations like Caesars Entertainment and MGM, often in collaboration with th...

Hunters International (Unspecified, 2 votes): The Hunters International Threat Actor is associated with Akira. Hunters International, an active threat actor group since October of the previous year, has been identified as a significant cybersecurity concern. The group has taken over and rebranded the Hive ransomware, despite their disputes about this association. This development followed the disbandment of...

Vice Society (Unspecified, 2 votes): The Vice Society Threat Actor is associated with Akira. Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of Zeppe...
Associated Vulnerabilities
Vulnerability (association type, votes): description

CVE-2023-20269 (Unspecified, 6 votes): The CVE-2023-20269 Vulnerability is associated with Akira. CVE-2023-20269 is a zero-day vulnerability found in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. This flaw in software design or implementation has been actively exploited by ransomware groups to gain initial access to corporate networks. The exploitation of...

CVE-2024-40766 (Unspecified, 2 votes): The vulnerability CVE-2024-40766 is associated with Akira.

Bhi (Unspecified, 2 votes): The vulnerability Bhi is associated with Akira.

CVE-2024-37085 (Unspecified, 2 votes): The vulnerability CVE-2024-37085 is associated with Akira.

CVE-2020-3259 (Unspecified, 2 votes): The vulnerability CVE-2020-3259 is associated with Akira.
Source Document References
Information about the Akira Malware was read from the documents corpus below. This display is limited to 20 results.
Source (created at):

Checkpoint (11 days ago)
Checkpoint (11 days ago)
Unit42 (11 days ago)
CrowdStrike (11 days ago)
DARKReading (20 days ago)
Securelist (20 days ago)
DARKReading (a month ago)
DARKReading (a month ago)
DARKReading (a month ago)
Securityaffairs (a month ago)
BankInfoSecurity (2 months ago)
Securityaffairs (2 months ago)
Securityaffairs (2 months ago)
Pulsedive (2 months ago)
InfoSecurity-magazine (2 months ago)
Securityaffairs (2 months ago)
InfoSecurity-magazine (2 months ago)
InfoSecurity-magazine (3 months ago)
DARKReading (3 months ago)
Checkpoint (3 months ago)