Akira

Malware updated 6 days ago (2024-10-11T20:01:00.256Z)
Akira is a ransomware family that has been active since April 2023. It relies on double extortion to compromise organizations across a range of industries, as outlined in a technical analysis shared by cybersecurity researchers: operators steal sensitive data and disrupt operations, then demand a ransom over the captured information. Akira has been implicated in significant breaches, including the theft of sensitive data from Nissan Australia, which drew substantial concern within the cybersecurity community.

In a series of attacks, Akira affiliates have exploited a critical remote code execution (RCE) vulnerability in SonicWall's Gen 5, Gen 6, and some versions of its Gen 7 firewall products. SonicWall disclosed and patched the vulnerability last month, but threat actors, Akira affiliates among them, exploited it before many systems could be updated. Arctic Wolf senior threat intelligence researcher Stefan Hostetler reported that Akira affiliates compromised SSLVPN accounts on SonicWall devices as the initial access vector for their attacks. Akira is not the only ransomware operation exploiting this flaw; other groups targeting the same vulnerability include Cuba, LockBit, Play, RansomHub, Cactus, Hunters, BlackBasta, and the cybercrime group FIN7.

In one instance, the FBI reported that an individual claiming to be a researcher requested approximately $365,000 in Bitcoin from the FBI in exchange for sharing additional information on the group. The supposed researcher claimed that Karakurt, another threat actor, also operated the Akira ransomware encryptor and had used the names TommyLeaks and SchoolBoys Ransomware Group in the past.
Description last updated: 2024-10-11T19:16:02.091Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias (votes): Description

Conti (6 votes): Conti is a notorious type of malware, specifically ransomware, that infiltrates computer systems to steal data and disrupt operations. The malicious software often spreads through suspicious downloads, emails, or websites, and once inside, it can hold data hostage for ransom. The Conti ransomware op

Black Basta (6 votes): Black Basta is a notorious malware and ransomware group known for its high-profile attacks on various sectors. The group, also known as Storm-0506, has been active since at least early 2022 and has accumulated over $107 million in Bitcoin ransom payments. It deploys malicious software to exploit vul

Megazord (4 votes): Megazord is a new variant of the Akira ransomware, first observed in deployment by Akira threat actors around August 2023. Initially focusing on Windows systems, the malware evolved to target Linux VMware ESXi virtual machines. Early versions of Akira were written in C++, encrypting files with an .a

Hive (3 votes): Hive is a malicious software (malware) known for its ransomware capabilities, which has been highly active in numerous countries, including the US. This malware infects systems often through suspicious downloads, emails, or websites, disrupting operations and stealing personal information. Notably,

Powerranges (3 votes): no description available.

Zeon (2 votes): Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B

Akira_v2 (2 votes): Akira_v2 is a variant of the Akira malware, identified and confirmed by trusted third-party investigations. The Akira threat actors were initially observed deploying the Windows-specific "Megazord" ransomware, with further analysis revealing that a second payload, later identified as Akira_v2, was c

REvil (2 votes): REvil is a notorious malware, specifically a type of ransomware, that gained prominence in the cybercrime world as part of the Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, establishing relationships between first-stage malwares and subsequent ransomware attac

Akira Ransomware Gang (2 votes): The Akira ransomware gang, a malicious threat actor in the cybersecurity landscape, has been actively involved in several high-profile cyber attacks. They use sophisticated techniques to infiltrate systems and steal sensitive data, posing significant threats to both private companies and government

Trigona (2 votes): Trigona was a significant strain of ransomware that emerged in 2022, known for its harmful effects on computer systems. The malware infiltrated systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it could steal personal information, disrupt ope

Gold Sahara (2 votes): no description available.

Punk Spider (2 votes): no description available.

Karakurt (2 votes): Karakurt is a malicious software (malware) that has been linked to significant data extortion activities. The malware is affiliated with the notorious Conti cybercrime syndicate and ITG23, which are known for their disruptive operations, including data theft and ransom demands. In 2023, there was a
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Windows
Vulnerability
Ransom
VPN
Extortion
Linux
Encryption
Exploit
Malware
Clop
RaaS
Cybercrime
Cisco
ESXi
Phishing
WinRAR
Veeam
Encrypt
Reconnaissance
Exploits
Lateral Move...
FBI
Payload
Antivirus
Bitcoin
Rapid7
T1486
T1133
T1003.001
T1490
Fraud
Data Leak
Avast
University
Education
Zero Day
Healthcare
Source
SSH
Microsoft
Nissan
SonicWall
Associated Malware
Alias (association type, votes): Description

BlackBasta (Unspecified, 4 votes): BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relation

Cactus (Unspecified, 3 votes): Cactus is a malicious software (malware) known for its destructive capabilities, particularly in the form of ransomware attacks. It primarily infiltrates systems through suspicious downloads, emails, or websites and can cause severe damage by stealing personal information, disrupting operations, or

TrickBot (Unspecified, 2 votes): TrickBot is a notorious malware that has been used extensively by cybercriminals to exploit and damage computer systems. It operates as a crimeware-as-a-service platform, infecting systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can stea

IceFire (Unspecified, 2 votes): IceFire is a malicious software (malware) that has been detected as part of the Linux ransomware family. It was initially known for attacking Windows systems, but recent developments have seen it expand its reach to both Linux and Windows systems. The shift by IceFire to target Linux systems worldwi

Ryuk (Unspecified, 2 votes): Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves

Werewolves (Unspecified, 2 votes): The Werewolves group, a new entrant into the malware scene, has been identified as a significant threat due to its use of LockBit3 ransomware and leaked Conti source code. The group, which was first reported by Russian cybersecurity firm F.A.C.C.T. in November 2023, began its operations in June 2023

Ghost (is related to, 2 votes): "Ghost" refers to a sophisticated malware network that was discovered and dismantled in 2020 following a two-year investigation led by Europol and global law enforcement agencies. The network, also known as the Stargazers Ghost Network, was found to be operating through GitHub accounts, distributing

BlackSuit (Unspecified, 2 votes): BlackSuit is a malicious software (malware) that has been causing significant harm in the digital world. It infiltrates systems through dubious downloads, emails, or websites, and once inside, it can steal personal data, disrupt operations, or hold data hostage for ransom. BlackSuit malware, which i
Associated Threat Actors
Alias (association type, votes): Description

AlphV (Unspecified, 8 votes): AlphV, also known as BlackCat, is a notorious threat actor that has been active since November 2021. This group pioneered the public leaks business model and has been associated with various ransomware families, including Akira, LockBit, Play, and Basta. AlphV gained significant attention for its la

Medusa (Unspecified, 4 votes): Medusa, a prominent threat actor in the cybersecurity landscape, has been increasingly active with its ransomware attacks. The group made headlines in November 2023 when it leveraged a zero-day exploit for the Citrix Bleed vulnerability (CVE-2023-4966), leading to numerous compromises alongside othe

BlackByte (Unspecified, 3 votes): BlackByte, a threat actor believed to be an offshoot of the notorious Conti group, has been observed by cybersecurity experts exploiting a recently disclosed VMware ESXi vulnerability (CVE-2024-37085) to gain control over virtual machines and escalate privileges within compromised environments. This

Conti Team (Unspecified, 2 votes): The Conti team, a threat actor group known for its malicious activities in the cyber realm, has seen significant developments and transformations over recent years. In September 2022, a splinter group from Conti Team One resurfaced under the name Royal Ransomware, conducting callback phishing attack

Vice Society (Unspecified, 2 votes): Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of Zeppe

Scattered Spider (Unspecified, 2 votes): Scattered Spider is a financially motivated threat actor known for its sophisticated techniques and broad range of targets, including all major cloud service providers. This group seeks to maintain persistence on targeted networks, often using phishing to obtain login credentials and gain access. It
Associated Vulnerabilities
Alias (association type, votes): Description

CVE-2023-20269 (Unspecified, 6 votes): CVE-2023-20269 is a zero-day vulnerability found in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. This flaw in software design or implementation has been actively exploited by ransomware groups to gain initial access to corporate networks. The exploitation of

Bhi (Unspecified, 2 votes): no description available.

CVE-2020-3259 (Unspecified, 2 votes): no description available.
Source Document References
Information about the Akira Malware was read from the documents corpus below. This display is limited to 20 results.

Source (created):
InfoSecurity-magazine (3 days ago)
Securityaffairs (6 days ago)
InfoSecurity-magazine (6 days ago)
InfoSecurity-magazine (a month ago)
DARKReading (a month ago)
Checkpoint (a month ago)
BankInfoSecurity (a month ago)
InfoSecurity-magazine (2 months ago)
Unit42 (2 months ago)
DARKReading (2 months ago)
BankInfoSecurity (2 months ago)
Securityaffairs (2 months ago)
Checkpoint (2 months ago)
Securityaffairs (2 months ago)
Securityaffairs (3 months ago)
CERT-EU (10 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (7 months ago)