Akira

Malware updated an hour ago (2024-11-21T11:31:06.865Z)
Download STIX
Preview STIX
Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims globally, as noted by Cyberint researchers. A significant incident occurred when the Akira ransomware gang claimed the theft of sensitive data from Nissan Australia, indicating the scale and severity of its operations. The malware's information leak site went offline in mid-October 2024, suggesting a period of inactivity. The Akira ransomware group updated its data-leak website on November 13-14, 2024, listing over 30 of its latest victims, marking the highest single-day total since the gang began its malicious operations in March of the previous year. The group maintains a blog divided into five sections, including "Leaks" and "News" sections, providing updates and news about their activities. However, mass ransomware targeting is unusual for Akira, hinting at a potential trend among ransomware groups to escalate their operations and exert pressure through mass disclosures. Interestingly, Akira, along with other ransomware strains like Fog, employs a strategy of using legitimate software already present within most networks, known as Living Off The Land Binaries (LOLBins), to conduct malicious operations while bypassing endpoint detection systems. This technique allows these threat actors to blend into normal network activity, effectively hiding in plain sight and complicating timely detection. Researchers from Agger Labs have noted similarities in the tactics, techniques, and practices between Akira, Fog, and other threat actors, highlighting how ransomware crews are continually adapting their approaches.
Description last updated: 2024-11-21T10:32:00.187Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Conti is a possible alias for Akira. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra
6
Black Basta is a possible alias for Akira. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses
6
Megazord is a possible alias for Akira. Megazord is a new variant of the Akira ransomware, first observed in deployment by Akira threat actors around August 2023. Initially focusing on Windows systems, the malware evolved to target Linux VMware ESXi virtual machines. Early versions of Akira were written in C++, encrypting files with an .a
4
Powerranges is a possible alias for Akira.
3
Hive is a possible alias for Akira. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag
3
Akira_v2 is a possible alias for Akira. Akira_v2 is a variant of the Akira malware, identified and confirmed by trusted third-party investigations. The Akira threat actors were initially observed deploying the Windows-specific "Megazord" ransomware, with further analysis revealing that a second payload, later identified as Akira_v2, was c
2
REvil is a possible alias for Akira. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th
2
Akira Ransomware Gang is a possible alias for Akira. The Akira ransomware gang, a malicious threat actor in the cybersecurity landscape, has been actively involved in several high-profile cyber attacks. They use sophisticated techniques to infiltrate systems and steal sensitive data, posing significant threats to both private companies and government
2
Trigona is a possible alias for Akira. Trigona was a significant strain of ransomware that emerged in 2022, known for its harmful effects on computer systems. The malware infiltrated systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it could steal personal information, disrupt ope
2
Gold Sahara is a possible alias for Akira.
2
Punk Spider is a possible alias for Akira.
2
Karakurt is a possible alias for Akira. Karakurt is a malicious software (malware) that has been linked to significant data extortion activities. The malware is affiliated with the notorious Conti cybercrime syndicate and ITG23, which are known for their disruptive operations, including data theft and ransom demands. In 2023, there was a
2
Zeon is a possible alias for Akira. Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Windows
Vulnerability
Ransom
Vpn
Linux
Extortion
Exploit
Encryption
Malware
RaaS
Cybercrime
Esxi
Cisco
WinRAR
Lateral Move...
Reconnaissance
Exploits
Encrypt
Veeam
Phishing
Sonicwall
Fbi
Payload
Antivirus
Bitcoin
Rapid7
T1486
T1133
t1003.001
T1490
Fraud
Data Leak
Avast
University
Education
Zero Day
Healthcare
Source
SSH
Microsoft
Nissan
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Clop Malware is associated with Akira. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitinUnspecified
6
The Blackbasta Malware is associated with Akira. BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relationUnspecified
4
The Cactus Malware is associated with Akira. Cactus is a type of malware, specifically ransomware, known for its malicious activities including data theft and system disruption. This malware has been linked to several high-profile attacks, spreading primarily through malvertising campaigns that leverage the DanaBot Trojan. Notably, the Cactus Unspecified
3
The TrickBot Malware is associated with Akira. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,Unspecified
2
The IceFire Malware is associated with Akira. IceFire is a malicious software (malware) that has been detected as part of the Linux ransomware family. It was initially known for attacking Windows systems, but recent developments have seen it expand its reach to both Linux and Windows systems. The shift by IceFire to target Linux systems worldwiUnspecified
2
The Ryuk Malware is associated with Akira. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware invesUnspecified
2
The Werewolves Malware is associated with Akira. The Werewolves group, a new entrant into the malware scene, has been identified as a significant threat due to its use of LockBit3 ransomware and leaked Conti source code. The group, which was first reported by Russian cybersecurity firm F.A.C.C.T. in November 2023, began its operations in June 2023Unspecified
2
The Ghost Malware is associated with Akira. "Ghost" refers to a type of malware that was distributed through a network of GitHub accounts, known as the Stargazers Ghost Network. This malicious software was identified by Check Point Research and was spread via phishing repositories. The malware was designed to exploit and damage computer systeis related to
2
The Blacksuit Malware is associated with Akira. BlackSuit is a new strain of malware, specifically ransomware, that has been causing significant damage to computer systems. It is believed to be a rebranding of the Royal ransomware gang, as indicated by similarities in code between the two. This suspicion was confirmed by warnings from both the CyUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Alphv Threat Actor is associated with Akira. Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB Unspecified
8
The Medusa Threat Actor is associated with Akira. Medusa, a threat actor group known for its malicious activities, has been increasingly involved in multiple high-profile cyber attacks. In November 2023, Medusa and other groups like LockBit and ALPHV (BlackCat) exploited a zero-day vulnerability, the Citrix Bleed (CVE-2023-4966), leading to numerouUnspecified
4
The Blackbyte Threat Actor is associated with Akira. BlackByte, a threat actor believed to be an offshoot of the notorious Conti group, has been observed by cybersecurity experts exploiting a recently disclosed VMware ESXi vulnerability (CVE-2024-37085) to gain control over virtual machines and escalate privileges within compromised environments. ThisUnspecified
3
The Conti Team Threat Actor is associated with Akira. The Conti team, a threat actor group known for its malicious activities in the cyber realm, has seen significant developments and transformations over recent years. In September 2022, a splinter group from Conti Team One resurfaced under the name Royal Ransomware, conducting callback phishing attackUnspecified
2
The Vice Society Threat Actor is associated with Akira. Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of ZeppeUnspecified
2
The Scattered Spider Threat Actor is associated with Akira. Scattered Spider is a notorious threat actor group known for its malicious cyber activities. The group primarily targets enterprise data within Software as a Service (SaaS) applications, including less sophisticated outfits and more well-known systems such as Microsoft cloud environments and on-premUnspecified
2
The Ransomhub Threat Actor is associated with Akira. RansomHub, a threat actor in the realm of cybersecurity, has emerged as a significant player within the ransomware landscape. The group is known for its malicious activities, including data breaches and extortion attempts. It has been observed that RansomHub affiliates actively participate in campaiUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2023-20269 Vulnerability is associated with Akira. CVE-2023-20269 is a zero-day vulnerability found in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. This flaw in software design or implementation has been actively exploited by ransomware groups to gain initial access to corporate networks. The exploitation ofUnspecified
6
The vulnerability Bhi is associated with Akira. Unspecified
2
The vulnerability CVE-2020-3259 is associated with Akira. Unspecified
2
Source Document References
Information about the Akira Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
DARKReading
5 hours ago
DARKReading
5 hours ago
DARKReading
6 days ago
Securityaffairs
10 days ago
BankInfoSecurity
17 days ago
Securityaffairs
23 days ago
Securityaffairs
a month ago
Pulsedive
a month ago
InfoSecurity-magazine
a month ago
Securityaffairs
a month ago
InfoSecurity-magazine
a month ago
InfoSecurity-magazine
2 months ago
DARKReading
2 months ago
Checkpoint
2 months ago
BankInfoSecurity
2 months ago
InfoSecurity-magazine
3 months ago
Unit42
3 months ago
DARKReading
3 months ago
BankInfoSecurity
3 months ago
Securityaffairs
3 months ago