Akira

Malware updated 3 hours ago (2024-10-29T20:05:46.792Z)
Download STIX
Preview STIX
Akira is a form of malware, specifically ransomware, that has been involved in a significant number of cyber attacks since its first appearance. It has been particularly active since August 2024, when it was observed by Arctic Wolf Labs to be used in conjunction with another ransomware called Fog. These two types of ransomware were deployed in various attacks targeting different firewall brands, with Akira accounting for approximately 75% of the cases. The majority of these intrusions were found to exploit SonicWall SSL VPN service vulnerabilities, especially the critical flaw designated as CVE-2024-40766. The Akira ransomware gang has claimed several high-profile data breaches, including an attack on Nissan Australia where sensitive data was reportedly stolen. This persistent and harmful malware continues to pose a substantial threat, as reported by Sophos in December 2023. The attacks appear to be opportunistic rather than targeted at specific industries or organizations, suggesting a broad threat landscape. Despite efforts to counteract this malicious software, visibility gaps and compromised accounts have hampered effective analysis and response. Over 30 instances of Akira and Fog ransomware intrusions have been detected by Arctic Wolf researchers since August 2024, all leveraging unpatched SonicWall SSL VPNs. Indicators from these recent attacks overlap with earlier instances of Akira and Fog ransomware activity, pointing to the continued use and evolution of these malware strains in the cyber threat environment.
Description last updated: 2024-10-29T20:05:46.762Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Black Basta is a possible alias for Akira. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses
6
Conti is a possible alias for Akira. Conti is a notorious type of malware, specifically ransomware, that infiltrates computer systems to steal data and disrupt operations. The malicious software often spreads through suspicious downloads, emails, or websites, and once inside, it can hold data hostage for ransom. The Conti ransomware op
6
Megazord is a possible alias for Akira. Megazord is a new variant of the Akira ransomware, first observed in deployment by Akira threat actors around August 2023. Initially focusing on Windows systems, the malware evolved to target Linux VMware ESXi virtual machines. Early versions of Akira were written in C++, encrypting files with an .a
4
Hive is a possible alias for Akira. Hive is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It often enters undetected through dubious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. In one notable incident, an enti
3
Powerranges is a possible alias for Akira.
3
Akira_v2 is a possible alias for Akira. Akira_v2 is a variant of the Akira malware, identified and confirmed by trusted third-party investigations. The Akira threat actors were initially observed deploying the Windows-specific "Megazord" ransomware, with further analysis revealing that a second payload, later identified as Akira_v2, was c
2
REvil is a possible alias for Akira. REvil, a notorious ransomware, emerged as a significant threat to cybersecurity in the context of an increasing trend towards Ransomware as a Service (RaaS) model in 2020. It is connected with other first-stage malware such as Gootkit and Dridex, which pave the way for the REvil ransomware attack. T
2
Akira Ransomware Gang is a possible alias for Akira. The Akira ransomware gang, a malicious threat actor in the cybersecurity landscape, has been actively involved in several high-profile cyber attacks. They use sophisticated techniques to infiltrate systems and steal sensitive data, posing significant threats to both private companies and government
2
Trigona is a possible alias for Akira. Trigona was a significant strain of ransomware that emerged in 2022, known for its harmful effects on computer systems. The malware infiltrated systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it could steal personal information, disrupt ope
2
Gold Sahara is a possible alias for Akira.
2
Punk Spider is a possible alias for Akira.
2
Karakurt is a possible alias for Akira. Karakurt is a malicious software (malware) that has been linked to significant data extortion activities. The malware is affiliated with the notorious Conti cybercrime syndicate and ITG23, which are known for their disruptive operations, including data theft and ransom demands. In 2023, there was a
2
Zeon is a possible alias for Akira. Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Windows
Ransom
Vulnerability
Vpn
Linux
Extortion
Exploit
Encryption
Clop
Malware
RaaS
Esxi
Cisco
Cybercrime
Phishing
Exploits
WinRAR
Veeam
Encrypt
Reconnaissance
Lateral Move...
Sonicwall
Payload
Antivirus
Bitcoin
Rapid7
T1486
T1133
t1003.001
T1490
Fraud
Data Leak
Avast
University
Education
Zero Day
Healthcare
Source
SSH
Microsoft
Nissan
Fbi
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Blackbasta Malware is associated with Akira. BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relationUnspecified
4
The Cactus Malware is associated with Akira. Cactus is a malicious software (malware) known for its destructive capabilities, particularly in the form of ransomware attacks. It primarily infiltrates systems through suspicious downloads, emails, or websites and can cause severe damage by stealing personal information, disrupting operations, or Unspecified
3
The TrickBot Malware is associated with Akira. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,Unspecified
2
The IceFire Malware is associated with Akira. IceFire is a malicious software (malware) that has been detected as part of the Linux ransomware family. It was initially known for attacking Windows systems, but recent developments have seen it expand its reach to both Linux and Windows systems. The shift by IceFire to target Linux systems worldwiUnspecified
2
The Ryuk Malware is associated with Akira. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware invesUnspecified
2
The Werewolves Malware is associated with Akira. The Werewolves group, a new entrant into the malware scene, has been identified as a significant threat due to its use of LockBit3 ransomware and leaked Conti source code. The group, which was first reported by Russian cybersecurity firm F.A.C.C.T. in November 2023, began its operations in June 2023Unspecified
2
The Ghost Malware is associated with Akira. "Ghost" refers to a sophisticated malware network that was discovered and dismantled in 2020 following a two-year investigation led by Europol and global law enforcement agencies. The network, also known as the Stargazers Ghost Network, was found to be operating through GitHub accounts, distributingis related to
2
The Blacksuit Malware is associated with Akira. BlackSuit is a malicious software (malware) that has been causing significant harm in the digital world. It infiltrates systems through dubious downloads, emails, or websites, and once inside, it can steal personal data, disrupt operations, or hold data hostage for ransom. BlackSuit malware, which iUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Alphv Threat Actor is associated with Akira. Alphv, a threat actor also known as BlackCat, has been identified as a significant player in the cybercrime landscape. The group is responsible for numerous high-profile ransomware attacks, including a major breach of the Morrison Community Hospital, where they pilfered 5TB of data. Additionally, AlUnspecified
8
The Medusa Threat Actor is associated with Akira. Medusa, a prominent threat actor in the cybersecurity landscape, has been increasingly active with its ransomware attacks. The group made headlines in November 2023 when it leveraged a zero-day exploit for the Citrix Bleed vulnerability (CVE-2023-4966), leading to numerous compromises alongside otheUnspecified
4
The Blackbyte Threat Actor is associated with Akira. BlackByte, a threat actor believed to be an offshoot of the notorious Conti group, has been observed by cybersecurity experts exploiting a recently disclosed VMware ESXi vulnerability (CVE-2024-37085) to gain control over virtual machines and escalate privileges within compromised environments. ThisUnspecified
3
The Conti Team Threat Actor is associated with Akira. The Conti team, a threat actor group known for its malicious activities in the cyber realm, has seen significant developments and transformations over recent years. In September 2022, a splinter group from Conti Team One resurfaced under the name Royal Ransomware, conducting callback phishing attackUnspecified
2
The Vice Society Threat Actor is associated with Akira. Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of ZeppeUnspecified
2
The Scattered Spider Threat Actor is associated with Akira. Scattered Spider is a financially motivated threat actor known for its sophisticated techniques and broad range of targets, including all major cloud service providers. This group seeks to maintain persistence on targeted networks, often using phishing to obtain login credentials and gain access. ItUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2023-20269 Vulnerability is associated with Akira. CVE-2023-20269 is a zero-day vulnerability found in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. This flaw in software design or implementation has been actively exploited by ransomware groups to gain initial access to corporate networks. The exploitation ofUnspecified
6
The vulnerability Bhi is associated with Akira. Unspecified
2
The vulnerability CVE-2020-3259 is associated with Akira. Unspecified
2
Source Document References
Information about the Akira Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securityaffairs
3 hours ago
Securityaffairs
9 days ago
Pulsedive
12 days ago
InfoSecurity-magazine
14 days ago
Securityaffairs
18 days ago
InfoSecurity-magazine
18 days ago
InfoSecurity-magazine
2 months ago
DARKReading
2 months ago
Checkpoint
2 months ago
BankInfoSecurity
2 months ago
InfoSecurity-magazine
2 months ago
Unit42
2 months ago
DARKReading
2 months ago
BankInfoSecurity
2 months ago
Securityaffairs
3 months ago
Checkpoint
3 months ago
Securityaffairs
3 months ago
Securityaffairs
3 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago