Akira

Threat Actors · Akira

· ATT&CK GroupG1024

GOLD SAHARAPUNK SPIDERHowling Scorpius

Techniques

Software

Tactics

Aliases

Description

Akira is a ransomware variant and ransomware deployment entity active since at least March 2023.(Citation: Arctic Wolf Akira 2023) Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.(Citation: Arctic Wolf Akira 2023)(Citation: Secureworks GOLD SAHARA) Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMWare ESXi hypervisors and multiple overlaps with Conti ransomware.(Citation: BushidoToken Akira 2023)(Citation: CISA Akira Ransomware APR 2024)(Citation: Cisco Akira Ransomware OCT 2024)

Tactic Coverage

stealth (3)impact (3)discovery (2)persistence (2)initial access (2)collection (2)lateral movement (1)execution (1)privilege escalation (1)command and control (1)credential access (1)exfiltration (1)defense impairment (1)

Techniques Used (17)

T1018Remote System Discovery

discovery

T1021.001Remote Desktop Protocol

lateral movement

T1027.001Binary Padding

stealth

T1036.005Match Legitimate Resource Name or Location

stealth

T1059.001PowerShell

execution

Registration Required

Create a free account to access full Threat Actor Techniques

Showing 5 of 17 results

✓ Personal dashboard✓ Track 1 vendor/product✓ 1 keyword alert✓ Weekly digest✓ 1 CSV export/month

Already have an account? Sign in →

Software Used (8)

S0552AdFindtool S1129Akiramalware S1194Akira _v2malware S0349LaZagnetool S1191Megazordmalware S0002Mimikatztool S0029PsExectool S1040Rclone

References (11)

https://attack.mitre.org/groups/G1024 https://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira-ransomware_2.pdf https://www.crowdstrike.com/adversaries/punk-spider/https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/https://www.secureworks.com/research/threat-profiles/gold-sahara https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/https://blog.bushidotoken.net/2023/09/tracking-adversaries-akira-another.html https://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware/