Threat Actor

Description

Akira is a RaaS (ransomware as a service) group that was first seen in March of 2023. Akira has compromised various verticals indiscriminately and on a global scale - verticals seen are Automotive, Energy, Education, and IT to name a few.

Akira uses double extortion techniques to pressure victims by threatening to publish exfiltrated data on the dark web.

Aliases

GOLD SAHARA
PUNK SPIDER

Common Vulnerabilities and Exposures

Targeted Industries

Agriculture
Business Services
Construction
Consumer Services
Education
Energy
Finance
Government
Healthcare Services
Holding Companies & Conglomerates
Hospitality
Hospitals & Physicians Clinics
Insurance
Law Firms & Legal Services
Manufacturing
Media & Internet
Minerals & Mining
Organizations
Real Estate
Retail
Software
Telecommunications
Transportation

Objectives

Data Exfiltration and Financial Gain

Known Tools Used

7-zip
AdFind
Advanced IP Scanner
Akira
Akira _v2
AnyDesk
CLOUDFLARED
CloudZilla
Cobalt Strike
DiskCheck
FileZilla
HeartCrypt
IMPACKET
KillAV
LaZagne
Level.io
MASSCAN
MEGA
Megazord
Mimikatz
NetExec
NetScan
Ngrok
PCHunter64
POORTRY
PowerShell
PowerTool
PsExec
PuTTY/PSCP
Radmin
Rclone
RDP
SharpDomainSpray
SSH
STONESTOP
SystemBC
VNC
Vssadmin
WinRAR
WinSCP
WMIC

Known Infection Vectors

CVE-2020-3259 (Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software SSL VPN Denial of Service Vulnerability)
CVE-2023-20269 (Cisco ASA and FTD Software Remote Access VPN Authentication Bypass Vulnerability)
CVE-2024-40766 (SonicWall SonicOS Remote Code Execution Vulnerability)
CVE-2024-37085 (VMware ESXi Unauthorized Access Vulnerability)
CVE-2024-40711 (Veeam Backup & Replication Mount Service Privilege Escalation Vulnerability)