The Cyber Security Agency of Singapore (CSA), the Singapore Police Force (SPF) and the Personal Data Protection Commission (PDPC) have received several reports from organisations affected by the Akira ransomware variant. This advisory provides information on the Akira ransomware variant, the observed Tactics, Techniques and Procedures (TTPs) employed by Akira-affiliated threat actors to compromise their victims’ networks, and recommended measures for organisations to mitigate the threats posed. Information in this advisory is drawn from various sources, including but not limited to national CERT publications, open-source information, and threat intelligence reports.

Background of Akira

The Akira ransomware variant first emerged in March 2023. The Akira threat group operates as an affiliate-based ransomware threat group, targeting both Windows and Linux systems under a "ransomware-as-a-service" (RaaS) model. The Akira threat group provides its software and infrastructure to cybercriminal groups (affiliates) in return for a percentage of any ransom paid by victim organisations.

The Akira threat group has been observed to target businesses and organisations worldwide across a variety of sectors including education, finance, manufacturing, and healthcare, with affiliates observed to be indiscriminate in their targets. Ransom amounts proposed will also be based on their study of the victim organisations’ business profile.

Observed Tactics, Techniques and Procedures (TTPs)

Initial Access 
Akira affiliates have been observed to leverage a range of techniques to gain initial access to a victim organisation’s network. These techniques include:

  • Exploit known vulnerabilities (e.g. Cisco VPN service without Multi-Factor Authentication (MFA) configured)
  • Brute force external-facing services such as Remote Desktop Protocol (RDP)
  • Deploy social engineering campaigns to trick victims into downloading malicious software that obtains user credentials or inputting their credentials on phishing websites
  • Use compromised credentials that may have been obtained by the affiliate from access brokers

Persistence and Privilege Escalation

Akira affiliates have been observed to create a new domain account on the compromised system to establish persistence. Akira affiliates leverage post-exploitation attack techniques, such as Kerberoasting, to extract credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS). They also use credential scraping tools like Mimikatz and LaZagne to facilitate privilege escalation.

Discovery

Akira affiliates have been observed using specific tools to gain knowledge of the victim's system and its connected network: PCHunter and SharpHound to gather system information, and AdFind together with the Windows net command and nltest to obtain domain information. Advanced IP Scanner and MASSCAN are used to discover other remote systems for lateral movement.

Defence Evasion and Lateral Movement

Akira affiliates have been observed to use tools such as PowerTool or KillAV, which exploit the Zemana AntiMalware driver to terminate antivirus-related processes, and to utilise the Windows Remote Desktop Protocol (RDP) to move laterally within the victim's network.

Exfiltration and Impact

Akira affiliates employ several methods to exfiltrate sensitive company information prior to encryption. These include the use of legitimate tools such as WinRAR, to split and compress data prior to exfiltration; FileZilla or WinSCP, which are File Transfer Protocol tools; or rclone, an open-source command line cloud storage manager which can be used with file-sharing services like Mega.

Once data exfiltration is completed, Akira encrypts data using a hybrid encryption scheme that combines ChaCha20 (for speed) with RSA (for secure key exchange). Encrypted files are appended with either the .akira or .powerranges extension. Akira’s encryptor, w.exe, utilises PowerShell commands to delete volume shadow copies (VSS) on Windows systems to inhibit system recovery. Additionally, a ransom note named fn.txt will appear in both the root directory (C:) and the users’ directory (C:\Users).
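
The tools named in the Discovery, Defence Evasion, Exfiltration and Impact sections above are all ordinary executables that leave process-creation records behind. The following is an added example (not tooling from CSA, SPF or PDPC) of a small triage script that runs those tool names, plus generic shadow-copy-deletion patterns, over process-creation log lines. The log layout, hostnames, users and paths are constructed for the example; a real Sysmon or EDR export would need its own field mapping.

```python
import re
from typing import Dict, List

# Tactic -> case-insensitive regexes matched against "<image> <command line>".
# Tool names come from the advisory's TTP sections; the shadow-copy patterns
# are generic ransomware detection patterns, not any Akira-specific string.
INDICATORS: Dict[str, List[str]] = {
    "discovery": [
        r"\bpchunter", r"\bsharphound", r"\badfind", r"\bnltest\b",
        r"\bnet1?\.exe\b.*\b(?:group|user|view|localgroup)\b",
        r"advanced[ _-]?ip[ _-]?scanner", r"\bmasscan",
    ],
    "defence_evasion": [r"\bpowertool", r"\bkillav", r"zemana"],
    "exfiltration": [
        r"\brclone\b", r"\bwinscp\b", r"\bfilezilla\b",
        r"\b(?:winrar|rar)\.exe\b.*\s-v\d",       # WinRAR split archives
    ],
    "inhibit_recovery": [
        r"vssadmin(?:\.exe)?\s+delete\s+shadows",
        r"wmic(?:\.exe)?\s+shadowcopy\s+delete",
        r"shadowcopy\b.*\b(?:delete|remove-wmiobject|remove-ciminstance)",
    ],
}
COMPILED = {t: [re.compile(p, re.I) for p in pats] for t, pats in INDICATORS.items()}

# Constructed, simplified process-creation record layout (an assumption).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"image=(?P<image>\S+)\s+cmd=(?P<cmd>.*)$"
)


def triage(lines: List[str]) -> List[dict]:
    """Return one finding per line whose image or command line matches a tactic."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than abort the whole triage
        haystack = f"{m['image']} {m['cmd']}"
        tactics = [t for t, pats in COMPILED.items()
                   if any(p.search(haystack) for p in pats)]
        if tactics:
            findings.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                             "image": m["image"], "tactics": tactics})
    return findings


def hosts_with_recovery_inhibition(findings: List[dict]) -> List[str]:
    """Hosts where shadow-copy deletion was seen. Encryption usually follows
    immediately, so these hosts are the first to isolate."""
    return sorted({f["host"] for f in findings if "inhibit_recovery" in f["tactics"]})


# Constructed sample log; every value below is invented for the demonstration.
SAMPLE_LOG = [
    "2024-06-01T02:14:03Z host=WS-117 user=CORP\\svc_backup image=C:\\Tools\\AdFind.exe cmd=AdFind.exe -f objectcategory=computer",
    "2024-06-01T02:15:40Z host=WS-117 user=CORP\\svc_backup image=C:\\Windows\\System32\\nltest.exe cmd=nltest /dclist:corp",
    "2024-06-01T02:21:11Z host=WS-117 user=CORP\\svc_backup image=C:\\Users\\Public\\rclone.exe cmd=rclone copy D:\\Finance mega:drop",
    "2024-06-01T02:30:55Z host=FS-02 user=CORP\\svc_backup image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd=powershell.exe -Command vssadmin delete shadows /all /quiet",
    "2024-06-01T02:31:02Z host=FS-02 user=CORP\\jdoe image=C:\\Windows\\System32\\notepad.exe cmd=notepad.exe report.txt",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["host"], h["user"], ",".join(h["tactics"]))
    print("isolate first:", hosts_with_recovery_inhibition(hits))
```

The same service account appearing across discovery, exfiltration and recovery-inhibition findings within a short window is the pattern worth alerting on; any one of these tools on its own (AdFind, rclone, WinSCP) is also used legitimately by administrators, so the sequence and the account context matter more than a single hit.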

The Akira ransom note typically includes a code unique to each victim along with instructions to contact the affiliates through a .onion URL. Ransom payments are requested in Bitcoin, directed to cryptocurrency wallet addresses specified by the affiliates. The TOR site (.onion) where victims contact the affiliates contains stolen information and a list of the affected organisations.
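
The on-disk artefacts described above (the .akira and .powerranges extensions and the fn.txt note at the root and under C:\Users) can be confirmed with a read-only sweep of a mounted image or suspect share. Added example, not part of the advisory: the sample directory tree is constructed by the script itself so it runs offline, and the scanner never opens or modifies file contents.

```python
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from typing import List

# Artefact names as stated in the advisory.
ENCRYPTED_EXTENSIONS = {".akira", ".powerranges"}
RANSOM_NOTE_NAME = "fn.txt"


@dataclass
class ScanResult:
    encrypted_files: List[str] = field(default_factory=list)
    ransom_notes: List[str] = field(default_factory=list)
    by_extension: Counter = field(default_factory=Counter)

    @property
    def hit(self) -> bool:
        return bool(self.encrypted_files or self.ransom_notes)


def scan_tree(root: str) -> ScanResult:
    """Walk `root` and record encrypted files and ransom notes by path.
    Only names are inspected; nothing is read, written or deleted."""
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in ENCRYPTED_EXTENSIONS:
                result.encrypted_files.append(path)
                result.by_extension[ext] += 1
            elif name.lower() == RANSOM_NOTE_NAME:
                result.ransom_notes.append(path)
    return result


def build_sample_tree() -> str:
    """Create a constructed directory that mimics the layout the advisory
    describes (a note at the root and under a Users directory). Demo data only."""
    root = tempfile.mkdtemp(prefix="akira_demo_")
    layout = {
        "fn.txt": "constructed ransom note placeholder",
        "Users/fn.txt": "constructed ransom note placeholder",
        "Users/alice/Documents/budget.xlsx.akira": "",
        "Users/alice/Documents/notes.txt.powerranges": "",
        "Users/bob/readme.txt": "ordinary file, should not be flagged",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    res = scan_tree(demo_root)
    print("hit:", res.hit)
    print("encrypted files:", len(res.encrypted_files), dict(res.by_extension))
    print("ransom notes:", res.ransom_notes)
```

In practice the `root` would be the mount point of a forensic image or a share taken offline; the extension counter gives a quick measure of how far encryption progressed before the host was isolated.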

Image 1 – Akira TOR site

Please refer to Annex A for observed TTPs employed by Akira affiliates mapped to the MITRE ATT&CK framework for Enterprise.

Indicators of Compromise (IOCs)

There are several IOCs observed to be associated with Akira. Please refer to Annex B for a list of IOCs and malware characteristics of Akira, which is updated as of April 2024.

Recommended Prevention and Mitigation Measures

Organisations are encouraged to implement the following mitigation measures and policies, and to regularly monitor compliance with them, to strengthen their cybersecurity posture and reduce the risks and impact of a ransomware incident.

Use Strong Passwords and Multi-factor Authentication (MFA) 

Organisations should enforce strong password policies requiring strong passwords or passphrases of at least 12 characters with mixed composition (upper case letters, lower case letters, numbers, special characters), and implement MFA to minimise the risk of unauthorised access to all internet-facing services (e.g. VPNs) and accounts that access critical systems.

Use Anti-Virus/Anti-Malware Software 

Organisations should install reputable anti-virus/anti-malware software on their computers and networks to detect the presence of Akira or other ransomware variants. This can be done through real-time monitoring of system processes, network traffic, and file activity for IOCs typically associated with the malware. The software can be configured to block the execution of suspicious files, prevent unauthorised remote connections, and restrict access to sensitive files and folders. 

Update and Patch Regularly 

Organisations should periodically scan their systems and networks for vulnerabilities and regularly update all operating systems, applications, and software by applying the latest security patches promptly, especially for functions critical to the business. If immediate patching is not possible or feasible, vendor-provided mitigations should be implemented. For applications that have reached end-of-life (EoL), organisations are recommended to migrate to applications that are supported. 

Review Settings on Exposed Services and Open Ports 

Organisations should review exposed services and open ports such as RDP port 3389 and SMB port 445 in their network and restrict connections only to trusted hosts to prevent the spread of ransomware. Disable legacy SMB versions (i.e. SMBv1) and only use the latest version (i.e. SMBv3) if possible.
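
A review of RDP (3389) and SMB (445) exposure can be made repeatable by checking a listener inventory against a trusted-host allowlist and the SMBv1 guidance above. Added example, not part of the advisory: the inventory format, the trusted subnet and the hosts are constructed for the demonstration; a real review would populate `Listener` records from host firewall and service exports.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed: the only network from which RDP/SMB administration is expected.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]
SENSITIVE_PORTS = {3389: "RDP", 445: "SMB"}   # ports the advisory calls out
ANY_ADDR = {"0.0.0.0", "::"}                   # bound to all interfaces


@dataclass
class Listener:
    host: str
    port: int
    bind_addr: str                              # local address the service is bound to
    allowed_from: Optional[List[str]]           # host firewall allowlist (CIDRs); None = unrestricted
    smb_dialects: Optional[List[str]] = None    # negotiable SMB dialects, port 445 only


def _trusted(cidr: str) -> bool:
    """True if `cidr` lies entirely inside one of the trusted networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_NETS)


def review(listeners: List[Listener]) -> List[str]:
    """Return one finding string per exposure that the advisory recommends closing."""
    findings = []
    for l in listeners:
        service = SENSITIVE_PORTS.get(l.port)
        if service is None:
            continue
        if l.bind_addr in ANY_ADDR:
            if l.allowed_from is None:
                findings.append(f"{l.host}: {service}/{l.port} listening on all interfaces "
                                f"with no allowlist; restrict to trusted hosts")
            else:
                bad = [c for c in l.allowed_from if not _trusted(c)]
                if bad:
                    findings.append(f"{l.host}: {service}/{l.port} allowlist contains "
                                    f"untrusted ranges {bad}")
        if service == "SMB" and l.smb_dialects and \
                any(d.upper().startswith("SMB1") for d in l.smb_dialects):
            findings.append(f"{l.host}: SMBv1 enabled; disable legacy dialects and use SMBv3")
    return findings


# Constructed inventory for the demonstration.
SAMPLE_INVENTORY = [
    Listener("FS-01", 445, "0.0.0.0", None, ["SMB1", "SMB2", "SMB3"]),   # open SMB, SMBv1 on
    Listener("JUMP-01", 3389, "0.0.0.0", ["10.10.0.0/24"]),               # RDP limited to trusted net
    Listener("WS-22", 3389, "0.0.0.0", ["0.0.0.0/0"]),                    # allowlist that allows everyone
    Listener("WEB-01", 443, "0.0.0.0", None),                             # not in scope for this check
]

if __name__ == "__main__":
    for finding in review(SAMPLE_INVENTORY):
        print(finding)
```

The `0.0.0.0/0` case is included deliberately: an allowlist that exists but permits any source is a common way for an RDP listener to appear restricted in a firewall export while remaining fully exposed.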

Implement Network Segregation or Segmentation 

Organisations can consider implementing network segmentation that divides a larger network into smaller sub-networks with limited inter-connectivity between them. This will control traffic flow between the sub-networks, prevent lateral movement and limit the spread of ransomware, should one part be compromised. Implementing network segmentation also generates logs for traffic flow between various sub-networks. Organisations should monitor these logs for any suspicious activities and carry out remediation measures, where necessary. Organisations can also consider restricting Internet access (e.g. via blacklisting or whitelisting), using a risk-based approach, especially where there is direct access from endpoints to large amounts of personal or sensitive data. When these endpoints, such as employee laptops, are compromised, there is a higher risk of personal data being exfiltrated. 

Maintain Routine Backups of Data 

Organisations should implement routine backups to create and save copies of important files to external and offline storage devices. The backups should include immutable copies that will allow for system restoration in the event of a cybersecurity incident and minimise data loss. In addition, the backups should be regularly tested to ensure that the backup data can be recovered and restored in time to help the business recover from data corruption or destruction. Organisations are advised to follow the 3-2-1 rule when performing backups:

  • 3 copies of backups
  • 2 different media formats of backups
  • 1 set of backups stored off-site 

Develop Incident Response and Business Continuity Plans 

Organisations should develop an incident response plan and conduct exercises to test the plan before an actual ransomware attack takes place, which will allow organisations to swiftly and decisively implement a plan to mitigate the situation. Organisations should also develop Business Continuity Plans (BCPs) with measures tailored to their needs to minimise the impact on business operations in the event of an attack. 

Conduct Security Awareness for Employees 

Organisations should educate employees and regularly remind them to be alert to phishing and other forms of social engineering tactics. Even with cybersecurity measures in place, there may be instances of employees’ careless actions which provide opportunities for cyber criminals to exploit.

Organisations can also conduct periodic security awareness training to help mitigate risks. Simulated phishing exercises are a well-established cybersecurity best practice and are widely considered to be effective as a type of experiential learning. These should complement existing employee education. Organisations should also put in place processes to regularly monitor the awareness and adoption levels of their employees.

Keep Essential Data Only

Organisations should only collect, process, store and retain data that are essential for business, operational or legal requirements. By storing and retaining only necessary data, the impact on an organisation of a data breach can be minimised. Furthermore, the additional resources required to protect unnecessary data can be avoided by simply not collecting them in the first place. Some data minimisation practices include:

  • Minimise collection of personal data
  • Collect information on personal identifiers (e.g. national identification number) only when absolutely necessary
  • Avoid continuous automatic collection of personal data
  • Avoid repeatedly collecting the same data at different stages of an interaction
  • Be aware of metadata (e.g. EXIF data in image files) embedded within files. Consider not collecting such data or removing them if not needed
  • Be aware of caching information in temporary data stores and to regularly clear caches
  • Ensure archival data past its retention period are diligently removed 

Should you pay the ransom? 

If your organisation’s systems have been compromised with ransomware, we do not recommend paying the ransom and advise you to report the incident immediately to the authorities. Paying the ransom does not guarantee that the data will be decrypted or that threat actors will not publish your data. Furthermore, threat actors may see your organisation as a soft target and strike again in the future. This may also encourage them to continue their criminal activities and target more victims.

Restore your systems and data from your backups. If you do not have backups to restore from, you can search for decryption tools from reputable sources (e.g. https://www.nomoreransom.org/en/decryption-tools.html). 

Additional Resources 

One-Stop Ransomware Portal:
https://go.gov.sg/rwportal

SingCERT Ransomware Advisory: 
https://www.csa.gov.sg/docs/default-source/publications/singcert/pdfs/singcertadvisory-protect-your-systems-and-data-from-ransomware-attacks.pdf 

SingCERT Ransomware Response Checklist: 
https://www.csa.gov.sg/docs/default-source/publications/singcert/pdfs/ransomwareresponse-checklist.pdf 

PDPC Guides to Protect Against Data Breaches: 
https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/other-guides/tech-omnibus/howto-guard-against-common-types-of-data-breaches-handbook.pdf 

https://www.pdpc.gov.sg/Help-and-Resources/2021/08/Data-Protection-Practicesfor-ICT-Systems 

https://www.pdpc.gov.sg//-/media/Files/PDPC/PDF-Files/Other-Guides/Cloud-DataBreach-infographic-pdf.pdf?la=en 

No More Ransom Initiative: 
https://www.nomoreransom.org 

MITRE ATT&CK Framework: 
https://attack.mitre.org/matrices/enterprise 

Other References
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-akira
https://cyberint.com/blog/research/akira-ransomware-what-soc-teams-need-to-know/


Annex A - MITRE ATT&CK Techniques

The table below illustrates Akira’s observed tactics and techniques mapped to the MITRE ATT&CK framework for Enterprise.

[Table image: Akira tactics and techniques mapped to MITRE ATT&CK for Enterprise]

Annex B - Indicators of Compromise (IOCs)

Akira Command Line Parameters

[Table image: Akira command line parameters]

Files Affiliated with Akira (SHA-256)

[Table image: SHA-256 hashes of files affiliated with Akira]

Files Affiliated with Akira (MD5)

[Table image: MD5 hashes of files affiliated with Akira]

Akira Ransom Note (example)

[Image: example Akira ransom note]

SINGAPORE POLICE FORCE
CYBER SECURITY AGENCY SINGAPORE
PERSONAL DATA PROTECTION COMMISSION
07 June 2024 @ 3:15 PM