Meet Akira, The Latest Ransomware Gang On The Block

A new ransomware gang named Akira has been observed by MalwareHunterTeam since March, targeting at least 16 corporate networks worldwide across industries including education, finance, real estate, manufacturing, and consulting.

Akira uses the Windows Restart Manager API to close processes or shut down Windows services that are holding a file open and would otherwise block encryption of that file, so that more of the victim's data can be encrypted.

Once executed, Akira deletes Windows Shadow Volume Copies, skips files found in the Recycle Bin, System Volume Information, Boot, and ProgramData folders as well as files with .exe, .lnk, .dll, .msi, and .sys extensions, appends ‘.akira’ to the names of the files it encrypts, and drops a ransom note in each folder with links to the data leak and negotiation sites.
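The two behaviours above that are easiest to turn into detection logic are the shadow copy deletion and the mass rename to ‘.akira’. The following Python is an added example, not code from the article or from the ransomware: it runs simple rules over a handful of constructed log records. The shadow copy deletion command patterns, the rename burst threshold, the folder name `$Recycle.Bin`, and the sample events are all assumptions; the article does not say which deletion command Akira issues.

```python
"""Toy detector for two Akira behaviours the article describes:
deletion of Windows Shadow Volume Copies and mass renaming of files to
'.akira'. All input below is constructed for illustration, not real telemetry."""
import re
from collections import defaultdict

# Shadow copy deletion commands commonly abused by ransomware in general.
# Assumption: the article does not state which command Akira uses.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*Remove-WmiObject", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

RANSOM_EXT = ".akira"
RENAME_BURST_THRESHOLD = 5  # renames per process before alerting (assumed tuning)

# Locations and extensions the article says Akira leaves alone. Assumption:
# "Recycle Bin" is taken to mean the on-disk folder $Recycle.Bin.
SKIP_DIRS = {"$recycle.bin", "system volume information", "boot", "programdata"}
SKIP_EXTS = {".exe", ".lnk", ".dll", ".msi", ".sys"}


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if a process command line looks like a shadow copy deletion."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def would_be_encrypted(path: str) -> bool:
    """Apply the article's exclusion list: useful when deciding where canary
    files should live, since a canary in an excluded folder never fires."""
    parts = [p.lower() for p in re.split(r"[\\/]+", path) if p]
    if any(p in SKIP_DIRS for p in parts[:-1]):
        return False
    name = parts[-1] if parts else ""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return ext not in SKIP_EXTS


def analyze(events):
    """events: dicts with 'type' ('process' or 'rename'), 'pid', 'image', and
    either 'cmdline' (process) or 'target' (rename). Returns alert strings."""
    alerts = []
    renames = defaultdict(int)
    for ev in events:
        if ev["type"] == "process" and is_shadow_copy_deletion(ev.get("cmdline", "")):
            alerts.append(f"shadow copy deletion by pid {ev['pid']} "
                          f"({ev['image']}): {ev['cmdline']}")
        elif ev["type"] == "rename" and ev["target"].lower().endswith(RANSOM_EXT):
            renames[(ev["pid"], ev["image"])] += 1
    for (pid, image), n in renames.items():
        if n >= RENAME_BURST_THRESHOLD:
            alerts.append(f"{n} files renamed to {RANSOM_EXT} by pid {pid} ({image})")
    return alerts


# Constructed sample events (not captured from any real incident).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1000, "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},                       # benign: no alert
    {"type": "process", "pid": 4242, "image": "powershell.exe",
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"'},
    {"type": "process", "pid": 4243, "image": "wmic.exe",
     "cmdline": "wmic shadowcopy delete"},
] + [
    {"type": "rename", "pid": 4242, "image": r"C:\Users\Public\payload.exe",
     "target": rf"C:\Shares\Finance\report{i}.xlsx.akira"} for i in range(6)
] + [
    {"type": "rename", "pid": 777, "image": "explorer.exe",
     "target": r"C:\Users\bob\notes.akira"},                        # single rename: below threshold
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a)
```

In practice the rename rule is the more robust of the two, because an attacker can delete shadow copies from a process that never appears in command-line telemetry, whereas encrypting thousands of files with a fixed extension is hard to hide from file-system auditing.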

Unlike other gangs' sites, the negotiation site is simply a chat system. Demands range from $200,000 to millions of dollars, but the gang is also willing to lower the ransom for victims who do not need a decryptor and only want to prevent the leaking of stolen data.

A sample of the Akira ransomware was discovered by the MalwareHunterTeam, who shared it with BleepingComputer for analysis.

Roy Akerman, Co-Founder and CEO of Rezonate, had this comment:

   “The use of the Windows Restart Manager API is a common tool groups like REvil, SamSam and LockerGoga have been using for quite some time. Conversations about paying the ransom must stop as this only contributes to more ransomware and new malicious research to improve techniques, not to mention the impact on business data and business operation. Organizations must prioritize solutions that prevent known exploitation of services, allow data recovery that is not solely dependent on shadow copies and limit malware spread with strict least privilege identity and access practices.”

Clearly this adds yet another group of bad actors to the list of things that defenders have to worry about, which makes sense given how profitable ransomware is at the moment. Hopefully defenders are employing every tool that stops these bad actors from getting a big payday, so that ransomware becomes less profitable going forward.
