Akira Ransomware Double Extorts Victims for Stolen and Encrypted Files

The Akira ransomware gang has emerged as a major threat to businesses worldwide, using sophisticated tactics to breach corporate networks, encrypt files, and demand huge ransoms.

According to reports, the group began its operations in March 2023 and has already targeted at least sixteen companies across various industries, including education, finance, real estate, manufacturing, and consulting.

Although a ransomware variant also called Akira appeared in 2017, the current operation is not believed to be related to that earlier version.

The Akira Encryptor

The Akira ransomware first runs a PowerShell command to delete the Windows Shadow Volume Copies, removing the host's local restore points, and then encrypts files with a wide range of extensions.

Some of the file extensions targeted by the ransomware include:

.accdb, .accde, .accdc, .accdt, .accdr, .adb, .accft, .grdb, .his, .hdb, .idb, .itdb, .ihx, .jet, .itw, .kdb, .jtx, .kexic, .kexi, .lgc, .kexis, .maf, .lwx, .mar, .maq, .mav, .mas, .mdf, .mdb, .mrg, .mpd, .mwb, .mud, .ndf, .myd, .nrmlib, .nnt, .nsf, .nyf, .nwdb, .oqy, .odb, .owc, .orx, .pdb, .pan, .pnz, .pdm, .qvd, .qry, .rctd, .rbf, .rodx, .rod, .rsd, .rpd, .sbf, .sas7bdat, .sdb, .scx, .sdf, .sdc, .spq, .sis, .sqlite, .sql, .sqlitedb, .sqlite3, .temx, .tps, .tmd, .trm, .trc, .udl, .udb, .usr, .vpd, .vis, .vhd, .vdi, .pvm, .vmdk, .vmsn, .vmem, .nvram, .vmsd, .raw, .vmx, .subvol, .qcow2, .vsv, .bin, .vmrs, .avhd, .avdx, .vhdx, .iso, .vmcx.

While encrypting, Akira deliberately skips files located in certain directories, including Recycle Bin, System Volume Information, Boot, ProgramData, and the Windows folder. It also leaves files with the .exe, .lnk, .dll, .msi, and .sys extensions untouched, since these belong to Windows system and program files and encrypting them would keep the machine from booting and displaying the ransom demand.

When encrypting a file, the ransomware appends the .akira extension to the file's name. It uses the Windows Restart Manager API to close processes or stop Windows services that hold locks on files, so that those files can be encrypted as well.

Additionally, the ransomware drops a ransom note named akira_readme.txt in every folder on the infected device. The note explains what happened to the victim's files and provides links to the Akira data leak site and negotiation site.
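As an added example (not code from the article or from any Akira analysis), the following Python triage script walks a file tree and reports the indicators the post describes: files carrying the .akira suffix, the folders holding an akira_readme.txt note, and which encrypted files originally had one of the database or VM-image extensions listed above. The sample tree it scans is constructed inline, and the subset of targeted extensions it checks is an assumption drawn from the list above.

```python
import os
import tempfile
from pathlib import Path
# Indicators from the post: encrypted files gain ".akira"; each folder gets a note.
ENCRYPTED_SUFFIX = ".akira"
NOTE_NAME = "akira_readme.txt"
# Subset of the extensions the post lists as targeted (databases, VM images).
TARGETED = {".mdf", ".ndf", ".sqlite", ".sql", ".vmdk", ".vhdx", ".qcow2", ".iso"}

def scan_for_akira(root):
    """Walk a tree and summarise Akira indicators for triage (paths relative to root)."""
    root = Path(root)
    encrypted, note_dirs, targeted = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == NOTE_NAME:
                note_dirs.append(path.parent)
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                # Strip ".akira" to recover the original extension; flag DB/VM files for priority recovery.
                if Path(name[:-len(ENCRYPTED_SUFFIX)]).suffix.lower() in TARGETED:
                    targeted.append(path)
    rel = lambda p: p.relative_to(root).as_posix()
    return {
        "encrypted_files": sorted(rel(p) for p in encrypted),
        "targeted_files": sorted(rel(p) for p in targeted),
        "note_dirs": sorted(rel(d) for d in note_dirs),
    }

def build_sample_tree(base):
    """Constructed sample tree mimicking a partially encrypted host (not real data)."""
    layout = {
        "finance/ledger.mdf.akira": b"ciphertext",
        "finance/akira_readme.txt": b"note",
        "vms/server01.vmdk.akira": b"ciphertext",
        "vms/akira_readme.txt": b"note",
        "docs/memo.txt.akira": b"ciphertext",
        "docs/akira_readme.txt": b"note",
        "akira_readme.txt": b"note",
    }
    for rel, data in layout.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return base

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return scan_for_akira(build_sample_tree(tmp))
```

Point `scan_for_akira` at a mounted image or a share to get the same summary for a real host; the `targeted_files` list is a quick way to see how many database and VM-image files are affected.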

Data Leak Site Used for Double Extortion

The Akira ransomware group follows the typical modus operandi of breaching a corporate network and then spreading laterally to other devices.

The attackers then seek Windows domain admin credentials so they can deploy the ransomware across the entire network. Before encrypting files, however, they exfiltrate sensitive corporate data to strengthen their extortion attempts, threatening to publish it if the ransom is not paid.

In addition, the Akira gang has gone the extra mile to create a unique data leak site. The site has a retro appearance and visitors navigate it by typing commands. This interface design gives the impression that the operators are highly skilled and reinforces their reputation as a significant threat.

As of the latest report, Akira has exposed the data of four companies on their data leak website, with the leaked data size ranging from 5.9 GB for one company to as high as 259 GB for another. The ransom demand varies from $200,000 to several million dollars.

Researchers are analyzing the ransomware for weaknesses, but it is not yet known whether a free decryptor that recovers files will be possible.
