Akira is a relatively new ransomware actor, active since March 2023, that infiltrates organizations, encrypts files, and steals sensitive data to use as leverage in ransom negotiations. Its attacks have hit a wide range of sectors, as the 2024 statistics in the source report show.
Affected: organizations, information technology, cybersecurity
Key points:
- Akira ransomware has been active since March 2023.
- It encrypts files and steals sensitive information for ransom negotiations.
- Attacks leverage vulnerabilities in various software, particularly affecting Fortinet and Cisco products.
- Utilizes sophisticated methods for credential access and lateral movement within network systems.
- AhnLab EDR is used for detection and analysis of Akira’s attack methods.
- Persistence is maintained by creating hidden accounts in the infected systems.
- Encrypted files are tagged with the “.akira” extension, and ransom notes are generated.
- Exfiltration techniques often involve compressing sensitive data and transmitting it via FTP or cloud storage.
MITRE Techniques:
- Discovery (TA0007) – Techniques like Remote System Discovery (T1018) and Network Service Discovery (T1046) are used to gather information about network systems.
- Credential Access (TA0006) – OS Credential Dumping is used, including LSASS Memory (T1003.001) and Security Account Manager (T1003.002).
- Command and Control (TA0011) – Remote Access Software (T1219) and Proxy (T1090) are used to communicate with C&C servers.
- Persistence (TA0003) – The Create Account (T1136) technique is utilized to maintain access through additional accounts.
- Defense Evasion (TA0005) – Accounts are hidden using the Hide Artifacts: Hidden Users (T1564.002) technique.
- Lateral Movement (TA0008) – Techniques such as Remote Services: SMB/Windows Admin Shares (T1021.002) are used for moving within networks.
- Collection (TA0009) – Archive Collected Data: Archive via Utility (T1560.001) is used to compress sensitive data before exfiltration.
- Exfiltration (TA0010) – Exfiltration Over Alternative Protocol (T1048.003) is used to move the data out over unencrypted channels.
- Impact (TA0040) – Data Encrypted for Impact (T1486) encrypts the victim's files, after which the ransom demand follows.
Indicators of Compromise:
- [File] akira_readme.txt
- [File Extension] .akira
- [Tool] WinRAR
- [Tool] AnyDesk
- [Tool] Radmin
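The two file-system indicators above (the ".akira" extension appended to encrypted files and the akira_readme.txt ransom note) are the quickest things a responder can sweep for on a suspected host or share. The following is an added example written for this summary; it is not code from the ASEC post or from AhnLab. It walks a directory tree, collects both indicators, and builds a triage summary (verdict, affected directories, and the original file types that were encrypted, recovered by stripping the appended extension). The sample tree it scans is constructed inline for the demonstration; no real capture is involved.

```python
"""Added example (not from the ASEC post): sweep a directory tree for the
Akira file-system indicators and build a triage summary."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the summary: encrypted-file extension and ransom note name.
AKIRA_EXTENSION = ".akira"
AKIRA_RANSOM_NOTE = "akira_readme.txt"


def scan_tree(root):
    """Walk `root` and return every file that matches an Akira IoC.

    Paths are returned relative to `root`. Matching is case-insensitive on the
    file name, so the sweep behaves the same on NTFS and on case-sensitive
    file systems.
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lowered = name.lower()
            path = Path(dirpath, name).relative_to(root)
            if lowered == AKIRA_RANSOM_NOTE:
                notes.append(path)
            elif lowered.endswith(AKIRA_EXTENSION):
                encrypted.append(path)
    return {"encrypted": encrypted, "notes": notes}


def original_name(encrypted_path):
    """Recover the pre-encryption file name by stripping the appended extension
    ('report.docx.akira' -> 'report.docx'); used for the impact inventory."""
    name = Path(encrypted_path).name
    if name.lower().endswith(AKIRA_EXTENSION):
        return name[: -len(AKIRA_EXTENSION)]
    return name


def summarize(hits):
    """Turn raw hits into a triage summary: verdict, encrypted files per
    directory, and a count of the original file types that were encrypted."""
    encrypted, notes = hits["encrypted"], hits["notes"]
    per_dir = Counter(str(p.parent) for p in encrypted)
    by_type = Counter(
        Path(original_name(p)).suffix.lower() or "<none>" for p in encrypted
    )
    if encrypted and notes:
        verdict = "ransomware_detected"   # encrypted files and note both present
    elif encrypted or notes:
        verdict = "suspicious"            # partial match: inspect by hand
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "affected_dirs": dict(per_dir),
        "encrypted_types": dict(by_type),
    }


def build_sample_tree(base):
    """Constructed sample data (not a real capture): a share where the
    'finance' folder was hit and 'public' was left untouched."""
    layout = {
        "finance/q1.xlsx.akira": b"\x00" * 64,
        "finance/budget.docx.akira": b"\x00" * 64,
        "finance/akira_readme.txt": b"constructed ransom note placeholder",
        "finance/archive/old.pdf.akira": b"\x00" * 64,
        "public/readme.txt": b"untouched file",
        "public/logo.png": b"\x89PNG",
    }
    for rel, data in layout.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def run_demo():
    """Build the constructed tree in a temp dir, sweep it, return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(scan_tree(tmp))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the summary for the constructed tree; on a real host, call `summarize(scan_tree("/path/to/share"))` instead of `run_demo()`. The "suspicious" verdict matters in practice: a note without encrypted files (or the reverse) is what you see when encryption was interrupted or the note was cleaned up, and that still warrants a look.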
Full Story: https://asec.ahnlab.com/ko/86186/