Response to CISA Advisory (AA24-109A): #StopRansomware: Akira Ransomware

On April 18, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Netherlands’ National Cyber Security Centre (NCSC-NL) released a joint Cybersecurity Advisory (CSA) that disseminates known Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with Akira ransomware, identified through FBI investigations and trusted third-party reporting as recently as February 2024.

This joint CSA is a continuation of CISA’s ongoing #StopRansomware effort to arm defenders with the intelligence they need to combat different ransomware variants and ransomware threat actors.

Akira is a ransomware family that emerged in March 2023 and is operated under the Ransomware-as-a-Service (RaaS) business model.

It is reported that this iteration of Akira is completely different from a previous ransomware strain with the same name that was active in 2017, even though they both append the .akira extension to encrypted files.

According to a report published by the Arctic Wolf Labs Team in July 2023, Akira has been linked to Conti ransomware due to code similarities: both use similar routines for string obfuscation and file encryption, and both exclude the same list of file extensions from encryption.

The report states that when Conti’s source code was leaked, multiple adversaries used it to create or tweak their own ransomware code, which makes it even more challenging to trace back ransomware families to Conti operators.

Akira’s operators run a site on the Tor network (a .onion domain) where victims are directed to initiate negotiations using the unique identifier found in the ransom note. If ransom demands are not met, the group uses the same Tor site to list victims and publish stolen data, as Akira exfiltrates victims’ critical data before encrypting devices and files.

According to reports, Akira operators provide victims the option to pay for either file decryption or data deletion; they don’t force victims into paying for both. Ransom demands for Akira are reported to range from 200,000 USD to over 4 million USD.

AttackIQ has released a new attack graph that emulates the various Tactics, Techniques and Procedures (TTPs) exhibited by Akira ransomware during recent activities with the aim of helping customers validate their security controls and their ability to defend against this worldwide threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against the behaviors exhibited by a threat that continues to conduct worldwide ransomware activities.
  • Assess their security posture against activities focused on both encryption and exfiltration of sensitive information.
  • Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups that are currently focused on ransomware activities.

[CISA AA24-109A] #StopRansomware: Akira Ransomware

[Figure: AA24-109A Attack Graph]

This attack graph emulates the various Tactics, Techniques and Procedures (TTPs) exhibited by Akira ransomware during recent activities.

This emulation is based on the Cybersecurity Advisory (CSA) released by CISA and supported by the reports published by Darktrace on September 13, 2023, Trend Micro on October 5, 2023, and Trellix on November 29, 2023.

[Figure: AA24-109A Attack Graph, stage one]

This stage starts immediately after the adversary has gained access by brute-forcing credentials over the Remote Desktop Protocol (RDP). Once in, the adversary establishes persistence on the system by creating an administrative account named itadm.

Subsequently, the adversary seeks information about local and domain accounts, as well as details of the network the compromised system belongs to, by enumerating domain controllers, trusted domains, and Active Directory objects.

Create Account: Local Account (T1136.001): This scenario will create a new account with the name itadm using net user.

Permission Groups Discovery (T1069): This scenario will enumerate permission groups using the net localgroup and net group /domain commands.

Remote System Discovery (T1018): This scenario executes the nltest command to gather a list of domain controllers associated with a domain.

Domain Trust Discovery (T1482): This scenario calls the native nltest utility with the /trusted_domains option to retrieve a list of trusted Active Directory domains associated with this host.

Remote System Discovery (T1018): This scenario performs Active Directory discovery using the AdFind utility.

[Figure: AA24-109A Attack Graph, stage two]

The second stage begins by downloading and saving a Kerberos ticket dumper, which is used to perform Kerberoasting: requesting service tickets for accounts with a Service Principal Name (SPN) and cracking the ticket material offline to recover service account passwords that can be used for privilege escalation.

Then, the adversary locates the Local Security Authority Subsystem Service (LSASS) process and dumps its memory to a MiniDump file, which Mimikatz then parses to recover credentials. If that fails, the adversary falls back to the credential stealer known as LaZagne.

Finally, the adversary will use the acquired credentials to move laterally to previously identified systems on the network via Remote Desktop Protocol (RDP).

Ingress Tool Transfer (T1105): This scenario downloads the sample to memory and saves it to disk in two independent scenarios, to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003): This scenario implements the Kerberoasting technique: it requests service tickets for accounts that have a Service Principal Name (SPN) and extracts the ticket material, which is encrypted with the service account’s password hash and can therefore be cracked offline.

Process Discovery (T1057): This scenario uses the Windows built-in tasklist command to discover running processes, and the results are saved to a file in a temporary location.

OS Credential Dumping: LSASS Memory (T1003.001): Uses rundll32.exe to load comsvcs.dll and call its MiniDump export, which dumps the LSASS process memory to disk. LSASS enforces security policy on the system and holds many privileged tokens and credentials that threat actors target. Mimikatz is then used to extract the credentials from that MiniDump file.

OS Credential Dumping (T1003): This scenario uses the open-source tool LaZagne to dump all possible credentials available on the host.

Browser Bookmark Discovery (T1217): This scenario will execute a PowerShell script that will iterate through each user profile on the system and attempt to flush the data from the WebCache log files back to the WebCacheV01 database using the esentutl utility. Once the data has been flushed, a copy of the database will be made to a temporary directory.

Remote Desktop Protocol (T1021.001): This scenario will attempt to move laterally to another previously discovered host through Remote Desktop Protocol (RDP) by using the dumped credentials.

[Figure: AA24-109A Attack Graph, stage three]

The last stage begins with the deployment of Akira ransomware, which first attempts to delete Volume Shadow Copies using WMI. Next, it retrieves processor information before proceeding to collect and encrypt files on the system.

Finally, once encryption has completed, the attack graph exfiltrates the collected information over the File Transfer Protocol (FTP) to emulate the data theft that underpins the group’s double-extortion efforts.

Inhibit System Recovery (T1490): This scenario will attempt to delete a recent Volume Shadow Copy created by the assessment template by using Get-WMIObject Win32_ShadowCopy.

System Information Discovery (T1082): This scenario executes the GetSystemInfo Native API call to retrieve information associated with the system.

Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using the same encryption algorithm used by Akira ransomware.

Exfiltration Over Alternative Protocol (T1048): This scenario will start an FTP connection against an AttackIQ server to emulate the exfiltration of sensitive information from the compromised system.

Opportunities to Expand Emulation Capabilities

In addition to the released assessment template, AttackIQ recommends the following scenarios to extend the emulation of the capabilities exhibited by Akira ransomware.

  • Password Brute-Force: This scenario can be configured to attempt brute-force logins over Remote Desktop Protocol (RDP) against remote systems using a username and password dictionary.
  • Dump Active Directory Database using ntdsutil.exe: This scenario will attempt to execute the ntdsutil.exe utility to dump the NTDS.dit file along with the SYSTEM and SECURITY registry hives.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations to adapt them to your environment first to determine if you have any existing impact before reviewing the assessment results.

2. OS Credential Dumping: LSASS Memory (T1003.001):

Adversaries may attempt to extract user and credential information from the Local Security Authority Subsystem Service (LSASS) process.

2a. Detection

Search for rundll32.exe executions that load comsvcs.dll and call its MiniDump export. Note that comsvcs.dll is not a process: rundll32.exe is the process name, and comsvcs only appears on the command line. MiniDump is frequently called by ordinal (#24), and LSASS is usually passed as a PID rather than by name, so do not require the string ‘lsass’ to be present.

Process Name == rundll32.exe
Command Line CONTAINS (‘comsvcs’)
Command Line CONTAINS (‘MiniDump’ OR ‘#24’)

2b. Mitigation

MITRE ATT&CK lists the following mitigations for LSASS Memory (T1003.001):

  • Behavior Prevention on Endpoint (M1040)
  • Credential Access Protection (M1043), for example running LSASS as a protected process (RunAsPPL) or enabling Credential Guard
  • Operating System Configuration (M1028)
  • Password Policies (M1027)
  • Privileged Account Management (M1026)
  • Privileged Process Integrity (M1025)
  • User Training (M1017)

3. Inhibit System Recovery (T1490):

Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.

3a. Detection

Deletion of Volume Shadow Copies is usually the first destructive step the ransomware takes, and it can be detected from command-line activity. Match on the WMI class and the delete call rather than on an exact string, since quoting and spacing vary between samples; the command emulated here is Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }.

Process Name == powershell.exe
Command Line CONTAINS (‘Win32_ShadowCopy’)
Command Line CONTAINS (‘Delete’)
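The two pseudo-rules above (2a and 3a), plus the itadm account creation from stage one, expressed as executable detection logic run over constructed process-creation events. This is an added example written for this post, not AttackIQ’s, CISA’s or Sysmon’s code: the event field names and the sample command lines are assumptions modelled on Sysmon Event ID 1 / Security 4688 records, and it goes beyond the single commands in the text by also matching MiniDump’s ordinal (#24), the Remove-WmiObject form of shadow copy deletion, and net1.exe, which net.exe hands off to.

```python
from dataclasses import dataclass


# Assumed minimal process-creation record (Sysmon Event ID 1 / Security 4688 style).
# The field names are this example's own, not a Sysmon, AttackIQ or CISA schema.
@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # its command line as logged


RULE_LSASS = "T1003.001 LSASS MiniDump via rundll32/comsvcs.dll"
RULE_VSS = "T1490 Shadow copy deletion via Win32_ShadowCopy"
RULE_ACCOUNT = "T1136.001 Account creation / admin group add via net"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_lsass_minidump(ev: ProcessEvent) -> bool:
    """rundll32.exe is the process; comsvcs.dll is only named on the command line.
    MiniDump is often called by ordinal (#24) and LSASS is passed as a PID, so
    neither 'MiniDump' nor 'lsass' has to be spelled out for the rule to fire."""
    if _basename(ev.image) != "rundll32.exe":
        return False
    cl = ev.command_line.lower()
    return "comsvcs" in cl and ("minidump" in cl or "#24" in cl)


def detect_shadow_copy_deletion(ev: ProcessEvent) -> bool:
    """Win32_ShadowCopy instances deleted from PowerShell, either through the
    .Delete() method the post shows or through Remove-WmiObject. Substring
    matching survives the quoting and spacing differences an exact match misses."""
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    cl = ev.command_line.lower()
    return "win32_shadowcopy" in cl and (".delete(" in cl or "remove-wmiobject" in cl)


def detect_account_creation(ev: ProcessEvent) -> bool:
    """'net user <name> <pw> /add' or 'net localgroup administrators <name> /add'.
    net.exe delegates to net1.exe, so both images are checked."""
    if _basename(ev.image) not in ("net.exe", "net1.exe"):
        return False
    toks = ev.command_line.lower().split()
    if "/add" not in toks:
        return False
    return "user" in toks or ("localgroup" in toks and "administrators" in toks)


RULES = {
    RULE_LSASS: detect_lsass_minidump,
    RULE_VSS: detect_shadow_copy_deletion,
    RULE_ACCOUNT: detect_account_creation,
}


def scan(events):
    """Return (rule name, command line) for every event that trips a rule."""
    return [(name, ev.command_line) for ev in events
            for name, rule in RULES.items() if rule(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events: the emulated TTPs plus benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\net.exe", "net user itadm P@ssw0rd! /add"),
    ProcessEvent(r"C:\Windows\System32\net1.exe", "net1 localgroup administrators itadm /add"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\svc.dmp full"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\comsvcs.dll,#24 624 C:\Temp\lsass.dmp full"),
    ProcessEvent(PS, 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'),
    ProcessEvent(PS, 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"'),
    # Benign: only listing shadow copies; rundll32 without comsvcs; net user without /add.
    ProcessEvent(PS, 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | Select-Object ID,InstallDate"'),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcessEvent(r"C:\Windows\System32\net.exe", "net user itadm"),
]

if __name__ == "__main__":
    for name, cl in scan(SAMPLE_EVENTS):
        print(f"[{name}] {cl}")
```

Run as a script it prints six hits (two per rule) and stays silent on the three benign events. The rules deliberately key on the DLL, export and WMI class rather than on file names such as lsass.dmp, because those are attacker-chosen and trivially renamed.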

3b. Mitigation

MITRE ATT&CK lists the following mitigations for Inhibit System Recovery (T1490):

  • Data Backup (M1053): keep backups offline or otherwise out of reach of a compromised domain, and test restores
  • Operating System Configuration (M1028)
  • User Account Management (M1018): limit which accounts can delete shadow copies or alter boot and recovery settings

Wrap-up

In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the recent activities carried out by Akira ransomware affiliates. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a widely distributed and dangerous threat.

AttackIQ stands at the ready to help security teams implement this assessment template and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.
