THE AKIRA RANSOMWARE
Recently it was observed a new emerging ransomware named Akira. It is believed that the ransomware group started their campaign in late March of 2023 and within a short time period they already infected more than 16 organisations worldwide. The ransomware group also have their own retro styled TOR website where they publicly expose stolen data if the victim doesn’t pay the ransom. They also have a chat feature on their website to let the victims communicate with them using the unique ID from the ransom note.
Below Akira TOR domain address: [hxxps://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad[.]onion]
Compile data stamp, that correspond to 22 days before detonation detected in a compromised infrastracture
Bin sections.
Commands:
during the pre-execution we can find evidences about flags that the artifacts permit to select to specify some values and perform actions.
--encryption_path > destination to be encrypted;
--share_file > wich share file;
--encryption_percent > iteration percentage of encryption power;
right before the encryption blob, the sample remove shadow copy via powershell.
Strings Selection:
in the meantime, the sample compare strings (that correspond to files extension) to understand wich encrypt and wich not (.dll .exe .sys .msi), in order to don’t interrupt the correct execution of the encryption process.
| .4dd | .ade | .cdb | .dbf | .dp1 | .exb | .fp5 | .idb | .kexis | .mpd | .ns4 | .pdb | .rsd | .sqlite | .udb | .xdb | .hjt | .vmdk | .bin | .accdb | .arc | .cpd | .dbc | .dlis | .epim | .fp4 | .itdb | .maf | .mwb | .nv2 | .pan | .rpd | .sql | .v12 | .abcddb | .kdb | .vmsn | .vmrs | .4dl | .adp | .cma | .dbt | .dsk | .fdb | .fpt | .ihx | .lwx | .mud | .nyf | .pnz | .sbf | .sqlitedb | .usr | .xmlff | .icr | .vmem | .avhd | .accde | .alf | .dad | .dbs | .dqy | .fcd | .fp7 | .jet | .mar | .ndf | .nwdb | .pdm | .sas7bdat | .sqlite3 | .vpd | .abx | .maw | .nvram | .avdx | .accdc | .ora | .dacpac | .dbx | .dtsx | .fmp | .gdb | .itw | .maq | .myd | .oqy | .qvd | .sdb | .temx | .vis | .abs | .lut | .vmsd | .vhdx | .accdt | .btr | .daschema | .dbv | .dsn | .fic | .frm | .kdb | .mav | .nrmlib | .odb | .qry | .scx | .tps | .wdb | .adn | .mdt | .raw | .iso | .accdr | .ask | .dadiagrams | .dct | .eco | .fmpsl | .gwi | .jtx | .mas | .nnt | .owc | .rctd | .sdf | .tmd | .vvv | .accdw | .mdn | .vmx | .vmcx | .adb | .cat | .db-shm | .dcb | .dxl | .fmp12 | .grdb | .kexic | .mdf | .ns3 | .orx | .rbf | .sdc | .trm | .wrk | .fm5 | .vhd | .subvol | | .accft | .bdf | .db3 | .ddl | .edb | .fp3 | .his | .kexi | .mdb | .ns2 | .p97 | .rodx | .spq | .trc | .wmdb | .db2 | .vdi | .qcow2 | .adf | .ckp | .db-wal | .dcx | .ecx | .fol | .hdb | .lgc | .mrg | .nsf | .p96 | .rod | .sis | .udl | .xld | .icg | .pvm | .vsv
Ransomware Extension:
encrypted files are now stored with additional extension .akira
Ransom Note:
each folder with an encrypted file will have fn.txt that is the malicious actor comunication file with the indication to speech about the ransom
Malware execution phases
Specimen activities can be splitted in two distinct phases: “Setup”, the first step wich are sets and initialized checks and values to proceed with the second step that correspond to the “Execution” to perform actions and impacts.
STEP 1 - initilizing CSP (cryptographic service provider):
load CSP library that implement crptography-related API. A cryptographic service provider (CSP) contains implementations of cryptographic standards and algorithms. At a minimum, a CSP consists of a dynamic-link library (DLL) that implements the functions in CryptoSPI (a system program interface). Most CSPs contain the implementation of all of their own functions.
The CryptAcquireContextW function is used to acquire a handle to a particular key container within a particular cryptographic service provider (CSP). This returned handle is used in calls to CryptoAPI functions that use the selected CSP.
szProvider can tell us more informations about the algorithm that can be used for the encryption process.
The malware uses the “Microsoft Enhanced RSA and AES Cryptographic Provider” (MS_ENH_RSA_AES_PROV) to create keys and to encrypt data with the RSA (CALG_RSA_KEYX) and AES (CALG_AES_256) algorithms.
STEP 2 - preparing the key
some malware authors hash the key, Akira ones add in the sample in plaintext
the use of the CryptGenRanom function that fills a buffer with random bytes of encryption is also observed.
STEP 3 - Process Killing
The ransomware is also capable of killing process which are registered resources with the windows restart manager, to encrypt the files used by them uninterruptedly, to achieve this it does the following:
First it calls wtsenumerateprocesses to find all the running processes and retrieve the PIDs which will then be compared with the list of Whitelisted process names and stores the PIDs of the whitelisted process.
Each file will be passed to a function which will start a restart manager session and register those files to restart manager, where RmGetList will be called which will return the list of process and services information that are using the file.
RmGetList() -> Gets a list of all applications and services that are currently using resources that have been registered with the Restart Manager session;
RmEndSession() ;
GetCurrentProcess();
GetProcessId();
RmShutdown() -> Initiates the shutdown of applications;
It then compares the PID of the current process and the whitelisted processes with the PID of the Process obtained from ‘RmGetList’, if there is a match found it will end the restart manager session, otherwise, it will forcefully shut down all registered processes that are using the file by calling ‘RmShutdown’ .
STEP 4 - encrypting the data
the keys are ready, the malware use CryptEncrypt to encrypt the data. With this API call we can understand exactly the start of the encryption blob.
A decryptor was recently developed by Avast researchers for this ransomware sample:
Therefore, a second enhanced version of the ransomware used by Threat Actors was observed.