Akira ransomware pivots back to double extortion, C++ code

The Akira ransomware-as-a-service (RaaS) gang seems to be returning to its older tactics after experimenting with pure extortion and a new encryptor over the past year.

Akira’s latest tactics were explored in a blog post by Cisco Talos researchers published on Monday. The researchers provided a timeline of the group’s recent movements, including an apparent shift from double extortion to pure extortion attacks around late 2023 and early 2024.

“We assess with low to moderate confidence that this shift was due in part to the developers taking time to further retool their encryptor,” the researchers wrote.

The apparent retooling came in the form of the Rust-based “Akira v2,” an encryptor for ESXi systems used since at least January 2024. This version uses the rust-crypto 0.2.36 library crate for encryption processes, while the original Akira ransomware is written in C++ and uses the Crypto++ library for its encryption processes, the researchers explained.

The Akira v2 ESXi encryptor adds the file extension .akiranew to encrypted files, while the older version uses the extension .akira. Later versions of Akira v2 uploaded to VirusTotal showed continued development of the newer encryptor, including modifications that extended the malware’s command line argument capabilities.

Akira affiliates used Akira v2 to target Linux environments, along with another Rust-based encryptor called Megazord for Windows systems, throughout early 2024. However, around early September 2024, new samples of Akira ransomware written in C++ began to appear in the wild, while the prevalence of Megazord and Akira v2 appeared to gradually decrease, the researchers said.

The newer C++ version of Akira shows similarities to the pre-August 2023 versions of Akira but also includes some updates for both its Windows and Linux variants. Additionally, the newer version uses a faster ChaCha8 algorithm for encryption compared with Akira v2, using fewer quarter-round operations to prioritize swiftness.

The researchers note that the “cross-platform consistency” of the C++ version between Windows and Linux operating systems could be one factor in the group’s decision to pivot back to its older ransomware tactics.

“It also demonstrates that the developers remain highly adaptable, willing to reemploy tried-and-tested techniques when necessary to ensure operational stability. Pragmatic adaptability is providing significant advantages for ransomware groups operating in a dynamic threat landscape, as it allows them to maintain a robust and reliable codebase while continually seeking new ways to evade detection and enhance functionality,” the Cisco Talos researchers wrote.  

Which vulnerabilities are targeted by Akira ransomware in 2024?

The Cisco Talos report also describes Akira’s attack chain, including the vulnerabilities the group leverages for both initial access and post-exploitation activity.

Akira commonly uses compromised VPN credentials for initial access, but also appear to be targeting network appliances vulnerable to the critical SonicWall SonicOS RCE flaw tracked as CVE-2024-40766 and the critical Fortinet FortiClientEMS SQL injection flaw tracked as CVE-2023-48788.

The researchers have also observed Akira threat actors gaining initial access by compromising the Cisco AnyConnect SSL VPN and then using a combination of the flaws tracked as CVE-2020-3259 and CVE-2023-20263 to achieve arbitrary code execution.

For post-intrusion privilege escalation, lateral movement and persistence, Akira is suspected to use the vulnerability tracked as CVE-2023-20269 in the remote access VPN feature of the Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, the VMware ESXi authentication bypass flaw tracked as CVE-2024-37085 and the Veeam Backup and Replication flaw tracked as CVE-2024-40711 in its recent attacks.

In one attack against a Latin American airline in June 2024, an Akira affiliate is suspected to have used the Veeam Backup and Replication flaw tracked CVE-2023-27532 to obtain encrypted credentials from the configuration database and establish a foothold on the victim machine.

“As Akira continuously refines its ransomware, affiliates are equally proactive in selecting and exploiting new vulnerabilities for initial access, adapting their tactics in tandem,” the researchers wrote.