Akira: The New Ransomware

Akira, a new ransomware operation, has been attacking corporate networks, encrypting files, and demanding million-dollar ransoms. The operation began in March 2023 and has already disrupted the networks of sixteen companies across industries such as finance, education, real estate, manufacturing, and consulting.

The Akira Encryptor – Akira ransomware

Akira ransomware deletes Windows Shadow Volume Copies on the device and encrypts files. While encrypting, it skips files in the Windows, Recycle Bin, System Volume Information, Boot, and ProgramData folders. It also leaves Windows system files with the exe, dll, lnk, msi, and sys extensions unencrypted.
When encrypting a file, the ransomware renames it by appending the .akira extension. It also uses the Windows Restart Manager API to close processes or shut down Windows services that may be holding a file open and preventing encryption.

Negotiations and Data Leaks

The Akira gang provides each victim with a unique negotiation password, which the victim uses to communicate with the gang. Unlike most ransomware operations, Akira's negotiation site contains only a chat system through which the victim negotiates with the gang. Every folder on an encrypted computer contains a ransom note named akira_readme.txt, which explains what happened to the victim's files and links to the Akira data leak site and negotiation site.
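The encryptor behaviour described above (the .akira suffix, the akira_readme.txt note in every folder, and the folders and extensions that are skipped) gives a defender a simple triage rule. The following is an added example, not code from the original post or from any vendor tool: it classifies a file listing into Akira indicators and separately flags .akira files that sit where the described encryptor would not write them, since those deserve a closer look before attribution. The file paths are constructed sample data; the on-disk name of the Recycle Bin folder is assumed to be $Recycle.Bin.

```python
from pathlib import PureWindowsPath

ENCRYPTED_EXT = ".akira"
RANSOM_NOTE = "akira_readme.txt"
# Folders the article says the encryptor skips ($Recycle.Bin is the on-disk name).
SKIPPED_DIRS = {"windows", "$recycle.bin", "system volume information", "boot", "programdata"}
# Extensions the article says are left unencrypted.
SKIPPED_EXTS = {".exe", ".dll", ".lnk", ".msi", ".sys"}


def in_skipped_dir(raw: str) -> bool:
    """True if any directory component of the path is one the encryptor reportedly skips."""
    parts = PureWindowsPath(raw).parts
    return any(part.lower() in SKIPPED_DIRS for part in parts[1:-1])


def original_ext(raw: str) -> str:
    """Extension of the file before the .akira suffix was appended (lower-cased)."""
    return PureWindowsPath(PureWindowsPath(raw).stem).suffix.lower()


def triage_listing(paths):
    """Classify a file listing. 'anomalies' are .akira files in skipped folders or with
    skipped original extensions: inconsistent with the described behaviour, so worth review."""
    result = {"encrypted": [], "notes": [], "dirs": set(), "anomalies": []}
    for raw in paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        if name == RANSOM_NOTE:
            result["notes"].append(str(p))
            result["dirs"].add(str(p.parent))
        elif name.endswith(ENCRYPTED_EXT):
            result["encrypted"].append(str(p))
            result["dirs"].add(str(p.parent))
            if in_skipped_dir(raw) or original_ext(raw) in SKIPPED_EXTS:
                result["anomalies"].append(str(p))
    result["dirs"] = sorted(result["dirs"])
    return result


# Constructed sample listing, not data from a real victim.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.akira",
    r"C:\Users\alice\Documents\akira_readme.txt",
    r"D:\Shares\finance\q1.pdf.akira",
    r"D:\Shares\finance\akira_readme.txt",
    r"C:\Windows\System32\notepad.exe",          # untouched system file, as described
    r"C:\ProgramData\app\config.json.akira",     # skipped folder, yet encrypted: anomaly
    r"D:\Shares\tools\setup.msi.akira",          # skipped extension, yet encrypted: anomaly
]

if __name__ == "__main__":
    for key, value in triage_listing(SAMPLE_LISTING).items():
        print(key, value)
```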

Before encrypting files, the Akira gang steals corporate data, which it uses as leverage in its extortion attempts, threatening to release the data publicly if a ransom is not paid. To this end, the gang has put considerable effort into its data leak site, giving it a retro look in which visitors navigate by typing commands.

To date, Akira has leaked data from four victims, with leak sizes ranging from 5.9GB to 259GB. Ransom demands range from $200,000 to millions of dollars, depending on the victim. If a victim does not need a decryptor and only wants to prevent the stolen data from being leaked, the gang is willing to lower the ransom amount.

Conclusion

The Akira ransomware operation remains a significant threat to companies worldwide. Experts are currently analyzing the operation for weaknesses, and while negotiations are ongoing, paying the ransom is not advisable until it is known whether a free decryptor can recover files. Companies are advised to implement cybersecurity measures to safeguard their networks, such as keeping software updated and backing up files regularly.