
G1024 Akira

Akira is a ransomware variant and ransomware deployment entity active since at least March 2023. [5] Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly available tools and techniques for lateral movement. [5][4] Akira operations are associated with “double extortion” ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMware ESXi hypervisors and multiple overlaps with Conti ransomware. [6][1][3]

ID: G1024
Associated Names: GOLD SAHARA, PUNK SPIDER, Howling Scorpius
Version: 2.0
Created: 20 February 2024
Last Modified: 11 March 2025

Associated Group Descriptions

Name [References]
GOLD SAHARA [4]
PUNK SPIDER [2]
Howling Scorpius [7]

Techniques Used

Domain ID Name: Use [References]
enterprise T1531 Account Access Removal: Akira deletes administrator accounts in victim networks prior to encryption. [4]
enterprise T1560 Archive Collected Data: -
enterprise T1560.001 Archive via Utility: Akira uses utilities such as WinRAR to archive data prior to exfiltration. [4]
enterprise T1059 Command and Scripting Interpreter: -
enterprise T1059.001 PowerShell: Akira has used PowerShell scripts for credential harvesting and privilege escalation. [3]
enterprise T1486 Data Encrypted for Impact: Akira encrypts files in victim environments as part of ransomware operations. [6][1]
enterprise T1213 Data from Information Repositories: -
enterprise T1213.002 Sharepoint: Akira has accessed and downloaded information stored in SharePoint instances as part of data gathering and exfiltration activity. [4]
enterprise T1482 Domain Trust Discovery: Akira uses the built-in Nltest utility or tools such as AdFind to enumerate Active Directory trusts in victim environments. [5]
enterprise T1567 Exfiltration Over Web Service: -
enterprise T1567.002 Exfiltration to Cloud Storage: Akira will exfiltrate victim data using applications such as Rclone. [4]
enterprise T1133 External Remote Services: Akira uses compromised VPN accounts for initial access to victim networks. [4]
enterprise T1657 Financial Theft: Akira engages in double-extortion ransomware, exfiltrating files and then encrypting them, in order to prompt victims to pay a ransom. [6][1]
enterprise T1562 Impair Defenses: -
enterprise T1562.001 Disable or Modify Tools: Akira has disabled or modified security tools for defense evasion. [3]
enterprise T1036 Masquerading: -
enterprise T1036.005 Match Legitimate Resource Name or Location: Akira has used legitimate names and locations for files to evade defenses. [3]
enterprise T1027 Obfuscated Files or Information: -
enterprise T1027.001 Binary Padding: Akira has used binary padding to obfuscate payloads. [3]
enterprise T1219 Remote Access Tools: Akira uses legitimate utilities such as AnyDesk and PuTTY for maintaining remote access to victim environments. [4][5]
enterprise T1021 Remote Services: -
enterprise T1021.001 Remote Desktop Protocol: Akira has used RDP for lateral movement. [3]
enterprise T1018 Remote System Discovery: Akira uses software such as Advanced IP Scanner and MASSCAN to identify remote hosts within victim networks. [5]
enterprise T1558 Steal or Forge Kerberos Tickets: Akira has used scripts to dump Kerberos authentication credentials. [3]
enterprise T1078 Valid Accounts: Akira uses valid account information, such as VPN credentials, to remotely access victim networks. [4][5][3]

Software

ID Name [References]: Techniques (listed as sub-technique:technique, separated by semicolons)
S0552 AdFind [5]: Domain Account:Account Discovery; Domain Trust Discovery; Domain Groups:Permission Groups Discovery; Remote System Discovery; System Network Configuration Discovery
S1129 Akira [8][3]: PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Data Encrypted for Impact; File and Directory Discovery; Inhibit System Recovery; Native API; Network Share Discovery; Process Discovery; System Information Discovery; Windows Management Instrumentation
S1194 Akira_v2 [1][3][7]: Create or Modify System Process; Data Encrypted for Impact; Execution Guardrails; File and Directory Discovery; Log Enumeration; Service Stop
S0349 LaZagne [5]: Windows Credential Manager:Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; Credentials from Password Stores; Keychain:Credentials from Password Stores; LSA Secrets:OS Credential Dumping; /etc/passwd and /etc/shadow:OS Credential Dumping; LSASS Memory:OS Credential Dumping; Cached Domain Credentials:OS Credential Dumping; Proc Filesystem:OS Credential Dumping; Credentials In Files:Unsecured Credentials
S1191 Megazord [1][3][7]: Windows Command Shell:Command and Scripting Interpreter; Data Encrypted for Impact; File and Directory Discovery; Log Enumeration; Process Discovery; Service Stop
S0002 Mimikatz [5]: SID-History Injection:Access Token Manipulation; Account Manipulation; Security Support Provider:Boot or Logon Autostart Execution; Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; Windows Credential Manager:Credentials from Password Stores; DCSync:OS Credential Dumping; Security Account Manager:OS Credential Dumping; LSASS Memory:OS Credential Dumping; LSA Secrets:OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Golden Ticket:Steal or Forge Kerberos Tickets; Silver Ticket:Steal or Forge Kerberos Tickets; Private Keys:Unsecured Credentials; Pass the Hash:Use Alternate Authentication Material; Pass the Ticket:Use Alternate Authentication Material
S0029 PsExec [5]: Domain Account:Create Account; Windows Service:Create or Modify System Process; Lateral Tool Transfer; SMB/Windows Admin Shares:Remote Services; Service Execution:System Services
S1040 Rclone [5]: Archive via Utility:Archive Collected Data; Data Transfer Size Limits; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol; Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol; Exfiltration to Cloud Storage:Exfiltration Over Web Service; File and Directory Discovery

References