S1129 Akira
Akira ransomware, written in C++, is most prominently (but not exclusively) associated with the ransomware-as-a-service entity Akira. Akira ransomware has been used in attacks across North America, Europe, and Australia, with a focus on critical infrastructure sectors including manufacturing, education, and IT services. Akira ransomware employs hybrid encryption and multithreading to increase the speed and efficiency of encryption, and accepts runtime arguments so that attacks can be tailored to the target. Notable variants include the Rust-based Megazord, which targets Windows, and Akira_v2, which targets VMware ESXi servers.[2][1][3]
| Item | Value |
|---|---|
| ID | S1129 |
| Associated Names | |
| Type | MALWARE |
| Version | 2.0 |
| Created | 04 April 2024 |
| Last Modified | 11 March 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Akira executes PowerShell commands to delete system volume shadow copies.[2][1] |
| enterprise | T1059.003 | Windows Command Shell | Akira executes from the Windows command line and accepts various arguments that control its execution.[2] |
| enterprise | T1486 | Data Encrypted for Impact | Akira encrypts victim filesystems for financial extortion, using the ChaCha20 and ChaCha8 stream ciphers among other methods.[2][1][3] |
| enterprise | T1083 | File and Directory Discovery | Akira examines files prior to encryption to determine whether they meet its criteria and can be encrypted. These checks are performed through native Windows functions such as GetFileAttributesW.[2][3] |
| enterprise | T1490 | Inhibit System Recovery | Akira deletes system volume shadow copies via PowerShell commands.[2][1] |
| enterprise | T1106 | Native API | Akira calls native Windows functions such as GetFileAttributesW and GetSystemInfo.[2] |
| enterprise | T1135 | Network Share Discovery | Akira can identify remote file shares for encryption.[2] |
| enterprise | T1057 | Process Discovery | Akira verifies that volume shadow copies have been deleted by checking whether the process ID of the process it spawned to delete them still exists.[2] |
| enterprise | T1082 | System Information Discovery | Akira uses the GetSystemInfo Windows function to determine the number of processors on the victim machine.[2] |
| enterprise | T1047 | Windows Management Instrumentation | Akira uses COM objects accessed through WMI during execution to evade detection.[2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1024 | Akira | [2][3] |
References
[1] CISA et al. (2024, April 18). #StopRansomware: Akira Ransomware. Retrieved December 10, 2024.
[2] Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024.
[3] Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024.