S1191 Megazord
Megazord is a Rust-based variant of Akira ransomware that has been in use since at least August 2023 to target Windows environments. Megazord has been attributed to the Akira group based on overlapping infrastructure, though it is possibly not exclusive to the group.[1][2][3]
| Item | Value |
|---|---|
| ID | S1191 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 08 January 2025 |
| Last Modified | 11 March 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Megazord can execute multiple commands post infection via cmd.exe.[3] |
| enterprise | T1486 | Data Encrypted for Impact | Megazord can encrypt files on targeted Windows hosts, leaving them with a “.powerranges” file extension.[1][2][3] |
| enterprise | T1083 | File and Directory Discovery | Megazord can ignore specified directories for encryption.[3] |
| enterprise | T1654 | Log Enumeration | Megazord has the ability to print the trace, debug, error, info, and warning logs.[3] |
| enterprise | T1057 | Process Discovery | Megazord can terminate a list of specified services and processes.[3] |
| enterprise | T1489 | Service Stop | Megazord has the ability to terminate a list of services and processes.[3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1024 | Akira | [1][2][3] |
References
1. CISA et al. (2024, April 18). #StopRansomware: Akira Ransomware. Retrieved December 10, 2024.
2. Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024.
3. Zemah, Y. (2024, December 2). Threat Assessment: Howling Scorpius (Akira Ransomware). Retrieved January 8, 2025.