S1194 Akira _v2
Akira _v2 is a Rust-based variant of Akira ransomware that has been in use since at least 2024. Akira _v2 is designed to target VMware ESXi servers and includes a new command-line argument set and other expanded capabilities.[1][2][3]
| Item | Value |
|---|---|
| ID | S1194 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 09 January 2025 |
| Last Modified | 11 March 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1543 | Create or Modify System Process | Akira _v2 can create a child process for encryption.[1] |
| enterprise | T1486 | Data Encrypted for Impact | The Akira _v2 encryptor targets the /vmfs/volumes/ path by default and can use the rust-crypto 0.2.36 library crate for the encryption processes.[2][3] |
| enterprise | T1480 | Execution Guardrails | Akira _v2 will fail to execute if the targeted /vmfs/volumes/ path does not exist or is not defined.[2] |
| enterprise | T1083 | File and Directory Discovery | Akira _v2 can target specific files and folders for encryption.[1][2][3] |
| enterprise | T1654 | Log Enumeration | Akira _v2 can enumerate the trace, debug, error, info, and warning logs on targeted systems.[2][3] |
| enterprise | T1489 | Service Stop | Akira _v2 can stop running virtual machines.[1][2][3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1024 | Akira | [1][2][3] |
References
1. CISA et al. (2024, April 18). #StopRansomware: Akira Ransomware. Retrieved December 10, 2024.
2. Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024.
3. Zemah, Y. (2024, December 2). Threat Assessment: Howling Scorpius (Akira Ransomware). Retrieved January 8, 2025.