• Language chooser
    • USA (English)
    • France (Français)
    • Italy (Italiano)
    • Latin America (Español)
    • Brazil (Portugués)
    • Germany (Deutsch)
    • Korea (한국어)
    • Japan (Beta) (日本語)

Akira Ransomware

Released: Apr 22, 2024


High Severity

Cisco Vendor

Ransomware Type


250+ Organizations Impacted, $42 Million Ransomware Toll

FortiGuard Labs continue to observe detections in the wild related to the Akira ransomware group. According to the new report by CISA it has targeted over 250 organizations since the past year, affecting numerous businesses and critical infrastructure entities across North America, Europe, and Australia. The gang has made over $42 million from the attacks as ransom payments. Learn More »

Common Vulnerabilities and Exposures

CVE-2023-20269
CVE-2020-3259

Background

First detected in March/April of 2023, this ransomware group primarily focuses on small to medium-sized businesses, driven by financial motives. Like other notorious ransomware, Akira utilizes familiar tactics such as Ransomware-as-a-Service and double extortion to maximize their profits. The ransomware uses virtual private network (VPN) service without multifactor authentication (MFA)- mostly using known Cisco vulnerabilities CVE-2020-3259 and CVE-2023-20269, external-facing services such as Remote Desktop Protocol, spear phishing, and the abuse of valid credentials. These credentials are typically acquired through brute force attacks or obtained from the dark web. Once inside, threat actors deploy various tools and malware to conduct reconnaissance, dump credentials, exfiltrate data, and move laterally within the network. Initial iterations of the Akira ransomware variant were coded in C++ and encrypted files with a .akira extension. However, from August 2023 onwards, certain Akira attacks transitioned to utilizing Megazord, featuring Rust-based code that encrypts files with a .powerranges extension. Akira threat actors persist in employing both Megazord and Akira, including the newer version, Akira_v2.

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


Fortinet has existing AV signatures and behaviour-based detections to detect and block Akira Ransomware, however it is always recommended to follow best practices and apply relavant patches to mitigate threat and reduce the likelihood/impact of ransomware incidents.

https://www.fortinet.com/resources/cyberglossary/how-to-prevent-ransomware



April 19, 2024: FortiGuard Labs released a Threat Signal

https://www.fortiguard.com/threat-signal-report/5426



April 18, 2024: The United States’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) are releasing this joint cyber security advisory (CSA):https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a



Feb 15, 2024: CISA added (CVE-2020-3259) Cisco ASA and FTD Information Disclosure Vulnerability to known exploited vulnerabilties catalog.



October 12, 2023: Fortinet released a detailed blog on Akira Ransomware

https://www.fortinet.com/blog/threat-research/ransomware-roundup-akira



Sep 13, 2023: CISA added (CVE-2023-20269): Cisco Adaptive Security Appliance and Firepower Threat Defense Unauthorized Access Vulnerability to its known exploited vulnerabilties catalog.

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • AV

  • AV (Pre-filter)

  • Behavior Detection

  • Pre-execution

  • Post-execution

DETECT
  • IOC

  • Outbreak Detection

  • Threat Hunting

  • Content Update

  • Playbook

RESPOND
  • Automated Response

  • Assisted Response Services

RECOVER
  • NOC/SOC Training

  • End-User Training

IDENTIFY
  • Business Reputation

  • Attack Surface Hardening

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.


Loading ...

Indicators of compromise Indicators of compromise
IOC Indicator List
Indicator Type Status
oast.me domain Active
f157090fd3ccd4220298c06ce8734361b724d80459592b1... file Active
170.130.165.171 ip Active
80.66.88.203 ip Active
094d1476331d6f693f1d546b53f1c1a42863e6cde014e2e... file Active
45.227.254.26 ip Active
oast.fun domain Active
d1aa0ceb01cca76a88f9ee0c5817d24e7a15ad407684303... file Active
152.89.196.111 ip Active
91.240.118.29 ip Active
431d61e95586c03461552d134ca54d16 file Active
af95fbcf9da33352655f3c2bab3397e2 file Active
akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52... domain Active
c7ae7f5becb7cf94aa107ddc1caf4b03 file Active
d25890a2e967a17ff3dad8a70bfdd832 file Active
e44eb48c7f72ffac5af3c7a37bf80587 file Active
https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4cs... url Active
1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f... file Active
1d3b5c650533d13c81e325972a912e3ff8776e36e18bca9... file Active
3c92bfc71004340ebc00146ced294bc94f49f6a5e212016... file Active
5c62626731856fb5e669473b39ac3deb0052b32981863f8... file Active
678ec8734367c7547794a604cc65e74a0f42320d85a6dce... file Active
6cadab96185dbe6f3a7b95cf2f97d6ac395785607baa6ed... file Active
7b295a10d54c870d59fab3a83a8b983282f6250a0be9df5... file Active
8631ac37f605daacf47095955837ec5abbd5e98c540ffd5... file Active
9ca333b2e88ab35f608e447b0e3b821a6e04c4b0c765451... file Active
d0510e1d89640c9650782e882fe3b9afba00303b126ec38... file Active
637e28b38086ff9efd1606805ff57aaf6cdec4537378f01... file Active
302f76897e4e5c8c98a52a38c4c98443 file Active
9180ea8ba0cdfe0a769089977ed8396a68761b40 file Active
172.93.181.172 ip Active
samabasa.us domain Active
185.11.61.114 ip Active
162.35.92.242 ip Active
176.124.201.200 ip Active
2a81947f32ba46dbcbe9d867c97c6654f325eb61b5f87b3... file Active
739705079be36c8125d0e5b136e9220944a8ea5d563c345... file Active
akira12iz6a7qgd3ayp316yub7xx2uep76idk3u2kollpj5... domain Active
akira1991415@gmail.com email Active
https://akira12iz6a7qgd3ayp316yub7xx2uep76idk3u... url Active
akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5... domain Active
c9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031... file Active
337d21f964091417f22f35aee35e31d94fc3f35179c36c0... file Active
35415d97038e091744e9cab3b88c78c1a7ca87f78d2b4a3... file Active
6192beb56de670de902193a33380e5eb0f3b4b2e3e848e7... file Active
67afa125bf8812cd943abed2ed56ed6e07853600ad609b4... file Active
0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584ba... file Active
2084ab8f92a86a37a35879378610949e21ea7b503031365... file Active
25a6758df930b32eed548fca56735f0ddde442b5662e51c... file Active
27009c0abd2709cd5cac4c0135b8f3bed3229b092160163... file Active
2a9257c6c74e37d051f78ed5abaa620b71b27fa3604798a... file Active
2b28270c1675990a2c78b31faab547fb75948dd1c2b22e8... file Active
2e2ad6392e75d5a5155498c2a76cb373d17ca3ad4ba57c6... file Active
379ef7c4f6dfae8cc0c8556861ff41930b88c7d9b107a5d... file Active
3f4ceeada7ff021c30df1646437d2ab0e55997bbb281444... file Active
473326da3fff09ee3e486f5f39c090690437ac8bf8bdce5... file Active
4839fd081e720d7d5091274470679c120378196e1f4faf8... file Active
4aaa583a9c554ea8e73d4dee0d53eb12dda17df16388f96... file Active
4cb8365b18b1c319d374be0b9d219144c20fb8714e9cf34... file Active
7613fbb940f83173aea126da5cf4319943155f4df25fd2e... file Active
772eb611c9ca20b461536fd0bd87d553dcecf3f4c82e26c... file Active
82e25f32e01f1898ccce2b6d5292245759733c22a104443... file Active
8738ba49fcd520789569aea7bf7af890741a745c79ae2be... file Active
89f5f29cf6b5bcfc85b506fb916da66cb7fd398cf6011d5... file Active
8bfa4c2c1065b105ec80a86f460e0e0221b39610109cc6c... file Active
920384692233578a59fc8de2b0205fd9fb20bb0d75c1d5a... file Active
92072945358b605c024b9e3335fb33b82faf33048c56f55... file Active
b3f473b0fd752fcd8b0d5983366c4ccccdacdceb8d6ba25... file Active
c239dadd55b55b817fda5b0c2bb062adf399a5b78a8b328... file Active
cfbcea795524c69a6d28fd9e60e07437d8f2abd23812109... file Active
d371ee0aa4fa710c00173d296c999a5497a18b38c80095d... file Active
fb2433beb961839b36198e242d0dedb7fa85ab3e08a1141... file Active
194.38.22.53 ip Active
http://194.38.22.53/acb.xml url Active
148.72.168.13 ip Active
00141f86063092192baf046fd998a2d1 file Active
0885b3153e61caa56117770247be0444 file Active
2cda932f5a9dafb0a328d0f9788bd89c file Active
104.200.72.33 ip Active
104.200.72.33:22 ip Active
185.82.216.56 ip Active
185.82.216.56:22 ip Active
194.26.29.102 ip Active
http://cl4ipjpvtjs2kg0000104n3zw4wmnmyrz.oast.fun/ url Active
http://cl4ipjpvtjs2kg00001059ymw5s8gi88u.oast.fun/ url Active
http://cl4ipjpvtjs2kg0000106ko8jbccsmxn4.oast.fun/ url Active
http://cl4ipjpvtjs2kg000010mwm53qy4158io.oast.fun/ url Active
http://cl5hg2cve5gdok92sceg77fok3txptj33.oast.me/ url Active
aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd9... file Active
0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2... file Active
131da83b521f610819141d5c740313ce46578374abb22ef... file Active
18051333e658c4816ff3576a2e9d97fe2a1196ac0ea5ed9... file Active
1b60097bf1ccb15a952e5bcc3522cf5c162da68c381a76a... file Active
2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2a... file Active
3298d203c2acb68c474e5fdad8379181890b4403d6491c5... file Active
5e1e3bf6999126ae4aa52146280fdb913912632e8bac4f5... file Active
7d6959bb7a9482e1caa83b16ee01103d982d47c70c72fdd... file Active
7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee48... file Active
8317ff6416af8ab6eb35df3529689671a700fdb61a5e643... file Active
892405573aa34dfc49b37e4c35b655543e88ec1c5e8ffb2... file Active
Indicators of compromise Indicators of compromise
IOC Threat Activity

Last 30 days

Chg

Avg 0