Tactics, Techniques and Procedures for Akira




Valid Accounts (T1078)
Utilizes compromised VPN credentials.
Command and Scripting Interpreter (T1059)
Accepts parameters for its routines such as "-n 10" (for encryption percentage) or "-s (filename)" (for shared folder encryption).
Create Account: Domain Account (T1136.002)
Upon initial access, Akira operators create a domain account on the compromised system.
Valid Accounts: Domain Accounts (T1078.002)
Utilizes valid domain accounts for privilege escalation.
Impair Defenses: Disable or Modify Tools (T1562.001)
Uses PowerTool, or a KillAV-style tool that abuses the Zemana AntiMalware driver, to terminate AV- and EDR-related processes.
OS Credential Dumping: LSASS Memory (T1003.001)
Uses Mimikatz, LaZagne, or command-line tooling to dump credentials from LSASS memory.
System Information Discovery (T1082)
Uses PCHunter to collect system information and SharpHound (the BloodHound collector) to enumerate Active Directory.
Lateral Tool Transfer (T1570)
Uses RDP sessions to move laterally within the victim's network and to bring tooling onto the hosts it reaches (see also T1021.001 below).
Archive Collected Data: Archive via Utility (T1560.001)
Archives the data gathered during discovery and collection before exfiltrating it.
Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
Uses RClone to exfiltrate stolen information via a web service.
Remote Access Software (T1219)
Utilizes AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, RustDesk, or Ngrok to gain remote access on targeted systems.
Inhibit System Recovery (T1490)
Deletes shadow copies to inhibit recovery.
Valid Accounts: Domain Accounts (T1078.002)
Operators use obtained domain accounts for access.
Command and Scripting Interpreter: PowerShell (T1059.001)
Operators use PowerShell to launch commands to continue operations.
Create Account: Local Account (T1136.001)
Upon initial access, Akira operators create a local account on the compromised system.
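The two account-creation entries above (T1136.002 and T1136.001) are easiest to catch by correlating Windows Security events rather than by looking at a single log line: a 4720 (user account created) followed within minutes by a 4728 or 4732 (member added to a security-enabled global or local group) into a privileged group. The following is an added example written for this page, not code from the original page or from any Akira tooling; the events are constructed, the 10-minute window and the list of privileged groups are assumptions, and the mapping of 4728 to a domain account and 4732 to a local account is a heuristic rather than a rule.

```python
import re
from datetime import datetime, timedelta

# Constructed Windows Security events (made up for this example, not real telemetry).
# 4720 = a user account was created (TargetUserName is the new account).
# 4728 / 4732 = member added to a security-enabled global / local group
#   (MemberName is the member's DN, TargetUserName is the group).
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2024-05-01T02:14:05", "Computer": "DC01",
     "SubjectUserName": "jdoe", "TargetUserName": "svc_backup"},
    {"EventID": 4728, "Time": "2024-05-01T02:14:40", "Computer": "DC01",
     "SubjectUserName": "jdoe", "MemberName": "CN=svc_backup,CN=Users,DC=corp,DC=local",
     "TargetUserName": "Domain Admins"},
    {"EventID": 4720, "Time": "2024-05-01T02:20:11", "Computer": "WS-FIN-07",
     "SubjectUserName": "jdoe", "TargetUserName": "itadmin"},
    {"EventID": 4732, "Time": "2024-05-01T02:20:30", "Computer": "WS-FIN-07",
     "SubjectUserName": "jdoe", "MemberName": "CN=itadmin,CN=Users,DC=WS-FIN-07",
     "TargetUserName": "Administrators"},
    # Benign provisioning: new account placed in an ordinary group.
    {"EventID": 4720, "Time": "2024-05-01T09:03:00", "Computer": "DC01",
     "SubjectUserName": "hr_provisioning", "TargetUserName": "n.smith"},
    {"EventID": 4728, "Time": "2024-05-01T09:03:20", "Computer": "DC01",
     "SubjectUserName": "hr_provisioning", "MemberName": "CN=n.smith,CN=Users,DC=corp,DC=local",
     "TargetUserName": "Staff"},
]

# Assumed list of groups whose membership should never follow account creation this quickly.
PRIVILEGED_GROUPS = {
    "administrators", "domain admins", "enterprise admins",
    "remote desktop users", "backup operators",
}
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Heuristic: a global-group add (4728) points at a domain account, a local-group add (4732)
# at a local account. Technique IDs are the ones used on this page.
TECHNIQUE_BY_EVENT = {4728: "T1136.002", 4732: "T1136.001"}


def member_account(member_name):
    """Reduce a DN such as 'CN=svc_backup,CN=Users,...' to the account name."""
    m = re.match(r"^CN=([^,]+)", member_name)
    return m.group(1) if m else member_name


def correlate(events, window=WINDOW):
    """Pair each 4720 with privileged-group adds for the same account inside the window."""
    creations = [e for e in events if e["EventID"] == 4720]
    adds = [e for e in events if e["EventID"] in TECHNIQUE_BY_EVENT]
    findings = []
    for c in creations:
        created_at = datetime.fromisoformat(c["Time"])
        for a in adds:
            if member_account(a["MemberName"]).lower() != c["TargetUserName"].lower():
                continue
            delta = datetime.fromisoformat(a["Time"]) - created_at
            if not (timedelta(0) <= delta <= window):
                continue
            if a["TargetUserName"].lower() not in PRIVILEGED_GROUPS:
                continue
            findings.append({
                "account": c["TargetUserName"],
                "group": a["TargetUserName"],
                "created_by": c["SubjectUserName"],
                "host": a["Computer"],
                "seconds_after_creation": int(delta.total_seconds()),
                "technique": TECHNIQUE_BY_EVENT[a["EventID"]],
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

The third pair in the sample (an HR provisioning account placing a new user in "Staff") is left out of the findings on purpose: the point of the window-plus-group check is to surface the operator pattern described above without paging on routine onboarding.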
Privilege Escalation (TA0004)
Uses the local and domain accounts it has obtained to escalate privileges.
Modify Registry (T1112)
Uses commands during its operation to modify the Windows registry.
Discovery (TA0007)
Uses AdFind, the Windows net command, and nltest to collect domain information.
Remote Services: Remote Desktop Protocol (T1021.001)
Uses RDP with the obtained accounts to reach other machines in the network.
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003)
Utilizes FileZilla or WinSCP to exfiltrate stolen information via FTP.
Data Encrypted for Impact (T1486)
Akira ransomware is used to encrypt files.
External Remote Services (T1133)
Actors exploit CVE-2023-20269, an unauthorized-access vulnerability in the remote access VPN feature of Cisco ASA and FTD.
System Services: Service Execution (T1569.002)
Akira ransomware is run as a Windows service, which the operators also use for persistence.
Remote System Discovery (T1018)
Uses Advanced IP Scanner and MASSCAN to discover remote systems.
Exploit Public-Facing Application (T1190)
Targets vulnerable Cisco devices via CVE-2023-20269.
Command and Scripting Interpreter: Windows Command Shell (T1059.003)
Operators use CMD to launch commands to continue operations.
Windows Management Instrumentation (T1047)
Actors use WMI to execute commands and continue the intrusion.
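Most of the techniques listed above (the encryptor's "-n"/"-s" arguments, account creation with net, AdFind/nltest discovery, MASSCAN scanning, RClone exfiltration, remote access tooling, and shadow copy deletion) leave their clearest trace in process creation telemetry. As an added example that is not part of the original page or of Akira's code, the following triage script runs a small rule set over constructed Sysmon-style process creation records and tags each hit with the technique ID used on this page. The sample records and the exact shadow-copy deletion command lines (vssadmin, wmic, and WMI via PowerShell, which are common methods rather than ones this page attributes to Akira) are assumptions; the "-n <percent> -s <file>" rule matches generic flags and is expected to be noisy in production.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed process creation records (Sysmon Event ID 1 shape, made up for this example).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"ProcessId": 4128, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"ProcessId": 4301, "Image": r"C:\Users\Public\rclone.exe",
     "CommandLine": r"rclone.exe copy \\FS01\Finance remote:backup --transfers 32"},
    {"ProcessId": 4310, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user svc_backup P@ssw0rd! /add"},
    {"ProcessId": 4322, "Image": r"C:\Temp\AdFind.exe",
     "CommandLine": "AdFind.exe -f objectcategory=computer"},
    {"ProcessId": 4330, "Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /dclist:corp.local"},
    {"ProcessId": 4335, "Image": r"C:\Temp\masscan.exe",
     "CommandLine": "masscan.exe -p3389,445 10.0.0.0/16 --rate 1000"},
    {"ProcessId": 4401, "Image": r"C:\Temp\w.exe",
     "CommandLine": r"w.exe -n 10 -s C:\Temp\shares.txt"},
    {"ProcessId": 4500, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\a\notes.txt"},
    {"ProcessId": 4600, "Image": r"C:\Users\Public\ngrok.exe",
     "CommandLine": "ngrok.exe tcp 3389"},
]

# (technique ID from this page, rule name, pattern). Patterns are matched against
# "<Image> <CommandLine>" so that a tool launched without arguments is still seen.
TOOL = r"(^|[\\/\s])"  # tool name must start a token or follow a path separator
RULES = [
    ("T1490", "shadow copy deletion via vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "shadow copy deletion via wmic",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "shadow copy deletion via WMI in PowerShell",
     re.compile(r"Win32_Shadowcopy.*Remove-WmiObject", re.I)),
    ("T1567.002", "rclone transfer",
     re.compile(TOOL + r"rclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    ("T1136", "account creation with net user /add",
     re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b", re.I)),
    ("TA0007", "domain enumeration with AdFind or nltest",
     re.compile(TOOL + r"(adfind|nltest)(\.exe)?\b", re.I)),
    ("T1018", "network scanning with MASSCAN or Advanced IP Scanner",
     re.compile(TOOL + r"(masscan|advanced_ip_scanner)(\.exe)?\b", re.I)),
    ("T1219", "remote access / tunnelling tool",
     re.compile(TOOL + r"(anydesk|radmin|rustdesk|ngrok|mobaxterm|cloudflared)(\.exe)?\b", re.I)),
    # Assumed, noisy: the "-n <percent>" and "-s <file>" switches reported for the encryptor.
    ("T1059", "encryptor-style arguments (-n percent, -s share list)",
     re.compile(r"\s-n\s+\d{1,3}\b.*\s-s\s+\S+|\s-s\s+\S+.*\s-n\s+\d{1,3}\b", re.I)),
]


@dataclass
class Finding:
    pid: int
    technique: str
    rule: str
    command_line: str


def triage(events):
    """Return one Finding per (process, matching rule), in event order."""
    findings = []
    for ev in events:
        haystack = f'{ev.get("Image", "")} {ev.get("CommandLine", "")}'
        for technique, name, pattern in RULES:
            if pattern.search(haystack):
                findings.append(Finding(int(ev["ProcessId"]), technique, name, ev.get("CommandLine", "")))
    return findings


def count_by_technique(findings):
    """Summarise findings as {technique ID: number of hits}."""
    return dict(Counter(f.technique for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.pid:>5} {f.technique:<10} {f.rule}: {f.command_line}")
    print(count_by_technique(triage(SAMPLE_EVENTS)))
```

The value of a rule set like this is in the co-occurrence: any one of these hits has benign explanations (backup scripts delete shadow copies, admins run nltest), but shadow-copy deletion and rclone on the same host within the same window is the combination the entries above describe.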

This information is provided by Crocodyli or Ransomware.live