Tactic | Technique | Observed Akira behaviour |
---|---|---|
Initial Access (TA0001) | Valid Accounts (T1078) | Uses compromised VPN credentials. |
Initial Access (TA0001) | Valid Accounts: Domain Accounts (T1078.002) | Operators use obtained domain accounts for access. |
Initial Access (TA0001) | External Remote Services (T1133) | Actors exploit CVE-2023-20269 in exposed remote-access services. |
Initial Access (TA0001) | Exploit Public-Facing Application (T1190) | Targets vulnerable Cisco devices via CVE-2023-20269. |
Execution (TA0002) | Command and Scripting Interpreter (T1059) | The ransomware accepts command-line parameters for its routines, such as `-n 10` (percentage of each file to encrypt) or `-s <filename>` (shared-folder encryption). |
Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | Operators use PowerShell to launch commands and continue operations. |
Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | Operators use CMD to launch commands and continue operations. |
Execution (TA0002) | System Services: Service Execution (T1569.002) | Akira ransomware is launched via service execution, which also serves as persistence. |
Execution (TA0002) | Windows Management Instrumentation (T1047) | Actors may use WMI to continue the attack. |
Persistence (TA0003) | Create Account: Domain Account (T1136.002) | Upon initial access, Akira operators create a domain account. |
Persistence (TA0003) | Create Account: Local Account (T1136.001) | Upon initial access, Akira operators create a local account on the compromised system. |
Privilege Escalation (TA0004) | Valid Accounts: Domain Accounts (T1078.002) | Uses valid domain accounts for privilege escalation. |
Privilege Escalation (TA0004) | (tactic only; no technique ID in the source) | Uses local and domain accounts for privilege escalation. |
Defense Evasion (TA0005) | Impair Defenses: Disable or Modify Tools (T1562.001) | PowerTool, or a KillAV tool abusing the Zemana AntiMalware driver, is used to terminate AV-related processes. |
Defense Evasion (TA0005) | Modify Registry (T1112) | Uses commands during the operation to modify the registry. |
Credential Access (TA0006) | OS Credential Dumping: LSASS Memory (T1003.001) | Uses Mimikatz, LaZagne, or command-line tooling to dump LSASS memory. |
Discovery (TA0007) | System Information Discovery (T1082) | Uses PCHunter and SharpHound to collect system information. |
Discovery (TA0007) | (tactic only; no technique ID in the source) | Uses AdFind, the Windows `net` command, and `nltest` to collect domain information. |
Discovery (TA0007) | Remote System Discovery (T1018) | Uses Advanced IP Scanner and MASSCAN to discover remote systems. |
Lateral Movement (TA0008) | Lateral Tool Transfer (T1570) | Uses RDP to move laterally within the victim's network. |
Lateral Movement (TA0008) | Remote Services: Remote Desktop Protocol (T1021.001) | Uses RDP to access accounts and machines across the network. |
Collection (TA0009) | Archive Collected Data: Archive via Utility (T1560.001) | Archives the data gathered during discovery in preparation for exfiltration. |
Exfiltration (TA0010) | Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) | Uses RClone to exfiltrate stolen information to a web service. |
Exfiltration (TA0010) | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003) | Uses FileZilla or WinSCP to exfiltrate stolen information via FTP. |
Command and Control (TA0011) | Remote Access Software (T1219) | Uses AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, RustDesk, or Ngrok to gain remote access to targeted systems. |
Impact (TA0040) | Inhibit System Recovery (T1490) | Deletes shadow copies to inhibit recovery. |
Impact (TA0040) | Data Encrypted for Impact (T1486) | Akira ransomware is used to encrypt files. |
This information is provided by Crocodyli or Ransomware.live
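The table above is most useful once its named tools are turned into detections. The following is an added example, not code from Ransomware.live or Crocodyli: a small Python triage routine that parses constructed process-creation records (the `ts|host|user|image|cmdline` layout and every log line are made up for illustration), matches them against assumed command-line signatures for the tooling the table attributes to Akira, tags each hit with the table's technique ID, and flags any host on which several distinct techniques fired. The regexes are assumptions about how these tools commonly appear on a command line, not signatures taken from the source.

```python
"""Triage constructed process-creation events against the Akira TTP table.

Added example: not code from Ransomware.live or Crocodyli. The log records
and command-line patterns are assumptions about how the tools named in the
table typically appear in process-creation telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str       # technique (or tactic) ID from the table above
    name: str
    pattern: re.Pattern  # searched in "<image> <cmdline>", case-insensitive


# Assumed command-line signatures for tooling the table attributes to Akira.
RULES = [
    Rule("T1490", "Inhibit System Recovery (shadow copy deletion)",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("T1136.002", "Create Account: Domain Account",
         re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b.*/domain", re.I)),
    Rule("T1136.001", "Create Account: Local Account",
         re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b(?!.*/domain)", re.I)),
    Rule("T1003.001", "OS Credential Dumping: LSASS Memory",
         re.compile(r"mimikatz|sekurlsa::|lazagne|comsvcs\.dll,\s*minidump", re.I)),
    Rule("TA0007", "Discovery via AdFind / net / nltest",
         re.compile(r"\badfind(\.exe)?\b|\bnltest(\.exe)?\b|\bnet1?(\.exe)?\s+(group|view)\b", re.I)),
    Rule("T1018", "Remote System Discovery",
         re.compile(r"advanced_ip_scanner|masscan", re.I)),
    Rule("T1567.002", "Exfiltration to Cloud Storage (RClone)",
         re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
    Rule("T1048.003", "Exfiltration over FTP (FileZilla / WinSCP)",
         re.compile(r"filezilla|winscp", re.I)),
    Rule("T1219", "Remote Access Software",
         re.compile(r"anydesk|radmin|cloudflared|mobaxterm|rustdesk|ngrok", re.I)),
]


@dataclass(frozen=True)
class Hit:
    ts: str
    host: str
    user: str
    technique: str
    name: str
    cmdline: str


def parse_event(line):
    """Parse one constructed 'ts|host|user|image|cmdline' record; None if malformed."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, image, cmdline = parts
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def match_rules(ev):
    """Return a Hit for every rule whose pattern appears in image + command line."""
    haystack = f"{ev['image']} {ev['cmdline']}"
    return [Hit(ev["ts"], ev["host"], ev["user"], r.technique, r.name, ev["cmdline"])
            for r in RULES if r.pattern.search(haystack)]


def triage(lines):
    """Run every parseable record through the rule set and collect the hits."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            hits.extend(match_rules(ev))
    return hits


def hosts_by_technique_count(hits, threshold=3):
    """Hosts where at least `threshold` distinct techniques from the table fired."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h.host].add(h.technique)
    return {host: sorted(t) for host, t in per_host.items() if len(t) >= threshold}


# Constructed sample telemetry (not real events); one benign line is included.
SAMPLE_LOG = [
    r"2024-05-01T08:02:11Z|DC01|CORP\svc_backup|C:\Windows\System32\net.exe|net user akira_svc P@ssw0rd! /add /domain",
    r"2024-05-01T08:10:45Z|WS-FIN-07|CORP\jdoe|C:\Windows\System32\net.exe|net user support1 Summer2024 /add",
    r"2024-05-01T08:15:03Z|WS-FIN-07|CORP\jdoe|C:\Temp\AdFind.exe|AdFind.exe -f objectcategory=computer",
    r"2024-05-01T08:20:00Z|WS-FIN-07|CORP\jdoe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Temp\l.dmp full",
    r"2024-05-01T08:30:19Z|WS-FIN-07|CORP\jdoe|C:\Temp\rclone.exe|rclone.exe copy D:\Finance mega:exfil --transfers 8",
    r"2024-05-01T09:00:00Z|WS-HR-02|CORP\mlee|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE /n C:\Users\mlee\report.docx",
    r"2024-05-01T09:41:52Z|WS-FIN-07|CORP\jdoe|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.host:<10} {h.technique:<10} {h.name}: {h.cmdline}")
    for host, techniques in hosts_by_technique_count(found).items():
        print(f"ESCALATE {host}: {len(techniques)} distinct techniques {techniques}")
```

On the constructed sample this reports one hit on DC01 (domain account creation) and five on WS-FIN-07 (local account creation, AdFind discovery, LSASS dump via comsvcs.dll, RClone exfiltration, shadow copy deletion), so only WS-FIN-07 crosses the three-technique threshold. Correlating per host rather than alerting on single matches is the point: `net user /add` or `rclone copy` alone is routine on many networks, but the chain of account creation, discovery, credential dumping, exfiltration and recovery inhibition on one host within a couple of hours is the Akira pattern the table describes, and it should be escalated before T1486 (encryption) fires.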