CERT-In flagged a ransomware
Source: Bijin Jose, The Indian Express
Earlier this month, the central government’s Computer Emergency Response Team (CERT-In) issued an advisory flagging the emergence of a new ransomware called Akira. The Gurgaon police have also raised an alert about Akira.
Ransomware is a kind of malware: malicious software used to gain unauthorised access to systems and steal or encrypt data. Cyber criminals then use that data, or the victim's need to recover it, to demand a ransom.
Akira targets computer systems that run on Windows and Linux operating systems and is known to spread laterally across networks. According to the advisory issued by the government, Akira steals personal data, encrypts it, and later extorts money from the victims. In case a user refuses to pay, the ransomware actors threaten to release their data on the dark web.
What is Akira?
Akira is a new family of ransomware that was used for cyber attacks in the US and Canada in March this year. This is different from the Akira ransomware that was flagged by Microsoft Defender Antivirus in 2017. In the US, the ransomware was reported to actively target several organisations and expose their sensitive data.
Akira uses a double-extortion technique, exfiltrating data before encrypting it, to increase the chances of extracting money from its victims. It was first flagged in April, and a majority of its victims are in the US. The reason you are hearing about Akira now is the number of organisations it has impacted in the US and the latest advisory from the government.
Based on a report on arcticwolf.com on 26 July, the Akira group had listed at least 63 compromised organisations on its leak site since its inception. As many as 80 per cent of the victims are small to medium-scale businesses.
How is Akira different from other ransomware?
The group's routine includes exfiltrating data from compromised networks, then triggering encryption and posting a ransom demand. Reportedly, once the gang is convinced it has stolen enough data to extort the victim, it deploys Akira's encryption payload.
The attackers delete Windows Volume Shadow Copies (a Windows feature that keeps point-in-time backup copies of files, which victims could otherwise use to recover without paying) from the devices using a PowerShell command. PowerShell is Windows' text-based scripting shell, used to perform tasks and manage systems, files, and settings. After the shadow copies are gone, the ransomware encrypts a wide range of file types and appends the ‘.akira’ extension to them.
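Deleting shadow copies is the step that turns an encryption run into an unrecoverable one, so it is the event defenders most want to catch early. The following is an added example, not code from the article or from CERT-In, that runs a small set of detection rules over PowerShell script-block log lines. The log lines, their key=value layout, and the host and user names are constructed for the example; the article only says "a PowerShell command", so the three command patterns matched here are an assumption taken from the commonly published detection guidance for shadow-copy destruction (MITRE ATT&CK T1490), not from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, loosely modelled on PowerShell script-block logging
# (event ID 4104) exported to a flat text format. Not real captures; the
# key=value layout is an assumption of this example.
SAMPLE_LOGS = [
    "2023-07-25T10:02:11Z host=FS01 user=svc_backup event=4104 "
    "script=Get-ChildItem C:\\Shares\\Finance",
    "2023-07-25T10:05:40Z host=FS01 user=svc_backup event=4104 "
    "script=Get-WmiObject Win32_Shadowcopy | Remove-WmiObject",
    "2023-07-25T10:05:42Z host=FS01 user=svc_backup event=4104 "
    "script=vssadmin delete shadows /all /quiet",
    "2023-07-25T10:06:00Z host=WS07 user=alice event=4104 "
    "script=Get-WmiObject Win32_Shadowcopy | Select-Object ID,InstallDate",
    "2023-07-25T10:07:13Z host=FS01 user=svc_backup event=4104 "
    "script=wmic shadowcopy delete",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\d+) script=(?P<script>.*)$"
)

# Detection rules for shadow-copy destruction (assumed patterns, see lead-in).
# Merely listing shadow copies is routine admin work, so every rule requires
# the destructive verb and not just the Win32_Shadowcopy class name.
SHADOW_DELETE_RULES = {
    "wmi_remove_shadowcopy": re.compile(r"Win32_Shadowcopy.*Remove-WmiObject", re.I),
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    script: str


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not fit the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_shadow_copy_deletion(lines):
    """Run every rule over the script text of each 4104 line; one finding per line."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "4104":
            continue
        for name, pattern in SHADOW_DELETE_RULES.items():
            if pattern.search(rec["script"]):
                findings.append(Finding(rec["ts"], rec["host"], rec["user"], name, rec["script"]))
                break
    return findings


def hosts_to_isolate(findings):
    """Hosts with at least one hit, with the hit count, so responders know
    which machines to disconnect from the network first."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect_shadow_copy_deletion(SAMPLE_LOGS)
    for f in hits:
        print(f"{f.ts} {f.host} {f.user} [{f.rule}] {f.script}")
    print("hosts to isolate:", hosts_to_isolate(hits))
```

The fourth sample line, which only lists shadow copies, is deliberately left unmatched: a rule that fires on the class name alone would page the on-call engineer every time a backup job enumerates snapshots. In practice the same rules would be applied to script-block logging forwarded to a SIEM rather than to a text export.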
What does Akira want?
Companies that do not have secure backups to restore files may find themselves in a soup. As per reports, Akira drops a ransom note in each folder where it has encrypted files. The ransom note tells the victim that they need to enter into a negotiation to restore their data.
“Dealing with us you will save A LOT due to we are not interested in ruining you financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal,” reads a purported akira_readme file or ransom note that has been circulating on the internet.
Akira also offers a security report upon payment, in which the hackers claim to reveal the weaknesses that allowed them to steal the data. “The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of great value, since NO full audit of your network will show you the vulnerabilities that we’ve managed to detect and use in order to get into, identify backup solutions and upload your data,” read the note.
What’s with the ’80s aesthetics?
According to reports, the leak site of Akira seems straight out of the retro era. The site is distinctive in its use of old-school neon green against a black backdrop theme. Interestingly, there are no toggle buttons on the site and users (or victims) are expected to type in commands rather than navigate through drop-down menus or radio buttons seen on usual websites.
Some of the reports suggest that the Akira ransomware homepage also has a ‘news’ command that gives access to the list of as many as 16 victim organisations that were targeted by the group as of May. The information stolen from each organisation is summarised and listed corresponding to the company names on the page.
What is the impact of Akira?
The ransomware can lead to the loss of valuable data. For organisations, an attack by Akira can lead to a loss of reputation and integrity. Besides, sensitive information is likely to be lost, misused, or sold on the dark web. It effectively disrupts the operations of any organisation whose network it targets. Moreover, Akira can cause massive financial losses: a news report said the ransom demand could go up to a whopping $200,000.
How to safeguard yourself from Akira?
To combat Akira, companies need to upgrade their cybersecurity practices. They should take regular backups and keep them offline or on a separate network, so that the backups themselves cannot be encrypted. Experts advise turning on automatic software updates on computers, laptops, smartphones, and other connected devices. Users should refrain from opening suspicious links and email attachments without checking their authenticity.
If someone is indeed attacked, the immediate countermeasures include disconnecting infected devices from the network, disconnecting all external storage devices, and inspecting system logs for suspicious activity.
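Once infected machines are off the network, the next question is how far the encryption got, and the two traces the article describes, the ‘.akira’ extension and the per-folder ransom note, are enough to answer it. The following is an added example, not code from the article or from any incident-response tool, that walks a directory tree read-only and reports which folders hold encrypted files and which hold a note. The directory layout, file names and contents are constructed for the example; the note file name is assumed to contain the ‘akira_readme’ stem quoted in the article.

```python
import os
import tempfile
from collections import defaultdict

ENCRYPTED_EXT = ".akira"       # extension the article says Akira appends
NOTE_MARKER = "akira_readme"   # ransom-note name stem quoted in the article (assumed)


def build_sample_tree(root):
    """Constructed layout imitating a partially encrypted file share.
    Only here to exercise triage_tree(); not a real infection."""
    layout = {
        "Finance/q2-report.xlsx.akira": b"\x00" * 16,
        "Finance/akira_readme.txt": b"ransom note (constructed)",
        "HR/contracts.docx.akira": b"\x00" * 16,
        "HR/akira_readme.txt": b"ransom note (constructed)",
        "Public/logo.png": b"\x89PNG constructed",
        "Public/akira_readme.txt": b"ransom note (constructed)",  # note, nothing encrypted
        "Scratch/notes.txt": b"plain text",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def triage_tree(root):
    """Per directory, count files carrying the .akira extension and record
    whether a ransom note is present. Read-only: nothing is opened or moved,
    so the evidence stays intact for forensics."""
    encrypted = defaultdict(int)
    notes = set()
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted[rel] += 1
            if NOTE_MARKER in lower:
                notes.add(rel)
    return {
        "encrypted_files": sum(encrypted.values()),
        "encrypted_dirs": sorted(encrypted),
        "note_dirs": sorted(notes),
        # A note without encrypted files can mean the run was interrupted or
        # that this folder was still being processed: look at it first.
        "notes_without_encryption": sorted(notes - set(encrypted)),
    }


def run_on_sample():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    print(run_on_sample())
```

On a real share the function would be pointed at the mounted volume of an isolated machine (or better, at a forensic image of it) and its output used to decide which backups to restore and which folders to preserve for investigators.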