Akira
Akira ransomware, written in C++, is most prominently (but not exclusively) associated with the ransomware-as-a-service entityAkira.Akira ransomware has been used in attacks across North America, Europe, and Australia, with a focus on critical infrastructure sectors including manufacturing, education, and IT services.Akira ransomware employs hybrid encryption and threading to increase the speed and efficiency of encryption and runtime arguments for tailored attacks. Notable variants include Rust-basedMegazord for targeting Windows andAkira _v2 for targeting VMware ESXi servers.[1][2][3]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1059 | .001 | Command and Scripting Interpreter:PowerShell | Akira will execute PowerShell commands to delete system volume shadow copies.[1][2] |
| .003 | Command and Scripting Interpreter:Windows Command Shell | Akira executes from the Windows command line and can take various arguments for execution.[1] | ||
| Enterprise | T1486 | Data Encrypted for Impact | Akira can encrypt victim filesystems for financial extortion purposes including through the use of the ChaCha20 and ChaCha8 stream ciphers.[1][2][3] | |
| Enterprise | T1083 | File and Directory Discovery | Akira examines files prior to encryption to determine if they meet requirements for encryption and can be encrypted by the ransomware. These checks are performed through native Windows functions such as | |
| Enterprise | T1490 | Inhibit System Recovery | Akira will delete system volume shadow copies via PowerShell commands.[1][2] | |
| Enterprise | T1106 | Native API | Akira executes native Windows functions such as | |
| Enterprise | T1135 | Network Share Discovery | ||
| Enterprise | T1057 | Process Discovery | Akira verifies the deletion of volume shadow copies by checking for the existence of the process ID related to the process created to delete these items.[1] | |
| Enterprise | T1082 | System Information Discovery | Akira uses the | |
| Enterprise | T1047 | Windows Management Instrumentation | Akira will leverage COM objects accessed through WMI during execution to evade detection.[1] | |