Akira Ransomware

Description

In one of our recent incident response cases, we came across a ransomware attack. Looking at the ransom note, we quickly noticed that the group named in it was Akira.

First of all, we are not friends! In such a note, the victim can read what threat actors want and how to reach them.

Below, can you find the ransomware file? Nooo, just kidding. 😬 What you will find is my personal malware analysis of this binary. The file we are talking about is called w.exe because it’s a Windows binary. The TA (threat actors) have also used a binary for ESXi called, let’s guess… ./e, to encrypt all VMs.

Static Analysis

Detect It Easy

Let’s open up the file first with the tool Detect It Easy and see what kind of information we can get from this file.

  • SHA 256: 4bfe889e28c2cb1bced7e7fde31525f39d596589ef2756c7a65bc3664091efe0
  • It is a 64-bit binary compiled with Microsoft Visual C/C++
  • It has a timestamp of 2023-09-29 14:15:51.
  • It has a size of 969.00 KiB
  • It has an entropy of 6.44858, which indicates it is not packed.

Let’s move on to FLOSS and try to get some strings out of this file.

Floss

With a minimum string length of 8, we run floss against the binary with the following command:

floss -n 8 .\w.exe

Floss does an incredible job extracting the strings out of the files. Let’s have a look at what we have got.

FLARE FLOSS RESULTS:

Among the results extracted from 167 functions, a few stand out:

INFO: floss.results: spoolsv.exe
INFO: floss.results: explorer.exe
INFO: floss.results: sihost.exe
INFO: floss.results: fontdrvhost.exe
INFO: floss.results: LogonUI.exe
INFO: floss.results: SearchUI.exe
INFO: floss.results: lsass.exe
INFO: floss.results: csrss.exe
INFO: floss.results: smss.exe
INFO: floss.results: winlogon.exe
INFO: floss.results: services.exe
INFO: floss.results: conhost.exe
INFO: floss.results: System Idle Process
INFO: floss.results: Secure System
INFO: floss.results: Registry
INFO: floss.results: Memory Compression
INFO: floss.results: wininit.exe
INFO: floss.results: 96167439
INFO: floss.results: 96167439
INFO: floss.results: 4157100f
INFO: floss.results: 96216591
INFO: floss.results: powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"

There are some interesting strings, but one which catches my eye right away is this hardcoded PowerShell command:

powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"

The command deletes all volume shadow copies on the host where the ransomware is running, so that files cannot be restored from them.

Scrolling further down in the floss output we found a lot of interesting strings. Below are a few of them:

- file too large
- filename too long
- host unreachable: I will explain later on in the post why this is important to know
- invalid argument: the binary accepts command-line arguments
- network down: there are capabilities to check remote hosts or run the ransomware remotely
- network unreachable
- Failed to make full encrypt! (
- Failed to make spot encrypt! (
- Failed to make part encrypt! (
- file rename failed. System error:
- Failed to write header! (
- akira_readme.txt: the ransom note
- Lots of keyboard checks
- This is local disk:
- This is network disk:
- This is network path:
- Not allowed disk:
- --encryption_path
- --share_file
- --encryption_percent
- -localonly
- $RECYCLE BIN: maybe to remove some stuff from the host
- Trend Micro: most probably, the ransomware is checking if Trend Micro is installed on the host
- ProgramData: where the ransomware was placed, at least in my case

These pieces of information tell us a lot about how this executable works. Sometimes, you can even find IP addresses or URLs in there. In this case, the binary has remote capabilities to encrypt across the network and even to share files, which could be used to exfiltrate company data.
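As an added example that is not part of the original post, the following Python script turns the strings above into a detection check: it runs over constructed, tab-separated process-creation records and flags the hardcoded shadow-copy deletion command, the command-line switches recovered with FLOSS, and executables launched from the staging directories seen in this case. The record format, host names and paths are assumptions made for this example.

```python
import re

# Constructed, tab-separated process-creation records: timestamp, host, image, command line.
# Sample lines written for this example, not telemetry from the incident.
SAMPLE_EVENTS = [
    "2023-09-30T01:12:03Z\tSRV-BACKUP\tC:\\ProgramData\\w.exe\t"
    "w.exe --encryption_path \\\\10.0.0.5\\C$ --encryption_percent 50",
    "2023-09-30T01:12:05Z\tSRV-BACKUP\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell.exe -Command \"Get-WmiObject Win32_Shadowcopy | Remove-WmiObject\"",
    "2023-09-30T01:13:10Z\tWS-042\tC:\\Program Files\\Notepad++\\notepad++.exe\t"
    "notepad++.exe notes.txt",
]

# The hardcoded shadow-copy deletion command found in the binary (whitespace tolerant).
SHADOW_COPY_RE = re.compile(r"Get-WmiObject\s+Win32_Shadowcopy\s*\|\s*Remove-WmiObject", re.IGNORECASE)
# Command-line switches recovered with FLOSS.
AKIRA_SWITCHES = ("--encryption_path", "--share_file", "--encryption_percent", "-localonly")


def in_staging_dir(image):
    """True if the image lives in one of the staging directories seen in this incident."""
    p = image.lower()
    return p.startswith("c:\\programdata\\") or (
        p.startswith("c:\\users\\") and ("\\downloads\\" in p or "\\desktop\\" in p)
    )


def classify(image, cmdline):
    """Return the list of reasons a process-creation record looks like Akira activity."""
    reasons = []
    if SHADOW_COPY_RE.search(cmdline):
        reasons.append("shadow_copy_deletion")
    if any(switch in cmdline for switch in AKIRA_SWITCHES):
        reasons.append("akira_cli_switch")
    if in_staging_dir(image) and image.lower().endswith(".exe"):
        reasons.append("exe_from_staging_dir")
    return reasons


def scan_events(lines):
    """Parse the records and keep only those that triggered at least one reason."""
    findings = []
    for line in lines:
        ts, host, image, cmdline = line.split("\t", 3)
        reasons = classify(image, cmdline)
        if reasons:
            findings.append({"time": ts, "host": host, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f["time"], f["host"], f["image"], ", ".join(f["reasons"]))
```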

Let’s move further with our static analysis.

Capa

capa detects capabilities in executable files. You run it against a PE, ELF, .NET module, or shellcode file and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.

I ran capa against the ransomware without any parameters such as -v or -vv, which would also show you the memory regions. I will check those in PEStudio or even in Cutter.

I basically use capa to check what kind of capabilities this binary has, as well as to check whether I missed any MITRE ATT&CK tactic or technique. Below is the result of my search:

As you can see, there are a few capabilities for encoding and encryption as well as for file manipulation.

I think now it is time to move on to PEStudio and get a deeper understanding of this binary.

PEStudio

Once we have loaded the file into PEStudio, the following information appears. So, let’s have a look at what we find. There is already some interesting information marked in red under indicators (file > extension > count). Sorting by the flags, we can quickly identify a few interesting indicators, such as Sandbox Evasion with the value SleepEx:

SleepEx is used to suspend the execution of the current thread for a set time. This function is commonly used for time-based evasion by adding delays in the code.

or GetLogicalDriveStrings(W):

GetLogicalDrives is used to retrieve a bitmask representing the currently available disk drives. This function can be used to enumerate all drives / mounted drives.

This is, according to https://malapi.io, associated with ransomware attacks.

Sorting instead by size, which could be very interesting, we can then identify the hardcoded ransom note:

When doing static analysis of a binary, PEStudio can be a very powerful application to help you move things along. That wraps up our basic static analysis section; next we move into basic dynamic analysis, which means we will start running the binary and recording what we see.

VirusTotal

Before we start with the dynamic analysis, I want to show you the results of the VirusTotal scan of this binary. At the time this post was published, there were no results on VT:

Dynamic Analysis

There is not much to show in the dynamic analysis because of the sandbox evasion mechanism of the executable. So I will jump to the IR section, where I will show you what we did and analysed in the case.

Incident Response

In an incident response case, the initial steps are critical. The first thing to do is to assess and define the nature and severity of the incident. There are steps like:

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned
  • Communication

The initial steps are crucial in setting the foundation for a structured and effective response to the incident. Already in the identification phase, thanks to the evidence-of-execution/UserAssist artefacts, we quickly identified the file w.exe being executed from the staging directory C:\ProgramData.

We also found failed RDP logons from Windows 10 hosts (DESKTOP-OPDHSQG and Win10) with the user wind, most probably originating from the threat actors. The threat actors used valid VPN credentials to connect to the company network. Based on the negotiation with the threat actors, we got the information that they had bought the credentials on the darknet. During the analysis, we couldn’t confirm this: on the one hand, the customer’s VPN solution had an RCE vulnerability; on the other hand, we didn’t have any logs to check whether the VPN solution had been attacked.

We also found hundreds of user access log entries targeting Active Directory from multiple domain users. We assumed this was a recon phase in which the TA checked whether the obtained credentials were still valid. So the TA used the VPN vulnerability to get hold of various domain users, which were checked afterwards. Because of the lack of logs, we couldn’t confirm the initial access vector.

The TA (threat actors) then moved laterally to several internal systems until they reached the important ones: DC, backups and ESXi. They shut down the VMs on the ESXi hosts and ran the ransomware on all ESXi servers and simultaneously on the initial access and backup hosts.

According to the information we got from the TA about privilege escalation, they used a Kerberoasting attack to gain domain admin. However, the user they used initially was already a domain admin and was not kerberoastable, so there was a mismatch between what the TA told us and what we found. It might also be possible that the TA got domain admin by abusing the VPN solution vulnerability.

Staging Directories

The “staging directories” are directories in which the attacker stores various tools and scripts for execution. These are usually the same throughout the attack, as the attacker commonly uses the same technique during an attack. A check of these storage locations can quickly uncover malicious content.

Directory                                   File Type
C:\Users\Administrator\Desktop              Executable
%ProgramFiles%\Advanced IP Scanner          Executable
C:\Users\<compromised users>\Downloads      Executable
C:\ProgramData                              Executable
SYSVOL\ProgramData                          Executable
C:\ProgramData\Log-dd-mm-yyyy-hh-mm-ss.txt  Logfile

Tools

Below you will find a list of the tools used by the attacker during the incident. The attacker either left these tools behind or we have found evidence that they were used.

Tool Name            Utilisation
w.exe                Akira Ransomware
MobaXterm            Multifunctional tool for remote connection to ESXi servers
Advanced IP Scanner  Network Scanner
AnyDesk              Remote Management Tool

Ransomware functionality

One of the key functions of ransomware is to encrypt files on the victim’s system, rendering them inaccessible without a decryption key. It usually targets a wide range of file types, including documents, images, videos, and more.

Because we couldn’t find any trace of w.exe being executed on the hosts that were encrypted, we started to analyse this file and found further capabilities that can be used when running this binary. While analysing the RDP cache of the systems where we found traces of this file, we could piece together a “puzzle” and figure out that this binary can be run both locally and remotely via SMB. Basically, if a remote machine was reachable on C$, D$ and so on, the TA could run the ransomware against these network shares and encrypt all their content via SMB.

The tool w.exe also creates a log file in the exact location from which it is started. Thanks to these logs we could find all encrypted hosts.
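As an added example (not code from the original post), the following Python script covers both the staging-directory check from the table above and the log file w.exe leaves behind: it walks a copied staging directory, hashes executables against the SHA256 from the IOC table, and collects Log-dd-mm-yyyy-hh-mm-ss.txt files, ordering them by the timestamp in their names to get a timeline of where the ransomware was started. The sample tree, its file names and contents are constructed for this example.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime

# SHA256 of w.exe from the indicator table in this post.
KNOWN_SHA256 = {"4bfe889e28c2cb1bced7e7fde31525f39d596589ef2756c7a65bc3664091efe0"}
# Name pattern of the log written where the ransomware is started: Log-dd-mm-yyyy-hh-mm-ss.txt
LOG_NAME_RE = re.compile(r"^Log-(\d{2})-(\d{2})-(\d{4})-(\d{2})-(\d{2})-(\d{2})\.txt$", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat")


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def parse_log_time(name):
    """Return the start time encoded in an Akira log file name, or None for other files."""
    m = LOG_NAME_RE.match(name)
    if not m:
        return None
    dd, mm, yyyy, hh, mi, ss = (int(x) for x in m.groups())
    return datetime(yyyy, mm, dd, hh, mi, ss)


def triage(root):
    """Walk a copied staging directory; return (executables with hashes, logs sorted by start time)."""
    executables, logs = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(EXEC_EXT):
                digest = sha256_of(path)
                executables.append({"path": path, "sha256": digest, "known_ioc": digest in KNOWN_SHA256})
            started = parse_log_time(name)
            if started:
                logs.append({"path": path, "started": started})
    logs.sort(key=lambda entry: entry["started"])  # order in which the ransomware was started
    return executables, logs


def build_sample_tree():
    """Constructed stand-in for an image of C:\\ProgramData; file contents are dummy bytes."""
    root = tempfile.mkdtemp(prefix="programdata_")
    samples = [("w.exe", b"MZ dummy sample, not the real binary"),
               ("Log-30-09-2023-01-12-03.txt", b"encrypted: C:\\data\\a.docx\n"),
               ("Log-29-09-2023-23-58-41.txt", b"encrypted: \\\\10.0.0.5\\C$\\x.vmdk\n"),
               ("readme.txt", b"not an artefact")]
    for name, data in samples:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

Point triage() at a mounted forensic image or a collected copy of the staging directories rather than the live host.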

Detection

Detecting a ransomware attack involves a combination of tools, practices, and vigilance across different layers of a company’s infrastructure such as:

  1. Antivirus and Anti-Malware Software:
    • Utilize robust antivirus and anti-malware solutions that can identify and quarantine known ransomware signatures. Regularly update these tools to stay protected against new threats.
  2. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS):
    • Implement IDS/IPS to monitor network traffic and detect anomalies or suspicious patterns that could indicate a ransomware attack.
  3. Behavioral Analysis Tools:
    • Use tools that analyze the behavior of programs and processes to detect deviations from normal operations. These can help identify ransomware by observing its encryption behavior or file modification patterns.
  4. Endpoint Detection and Response (EDR):
    • EDR solutions monitor endpoints for suspicious activities, providing detailed visibility into processes, file changes, and network connections. This helps in early ransomware detection.
  5. User Behavior Monitoring:
    • Regularly monitor user activities and access patterns. Unusual file access, mass file modifications, or sudden access to unusual file types can be indicators of a ransomware attack.
  6. Backup and Recovery Solutions:
    • Implement backup systems and monitor them for unexpected changes, such as large-scale file encryption, which could indicate a ransomware attack underway.
  7. Network Traffic Monitoring and Analysis Tools:
    • Utilize tools that monitor network traffic for unusual or unexpected data flows. Ransomware often communicates with external servers; detecting this communication can signal a potential attack.
  8. Email Filtering and Phishing Detection:
    • Advanced email filtering systems can prevent malicious attachments or links from reaching users. These solutions often include URL scanning and attachment analysis to detect ransomware distribution via phishing emails.
  9. Security Information and Event Management (SIEM):
    • SIEM tools collect and analyze security data from various sources, providing a comprehensive view of the security landscape and aiding in the detection of ransomware activities.
  10. Threat Intelligence Feeds:
    • Stay updated with threat intelligence feeds and indicators of compromise (IOCs) to proactively detect ransomware campaigns or new variants.

Effective detection involves a multi-layered approach, combining technological solutions with employee training, proactive monitoring, and a robust incident response plan. No single tool or method is foolproof, so a combination of these measures significantly enhances ransomware detection capabilities.

Indicator of Compromise

Type    Indicator  Hash                                                              Description
SHA256  w.exe      4bfe889e28c2cb1bced7e7fde31525f39d596589ef2756c7a65bc3664091efe0  Windows Executable
MD5     /e         a818b136a0ceb48651c6ee69f7c4dda6                                  ESXi Executable

Mitre Attack TTPs

Category           MITRE ID   Description
Initial Access     T1078      Valid Accounts: Uses compromised VPN credentials
                   T1190      Exploit Public-Facing Application
Execution          T1059.001  Command and Scripting Interpreter: PowerShell
Defense Evasion    T1078.002  Valid Accounts: Domain Accounts
Credential Access  T1558.003  Steal or Forge Kerberos Tickets: Kerberoasting
Discovery          T1135      Network Share Discovery
                   T1046      Network Service Discovery
Lateral Movement   T1570      Lateral Tool Transfer: Uses RDP to move laterally within the victim’s network
Impact             T1490      Inhibit System Recovery: Deletes shadow copies to inhibit recovery
                   T1486      Data Encrypted for Impact: Akira ransomware is used to encrypt files

References