
New Akira Ransomware Threatens Corporate Networks for Million-dollar Ransom

A new ransomware operation, named Akira, has been targeting Windows-based corporate networks across the globe. It is hunting organizations in the education, manufacturing, real estate, finance, and consulting sectors, demanding million-dollar ransoms.

The infection stage

Believed to have started in March, Akira has apparently targeted 16 organizations so far.
  • Upon launch, Akira executes a PowerShell command that deletes the Windows Shadow Volume Copies present on the machine.
  • It then encrypts the files found in folders on the hard drive, except for the ProgramData, Recycle Bin, Boot, System Volume Information, and Windows folders. It avoids making any changes to Windows system files, including .sys, .msi, .dll, .lnk, and .exe files.
  • Akira terminates running Windows services using the Windows Restart Manager API to avoid any interference with the encryption process.
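
Added example, not from the article or the Akira operators' tooling: detection logic a defender could run over process-creation telemetry to catch the shadow-copy deletion step described above. The log records are constructed, and the command-line patterns are assumptions drawn from commonly published detection rules, since the article does not quote Akira's exact PowerShell command.

```python
"""Added example (not from the article): flag Shadow Volume Copy deletion in
constructed Sysmon-style process-creation records. The command-line patterns
are assumptions taken from public detection rules, not Akira's exact command."""
import re

# Any of these removes shadow copies; one match is enough for an alert.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*remove-(wmi|cim)(object|instance)", re.I),
]
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def is_shadow_copy_deletion(event: dict) -> bool:
    """True when the record's command line deletes shadow copies (listing them is not flagged)."""
    return any(p.search(event.get("CommandLine", "")) for p in SHADOW_DELETE_PATTERNS)


def flag_events(events: list) -> list:
    """Return one alert string per matching record, noting whether PowerShell is the
    image or the parent, which is the lineage the article attributes to Akira."""
    alerts = []
    for e in events:
        if not is_shadow_copy_deletion(e):
            continue
        via_ps = {_basename(e.get("Image", "")), _basename(e.get("ParentImage", ""))} & POWERSHELL_IMAGES
        alerts.append(f"{e['Computer']}:{e['ProcessId']} powershell={'yes' if via_ps else 'no'}")
    return alerts


# Constructed sample records (simplified Sysmon Event ID 1 fields); paths are made up.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "ProcessId": "4412", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\w.exe",
     "CommandLine": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"Computer": "WS01", "ProcessId": "4420", "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS02", "ProcessId": "1200", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",  # benign: lists shadow copies, deletes nothing
     "CommandLine": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Select-Object ID"'},
]

if __name__ == "__main__":
    for alert in flag_events(SAMPLE_EVENTS):
        print("ALERT shadow-copy deletion:", alert)
```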

The encryption phase

  • During data encryption, Akira appends the .akira extension to every encrypted file and drops a ransom note, akira_readme[.]txt, in each targeted folder, carrying details about the ransom and a link to the negotiation site.
  • Each victim is provided with a unique key (password) used to log into the attacker’s Tor website, which provides a chat box for further negotiations.

Post-encryption activities

  • Once admin credentials for the Windows domain are obtained, the ransomware is deployed across the entire network.
  • Akira exfiltrates corporate data for further leverage, threatening to leak it publicly on the internet if the ransom demands, ranging from $200,000 to millions of dollars, are not met.

Ending notes

Akira ransomware is yet another challenge to the security community. It uses standard yet effective double-extortion tactics, which pose a severe threat to organizations of all sizes. Therefore, experts strongly emphasize implementing a robust data security strategy, including multi-factor authentication, encryption of sensitive data, and timely backups of that data.
Cyware Publisher
