AKIRA RANSOMWARE

Akira ransomware employs various techniques to infiltrate and compromise devices:

• Infection Methods: The primary method of infection is through spear-phishing emails that contain malicious attachments in the form of archived content (zip/rar) files. Additionally, the ransomware may spread via drive-by downloads, which inadvertently download malicious code onto the victim's device, or through specially crafted web links in emails that lead to the download of malicious code. It has also been observed to exploit insecure Remote Desktop connections.
• Encryption and Deletion: Once the ransomware infects a device, it proceeds to encrypt the victim's data, appending the ".akira" extension to all encrypted files. The malware is also designed to delete Windows Shadow Volume copies, rendering recovery through traditional means nearly impossible.
• Service Termination: Akira ransomware terminates active Windows services using the Windows Restart Manager API to prevent interference with the encryption process.
• Targeted Encryption: To maintain system stability, the ransomware avoids encrypting certain critical folders like Program Data, Recycle Bin, Boot, System Volume Information, and key Windows system files with specific extensions (e.g., .syn, .msl, and .exe).
• Extortion and Communication: Once the data is encrypted, the ransomware leaves behind a note named "akira_readme.txt," containing information about the attack and a link to the Akira gang's negotiation site on the dark web. Victims are given unique negotiation passwords to communicate with the attackers via a chat system on the site.

To safeguard against Akira ransomware and other similar threats, users, and organizations can implement the following security measures:

• Maintain Offline Backups: Regularly back up critical data to offline storage to ensure data recovery in case of a ransomware attack.
• Keep Systems Updated: Ensure that operating systems and networks are regularly updated with the latest patches and security fixes. For legacy systems, consider using virtual patching.
• Implement Email Security: Enforce Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) to prevent email spoofing and spam.
• Use Strong Passwords and MFA: Enforce strong password policies and implement multi-factor authentication (MFA) to add an extra layer of security to user accounts.
• Restrict External Devices: Adopt a strict external device usage policy to prevent unauthorized access and potential malware introduction.
• Encrypt Data in Transit and at Rest: Implement data-at-rest and data-in-transit encryption to protect sensitive information from unauthorized access.
• Block Potentially Malicious Attachments: Configure email systems to block attachment file types that are commonly associated with malware (e.g., .exe, .pif, .url).
• Conduct Regular Security Audits: Perform periodic security audits of critical networks and systems, especially database servers, to identify vulnerabilities and weaknesses.

5. Computer Emergency Response Team (CERT)

• Computer Emergency Response Team (CERT) is a specialized group of experts responsible for providing rapid response and support during cyber security incidents.
• CERTs play a crucial role in detecting, analyzing, and mitigating cyber threats and vulnerabilities.
• These teams are often established within organizations, government agencies, or independent entities, and their primary objective is to enhance overall cybersecurity readiness and incident response capabilities.