Akira Ransomware
The Computer Emergency Response Team of India (CERT-In) has issued an alert for a ransomware strain dubbed "Akira".
The ransomware targets both Windows and Linux devices. It steals data before encrypting it, a double-extortion scheme in which victims are pressured to pay both for a decryptor to recover their files and to keep the stolen data from being published.
Ransomware is a type of malicious software (malware) that encrypts the victim's files or locks them out of their own computer system, making the data inaccessible. The attackers then demand a ransom payment from the victim to provide the decryption key or unlock the system. Ransomware attacks can have severe consequences for individuals, businesses, and organizations, leading to data loss, financial losses, and operational disruptions.
There are two primary types of ransomware:
Encrypting Ransomware: This type of ransomware encrypts the victim's files using a strong encryption algorithm, making the data unreadable without the decryption key. The attackers demand payment in cryptocurrency to provide the key and unlock the files.
Locker Ransomware: Locker ransomware does not encrypt files but instead locks the victim out of their computer system, preventing them from accessing their files or using their device. The attackers typically display a ransom note on the locked screen, demanding payment to restore access.
Before encrypting, the ransomware terminates Windows services and processes that could interfere with encryption, for example by holding open handles to the files it intends to encrypt. It does this through the Windows Restart Manager API, which exists so that installers can shut down and restart applications locking a file during an update; the ransomware uses it to close those applications so their files become writable.
Initial access commonly comes through VPN services, especially where two-factor authentication has not been enabled, and through tricking users into downloading malicious files.
ProgramData, the Recycle Bin, Boot, System Volume Information, and other folders the operating system needs to stay bootable are excluded from encryption by design, which keeps the machine usable enough for the victim to read the ransom note and reach the negotiation site.
It also leaves Windows system files with the extensions .sys, .msi, and .exe untouched. Once encryption finishes, the ransomware drops a ransom note containing information about the attack and a link to Akira's leak and negotiation site.
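The exclusion rules above are useful during incident scoping: files under the excluded folders or with the excluded extensions should still be intact on an affected host, and everything else is a candidate for encryption. The following Python triage helper is an added example, not Akira's code and not tooling from the CERT-In advisory. It models the exclusions exactly as described on this page and classifies each path from a host's file listing as spared or in scope. The canonical Windows folder names ($Recycle.Bin, System Volume Information), matching those names at any depth of the path, and the sample listing are my assumptions; a real sample may apply further rules.

```python
"""Scope an Akira-style incident from a file listing.

Added example, not Akira's code or CERT-In tooling. It models the
exclusion rules described in the text: ProgramData, the Recycle Bin, Boot,
System Volume Information, and files ending in .sys/.msi/.exe are spared,
everything else is in scope for encryption. Matching excluded folder names
at any depth and the canonical Windows folder names are assumptions; the
listing below is constructed, not taken from a real incident.
"""
from collections import Counter
from pathlib import PureWindowsPath

# Folder names compared case-insensitively (NTFS paths are case-insensitive).
EXCLUDED_DIRS = {"programdata", "$recycle.bin", "boot", "system volume information"}
# Extensions the ransomware leaves alone, per the description above.
EXCLUDED_EXTS = {".sys", ".msi", ".exe"}


def classify(path: str) -> str:
    """Return 'in scope' or a 'spared: ...' verdict for one Windows path."""
    p = PureWindowsPath(path)
    # Drop the anchor ('C:\' or '\\server\share\') so only real components remain.
    parts = p.parts[1:] if p.anchor else p.parts
    for directory in parts[:-1]:          # every directory component, any depth
        if directory.lower() in EXCLUDED_DIRS:
            return f"spared: excluded directory {directory}"
    if p.suffix.lower() in EXCLUDED_EXTS:  # extension check is case-insensitive
        return f"spared: excluded extension {p.suffix.lower()}"
    return "in scope"


# Constructed listing of the kind a responder would export from a host.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\contract.pdf",
    r"C:\ProgramData\Microsoft\Windows\cache.dat",
    r"C:\$Recycle.Bin\S-1-5-21-1\$R1ABC.docx",
    r"C:\Boot\BCD",
    r"C:\System Volume Information\tracking.log",
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Program Files\App\setup.msi",
    r"C:\Program Files\App\app.exe",
    r"D:\shares\finance\payroll.csv",
]


def scope_report(listing):
    """Summarise a listing: counts per verdict class plus the paths in scope."""
    verdicts = {path: classify(path) for path in listing}
    # 'in scope' stays whole; 'spared: ...' collapses to 'spared'.
    counts = Counter(v.split(":")[0] for v in verdicts.values())
    in_scope = [path for path, v in verdicts.items() if v == "in scope"]
    return {"counts": dict(counts), "in_scope": in_scope, "verdicts": verdicts}


if __name__ == "__main__":
    report = scope_report(SAMPLE_LISTING)
    for path, verdict in report["verdicts"].items():
        print(f"{verdict:45s} {path}")
    print("summary:", report["counts"])
```

Run it against a real directory export and the spared set is where to look for files you can trust for forensics (event logs under System Volume Information snapshots, binaries under excluded extensions), while the in-scope set bounds what needs to be restored from backup.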
Each victim receives a unique negotiation password that must be entered on the threat actor's Tor site.
Unlike many earlier ransomware operations, that site offers only a chat interface, which is the victim's sole channel for communicating with the gang.