TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Huntress

Akira Ransomware Indicators | Huntress

2024-09-20

ATT&CK techniques detected (8 predictions)

T1486 Data Encrypted for Impact, 99%
"customer infrastructure: C:\ProgramData\cloudflared.exe tunnel run --token redacted. When the file encryption malware is finally deployed, the command line appears as follows: C:\ProgramData\w.exe -p=<path> -n=2. The exact path may vary depending upon the in…"

T1486 Data Encrypted for Impact, 74%
"Akira Ransomware Indicators | Huntress. Background: Huntress analysts "see" a variety of cyberattacks taking place, with visibility into the attack itself initially becoming available at different points in the attack chain. This is true for a number of different types of cyberat…"

T1080 Taint Shared Content, 68%
(same excerpt as the T1486, 74% entry above)

T1078.003 Local Accounts, 52%
"installations. While Huntress analysts have observed threat actors creating new user accounts as an initial step in an attack that has led to Akira ransomware being deployed, these new user accounts have not always been used to access the targeted endpoint. Many times, an already…"

T1078.001 Default Accounts, 52%
"t REG_DWORD /v [user] /d 0 /f 1. This command prevents the designated user account from being displayed on the welcome screen, essentially hiding it from view. Analysts have observed threat actor access via RDP originating from a workstation named WIN-JGRMF8L11HO. This wo…"

T1136 Create Account, 38%
(same excerpt as the T1486, 74% entry above)

T1585 Establish Accounts, 33%
(same excerpt as the T1486, 74% entry above)

T1136 Create Account, 33%
(same excerpt as the T1078.003 Local Accounts entry above)

Summary

Tracking various indicators across different attacks, Huntress analysts have been able to identify specific indicators (threat actor workstation names, passwords associated with new user account creation or current account modification, Cloudflare tunnel tokens) that are associated with Akira ransomware infections. By detecting these indicators much earlier in the attack chain, organizations can inhibit or even obviate the deployment of file encryption malware.