With access to the VMware vCenter server, Akira used stolen administrator credentials to create a new virtual machine on the ESXi hypervisor. This tactic provided a stealthy environment where they could launch additional attacks while evading detection by conventional security tools.

The attackers then targeted the Active Directory database by shutting down the domain controller's VM, copying the VMDK files to another VM, and extracting the NTDS.dit and SYSTEM hive files. The SYSTEM hive file provided the decryption key for the password hashes stored in NTDS.dit which Akira used to crack passwords or employ pass-the-hash techniques, rapidly escalating privileges to a domain administrator account.

The forensic investigation conducted by researchers revealed that Akira's attack chain was meticulously planned and executed. Within six hours, the attackers had moved laterally across the network compromising additional systems. They deployed the ransomware by exploiting a legitimate backup client process, beremote.exe, to deliver the ransomware binary to servers.

This method effectively bypassed security defenses because the backup client was a trusted process within the system’s environment. Unlike typical ransomware attacks that aim to destroy backups, Akira leveraged remote backups to ensure the deployment of their ransomware, highlighting a strategic shift in attack methodologies.

The Akira ransomware group's techniques are similar to those used by advanced persistent threat groups like the China-backed UTA0178, employing advanced methods to bypass security measures, escalate privileges, and move laterally within a network. Their ability to exploit unpatched vulnerabilities and weaknesses in multi-factor authentication emphasizes the need for organizations to adopt stringent cybersecurity measures.

To defend against such sophisticated attacks, organizations must implement robust patch management systems, enforce multi-factor authentication, and conduct regular security assessments. These measures are crucial to preventing attackers from gaining a foothold and rapidly spreading through the network.

Impact

• Privilege Escalation
• Code Execution
• Financial Loss
• Sensitive Data Theft

Remediation

• Employ intrusion detection and prevention systems.
• Educate users about phishing and social engineering risks.
• Consider network segmentation and least privilege access controls.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Conduct regular backups of your important data and ensure that these backups are stored offline or in a separate network. This will help protect your data from being compromised by ransomware attacks.
• Deploy advanced threat detection and monitoring solutions to identify potential ransomware activity in real time. Monitor network traffic, system logs, and behavior anomalies to detect and respond to ransomware incidents promptly.