StopRansomware: Akira Ransomware

    Date: 12/01/2025

    Severity: High

    Summary

    The StopRansomware: Akira Ransomware advisory warns of Akira's expanding operations, including new activity as of Nov. 13, 2025, targeting Windows, Linux, and virtualization platforms. Akira actors gain initial access by exploiting vulnerabilities in VPNs, backup servers, and edge devices (including CVE-2024-40766), then use credential theft and lateral movement before exfiltrating and encrypting data for double extortion. The group has impacted multiple critical sectors and caused significant financial losses.

    Indicators of Compromise (IOC) List

    Hash


    Filenames

    Edge_server.exe

    lck.exe (Akira)

    1.bat

    1.exe

    locker.exe

    Win_locker_0234-BMMNBW-MONC.exe

    level.exe (Trojanized)

    level-windows-amd64.exe

    Commandline

    nltest /dclist

    nltest /DOMAIN_TRUSTS

    net group "Domain admins" /dom

    net localgroup "Administrators" /dom

    tasklist

    cmd.exe /Q /c esentutl.exe /y "C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.defaultrelease\key4.db" /d "C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.defaultrelease\key4.db.tmp"

    cmd.exe /Q /c esentutl.exe /y "C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d "C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp"

    powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"

    rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump ((Get-Process lsass).Id) C:\windows\temp\lsass.dmp full

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    md5hash IN ("57D1AEB41D9CFEA4D6899724BC4B09A5","17c624693f5dd575485ec4286b0ba786","C56B31C9080B993D57C100B91D096C33","2FED7579556F01161BB1FDFD1C3E9E6C","24e19d29a47b6b5e1a39bf5e4c313194","814310fb7a59f23e3e137ee6fee04fa1")

    Detection Query 2:

    sha1hash IN ("5961a99181df157b81d35a50eeb27f96577a2fa2","d5efaa22a74aab87d17f8666686b554e41fb389a","08CF869A19C76CA718BA80EF73636E7BC38218B8","ef328f68c6d865ba4ef4223b5d8ee9efb5667420")

    Detection Query 3:

    sha256hash IN ("03aa12ac2884251aa24bf0ccd854047de403591a8537e6aba19e822807e06a45","a2df5477cf924bd41241a3326060cc2f913aff2379858b148ddec455e4da67bc","fef09b0aa37cbdb6a8f60a6bd8b473a7e5bffdc7fd2e952444f781574abccf64","2e88e55cc8ee364bf90e7a51671366efb3dac3e9468005b044164ba0f1624422","e1321a4b2b104f31aceaf4b19c5559e40ba35b73a754d3ae13d8e90c53146c0f","7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be","643061ac0b51f8c77f2ed202dc91afb9879f796ddd974489209d45f84f644562","3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75","58afef43cec0ee7a2fbfd9cdd5b71f55f971672d5e523a400b82b98c752ca5b7","2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83","0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c","9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065","aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d","0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d","3d2b58ef6df743ce58669d7387ff94740ceb0122c4fc1c4ffd81af00e72e60a4","9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c","C9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0","0d700ca5f6cc093de4abba9410480ee7a8870d5e8fe86c9ce103eec3872f225f","18051333e658c4816ff3576a2e9d97fe2a1196ac0ea5ed9ba386c46defafdb88","6f9d50bab16b2532f4683eeb76bd25449d83bdd6c85bf0b05f716a4b49584f84","d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca","dcfa2800754e5722acf94987bb03e814edcb9acebda37df6da1987bf48e5b05e","ffd9f58e5fe8502249c67cad0123ceeeaa6e9f69b4ec9f9e21511809849eb8fc","dfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198","131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07","95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a","5e1e3bf6999126ae4aa52146280fdb913912632e8bac4f54e98c58821a307d32","58359209e215a9fc0dafd14039121398559790dba9aa2398c457348ee1cb8a4d","cf3465d7e49b609defa1e2b6cfcc86ffa30c72246cb2744dbf50736c5f3d74d5","bfd5fc6cd3dea74738ac7025fa14ea844f400708df2293572796568f65bd6b61","8e12c8eb39cec9a414b56a36acbcc1a5b31dc96a38bc668138a00f94f7c26ea5","4DC9F9684F715F50946E85557B82AF80FCB45576EFAD47EEE1BF054C15E570F0","7266e2afb5c70788c018d684698b0940eded4cb863f2b33f4edd31b59d1eab1d","c0f706ff43936c1bb19db4f39b11129c3fc8ddafbd159852475ef99a246b2f79","3a25d3f82651567e5760e48ad06c9f6caab4f9fdc071e98919163b3a71e67168","CFA209D56E296C40B32815270060E539963D68CDA3285C5F393C97EB3C960D37","77d48e8c13ce066b197905cc8fc69969af69b74d25f5e95dcd1302ada2e7ccec","0b5b31af5956158bfbd14f6cbf4f1bca23c5d16a40dbf3758f3289146c565f43","40221e1c2e0c09bc6104548ee847b6ec790413d6ece06ad675fff87e5b8dc1d5","5ea65e2bb9d245913ad69ce90e3bd9647eb16d992301145372565486c77568a2","74f497088b49b745e6377b32ed5d9dfaef3c84c7c0bb50fabf30363ad2e0bfb1")

    Detection Query 4:

    (resourcename = "Windows Security" AND eventtype = "4663") AND filename IN ("Edge_server.exe","lck.exe","1.bat","1.exe","locker.exe","Win_locker_0234-BMMNBW-MONC.exe","level.exe","level-windows-amd64.exe")

    Detection Query 5:

    technologygroup = "EDR" AND filename IN ("Edge_server.exe","lck.exe","1.bat","1.exe","locker.exe","Win_locker_0234-BMMNBW-MONC.exe","level.exe","level-windows-amd64.exe")

    Detection Query 6:

    (resourcename = "Windows Security" AND eventtype = "4688") AND commandline IN ("nltest /dclist","nltest /DOMAIN_TRUSTS","net group \"Domain admins\" /dom","net localgroup \"Administrators\" /dom","tasklist","cmd.exe /Q /c esentutl.exe /y \"C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.defaultrelease\key4.db\" /d \"C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.defaultrelease\key4.db.tmp\"","cmd.exe /Q /c esentutl.exe /y \"C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Login Data\" /d \"C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp\"","powershell.exe -Command \"Get-WmiObject Win32_Shadowcopy | Remove-WmiObject\"","rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump ((Get-Process lsass).Id) C:\windows\temp\lsass.dmp full")

    Detection Query 7:

    technologygroup = "EDR" AND commandline IN ("nltest /dclist","nltest /DOMAIN_TRUSTS","net group \"Domain admins\" /dom","net localgroup \"Administrators\" /dom","tasklist","cmd.exe /Q /c esentutl.exe /y \"C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.defaultrelease\key4.db\" /d \"C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.defaultrelease\key4.db.tmp\"","cmd.exe /Q /c esentutl.exe /y \"C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Login Data\" /d \"C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp\"","powershell.exe -Command \"Get-WmiObject Win32_Shadowcopy | Remove-WmiObject\"","rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump ((Get-Process lsass).Id) C:\windows\temp\lsass.dmp full")
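Queries 6 and 7 match the command lines above with an exact IN list, but several entries contain `<username>` and `<firefox_profile_id>` placeholders that never appear verbatim in real 4688 telemetry, and quoting and spacing vary between collectors. The script below is an added example, not Gurucul's or CISA's code: it turns each placeholder into a wildcard, normalizes quotes and whitespace, and runs the result over constructed sample 4688 records (hostnames, user name and the sample events are invented).

```python
import re

# Command-line indicators copied from the advisory page. The angle-bracket
# placeholders stand for per-host values and must not be matched literally.
AKIRA_COMMANDLINES = [
    "nltest /dclist",
    "nltest /DOMAIN_TRUSTS",
    'net group "Domain admins" /dom',
    'net localgroup "Administrators" /dom',
    'cmd.exe /Q /c esentutl.exe /y "C:\\Users\\<username>\\AppData\\Local\\Google\\Chrome'
    '\\User Data\\Default\\Login Data" /d "C:\\Users\\<username>\\AppData\\Local\\Google'
    '\\Chrome\\User Data\\Default\\Login Data.tmp"',
    'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"',
    "rundll32.exe c:\\Windows\\System32\\comsvcs.dll, MiniDump ((Get-Process lsass).Id)"
    " C:\\windows\\temp\\lsass.dmp full",
]
PLACEHOLDER = re.compile(r"<[^>]+>")

def normalize(cmd):
    """Straighten curly quotes and collapse whitespace so comparisons are stable."""
    return " ".join(cmd.replace("\u201c", '"').replace("\u201d", '"').split())

def indicator_to_regex(indicator):
    """Escape the literal text; each <placeholder> may match one path component."""
    parts = [re.escape(p) for p in PLACEHOLDER.split(normalize(indicator))]
    return re.compile(r'[^\\"]+'.join(parts), re.IGNORECASE)

def detect(events, indicators=AKIRA_COMMANDLINES):
    """Return (host, indicator) pairs for 4688 events whose command line matches."""
    patterns = [(ind, indicator_to_regex(ind)) for ind in indicators]
    hits = []
    for ev in events:
        if ev.get("eventtype") != "4688":
            continue  # only process-creation events carry the command line
        cmd = normalize(ev.get("commandline", ""))
        hits.extend((ev["host"], ind) for ind, pat in patterns if pat.search(cmd))
    return hits

# Constructed sample 4688 records, not real telemetry; the first three should hit.
SAMPLE_4688_EVENTS = [
    {"host": "WS01", "eventtype": "4688", "commandline":
     'cmd.exe /Q /c esentutl.exe /y "C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data'
     '\\Default\\Login Data" /d "C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data'
     '\\Default\\Login Data.tmp"'},
    {"host": "DC01", "eventtype": "4688", "commandline": "net  group \u201cDomain admins\u201d /dom"},
    {"host": "WS02", "eventtype": "4688", "commandline":
     'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"host": "WS03", "eventtype": "4688", "commandline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]
```

The hash queries above mix upper- and lower-case hex, so lower-case both the indicator and the telemetry field before comparing or a case-sensitive IN will miss; the nltest and tasklist entries are low-fidelity discovery noise on their own and are better scored alongside the credential-theft and shadow-copy hits than alerted on alone.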

    Reference: 

    https://www.ic3.gov/CSA/2025/251113.pdf

