UPDATES TO AKIRA RANSOMWARE CODEBASE

    Date: 09/17/2024

    Severity: Critical

    Summary

    We have recently noted changes in the Akira ransomware codebase. The ransomware now uses open-source crypto libraries for key import and data encryption instead of a system crypto API. The addition of the KCipher2 stream cipher alongside ChaCha20 is unusual, and the encryption metadata is now encrypted in full with RSA rather than only partially. A new autosave feature writes temporary .arika files during runtime; although the ransomware deletes them again, their creation still shows up in file-creation telemetry and can help identify Akira activity even when no sample is recovered from disk.

    Indicators of Compromise (IOC) List

    Hash (SHA-256)

    08207409e1d789aea68419b04354184490ce46339be071c6c185c75ab9d08cba
    2727c73f3069457e9ad2197b3cda25aec864a2ab8da3c2790264d06e13d45c3d
    2db4a15475f382e34875b37d7b27c3935c7567622141bc203fde7fe602bc8643
    56f1014eb2d145c957f9bc0843f4e506735d7821e16355bcfbb6150b1b5f39db
    58e9cd249d947f829a6021cf6ab16c2ca8e83317dbe07a294e2035bb904d0cf3
    6270cef0c8cc45905556c40c9273391d71ef8d73c865d44d2254a8a4943ae5b4
    77fe1619aa07d2ab169a2fa23feb22d7433bf07e856cda1402cf60205beddd7f
    78642603005f826a3b47effb852da980a6483ffb9461e30842020848305c9353
    7d5da695e6f9a421e3d3a94e384ce00e8ec58fac5b895b4cba5b66a6de7fafd5
    99c1cd740fa749a163ce8cdf93722191c4ba5d97de81576623a8bbcb622473d6
    b7bbfb66338a3413f981561115bd8ef8a4014479bcc320de563499cfc73a3de2
    c9a1d8240147075cb7ffd8d568e6d3c517ac4cfdddccd5bb37857e7bde6d2eb7
    ca651d0eb676923c3b29190f7941d8d2ac8f14e4ad6c26c466069bbc59df4d1d
    d5558ec7979a96fe1ddcb1f33053a1ac3416a9b65d4f27b5cc9fd0a816296184
    e5c8888f51369c2105d47a4998ad9b4053471bd98b4fd73a854207da09206ee2
    ee0a27f3de6f21463f8125dbfc95268ff995ef8ea464660d67cf9f77e240e1ab
    f1f82d3b62f92f4fe8af320afea6c346210bb51774bb1567149e308469d40c92
    ffcddd8544bca0acde69f49abd1ea9dbee5f4eb73df51dd456b401c045a0b6af

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Hash

    sha256hash IN ("99c1cd740fa749a163ce8cdf93722191c4ba5d97de81576623a8bbcb622473d6","08207409e1d789aea68419b04354184490ce46339be071c6c185c75ab9d08cba","58e9cd249d947f829a6021cf6ab16c2ca8e83317dbe07a294e2035bb904d0cf3","ca651d0eb676923c3b29190f7941d8d2ac8f14e4ad6c26c466069bbc59df4d1d","56f1014eb2d145c957f9bc0843f4e506735d7821e16355bcfbb6150b1b5f39db","c9a1d8240147075cb7ffd8d568e6d3c517ac4cfdddccd5bb37857e7bde6d2eb7","78642603005f826a3b47effb852da980a6483ffb9461e30842020848305c9353","2727c73f3069457e9ad2197b3cda25aec864a2ab8da3c2790264d06e13d45c3d","b7bbfb66338a3413f981561115bd8ef8a4014479bcc320de563499cfc73a3de2","77fe1619aa07d2ab169a2fa23feb22d7433bf07e856cda1402cf60205beddd7f","ee0a27f3de6f21463f8125dbfc95268ff995ef8ea464660d67cf9f77e240e1ab","f1f82d3b62f92f4fe8af320afea6c346210bb51774bb1567149e308469d40c92","ffcddd8544bca0acde69f49abd1ea9dbee5f4eb73df51dd456b401c045a0b6af","2db4a15475f382e34875b37d7b27c3935c7567622141bc203fde7fe602bc8643","e5c8888f51369c2105d47a4998ad9b4053471bd98b4fd73a854207da09206ee2","6270cef0c8cc45905556c40c9273391d71ef8d73c865d44d2254a8a4943ae5b4","7d5da695e6f9a421e3d3a94e384ce00e8ec58fac5b895b4cba5b66a6de7fafd5","d5558ec7979a96fe1ddcb1f33053a1ac3416a9b65d4f27b5cc9fd0a816296184")
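    The following Python script is an added example, not Gurucul's TDIR query and not code from the Akira samples, showing how to apply the two detection opportunities above outside the TDIR platform: matching file SHA-256 digests against the IOC list, and flagging processes that create .arika temporary files in file-event telemetry (the creation event matters because the files are deleted again). The "timestamp event process path" log layout, the process name and the file paths in SAMPLE_EVENTS are constructed for the example and should be adapted to your EDR or Sysmon export.

```python
import hashlib
import re
import sys
from pathlib import Path

# SHA-256 indicators copied from the IOC list above.
AKIRA_SHA256 = {
    "08207409e1d789aea68419b04354184490ce46339be071c6c185c75ab9d08cba",
    "2727c73f3069457e9ad2197b3cda25aec864a2ab8da3c2790264d06e13d45c3d",
    "2db4a15475f382e34875b37d7b27c3935c7567622141bc203fde7fe602bc8643",
    "56f1014eb2d145c957f9bc0843f4e506735d7821e16355bcfbb6150b1b5f39db",
    "58e9cd249d947f829a6021cf6ab16c2ca8e83317dbe07a294e2035bb904d0cf3",
    "6270cef0c8cc45905556c40c9273391d71ef8d73c865d44d2254a8a4943ae5b4",
    "77fe1619aa07d2ab169a2fa23feb22d7433bf07e856cda1402cf60205beddd7f",
    "78642603005f826a3b47effb852da980a6483ffb9461e30842020848305c9353",
    "7d5da695e6f9a421e3d3a94e384ce00e8ec58fac5b895b4cba5b66a6de7fafd5",
    "99c1cd740fa749a163ce8cdf93722191c4ba5d97de81576623a8bbcb622473d6",
    "b7bbfb66338a3413f981561115bd8ef8a4014479bcc320de563499cfc73a3de2",
    "c9a1d8240147075cb7ffd8d568e6d3c517ac4cfdddccd5bb37857e7bde6d2eb7",
    "ca651d0eb676923c3b29190f7941d8d2ac8f14e4ad6c26c466069bbc59df4d1d",
    "d5558ec7979a96fe1ddcb1f33053a1ac3416a9b65d4f27b5cc9fd0a816296184",
    "e5c8888f51369c2105d47a4998ad9b4053471bd98b4fd73a854207da09206ee2",
    "ee0a27f3de6f21463f8125dbfc95268ff995ef8ea464660d67cf9f77e240e1ab",
    "f1f82d3b62f92f4fe8af320afea6c346210bb51774bb1567149e308469d40c92",
    "ffcddd8544bca0acde69f49abd1ea9dbee5f4eb73df51dd456b401c045a0b6af",
}


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path) -> str:
    # Stream the file so large binaries do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_akira_ioc(digest: str) -> bool:
    # IOC feeds mix upper- and lower-case hex; normalise before comparing.
    return digest.lower() in AKIRA_SHA256


def scan_directory(root: Path) -> list:
    """Return (path, sha256) for every regular file whose hash is on the IOC list."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            digest = sha256_of_file(p)
            if is_akira_ioc(digest):
                hits.append((str(p), digest))
    return hits


# Constructed file-event log in an assumed "timestamp event process path" layout.
# Not real telemetry: the process and paths are invented for this example.
SAMPLE_EVENTS = """\
2024-09-17T10:01:02Z FileCreate C:\\Windows\\explorer.exe C:\\Users\\bob\\report.docx
2024-09-17T10:01:05Z FileCreate C:\\Temp\\w.exe C:\\Users\\bob\\report.docx.arika
2024-09-17T10:01:06Z FileDelete C:\\Temp\\w.exe C:\\Users\\bob\\report.docx.arika
2024-09-17T10:01:07Z FileCreate C:\\Temp\\w.exe C:\\Users\\bob\\report.docx.akira
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+(?P<proc>\S+)\s+(?P<path>.+)$")


def find_autosave_artifacts(log_text: str) -> dict:
    """Group .arika temp-file creations by the process that wrote them.

    Only FileCreate events are considered: the ransomware deletes the temp
    files afterwards, so a point-in-time disk scan will usually miss them,
    but the creation event remains in the log.
    """
    by_process = {}
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m or m["event"] != "FileCreate":
            continue
        if m["path"].lower().endswith(".arika"):
            by_process.setdefault(m["proc"], []).append(m["path"])
    return by_process


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for path, digest in scan_directory(root):
        print(f"IOC match: {path} {digest}")
    for proc, paths in find_autosave_artifacts(SAMPLE_EVENTS).items():
        print(f"{proc} created {len(paths)} .arika temp file(s): {paths}")
```

    Run it as `python akira_check.py <directory>` to hash a tree against the IOC list; the .arika check runs over the embedded sample log, and in practice you would feed it the file-creation events exported from your endpoint telemetry. A hash match is a high-confidence signal on these specific builds only, while the .arika creation pattern survives recompilation and is the check worth keeping in a detection rule.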

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-02-27-IOCs-for-Akira-Ransomware.txt 


    Tags

    Ransomware, Malware
