New Delhi, UPDATED: Jul 24, 2023 16:11 IST
By Divyanshi Sharma: The government is warning netizens against a dangerous ransomware strain called Akira, which targets systems running Windows and Linux. The Indian Computer Emergency Response Team (CERT-In) recently issued an advisory reporting the emergence of the new ransomware.
As per the advisory, the group behind Akira steals data from its victims before encrypting it, and then extorts them twice: once for the decryption key and once to keep the stolen data private. If the victim refuses to pay, the group publishes the data on its dark web leak blog.
Government warns against Akira ransomware
The CERT-In advisory warns that the ransomware group gains access to victim environments through VPN services, particularly where multi-factor authentication has not been enabled on the VPN accounts. Once inside, the group uses legitimate tools such as AnyDesk, WinRAR, and PCHunter that are often already present in the victim's environment, so their misuse typically goes unnoticed.
“A recently emerged Ransomware operation dubbed Akira is reportedly active in cyberspace. This ransomware is targeting both Windows and Linux-based systems. This group first steals the information from the victims, then encrypts data on their systems and conducts double extortion to force the victim into paying the ransom. In case the victim does not pay, they release their victim’s data on their dark web blog. The group is known to access victim environments via VPN services, particularly where users have not enabled multi-factor authentication. The group has also utilised tools such as AnyDesk, WinRAR, and PCHunter during intrusions. These tools are often found in the victim’s environment, and their misuse typically goes unnoticed,” the advisory said.
How does Akira work?
The advisory then provides a technical description of how the ransomware operates. Akira first deletes the Windows Shadow Volume Copies on the infected device, which removes the built-in 'Previous Versions' and System Restore snapshots a victim could otherwise use to recover files without paying. It then encrypts files with a predefined set of extensions and appends a '.akira' extension to each encrypted file. To avoid interference during encryption, it uses the Windows Restart Manager API, the mechanism installers normally use to close applications holding files open, to shut down running services and release the locks on files it wants to encrypt. Akira skips the ProgramData, Recycle Bin, Boot, System Volume Information and Windows folders, and does not modify Windows system files (those with extensions such as .sys, .msi, .dll, .lnk and .exe), so that the machine stays bootable and the victim can still read the ransom demand.
“The attack process begins when a sample of the Akira ransomware is executed. Upon execution, Akira deletes the Windows ‘Shadow Volume Copies’ on the targeted device. The ransomware then encrypts files with a predefined set of extensions. A ‘.akira’ extension is appended to each encrypted file’s name during this encryption process.
“In the encryption phase, the ransomware terminates active Windows services using the Windows Restart Manager API. This step prevents any interference with the encryption process. It encrypts files found in various hard drive folders, excluding the ProgramData, Recycle Bin, Boot, System Volume Information, and Windows folders. To maintain system stability, it refrains from modifying Windows system files, which include files with extensions like .sys, .msi, .dll, .lnk, and .exe,” the advisory states.
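The two behaviours the advisory describes, shadow copy deletion followed by a burst of files renamed with a '.akira' suffix, are both visible in ordinary endpoint telemetry. The script below is an added example written for this article, not code from CERT-In or from the Akira operators, and it runs two detection rules over constructed Sysmon-style process-creation and file-creation events. The advisory does not say which command Akira uses to delete shadow copies, so the command-line patterns matched here (vssadmin, wmic and WMI from PowerShell, the usual built-in ways of doing it) are an assumption, as are the log format, the 60-second window and the five-file threshold.

```python
"""Hunt for Akira-style behaviour in Sysmon-like events.

Added example, not from the CERT-In advisory. Assumptions: the shadow-copy
deletion commands below are the common built-in ways of doing it (the advisory
gives no command line); the pipe-separated log format, the window size and the
burst threshold are chosen for the example. All sample events are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common built-in ways of deleting Volume Shadow Copies (assumed, not from the page).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    re.compile(r"win32_shadowcopy.*\.delete\(\)", re.IGNORECASE),
]

ENCRYPTED_SUFFIX = ".akira"  # extension the advisory says Akira appends

# Constructed sample events modelled on Sysmon Event ID 1 (process create,
# detail = command line) and Event ID 11 (file create, detail = target file).
# Fields: time|event_id|pid|image|detail
SAMPLE_LOG = r"""
2023-07-24T10:00:01|1|4120|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2023-07-24T10:00:02|1|4130|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2023-07-24T10:00:03|1|4140|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt
2023-07-24T10:00:04|1|4150|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
2023-07-24T10:00:05|11|4200|C:\Users\alice\Downloads\w.exe|C:\Users\alice\Documents\q1.xlsx.akira
2023-07-24T10:00:06|11|4200|C:\Users\alice\Downloads\w.exe|C:\Users\alice\Documents\q2.xlsx.akira
2023-07-24T10:00:06|11|4200|C:\Users\alice\Downloads\w.exe|C:\Users\alice\Documents\plan.docx.akira
2023-07-24T10:00:07|11|4200|C:\Users\alice\Downloads\w.exe|C:\Users\alice\Pictures\cat.jpg.akira
2023-07-24T10:00:08|11|4200|C:\Users\alice\Downloads\w.exe|C:\Users\alice\Pictures\dog.jpg.akira
2023-07-24T10:00:09|11|4200|C:\Users\alice\Downloads\w.exe|C:\Users\alice\Desktop\budget.pdf.akira
2023-07-24T10:05:00|11|5000|C:\Users\bob\tools\rename.exe|C:\Users\bob\scratch\test.akira
"""


def parse_events(text):
    """Parse the pipe-separated sample format; the detail field may itself contain '|'."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ts, event_id, pid, image, detail = line.split("|", 4)
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "pid": int(pid),
            "image": image,
            "detail": detail,
        })
    return events


def detect_shadow_copy_deletion(events):
    """Return (pid, command line) for process-create events that delete shadow copies."""
    hits = []
    for ev in events:
        if ev["event_id"] != 1:
            continue
        if any(p.search(ev["detail"]) for p in SHADOW_DELETE_PATTERNS):
            hits.append((ev["pid"], ev["detail"]))
    return hits


def detect_mass_encryption(events, window_seconds=60, threshold=5):
    """Return (pid, image, count) for processes creating >= threshold '.akira'
    files inside any window_seconds-long window. The burst requirement is what
    separates an encryption run from a single coincidentally named file."""
    by_pid = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 11 and ev["detail"].lower().endswith(ENCRYPTED_SUFFIX):
            by_pid[ev["pid"]].append(ev)
    window = timedelta(seconds=window_seconds)
    hits = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["time"])
        best = 0
        for i, start in enumerate(evs):  # sliding window from each event
            count = sum(1 for e in evs[i:] if e["time"] - start["time"] <= window)
            best = max(best, count)
        if best >= threshold:
            hits.append((pid, evs[0]["image"], best))
    return hits


def analyse(text, window_seconds=60, threshold=5):
    """Run both rules over a log and return the findings keyed by rule name."""
    events = parse_events(text)
    return {
        "shadow_copy_deletion": detect_shadow_copy_deletion(events),
        "mass_encryption": detect_mass_encryption(events, window_seconds, threshold),
    }


if __name__ == "__main__":
    for rule, findings in analyse(SAMPLE_LOG).items():
        print(rule)
        for finding in findings:
            print("  ", finding)
```

On the sample, the first rule flags the three shadow-copy deletions and ignores notepad, and the second flags only the process that wrote six '.akira' files in ten seconds, not the single stray file from another process. In a real deployment the shadow-copy rule is the higher-value one: it fires before encryption starts, whereas a rename burst is detected only once files are already lost.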
How to stay safe
The best way to stay safe from Akira is to practice basic online hygiene and protection protocols. Users and organisations should also keep offline backups of important data and test them regularly: because Akira deletes shadow copies and encrypts anything it can reach, only a backup that is disconnected from the network can be relied on for recovery without paying.
Regular updates of operating systems and applications are also important, and virtual patching can be used to protect legacy systems and networks. Strong password policies, multi-factor authentication (especially on VPN and other remote-access services, the entry point the advisory identifies), and avoiding unofficial channels for updates and patches are other measures that reduce exposure to cyber and ransomware attacks.