Government warns internet users of ‘AKIRA’ ransomware; hackers using AnyDesk, WinRAR, PCHunter
CERT-In has revealed that Akira's operators are known to exploit VPN services, particularly when users have not enabled multi-factor authentication.
The Indian Computer Emergency Response Team (CERT-In) has issued a warning about a new internet ransomware virus called 'Akira,' which is causing significant concern. This malicious software is designed to target both Windows and Linux-based systems.
According to a PTI report, the attackers behind Akira first steal vital personal information from their victims and then proceed to encrypt the data on their systems. To coerce the victims into paying the ransom, they engage in double extortion tactics.
According to CERT-In's latest advisory, if the victim refuses to pay the ransom, the attackers will publish the stolen data on their dark web blog. The agency emphasizes that Akira's operators are known to exploit VPN services, particularly when users have not enabled multi-factor authentication. In their intrusions, the ransomware group has been found to use tools like AnyDesk, WinRAR, and PCHunter, often going unnoticed by victims.
The technical details of the virus reveal that 'Akira' erases Windows Shadow Volume Copies on the targeted device before encrypting files. During this encryption process, each encrypted file's name is appended with a '.akira' extension. Additionally, the ransomware terminates active Windows services using the Windows Restart Manager API to prevent interference with the encryption process. Files in various hard drive folders, except ProgramData, Recycle Bin, Boot, System Volume Information, and Windows folders, are encrypted.
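The file-level behaviour and tool names described above can be checked against endpoint telemetry. The Python example below is added here and is not taken from CERT-In's advisory; the event records, their field names, the host names and the executable file names are constructed, and matching the named tools by image-name substring and the skipped folders by top-level directory are assumptions.

```python
from pathlib import PureWindowsPath

# Top-level folders the advisory says are left unencrypted ("Recycle Bin" is
# stored on disk as $Recycle.Bin).
SKIPPED = {"programdata", "$recycle.bin", "boot", "system volume information", "windows"}
# Tools named in the advisory; matching by image-name substring is an assumption.
TOOLS = ("anydesk", "winrar", "pchunter")

# Constructed sample events; the field names are hypothetical, not a real EDR schema.
EVENTS = [
    {"host": "WS-01", "type": "process_start", "path": r"C:\Users\Public\AnyDesk.exe"},
    {"host": "WS-01", "type": "process_start", "path": r"C:\Tools\PCHunter64.exe"},
    {"host": "WS-01", "type": "file_write", "path": r"C:\Users\user1\Documents\budget.xlsx.akira"},
    {"host": "WS-01", "type": "file_write", "path": r"D:\Shares\hr\payroll.csv.akira"},
    {"host": "WS-01", "type": "file_write", "path": r"C:\Windows\Temp\cache.akira"},
    {"host": "WS-02", "type": "process_start", "path": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"host": "WS-02", "type": "file_write", "path": r"C:\Users\user2\notes.txt"},
]

def in_skipped_folder(path):
    """True if the path's first folder under the drive root is one Akira skips."""
    p = PureWindowsPath(path)
    folders = p.parts[1:] if p.anchor else p.parts
    return len(folders) > 1 and folders[0].lower() in SKIPPED

def triage(events):
    """Summarise per host: '.akira' files, those in skipped folders, tools seen."""
    report = {}
    for ev in events:
        row = report.setdefault(ev["host"], {"encrypted": 0, "in_skipped": [], "tools": set()})
        p = PureWindowsPath(ev["path"])
        if ev["type"] == "file_write" and p.suffix.lower() == ".akira":
            if in_skipped_folder(p):
                row["in_skipped"].append(str(p))  # not the described behaviour: review by hand
            else:
                row["encrypted"] += 1
        elif ev["type"] == "process_start":
            row["tools"].update(t for t in TOOLS if t in p.name.lower())
    return report

def hosts_to_isolate(report):
    """Hosts with '.akira' files outside the skipped folders, worst first."""
    hit = [h for h, r in report.items() if r["encrypted"] > 0]
    return sorted(hit, key=lambda h: -report[h]["encrypted"])

if __name__ == "__main__":
    for host, row in triage(EVENTS).items():
        print(host, row)
```

AnyDesk and WinRAR are also widely used legitimate software, so a tool match without '.akira' files is a prompt for review, not a verdict.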
Amit Jaju, Senior Managing Director, Ankura Consulting Group (India), sheds light on it: “Rising Threat of Ransomware, the Akira ransomware attack is a stark reminder of the escalating threat landscape in cybersecurity. It's not just about data theft anymore; ransomware attacks like these are a form of digital hostage-taking, where critical data is held for ransom, disrupting businesses and even governments.”
Jaju also explains the strategy used by the hackers: “The Double Extortion tactic applies here. Akira uses a double extortion tactic, which is becoming increasingly common among cybercriminals. Not only is the data encrypted, making it inaccessible to the victims, but it's also threatened to be released publicly on the dark web if the ransom isn't paid. This can lead to further damage, including reputational harm and potential regulatory penalties for data breaches.”
What you can do
CERT-In advises internet users to follow basic online hygiene and protection protocols to safeguard themselves from such attacks. Maintaining offline backups of critical data is highly recommended to avoid data loss in case of infection. Regularly updating operating systems and applications is also crucial, and virtual patching can be employed to protect legacy systems and networks from cybercriminals exploiting vulnerabilities in outdated software.
Strong Passwords and MFA
Furthermore, the advisory emphasized the importance of strong password policies and multi-factor authentication (MFA) to enhance security. Users should avoid applying updates or patches from unofficial channels and take other necessary measures to counter cyber and ransomware attacks. Being proactive in adopting these practices can help individuals and organizations stay resilient against the Akira ransomware threat.