win.akira

Akira


There is no description at this point.

References
2024-10-24 | Arctic Wolf | Akshay Suthar, Stefan Hostetler, Steven Campbell
Arctic Wolf Labs Observes Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN
Tags: Akira Akira

2024-09-11 | loginsoft | T B L N Shashank Mannar
Akira Ransomware: The Evolution of a Major Threat
Tags: Akira Akira

2024-06-19 | Joshua Penny, vc0RExor
Akira: The old-new style crime
Tags: Akira

2024-05-14 | S-RM | Callum Wilson, Ineta Simkunaite
Breaking new ground? Uncovering Akira's privilege escalation techniques
Tags: Akira

2024-01-04 | Arctic Wolf | Stefan Hostetler, Steven Campbell
Follow-On Extortion Campaign Targeting Victims of Akira and Royal Ransomware
Tags: Akira Royal Ransom

2023-12-20 | Sophos X-Ops | Mark Loman, Matt Wixey
CryptoGuard: An asymmetric approach to the ransomware battle
Tags: Akira LockBit Storm-1567

2023-12-13 | Kaspersky Labs | GReAT
FakeSG campaign, Akira ransomware and AMOS macOS stealer
Tags: AMOS Akira Storm-1567

2023-11-29 | Trellix | Alexandre Mundo, Max Kersten
Akira Ransomware
Tags: Akira

2023-11-29 | Trellix | Alexandre Mundo, Max Kersten
Akira Ransomware
Tags: Akira Akira Storm-1567

2023-11-28 | Intrinsec | CERT Intrinsec, Intrinsec
Aki-RATs – Command and Control Party
Tags: Akira

2023-10-11 | Microsoft | Amir Kutcher, Charles-Edouard Bettan, Edan Zwick, Noam Hadash, Yair Tsarfaty
Automatic disruption of human-operated attacks through containment of compromised user accounts
Tags: Akira Akira

2023-09-15 | CyberCX | Phill Moore, Suyash Tripathi, Yogesh Khatri, Zach Stanford
Weaponising VMs to bypass EDR – Akira ransomware
Tags: Akira

2023-09-14 | Sekoia | Livia Tibirna
Sekoia.io mid-2023 Ransomware Threat Landscape
Tags: 8Base Akira Cactus Storm-1567

2023-08-23 | Stairwell | Silas Cutler
Akira: Pulling on the chains of ransomware
Tags: Akira

2023-07-27 | Bankinfo Security | Mathew J. Schwartz
Are Akira Ransomware's Crypto-Locking Malware Days Numbered?
Tags: Akira Ryuk

2023-07-26 | Arctic Wolf | Akshay Suthar, Connor Belfiore, Steven Campbell
Conti and Akira: Chained Together
Tags: Akira Conti

2023-06-29 | Avast Decoded | Threat Research Team
Decrypted: Akira Ransomware
Tags: Akira

2023-05-09 | Sophos | Paul Jaramillo
Akira Ransomware is “bringin’ 1988 back”
Tags: Akira

2023-04-28 | Twitter (@MalGamy12) | Gameel Ali
Tweet explaining similarity between Conti and Akira code
Tags: Akira
Yara Rules
[TLP:WHITE] win_akira_auto (20241030 | Detects win.akira.)
rule win_akira_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.akira."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.akira"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? 488d8a58000000 e9???????? 4889542410 55 4883ec40 488bea }
            // n = 7, score = 200
            //   e9????????           |                     
            //   488d8a58000000       | dec                 eax
            //   e9????????           |                     
            //   4889542410           | lea                 ecx, [ebp + 0x6d5]
            //   55                   | dec                 eax
            //   4883ec40             | mov                 edx, eax
            //   488bea               | mov                 byte ptr [ebp + 0x6dd], 0x79

        $sequence_1 = { c1fa06 8bc2 c1e81f 03d0 6bc27f 2bc8 42888c05cb020000 }
            // n = 7, score = 200
            //   c1fa06               | dec                 edx
            //   8bc2                 | movsx               eax, byte ptr [ecx + ebx + 0x6b190]
            //   c1e81f               | mov                 eax, dword ptr [ebx + 0xc]
            //   03d0                 | cmp                 dword ptr [edi + 0xc], eax
            //   6bc27f               | jne                 0x20e
            //   2bc8                 | mov                 al, 1
            //   42888c05cb020000     | dec                 eax

        $sequence_2 = { 488d4b28 e8???????? 66837b0a00 7413 bab0000000 488bcb e8???????? }
            // n = 7, score = 200
            //   488d4b28             | dec                 eax
            //   e8????????           |                     
            //   66837b0a00           | lea                 eax, [ecx + 1]
            //   7413                 | dec                 eax
            //   bab0000000           | mov                 dword ptr [ebp - 0x11], eax
            //   488bcb               | dec                 eax
            //   e8????????           |                     

        $sequence_3 = { f30f7f442430 33d2 488d4c2430 e8???????? 498b4f18 48394d28 0f854f010000 }
            // n = 7, score = 200
            //   f30f7f442430         | lea                 eax, [ebx + 1]
            //   33d2                 | dec                 eax
            //   488d4c2430           | cmp                 ebx, -1
            //   e8????????           |                     
            //   498b4f18             | dec                 eax
            //   48394d28             | cmove               eax, ebx
            //   0f854f010000         | dec                 eax

        $sequence_4 = { e8???????? 48895f08 ba18000000 488bcf e8???????? 488d4dd8 ff15???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   48895f08             | mov                 byte ptr [ebp + 0x24b], 0x74
            //   ba18000000           | mov                 byte ptr [ebp + 0x24c], 0x6e
            //   488bcf               | mov                 byte ptr [ebp + 0x24d], 0x32
            //   e8????????           |                     
            //   488d4dd8             | mov                 byte ptr [ebp + 0x24e], 0x6e
            //   ff15????????         |                     

        $sequence_5 = { ff5020 88442430 0f57c0 0f11459f 48c745af01000000 41bf0f000000 4c897db7 }
            // n = 7, score = 200
            //   ff5020               | dec                 eax
            //   88442430             | mov                 eax, ebx
            //   0f57c0               | dec                 eax
            //   0f11459f             | add                 esp, 0x50
            //   48c745af01000000     | pop                 ebx
            //   41bf0f000000         | ret                 
            //   4c897db7             | dec                 eax

        $sequence_6 = { 4584ed 7444 498d5eff 488b75df 483bde 7425 e8???????? }
            // n = 7, score = 200
            //   4584ed               | dec                 ecx
            //   7444                 | mov                 dword ptr [ecx + 8], edx
            //   498d5eff             | inc                 ecx
            //   488b75df             | mov                 dword ptr [ecx + 0x24], eax
            //   483bde               | movzx               ecx, byte ptr [edx]
            //   7425                 | and                 ecx, 0xf
            //   e8????????           |                     

        $sequence_7 = { 66660f1f840000000000 49ffc0 6642833c4000 75f5 488d9539030000 488d8de0150000 e8???????? }
            // n = 7, score = 200
            //   66660f1f840000000000     | jne    0xc35
            //   49ffc0               | dec                 eax
            //   6642833c4000         | lea                 edx, [esp + 0x21]
            //   75f5                 | dec                 eax
            //   488d9539030000       | lea                 ecx, [ebp + 0x30]
            //   488d8de0150000       | dec                 esp
            //   e8????????           |                     

        $sequence_8 = { 41884640 41c6464101 498b0c24 48894c2430 4885c9 7445 488b5770 }
            // n = 7, score = 200
            //   41884640             | inc                 ecx
            //   41c6464101           | mov                 byte ptr [esi], 0x2d
            //   498b0c24             | dec                 ebp
            //   48894c2430           | lea                 edi, [esi + 1]
            //   4885c9               | dec                 eax
            //   7445                 | mov                 ecx, dword ptr [edi]
            //   488b5770             | dec                 eax

        $sequence_9 = { 7508 c60330 48ffcb ebdf fec1 880b 483bde }
            // n = 7, score = 200
            //   7508                 | dec                 eax
            //   c60330               | lea                 ecx, [0x8bcb9]
            //   48ffcb               | dec                 eax
            //   ebdf                 | mov                 eax, dword ptr [0x58]
            //   fec1                 | mov                 edx, 4
            //   880b                 | dec                 eax
            //   483bde               | mov                 ecx, dword ptr [eax]

    condition:
        7 of them and filesize < 1286144
}