Lab539 were provided with some insight into the negotiations which take place with the ransomware group Akira. We have documented them here should they provide value to other victims.

Background

Akira first appeared on our radar relatively recently, March 2023 and even more recently they evolved their operations with a Linux variant to complement their existing Windows variant. Akira operate a double extortion model, both encrypting and exfiltrating data from victim organizations. Those who choose not to pay the ransom have their data leaked on line. In a slightly different approach to most ransomware groups Akira share the leaked data via BitTorrent rather than as direct downloads (something which, very recently Cl0p have started to do so after their MOVEit campaign).

Researchers at Avast have developed a decryptor for the Akira ransomware and made it available for public download. If you are a victim of Akira ransomware, then this should absolutely be your starting point: https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/

If this does not work for you, or you wish to limit the exposure of your data rather than simply achieve decryption, the following should provide some insights which may be valuable or at the very least limit the unknown.

Ransom Note

The encryptor is compiled on a per victim basis, so no two victims will have the same hash for their encryptor. The ransom note is hardcoded into the executable and reads as follows:

Hi friends,

Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption. Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know:

1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal.

2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help.

3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data.

4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion.

5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us. If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:

1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/.

2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion.

3. Use this code - 1234-AB-CDEF-GHIJ - to log into our chat. Keep in mind that the faster you will get in touch, the less damage we cause.

In this ransom note we have highlighted 3 items:

1. https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion – the URL where Akira list and share the data on their victims

2. https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion – the URL where Akira victims can access their chat/negotiation with Akira

3. 1234-AB-CDEF-GHIJ – the victim ID that you use to access the negotiations (the one we share here is not a real ID, but follows the same format as the ID victims will receive)

The ransom notes that Lab539 have observed on victim networks appear in a file named akira_readme.txt. Encrypted files end up with the .akira extension.

Each victim that Lab539 have observed had a different RSA public key hardcoded into the encryption binary.

Accessing your victim page

On accessing the URL at which victims can chat/negotiate with Akira the following login screen is presented:

Entering the victim ID from the ransom note results in you joining a chat with Akira. The chat transcripts which were shared with Lab539 show somewhat different communications per victim, indicating that comms are with a human.

On first accessing the chat many will be presented with a message stating that they are preparing the files, this is a list of files which will later be shared with the victim to demonstrate what data Akira have stolen and encrypted:

Once this process is completed (it appears to be a relatively manual process), the victim is then provided with a directory listing of stolen/encrypted files (“the list”), which they can download and view. They can select 2-3 files from the list which they have downloaded and Akira will upload these to the chat unencrypted in order to prove that they have taken the files. The victim can also upload 2-3 files, which Akira will decrypt and share with them in order to demonstrate that the decryption keys they wish to sell you work:

The file download format for the file list varies, we’ve seen .txt, .zip, .rar and .7z extensions. In all cases there is a list of files taken from the system(s) ransomwared. The differences here suggest multiple different operators and also a manual, human-driven process.

In the instances shared with Lab539, where victims requested proof of possession this was provided by Akira. Equally, Akira did appear to successfully decrypt the encrypted files which victims uploaded. Whilst it would have been possible for Akira to simply share back the unencrypted copy which they had exfiltrated, rather than performing decryption, there is no evidence that this was occurring. In fact, in one exchange shared with us, it appeared that the victim had tested this by uploading something other than a file encrypted by Akira and was called out for it.

The ransom demands from Akira varied depending on the size of the victim organization, as they highlight in the chat below, Akira trawl company financial papers in order to come up with what they consider a “reasonable demand”:

From this point onwards the direction of the negotiations varied depending on the interaction between the Akira operators and the victim (or those operating on behalf of the victim). We’ve therefore listed a number of observations below in order to provide some insight.

Observations

• The ransoms that were shared with us varied between tens of thousands of dollars up to $2m.

• Payment was requested via Bitcoin. The Bitcoin wallet ID appeared to be unique per victim.

• Whilst there is some room for negotiation on the price (we’ve seen Akira reduce the price by up to 40% through negotiation, and have also seen Akira offer reductions for quick payments), there is very little consistency in this. Akira prefer to negotiate based upon “the services they provide” (listed in the screenshot above). They often speak of a “package deal” - the price they first offer is this package and includes all items listed - but you could take individual items if you wished but it would cost you proportionally more.

• Some victims have chosen to pay a lesser fee to ensure that their data is not leaked online but not to pay for decryption keys (perhaps because they have been able to use Avast’s decryptor, or they have sufficient backups). For this Akira provided evidence of data removal.

• Evidence of deletion of data typically cost in the region of 40% of the initial ransom demands.

• In all instances where we saw payments made Akira came good and honored the agreement.

• Victims who have been posted on Akira’s leak site have successfully been removed after the event, but only through making a payment of some sort.

• Engaging with Akira has proven to extend the window of time between the ransomware event occurring and the victims data being published. Failure to engage has resulted in data being leaked within 24 hours.

• In instances Akira have created new chat channels for victims, rather than the one corresponding to the ID set in their encryptor. We would recommend that this is the first thing any victim does if they choose to engage with Akira.

• Akira’s Linux encryptor runs on ESXi hosts, however, we did not observe any data exfiltrated from ESXi hosts, only from windows hosts (note: the sample set on Linux/ESXi encryption shared with us was, however, very limited).

• Akira clearly spend time targeting financial data in order to help them set ransom demands.

• The Akira leak site has two sections listing victims: “news” and “leaks”. News lists the names of victims and some information about them. The leaks section lists the same victim but also provides a download link for the torrent in which their data is held.

• Victims are listed in the “news” section prior to the “leaks” section. There are some victims who have appeared in the news but have never appeared in the leaks, the reason for this is unknown, it may simply be that Akira have not yet gotten around to leaking the data.

Summary

Hopefully this provides some useful information to victims or those whose job it is to respond to ransomware incidents involving Akira. The first port of call should absolutely be the decryptors which Avast have shared freely with the community (nice work, thanks!). If they do not cover what you need then we hope that some of the observations we have made are valuable. Obviously our thanks to the source (who wishes to remain anonymous) who has been able to provide the insight on which this article is written.

In summary, there is some room for negotiation. Akira clearly spend time assessing their victims and their ability to pay. They do appear to honor their word, we didn’t observe instances where they backtracked on a negotiation – although there were instances where things could have been clearer (but they did provide the clarity if requested).

If you have insights from experience with Akira, or other ransomware groups, that you would wish to share then feel free to drop us a message.