Akira

Akira gains entry through compromised VPN credentials obtained via spear-phishing campaigns and direct exploitation of Cisco ASA, FortiClient, and SonicWall vulnerabilities (T1190, T1133, T1566.001, T1078). Initial Access Brokers frequently provide entry points, with credentials purchased and exploited within days of availability.

Techniques target Cisco firewall implementations where firewall PINs lack MFA or rely on push MFA configurations. VPN remote access exploitation remains a primary vector when MFA is absent or misconfigured.

‍

Upon gaining access, ShareFinder.ps1 scripts automatically map network shares and enumerate valuable data repositories.

Extensive reconnaissance utilizes native Windows commands and PowerShell scripts to identify high-value targets and locate backup systems (T1057, T1087, T1083). Advanced IP Scanner, Masscan, ReconFTW, SharpHound, SoftPerfect NetScan, and Impacket tools enable comprehensive network mapping and domain structure enumeration.

AnyDesk serves as the primary tool for persistent remote access, with redundant connections established through compromised infrastructure. The arsenal includes ScreenConnect, TeamViewer variants, MobaXterm, Radmin, and RustDesk to maintain operational flexibility and evade detection (T1219).

Defense strategies systematically disable antivirus solutions and clear event logs while employing PowerShell obfuscation techniques. EDR bypass methods leverage unconventional approaches including webcam exploitation (T1562.001, T1070.001, T1140). VMware vCenter exploits and Cisco firewall vulnerabilities provide additional evasion capabilities.

The toolkit includes PowerTool, Zemana Anti-Rootkit driver, and KillAV for security bypass, while Ngrok and Ngroki.jio serve as proxy services to mask malicious traffic.

Mimikatz deployment enables systematic credential harvesting from LSASS process memory, supplemented by keylogging for real-time capture. The group targets stored credentials in browsers and password managers (T1003, T1555, T1056.001). DonPAPI and LaZagne automate credential extraction, while Impacket utilities specifically target cached domain credentials.

C2 infrastructure operates through TOR hidden services and compromised legitimate websites to avoid detection. Communication channels employ encrypted protocols and domain fronting techniques for resilient connectivity (T1071, T1090, T1573).

Network traversal leverages RDP, SMB, and PsExec with particular focus on domain controllers for privilege escalation. WMI and PowerShell remoting enable stealthy movement across systems (T1021, T1047, T1059.001). Impacket's psexec.py facilitates remote execution, while attackers specifically target network attached storage and ESXi environments through SSH. RDP to domain controllers provides rapid administrative access across the environment.

Data staging utilizes WinRAR for compression before transfer via FileZilla and RClone to attacker-controlled infrastructure. Extended exfiltration periods help avoid detection (T1048, T1041, T1567).

Mega cloud storage, Temp[.]sh, and WinSCP provide additional exfiltration channels. Scattered Spider affiliates specifically exploit Veeam infrastructure when available for rapid data theft.

The group creates domain accounts with elevated privileges and deploys scheduled tasks across critical infrastructure. Registry key modifications ensure automatic execution upon system restart (T1136.002, T1053, T1547.001).

Operations achieve comprehensive business disruption through encryption of critical systems and backup destruction. Recovery timelines typically extend weeks or months due to the thoroughness of the attack (T1486, T1490, T1485).

Ransomware deployment features multi-threaded encryption utilizing ChaCha20/ChaCha8 algorithms for maximum speed. Platform-specific variants target Windows, Linux, and ESXi systems (T1486). RMM tools facilitate widespread deployment, with specialized routines to encrypt both ESXi and Linux systems simultaneously.

The double extortion model combines data encryption with publication threats on dedicated leak sites. Ransom demands range from hundreds of thousands to several million dollars, with negotiations conducted exclusively through TOR-based portals.

Forensic artifacts are systematically removed while logs are cleared and volume shadow copies deleted to prevent recovery. Timestamp manipulation and tool removal eliminate evidence trails (T1070, T1490). ‍

Anti-forensic tooling ensures comprehensive cleanup, with shadow copy deletion preventing file restoration. Scattered Spider affiliates demonstrate particular destructiveness, ensuring complete backup deletion to maximize impact.