AKIRA RANSOMWARE

WHY IN NEWS?

  • Recently, India’s national nodal agency for responding to computer security incidents, the Indian Computer Emergency Response Team (CERT-In), issued an alert about a ransomware dubbed “Akira.”

ABOUT AKIRA RANSOMWARE:

  • The Akira ransomware is designed to encrypt data, drop a ransom note and delete Windows Shadow Volume copies on affected devices.
  • The ransomware gets its name from the way it renames every encrypted file by appending the “.akira” extension.
  • The ransomware is designed to terminate processes or shut down Windows services that might otherwise prevent it from encrypting files on the affected system.
  • It abuses VPN services, especially where users have not enabled two-factor authentication, to trick users into downloading malicious files.

MODUS OPERANDI OF THE RANSOMWARE:

  • The ransomware terminates active Windows services using the Windows Restart Manager API, preventing any interference with the encryption process.
  • It is designed not to encrypt ProgramData, the Recycle Bin, Boot, System Volume Information and other folders instrumental to system stability.
  • It also avoids modifying Windows system files with extensions such as .syn, .msl and .exe.
  • Once sensitive data is stolen and encrypted, the ransomware leaves behind a note named akira_readme.txt.
  • This note includes information about the attack and the link to Akira’s leak and negotiation site.
  • Each victim is given a unique negotiation password to be entered into the threat actor’s Tor site.
  • Unlike other ransomware operations, this negotiation site just includes a chat system that the victim can use to communicate with the ransomware gang.
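The two host-level indicators named above, the “.akira” extension appended to encrypted files and the akira_readme.txt note, can be turned into a simple detection rule. The following is an added example, not code from CERT-In or the source article; the log format, host names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-system audit events (not real telemetry), one
# per line in the assumed format "<ISO timestamp> <host> <event> <path>".
SAMPLE_EVENTS = """\
2023-07-24T10:00:01 ws-07 RENAME C:\\Users\\asha\\Documents\\budget.xlsx.akira
2023-07-24T10:00:02 ws-07 RENAME C:\\Users\\asha\\Documents\\notes.docx.akira
2023-07-24T10:00:02 ws-07 RENAME C:\\Users\\asha\\Pictures\\team.jpg.akira
2023-07-24T10:00:03 ws-07 RENAME D:\\Shares\\hr\\payroll.csv.akira
2023-07-24T10:00:04 ws-07 CREATE C:\\Users\\asha\\Documents\\akira_readme.txt
2023-07-24T10:00:05 ws-07 CREATE D:\\Shares\\hr\\akira_readme.txt
2023-07-24T11:30:00 ws-12 RENAME C:\\Users\\raj\\old_report.pdf.akira
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (CREATE|RENAME) (.+)$")
RENAME_THRESHOLD = 3            # assumed: this many .akira renames on one host ...
WINDOW = timedelta(seconds=60)  # ... within this window is treated as mass encryption

def parse_events(text):
    """Parse log lines into (timestamp, host, event, path) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts, host, event, path = m.groups()
            events.append((datetime.fromisoformat(ts), host, event, path))
    return events

def detect_akira(events):
    """Return {host: [alert, ...]} using the two indicators named in the text:
    the akira_readme.txt ransom note and a burst of '.akira' renames."""
    alerts, renames = defaultdict(list), defaultdict(list)
    for ts, host, event, path in events:
        name = path.rsplit("\\", 1)[-1].lower()
        if event == "CREATE" and name == "akira_readme.txt":
            alerts[host].append(f"ransom note created: {path}")
        elif event == "RENAME" and name.endswith(".akira"):
            renames[host].append(ts)
    for host, stamps in renames.items():
        stamps.sort()
        # Sliding window: any RENAME_THRESHOLD consecutive renames inside WINDOW
        for i in range(len(stamps) - RENAME_THRESHOLD + 1):
            if stamps[i + RENAME_THRESHOLD - 1] - stamps[i] <= WINDOW:
                alerts[host].append(
                    f"{RENAME_THRESHOLD}+ files renamed to .akira within {WINDOW.seconds}s")
                break
    return dict(alerts)
```

A single stray rename (host ws-12 in the sample) stays below the threshold, so only the host showing both the note and the rename burst is flagged.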

IMPACT OF THE RANSOMWARE:

  • The ransomware infects a device and steals and encrypts sensitive data.
  • The group behind the attack extorts victims into paying a ransom, threatening to release the data on its dark web blog if its demands are not met.
  • The ransomware deletes the Windows Shadow Volume copies on the affected device.
  • These copies are instrumental in ensuring that organisations can back up the data their applications use for day-to-day functioning.
  • The threat actors also steal sensitive corporate data for leverage in their extortion attempts.
  • Once the ransomware has deleted the VSS copies, it proceeds to encrypt files, appending the predefined “.akira” extension.

HOW DOES IT INFECT DEVICES?

  • Ransomware is typically spread through spear phishing emails that contain malicious attachments in the form of archived content (zip/rar) files.
  • Other infection methods include drive-by download, an attack in which malicious code is downloaded onto a device without the user intending it.
  • It can also infect the devices through web links in emails, clicking on which downloads malicious code.
  • The ransomware reportedly also spreads through insecure Remote Desktop connections.

WHAT NEEDS TO BE DONE?

  • The Volume Shadow Copy Service (VSS) lets components be backed up without being taken offline, so data remains available for other functions while it is backed up.
  • Users are advised to ensure all operating systems and networks are updated regularly, with virtual patching for legacy systems and networks.
  • CERT-In has advised users to follow basic internet hygiene and protection protocols to secure themselves against ransomware.
  • These include maintaining up-to-date offline backups of critical data to prevent data loss in the event of an attack.
  • The agency has also advised periodic security audits of critical networks and systems, especially database servers.

WAY FORWARD:

  • There should also be a strict external device usage policy in place, along with data-at-rest and data-in-transit encryption and the blocking of attachment file types such as .exe, .pif or .url to avoid downloading malicious code.
  • Strong password policies and multi-factor authentication (MFA) must be enforced.

SYLLABUS: MAINS, GS-3, INTERNAL SECURITY

SOURCE: THE HINDU
