CERT-In issues advisory and warns against malware 'Akira'
CERT-In has issued a warning against a ransomware called 'Akira'. The ransomware first steals data from victims' systems, then encrypts it, and uses the stolen data for double extortion. If a victim refuses to pay, the data is leaked on the group's dark web blog. CERT-In advised users to maintain offline backups, enforce strong password policies and keep systems updated.
The malware targets both Windows and Linux-based systems, CERT-In said.
“A recently emerged ransomware operation dubbed Akira is reportedly active in cyberspace. This group first steals the information from victims, then encrypts data on their systems and conducts double extortion to force the victim into paying the ransom.”
"In case the victim does not pay, they release their victim's data on their dark web blog," the Indian Computer Emergency Response Team (CERT-In) said in its latest advisory to Internet users.
The ransomware group is "known to access victim environments via VPN [virtual private network] services, particularly where users have not enabled multi-factor authentication." Ransomware is a kind of malware that locks users out of their own data and systems and demands a payment to restore access.
Tools such as AnyDesk, WinRAR and PCHunter have been used during intrusions, CERT-In said, adding that these tools are often already present in the victim's environment, so their misuse typically goes unnoticed.
Describing the ransomware's technical behaviour, the advisory said Akira deletes the Windows Shadow Volume Copies on the targeted device, removing the local snapshots a victim could otherwise restore from. The ransomware then encrypts files with a predefined set of extensions and appends a '.akira' extension to each encrypted file's name.
In the encryption phase, the ransomware terminates active Windows services using the Windows Restart Manager API. This step prevents running services from interfering with the encryption process, the advisory stated. The ransomware encrypts files found in folders across the hard drive, excluding the ProgramData, Recycle Bin, Boot, System Volume Information and Windows folders. CERT-In also advised Internet users to follow basic online hygiene and protection practices to stay safe from such attacks.
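The behaviours described above (shadow copy deletion before encryption, a '.akira' extension appended to encrypted files, and a fixed set of skipped folders) are enough to build a simple detection and triage helper. The following Python is an added example, not code from the CERT-In advisory or this article. It assumes a constructed `key=value|key=value` log format loosely shaped like Sysmon process-create and file-create records, a stand-in list of target extensions (the advisory only says "a predefined set of extensions"), and the shadow-copy deletion commands ransomware commonly uses, since the advisory does not say which command Akira runs.

```python
import re
from typing import Iterable, Optional

# Folders the advisory says Akira does not encrypt (matched on the first path
# component under the drive root, case-insensitively).
EXCLUDED_FOLDERS = {"programdata", "$recycle.bin", "boot",
                    "system volume information", "windows"}
AKIRA_EXT = ".akira"

# Assumption: the advisory only says Akira encrypts "a predefined set of
# extensions" without listing them; this small set stands in for it.
TARGET_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".sql", ".vmdk"}

# Assumption: the advisory does not name the command Akira uses to delete
# shadow copies; these are the invocations ransomware commonly uses for it.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy", re.I),  # WMI deletion via PowerShell
]


def _split_path(path: str) -> list:
    """Normalise separators, drop the drive letter, return path components."""
    p = path.replace("/", "\\")
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    return [x for x in p.split("\\") if x]


def is_excluded_path(path: str) -> bool:
    """True if the file sits in a folder the advisory says Akira skips."""
    parts = _split_path(path)
    return bool(parts) and parts[0].lower() in EXCLUDED_FOLDERS


def encrypted_name(path: str) -> Optional[str]:
    """Model the advisory's file-selection rule for triage: return the name the
    file would carry after encryption ('.akira' appended), or None if the
    folder exclusion or the extension set means Akira would skip it."""
    parts = _split_path(path)
    if not parts or is_excluded_path(path):
        return None
    name = parts[-1]
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in TARGET_EXTENSIONS:
        return None
    return path + AKIRA_EXT


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """Flag process command lines that delete Volume Shadow Copies."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def parse_line(line: str) -> dict:
    """Parse the constructed 'key=value|key=value' format used here."""
    return {k.strip(): v.strip() for k, _, v in
            (kv.partition("=") for kv in line.split("|"))}


def analyse(lines: Iterable[str]) -> dict:
    """Collect shadow-copy deletions and '.akira' file creations from logs."""
    findings = {"shadow_copy_deletion": [], "akira_files": []}
    for line in lines:
        ev = parse_line(line)
        if ev.get("event") == "ProcessCreate" and is_shadow_copy_deletion(ev.get("cmd", "")):
            findings["shadow_copy_deletion"].append(ev["cmd"])
        elif ev.get("event") == "FileCreate" and ev.get("target", "").lower().endswith(AKIRA_EXT):
            findings["akira_files"].append(ev["target"])
    return findings


# Constructed sample events (not real telemetry) in the format above.
SAMPLE_LOG = [
    "event=ProcessCreate|image=C:\\Windows\\System32\\vssadmin.exe|cmd=vssadmin.exe delete shadows /all /quiet",
    "event=ProcessCreate|image=C:\\Windows\\System32\\cmd.exe|cmd=cmd.exe /c dir",
    "event=FileCreate|image=C:\\Users\\alice\\w.exe|target=C:\\Users\\alice\\Documents\\q3.xlsx.akira",
    "event=FileCreate|image=C:\\Users\\alice\\w.exe|target=C:\\Windows\\Temp\\x.tmp",
    "event=FileCreate|image=C:\\Users\\alice\\w.exe|target=D:\\shares\\finance\\ledger.sql.akira",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
    print(encrypted_name("C:\\Users\\alice\\Documents\\q3.xlsx"))
    print(encrypted_name("C:\\Windows\\System32\\kernel32.dll"))
```

In practice the shadow-copy deletion finding is the one worth alerting on immediately: it precedes encryption in the sequence the advisory describes, so a detection on it gives responders a window before '.akira' files start appearing. The `encrypted_name` helper is only a model of the advisory's stated rule and is useful for estimating which file shares are exposed, not as proof of what a given sample will do.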
The advisory suggested that operating systems and applications be updated regularly, and that "virtual patching" can be considered for protecting legacy systems and networks. This will prevent cyber criminals from gaining easy access to a system through vulnerabilities in outdated applications and software, it said.
Users should also enforce strong password policies and multi-factor authentication (MFA), and avoid applying updates or patches obtained from unofficial channels, among other measures to counter cyber and ransomware attacks, it said.