Akira Ransomware: Unmasked and Unrelenting

Experts have identified two types of files associated with the core component of the Akira ransomware: a smaller file (573 KiB) and a larger one (1.005 KiB). Both files are compiled using MSVC and lack obfuscation techniques. Upon execution on a victim’s device, the ransomware encrypts valuable files, appending the extension .akira. In each folder where encryption occurs, an akira_readme.txt file is created, demanding a ransom. The text in this file remains consistent across all versions, except for a unique code required to enter a chat with the attackers.

The program employs a formidable 4,096-bit encryption key, represented in base64 format in the smaller files and as a binary fragment in the larger ones. Before encrypting files, Akira attempts to delete shadow copies on the device by executing a PowerShell process via WMI. The command for deleting shadow copies is static, making it easier to detect.

The ransomware also utilizes the Restart Manager API, enabling it to close files currently in use by other applications. This API allows the termination of processes that block access to files, facilitating the ransomware’s continued operation. Notably, Akira does not properly conclude API sessions, which preserves registry entries, providing valuable data for subsequent analysis.

An intriguing detail is the creation and deletion of temporary files with the .arika extension, likely a mistake made by the ransomware’s developers. These files may represent intermediate data related to the encryption process, although their exact purpose warrants further investigation.

Security software should have little difficulty detecting Akira, as the ransomware leaves ample traces within the system, including static strings and the use of well-known APIs like Restart Manager.