Akira ransomware: why has the government issued a warning against it?
Exam Relevance: GS Paper – 3 Cyber Security
- Challenges to Internal Security Through Communication Networks
- Cyber Warfare
Context:
The Computer Emergency Response Team of India issued an alert for the ransomware dubbed “Akira.” The ransomware, found to target both Windows and Linux devices, steals and encrypts data, forcing victims to pay double ransom for decryption and recovery.
Akira ransomware-
- The Akira ransomware is designed to encrypt data, create a ransomware note and delete Windows Shadow Volume copies on affected devices.
- The ransomware gets its name due to its ability to modify filenames of all encrypted files by appending them with the “.akira” extension.
- The ransomware is designed to close processes or shut down Windows services that may keep it from encrypting files on the affected system.
- It uses VPN services, especially when users have not enabled two-factor authentication, to trick users into downloading malicious files.
- Windows Shadow Volume files are instrumental in ensuring that organizations can back up data used in their applications for day-to-day functioning.
- VSS services facilitate communication between different components without the need to take them offline, thereby ensuring data is backed up while it is also available for other functions.
- Once the ransomware deletes the VSS files it proceeds to encrypt files with the pre-defined the “.akira” extension.
What Is Malware?
Malware is a term used for a collection of viruses that cyber criminals going by hackers may release or use to gain entry into your computer to pose a risk of deletion of sensitive information or data.
The purpose of creating malware for a hacker is to demand ransom or any undue financial gain from the person or entity suffering from a malware attack. There are various types of malware that hackers use to gain unauthorized entry into your system.
Types of Malware-
There are different types of malware designed to harm your device, such as the follows:
- Virus: It is a replicating malware that is attached to a file. If you run that file, the virus will spread completely, infecting your computer and damaging your files. It usually needs a trigger to be activated.
- Worms: A worm can spread independently without requiring any human intervention. Once a worm is installed, it multiplies itself and consumes a large part of your computer memory, reducing the performance level of your device.
- Trojan: It serves as a “malware installer” that installs various kinds of malware in the system without the user’s knowledge, allowing a hacker to pre-plan and conduct various cybercrimes.
- Spyware: it acts as a surveillance tool to monitor a user’s activities on the internet. The evolution of malware has made it possible for hackers to check your emails and listen to your phone calls through spyware.
- Adware: It can redirect you to different websites that are completely unsafe, eventually slowing the functioning of your device. Malicious software can insert into your device through harmful ads, severely harming your device, so stay safe from such malware.
- Ransomware: It is a type of software that encrypts sensitive information so that the user cannot access it. Hacker sends an unverified link to the user. As soon as the user clicks on the link, the hacker starts encrypting information that he might find valuable, which a mathematical key can only unlock. The hacker demands a ransom or financial aid, and as soon as he receives the amount, he unlocks the restricted data.
The working-
- The ransomware also terminates active Windows services using the Windows Restart Manager API, preventing any interference with the encryption process.
- It is designed to not encrypt Program Data, Recycle Bin, Boot, System Volume information, and other folders instrumental in system stability.
- It also avoids modifying Windows system files with extensions like .syn. .msl and .exe.
- Once sensitive data is stolen and encrypted, the ransomware leaves behind a note named akira_readme.txt which includes information about the attack and the link to Akira’s leak and negotiation site.
- Each victim is given a unique negotiation password to be entered into the threat actor’s Tor site.
- Unlike other ransomware operations, this negotiation site just includes a chat system that the victim can use to communicate with the ransomware gang, a report from The Bleeping Computer shares.
The process of infecting devices:
- Ransomware is typically spread through spear phishing emails that contain malicious attachments in the form of archived content (zip/rar) files.
- Other methods used to infect devices include drive-by-download, a cyber-attack that unintentionally downloads malicious code onto a device, and specially crafted web links in emails, clicking on which downloads malicious code.
- The ransomware reportedly also spreads through insecure Remote Desktop connections.
- Once it breaches a corporate network, the ransomware spreads laterally to other devices after gaining Windows domain admin credentials.
- The threat actors also steal sensitive corporate data for leverage in their extortion attempts.
Protecting against the ransomware:
- CERT-In has advised users to follow basic internet hygiene and protection protocols to ensure their security against ransomware.
- These include maintaining up to date offline backups of critical data, to prevent data loss in the event of an attack.
- Additionally, users are advised to ensure all operating systems and networks are updated regularly, with virtual patching for legacy systems and networks.
- Companies must also establish Domain-based Message Authentication, Reporting, and Conformance, Domain Keys Identified Mail (DKIM), and Sender policy for organizational email validation, which prevents spam by detecting email spoofing.
- Strong password policies and multi-factor authentication (MFA) must be enforced.
- The agency has also advised periodic security audits of critical networks/systems, especially database servers.
Conclusion:
Continuous efforts are needed to Secure (National Cyberspace), Strengthen (Structures, People, Processes, and Capabilities), and Synergise (Resources including Cooperation and Collaboration) in the field of cyberspace in India.
Source:https://www.thehindu.com/sci-tech/technology/what-is-the-akira-ransomware/article67134462.ece.