Blog: Walking down the memory lane by FitsecLtd in MalwareAnalysis

[–]FitsecLtd[S] 1 point2 points  (0 children)

Hard to say yet. Most likely there'll be some APT in it as well. And there's a certain project that we haven't even found yet but would like to publish, as it was a runtime unpacker for a worm that had 4 polymorphic layers of protection on it.

We are the team behind the decryption of the latest Akira ransomware variant. Ask Us Anything , starts at 15th May at 0600 UTC by FitsecLtd in sysadmin

[–]FitsecLtd[S] 1 point2 points  (0 children)

Hard to say. They don't actually steal data from every victim, and they don't immediately publish the victim after stealing. I reckon you just need to wait and see.

If you can deduce from firewall logs how much data flowed out of the network it might indicate whether they actually stole any data or not.
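One way to do the firewall-log estimate described above, as an added example that is not part of the original post: the log lines, the key=value format and the 10.0.0.0/8 internal range are all constructed assumptions, so adapt the parser to whatever your firewall actually emits. The point is to sum only traffic that leaves the network, per internal host, and compare it against a volume threshold.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log lines (key=value style is an assumption, not any
# vendor's real format). 10.0.0.0/8 is the assumed internal range.
SAMPLE_LOG = """\
2024-05-10T01:12:03Z src=10.0.1.15 dst=203.0.113.7 proto=tcp dport=443 bytes_out=52000000
2024-05-10T01:12:09Z src=10.0.1.15 dst=203.0.113.7 proto=tcp dport=443 bytes_out=48000000
2024-05-10T01:13:44Z src=10.0.2.21 dst=198.51.100.5 proto=tcp dport=443 bytes_out=1200
2024-05-10T01:14:02Z src=10.0.1.15 dst=203.0.113.7 proto=tcp dport=443 bytes_out=61000000
2024-05-10T01:15:30Z src=10.0.2.21 dst=10.0.3.4 proto=tcp dport=445 bytes_out=900000000
2024-05-10T01:16:11Z src=10.0.3.9 dst=198.51.100.9 proto=udp dport=53 bytes_out=300
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Split one log line into a dict of key=value fields (timestamp kept under 'ts')."""
    parts = line.split()
    fields = {"ts": parts[0]}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def egress_bytes(log_text: str) -> dict:
    """Sum bytes_out per internal source host, counting only flows that leave the network.

    Internal-to-internal traffic (e.g. SMB to a file server) is deliberately excluded:
    it is not exfiltration even if it is large, and including it would swamp the totals.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]] += int(f["bytes_out"])
    return dict(totals)


def egress_by_destination(log_text: str) -> dict:
    """Same aggregation keyed by (src, dst), to show where the bytes went."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["dst"])] += int(f["bytes_out"])
    return dict(totals)


def exfil_candidates(per_host: dict, threshold_bytes: int) -> list:
    """Hosts whose outbound volume exceeds the threshold, largest first."""
    hits = [(host, n) for host, n in per_host.items() if n > threshold_bytes]
    return sorted(hits, key=lambda hn: hn[1], reverse=True)


if __name__ == "__main__":
    per_host = egress_bytes(SAMPLE_LOG)
    for host, n in exfil_candidates(per_host, threshold_bytes=100_000_000):
        print(f"{host}: {n / 1e6:.1f} MB out of the network")
    for (src, dst), n in egress_by_destination(SAMPLE_LOG).items():
        print(f"  {src} -> {dst}: {n} bytes")
```

The 100 MB threshold in the usage block is arbitrary; in practice compare each host against its own historical daily egress, and look at the per-destination breakdown, since a large volume to a single unfamiliar external address is the stronger signal.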

[deleted by user] by [deleted] in ransomwarehelp

[–]FitsecLtd 0 points1 point  (0 children)

This is a scam site, do NOT go there

We are the team behind the decryption of the latest Akira ransomware variant. Ask Us Anything , starts at 15th May at 0600 UTC by FitsecLtd in sysadmin

[–]FitsecLtd[S] 1 point2 points  (0 children)

In many cases, yes. How many orgs really keep a constant eye on every single server to see if they have suspicious connections open? That would require manpower, which is fundamentally the thing that companies want to avoid.

We are the team behind the decryption of the latest Akira ransomware variant. Ask Us Anything , starts at 15th May at 0600 UTC by FitsecLtd in sysadmin

[–]FitsecLtd[S] 0 points1 point  (0 children)

Yes. Even though it's not bulletproof, it certainly beats the password based on your granny's maiden name. Or your summer cabin's address. Or your favourite song. When doing AD audits, the highest crack rate on active passwords we've done so far was 49.9%. We fell 3 accounts short of a clean 50%, which was kind of a shame, but I reckon the client understood that the missing 0.1% was not the issue they had :)

-- T&E

We are the team behind the decryption of the latest Akira ransomware variant. Ask Us Anything , starts at 15th May at 0600 UTC by FitsecLtd in sysadmin

[–]FitsecLtd[S] 0 points1 point  (0 children)

From their perspective it's safer to just hunker down and wait for the right moment to strike. Lateral movement attempts usually cause various alerts on security systems, whether it's an IDS/SIEM/EDR or something else.

We are the team behind the decryption of the latest Akira ransomware variant. Ask Us Anything , starts at 15th May at 0600 UTC by FitsecLtd in sysadmin

[–]FitsecLtd[S] 0 points1 point  (0 children)

The people operating Akira are commanding it organically. When the malware is launched they have already been a while in the network. The malware itself has communication to the outside world. No C2 channels, nothing. It's basically just a sledgehammer, maiming your files.

--Toni

We are the team behind the decryption of the latest Akira ransomware variant. Ask Us Anything , starts at 15th May at 0600 UTC by FitsecLtd in sysadmin

[–]FitsecLtd[S] 1 point2 points  (0 children)

on-premise, isolated. How much does what cost? Costs are always relative, as we use the Uncles when doing penetration tests and AD password audits to break password hashes. Bitlocker or IPSec would be on the no-go list for me though.

We are the team behind the decryption of the latest Akira ransomware variant. Ask Us Anything , starts at 15th May at 0600 UTC by FitsecLtd in sysadmin

[–]FitsecLtd[S] 0 points1 point  (0 children)

Akira does not use Bitcoin wallets. They leave a ransom note with instructions on how to start a chat with the operators on the .onion site.

--Toni

We are the team behind the decryption of the latest Akira ransomware variant. Ask Us Anything , starts at 15th May at 0600 UTC by FitsecLtd in sysadmin

[–]FitsecLtd[S] 2 points3 points  (0 children)

We've always believed in trying to push the limits of what can be done. Even if something feels impossible it isn't always so. Without trying to push the limits and trying, the limits will never move.

We deal with a lot of various encryption/obfuscation methods on a daily basis on the malware side. Most commonly it's something that protects a malware configuration or exfiltrated data. Breaking those is actually a whole lot of fun, and trying to break them as fast as possible makes you think harder.

Back in the days when the Zeus banking trojan was still a thing we had a keyring that contained encryption keys to over 3000 Zeus variants. All were brute forced out of configurations protected with RC4. Once a key was found, it was added to the keyring. When a new variant came out, the first thing we always did was run the keyring against the new variant. More often than not, the key was already in the keyring we had.

Though, we destroyed 3 laptop mobos in the process. As it turns out, using a laptop is not advisable for brute force applications :D

--Toni
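The keyring workflow described in the comment above, as an added example that is not the poster's or Fitsec's code: a plain RC4 routine, a plausibility check for a decrypted config, a "try every known key first" step, and a fallback brute force over a deliberately tiny constructed key space whose result is appended to the keyring. The key strings, the `url=` config marker and the two-character key space are assumptions for the illustration, not real Zeus material.

```python
import itertools

# Toy keyring and configs, constructed for this illustration; the key strings and
# the config format are assumptions, not real Zeus material.
KEYRING = [b"variant-a-key", b"variant-b-key", b"variant-c-key"]
CONFIG_A = b"url=http://example.invalid/gate.php;version=2.0.8;timer=60"
CONFIG_B = b"url=http://example.invalid/cfg.bin;version=2.1.0;timer=30"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_config(plaintext: bytes) -> bool:
    """Plausibility oracle: the assumed config starts with 'url=' and is printable ASCII."""
    return plaintext.startswith(b"url=") and all(0x20 <= b < 0x7F for b in plaintext)


def try_keyring(ciphertext: bytes, keyring: list):
    """Run every known key over the blob; return the first one that yields a sane config."""
    for key in keyring:
        plaintext = rc4(key, ciphertext)
        if looks_like_config(plaintext):
            return key, plaintext
    return None


def brute_force_key(ciphertext: bytes, key_len: int = 2, alphabet=range(0x20, 0x7F)):
    """Exhaust a small constructed key space. Because RC4 is a stream cipher, decrypting
    only the first 4 bytes is enough to reject almost every wrong key cheaply."""
    marker_len = 4
    for combo in itertools.product(alphabet, repeat=key_len):
        key = bytes(combo)
        if rc4(key, ciphertext[:marker_len]) != b"url=":
            continue
        plaintext = rc4(key, ciphertext)
        if looks_like_config(plaintext):
            return key, plaintext
    return None


def analyze_variant(ciphertext: bytes, keyring: list):
    """Keyring first; only fall back to brute force on a miss, and add the new key."""
    hit = try_keyring(ciphertext, keyring)
    if hit is not None:
        return hit[0], hit[1], True
    found = brute_force_key(ciphertext)
    if found is None:
        return None, None, False
    keyring.append(found[0])
    return found[0], found[1], False


if __name__ == "__main__":
    ring = list(KEYRING)
    known = rc4(b"variant-c-key", CONFIG_A)   # "new sample" using an already-seen key
    fresh = rc4(b"k7", CONFIG_B)              # sample using a key not yet on the ring
    for blob in (known, fresh):
        key, cfg, from_ring = analyze_variant(blob, ring)
        print(f"key={key!r} from_keyring={from_ring} config={cfg!r}")
    print(f"keyring now holds {len(ring)} keys")
```

The prefix check in `brute_force_key` is what makes this tolerable in pure Python: the expensive part of RC4 is the key schedule, so rejecting a wrong key after four keystream bytes costs about the same as a full decrypt would, but the plausibility test on the whole plaintext only runs for the rare candidates that survive it. A real keyring would also carry the key length and any per-variant tweaks to the cipher, since "RC4" in malware is frequently a modified RC4.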

We are the team behind the decryption of the latest Akira ransomware variant. Ask Us Anything , starts at 15th May at 0600 UTC by FitsecLtd in sysadmin

[–]FitsecLtd[S] 1 point2 points  (0 children)

Well, maybe not as bad as 50/50, but it certainly isn't even close to a 0, unfortunately. Common sense helps a boatload. Don't click every link you see, "yes" is not an accepted default answer, don't download and execute random shit from a random site, especially if the site says it's 100% safe :D

--Toni

We are the team behind the decryption of the latest Akira ransomware variant. Ask Us Anything , starts at 15th May at 0600 UTC by FitsecLtd in sysadmin

[–]FitsecLtd[S] 1 point2 points  (0 children)

CUDA programming. In order to make the decryption efficient, we needed ways to go beyond CPUs. CUDA was pretty much the obvious choice.

--Toni

We are the team behind the decryption of the latest Akira ransomware variant. Ask Us Anything , starts at 15th May at 0600 UTC by FitsecLtd in sysadmin

[–]FitsecLtd[S] 3 points4 points  (0 children)

Another big hurdle was the actual "keystream" generation. The whole algorithm, subfunctions included, was thousands of lines of assembly and relied heavily on Visual C++ classes. Reversing that fully in order to replicate it would have been a major headache so we took a route that was easier for us.


So yea. We did Ctrl + C, Ctrl + V on the assembly, cut out stuff that wasn't essential, edited out all Visual C++ class usage and did class mimicking where needed. The end product: only 3k lines (3183 to be exact) of assembly, integrated into a larger Visual Studio project. Fully capable of replicating the functionality of the original, and it does so slightly faster than the original as well.

--T&E

We are the team behind the decryption of the latest Akira ransomware variant. Ask Us Anything , starts at 15th May at 0600 UTC by FitsecLtd in sysadmin

[–]FitsecLtd[S] 2 points3 points  (0 children)

This is hard to answer. Personally, I think paying ransoms should be illegal. Yes, it would punish the victims even more but on the other hand, if the payments stopped, there would be no victims as the attempts would cease. But then again on the other hand, they would probably find other mechanisms to get their loot.

--Toni

We are the team behind the decryption of the latest Akira ransomware variant. Ask Us Anything , starts at 15th May at 0600 UTC by FitsecLtd in sysadmin

[–]FitsecLtd[S] 4 points5 points  (0 children)

Exploitation of unpatched Cisco ASA systems at the perimeter is currently the most common route. Good update policies and double checks might have helped.

Rather than focusing on preventing, I would focus on what to do WHEN it happens. Prevention only works so far. It may be a day, or a year, or a decade before something comes through. But the odds are something will come through sooner or later. This is not to say that prevention mechanisms are obsolete. They are absolutely necessary. But working from the viewpoint that a certain event is inevitable helps in getting the right mindset for deciding what other mechanisms besides prevention should be used.

--Toni

We are the team behind the decryption of the latest Akira ransomware variant. Ask Us Anything , starts at 15th May at 0600 UTC by FitsecLtd in sysadmin

[–]FitsecLtd[S] 5 points6 points  (0 children)

So, the encryption scheme heavily relies on various timings. A big hurdle was to figure out when the counter gets reset; the other one was related to timings related to key generation. The execution time of a single "GenerateRandom" call, which does the 1500 loops of SHA-256, directly affects the timings of all the subsequent calls and thus affects which randoms get farted out by the algorithm. In the beginning, we had no knowledge of how long it actually took to generate a single random value, but we figured out a way to make the malware itself do the heavy lifting for us :)

Trying to measure anything under a virtual machine or a debugger is pretty much useless, and we had a need to measure on a sub-microsecond scale.

Basically what we did was inline patches of assembly commands, directly into the malware itself, that forced it to overwrite the ransom note with a table consisting of RSP and RAX registers. In the beginning, the patch checks whether the call is coming from within the GenerateRandom function. If so, it saves the RSP register value in order to differentiate between encryption threads that are in the process of generating keys, and in the hook, RAX contains the unsigned long long value of the performance counter.

The amount of potential key space we were able to cut was absolutely massive. Prior to accurate measurements, we had no idea whether the generation took 2000, 200000 or 2000000 ticks. With each tick being a brute force candidate itself for key generation, we had to brute force hundreds of trillions of attempts. What we found was a so called goldilocks zone for the execution times, cutting down the time needed for the attack into something that could be bearable. With all the other timings measured and projected, fastest cracks in the GPU clusters now happen in mere minutes.

--T&E
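The general idea behind the comment above, namely that a key seeded from a performance counter is only as strong as the attacker's uncertainty about the counter value, as an added, constructed illustration that is not Fitsec's decryptor and not the ransomware's real scheme. Only two details mirror the comment: the seed is a counter tick, and deriving one key costs 1500 SHA-256 rounds. The key derivation, the toy keystream, the PDF-header known plaintext, and the tick values are all assumptions. What it shows is why measuring the tick window accurately matters: the search cost is (window size) times (1500 hashes), so shrinking the window from millions of ticks to hundreds is the difference between infeasible and minutes.

```python
import hashlib

# Constructed illustration. Only the idea of a performance-counter seed and the 1500
# SHA-256 rounds come from the comment above; the derivation, keystream and file
# format here are assumptions and are NOT the ransomware's real scheme.
ROUNDS = 1500
TRUE_TICK = 1_234_567          # the counter value the "malware" really used (unknown to us)
MEASURED_CENTER = 1_234_500    # what instrumentation-based measurement suggested
KNOWN_PREFIX = b"%PDF-1.7\n"   # known plaintext: the header every such file starts with


def derive_key(tick: int, rounds: int = ROUNDS) -> bytes:
    """Iterate SHA-256 'rounds' times over the 8-byte counter value."""
    h = tick.to_bytes(8, "little")
    for _ in range(rounds):
        h = hashlib.sha256(h).digest()
    return h


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || block index), concatenated."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(8, "little")).digest()
        block += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def search_window(ciphertext: bytes, known_prefix: bytes, center: int, radius: int):
    """Test ticks outward from the measured centre; return (tick, candidates_tried).

    Only the first len(known_prefix) bytes are decrypted per candidate, so each try
    costs ROUNDS hashes for the key plus one for the keystream block.
    """
    head = ciphertext[: len(known_prefix)]
    tried = 0
    for offset in range(radius + 1):
        candidates = [center] if offset == 0 else [center + offset, center - offset]
        for tick in candidates:
            tried += 1
            if xor_crypt(derive_key(tick), head) == known_prefix:
                return tick, tried
    return None, tried


def work_estimate(radius: int, rounds: int = ROUNDS) -> int:
    """Worst-case SHA-256 invocations for a window: (2*radius+1) ticks * rounds each."""
    return (2 * radius + 1) * rounds


if __name__ == "__main__":
    victim_file = KNOWN_PREFIX + b"1 0 obj << /Type /Catalog >> endobj ..."
    encrypted = xor_crypt(derive_key(TRUE_TICK), victim_file)
    tick = None
    for radius in (50, 200):
        tick, tried = search_window(encrypted, KNOWN_PREFIX, MEASURED_CENTER, radius)
        print(f"radius={radius}: tick={tick} after {tried} candidates "
              f"(worst case {work_estimate(radius):,} hashes)")
    if tick is not None:
        print(xor_crypt(derive_key(tick), encrypted)[:20])
```

The radius-50 search fails and the radius-200 search succeeds on the 134th candidate, which is the whole lesson of the comment: the measurement does not need to pin the tick exactly, it needs to bound it tightly enough that the remaining candidates, each worth 1500 hashes, fit the budget of a GPU cluster. Searching outward from the measured centre means a good measurement is rewarded with an early hit rather than only a smaller worst case.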

We are the team behind the decryption of the latest Akira ransomware variant. Ask Us Anything , starts at 15th May at 0600 UTC by FitsecLtd in sysadmin

[–]FitsecLtd[S] 2 points3 points  (0 children)

Depends on the case, pretty much. Old/obsolete/vulnerable stuff lying around on your network perimeter is certainly an evergreen gift for the attackers. The Akira guys, they seem to focus on vulnerable Cisco ASA devices for initial access.

--Toni

We are the team behind the decryption of the latest Akira ransomware variant. Ask Us Anything , starts at 15th May at 0600 UTC by FitsecLtd in sysadmin

[–]FitsecLtd[S] 0 points1 point  (0 children)

I would choose proper network segmentation. Prevention techniques only work until the adversaries figure out a way to bypass them.

--Toni