Akira: Government issues ‘Akira’ ransomware warning for users – Times of India

The Indian Computer Emergency Response Team (CERT-In) has issued a warning against a ransomware called “Akira”, which steals important information and encrypts data, which can lead to extortion. The ransomware targets Windows and Linux-based systems.

The country’s federal cyber security agency said the ransomware first encrypts the data and then forces the victim to pay a ransom. “If the victim doesn’t pay, they release their victim’s data on their dark web blog,” the advisory said.
The Technology Branch also advised that users should follow a strong password policy. Here’s what the advisory said:

A recently unearthed ransomware operation named Akira is reportedly active in cyberspace. This ransomware is targeting both Windows and Linux-based systems. This group first steals information from victims, then encrypts the data on their systems and performs double extortion to force the victim to pay a ransom. If the victim doesn’t pay, they release their victim’s data on their dark web blog. The group is known to access victim environments through VPN services, particularly where users have not enabled multi-factor authentication. The group has also used tools such as AnyDesk, WinRAR and PCHunter during infiltration. These tools are often found in the victim’s environment, and their misuse usually goes unnoticed.
How Akira targets victims
According to CERT-In, Akira first deletes Windows shadow volume copies on the infected device and encrypts the files, adding the ‘.akira’ extension. It also shuts down active Windows services using the Windows Restart Manager API during the encryption process.
The advisory added, “This step prevents any interference with the encryption process. It encrypts files found in various hard drive folders, except the ProgramData, Recycle Bin, Boot, System Volume Information, and Windows folders. To maintain system stability, it prevents Windows from modifying system files, including files with extensions such as .sys, .msi, .dll, .lnk, and .exe.”
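A detection example for the behaviour described above, added here and not taken from the CERT-In advisory: it flags hosts where several files gain the ‘.akira’ extension within a short window, and filters a list of watch folders down to those outside the folders the advisory says are skipped. The event tuples, host names, threshold, window and the `$Recycle.Bin` on-disk name are assumptions.

```python
from collections import defaultdict, deque
from datetime import timedelta, datetime
from pathlib import PureWindowsPath

# Top-level folders the advisory says are left unencrypted.
# "$Recycle.Bin" is an assumed on-disk name for "Recycle Bin".
SKIPPED = {"programdata", "$recycle.bin", "boot",
           "system volume information", "windows"}

# Constructed sample file-rename events: (ISO time, host, new path).
SAMPLE_EVENTS = [
    ("2023-07-24T10:00:01", "ws-01", r"C:\Users\a\Documents\q1.xlsx.akira"),
    ("2023-07-24T10:00:02", "ws-01", r"C:\Users\a\Documents\q2.xlsx.akira"),
    ("2023-07-24T10:00:03", "ws-01", r"C:\Users\a\Pictures\id.png.akira"),
    ("2023-07-24T10:00:05", "ws-02", r"C:\Users\b\notes.txt"),
    ("2023-07-24T10:05:00", "ws-02", r"D:\share\drawing.akira"),
    ("2023-07-24T11:30:00", "ws-02", r"D:\share\old.akira"),
]

def is_skipped(path):
    """True if the path sits under a top-level folder the advisory lists as skipped."""
    parts = PureWindowsPath(path).parts
    return len(parts) > 1 and parts[1].lower() in SKIPPED

def worth_watching(dirs):
    """Keep only watch folders where encryption activity would be visible."""
    return [d for d in dirs if not is_skipped(d)]

def detect_akira_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Return {host: time of first alert} for hosts where at least
    `threshold` files gained the .akira extension within `window`."""
    recent = defaultdict(deque)   # per-host timestamps inside the window
    alerts = {}
    for ts, host, path in sorted(events):
        if not path.lower().endswith(".akira"):
            continue
        t = datetime.fromisoformat(ts)
        q = recent[host]
        q.append(t)
        while t - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts

if __name__ == "__main__":
    print(detect_akira_bursts(SAMPLE_EVENTS))
    print(worth_watching([r"C:\Users", r"C:\ProgramData", r"D:\share"]))
```

A single stray `.akira` file does not trigger an alert; the threshold and window should be tuned to the file-event source in use.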
How to protect
It is advised that users should update the operating system and apps on a regular basis. Users are also advised to use strong passwords, multi-factor authentication and avoid clicking malicious links on the Internet.