Akira - How to Detect

Last updated: 2026-04-21

Akira Ransomware Detection Guide

Behavioral Indicators

Akira ransomware exhibits several distinct behavioral patterns during execution. Monitor process creation chains for suspicious sequences that begin at the initial access vector (a phishing document macro, an exploited edge service, or a valid account used over VPN or RDP) and end at the encryptor. Operators typically launch the encryptor from an interactive cmd.exe or powershell.exe session, and that same session spawns the discovery and pre-encryption commands listed below, so the parent/child relationship is itself a signal.

Key behavioral indicators include:

  • vssadmin.exe delete shadows /all /quiet to delete Volume Shadow Copies before encryption; the PowerShell equivalent (Get-WmiObject Win32_Shadowcopy | Remove-WmiObject) has also been documented for Akira, so do not key detection on vssadmin.exe alone
  • bcdedit.exe /set {default} recoveryenabled no and bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures to disable Windows recovery options
  • Multiple net.exe / net1.exe commands enumerating shares, domain controllers and privileged groups (net view, net group "domain admins" /domain)
  • Process hollowing or injection into legitimate system processes such as svchost.exe or explorer.exe
  • Remote execution through Windows Management Instrumentation (WMI): wmic.exe /node:"[target]" process call create "cmd.exe /c [command]"
  • Credential dumping via LSASS memory access or export of the SAM, SECURITY and SYSTEM registry hives (reg.exe save)
  • Calls to CryptEncrypt, CryptGenKey and other CryptoAPI functions from unexpected processes; an encryptor that statically links its own cryptography imports none of these, so treat their absence as uninformative
  • Boot configuration changes made through bcdedit or through direct writes to the mounted BCD registry hive

Look for processes opening and rewriting an unusual number of files in quick succession, particularly across network shares: an encryptor reads each file, writes ciphertext and renames it with the new extension, so a per-process file-write rate far above anything an interactive user produces is the strongest single behavioral signal. Akira skips system directories and the file types the host needs to boot, so the machine stays up to display the ransom note while data directories and shares take the impact.
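The following is an added example, not code from the original guide: it runs the command-line checks and the file-write burst check described above over constructed Sysmon-style events. Field names follow Sysmon Event ID 1 (ProcessCreate) and Event ID 11 (FileCreate); every sample event is synthetic, and the PowerShell shadow-copy deletion pattern is the form documented for Akira in CISA advisory AA24-109A. Thresholds (10-second window, 50 files) are assumptions to tune against your own baseline.

```python
"""Added example, not part of the original guide: command-line rules and a
per-process file-write burst detector over constructed Sysmon-style events.
Field names follow Sysmon Event ID 1 (ProcessCreate) and Event ID 11
(FileCreate); all sample events are synthetic."""
import re
from collections import defaultdict, deque

# (rule name, case-insensitive regex over the full command line)
COMMAND_RULES = [
    ("shadow_copy_delete_vssadmin",
     r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all(\s+/quiet)?"),
    ("shadow_copy_delete_wmi",            # PowerShell form documented in CISA AA24-109A
     r"Get-WmiObject\s+Win32_Shadowcopy\s*\|\s*Remove-WmiObject"),
    ("recovery_disabled_bcdedit",
     r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
     r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("domain_admin_enum",
     r"net1?(\.exe)?\s+group\s+\"domain admins\"\s+/domain"),
    ("wmi_remote_exec",
     r"wmic(\.exe)?\s+/node:\S+\s+process\s+call\s+create"),
]
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def classify_process(event):
    """Return (matching rule names, parent_is_interactive_shell) for one event."""
    cmd = event.get("CommandLine", "")
    hits = [name for name, pat in COMMAND_RULES if re.search(pat, cmd, re.IGNORECASE)]
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    return hits, parent in SHELL_PARENTS

def scan_process_events(events):
    """One (ProcessId, rule, parent_is_shell) tuple per rule hit, in event order."""
    findings = []
    for ev in events:
        hits, from_shell = classify_process(ev)
        findings.extend((ev["ProcessId"], h, from_shell) for h in hits)
    return findings

def file_write_bursts(file_events, window_s=10, threshold=50):
    """file_events: (ts_seconds, pid, path). Sliding window per pid; returns
    {pid: peak files written inside any window_s span} for pids over threshold."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, pid, _path in sorted(file_events):
        q = recent[pid]
        q.append(ts)
        while ts - q[0] > window_s:          # drop writes older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[pid] = max(peaks.get(pid, 0), len(q))
    return peaks

# --- constructed sample events ---------------------------------------------
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_PROCESS_EVENTS = [
    {"ProcessId": 4120, "ParentImage": CMD,
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ProcessId": 4133, "ParentImage": CMD,
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"ProcessId": 4140, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"ProcessId": 4150, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'net group "domain admins" /domain'},
    {"ProcessId": 4170, "ParentImage": CMD,
     "CommandLine": 'wmic.exe /node:"FS01" process call create "cmd.exe /c whoami"'},
    {"ProcessId": 4160, "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Program Files\Backup\agent.exe" --snapshot'},   # benign noise
]
# pid 4200 rewrites 120 share files in under 5 s; pid 4300 is a log writer at one file per 3 s
SAMPLE_FILE_EVENTS = (
    [(1000.0 + i * 0.04, 4200, rf"\\FS01\Finance\doc{i}.docx.akira") for i in range(120)]
    + [(1000.0 + i * 3.0, 4300, rf"C:\logs\app{i}.log") for i in range(20)]
)

if __name__ == "__main__":
    for pid, rule, from_shell in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"pid {pid}: {rule} (parent is interactive shell: {from_shell})")
    print("file-write bursts:", file_write_bursts(SAMPLE_FILE_EVENTS))
```

The burst detector deliberately keys on write rate rather than on the .akira extension, so it also fires on a renamed or re-branded build; the extension check belongs in the file-system sweep, not here.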

Network Indicators

The Akira encryptor itself does not need to contact command-and-control (C2) infrastructure to run; the network indicators below come from the operator tooling used earlier in the intrusion (remote access, tunnelling and exfiltration utilities) and are shared with many other ransomware operations. Use them as hunting leads to corroborate host evidence, not as Akira-specific signatures:

C2 Communication:

  • HTTPS connections to newly registered domains; a short certificate lifetime (30-90 days) is not a signal on its own, since automated CAs issue 90-day certificates to most legitimate sites, so combine domain age with destination reputation
  • Use of common cloud storage and file-sharing services as dead-drop resolvers
  • DNS queries for domains with random subdomains or alphanumeric strings (e.g., a1b2c3d4.example[.]com)
  • Beaconing intervals between 5-15 minutes during initial deployment, increasing to 30-60 minutes post-encryption
  • HTTP POST requests with encrypted payloads to paths like /gate.php, /api/v1/, or /submit

Data Exfiltration Patterns:

  • Large outbound transfers over FTP, SFTP or to cloud storage in the days before encryption (FileZilla, WinSCP and RClone have all been documented in Akira intrusions); RDP and SMB sessions to an internal staging host often precede the upload
  • Compression of stolen data using 7z.exe, WinRAR.exe, or built-in Windows utilities
  • Use of living-off-the-land tools like curl.exe or bitsadmin.exe for data transfer
  • Connections on non-standard ports (for example 4444, 8443, 8888) carrying traffic that does not match the service normally expected on that port

Detection Signatures:

  • TLS certificates with unusual issuer organizations or very recent issuance dates
  • User-Agent strings mismatching the claimed browser version or containing anomalies
  • Repeated failed authentication attempts followed by successful connections
  • Unusual traffic to Tor entry (guard) nodes or to bulletproof hosting providers; outbound Tor use is visible at the entry side, while exit nodes only appear as the source of inbound connections

Monitor for network scanning activity from infected hosts, particularly port 445 (SMB) and 3389 (RDP) connections to internal systems.
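Two of the hunts above, beacon-interval analysis and SMB/RDP fan-out from an internal host, as an added example that is not part of the original guide. It runs over constructed NetFlow-style records (dicts with ts, src, dst, dport); the addresses and timings are synthetic, with 203.0.113.0/24 and 198.51.100.0/24 standing in for external hosts. The coefficient-of-variation cutoff (0.15), the minimum connection count (8) and the scanner threshold (10 hosts in 60 s) are assumptions to tune locally.

```python
"""Added example, not from the original guide: beacon-interval analysis and
internal SMB/RDP fan-out detection over constructed flow records."""
import ipaddress
from collections import Counter, defaultdict, deque
from statistics import mean, pstdev

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    # Explicit RFC 1918 list: ipaddress.is_private also treats the documentation
    # ranges used for the sample external hosts as private, which would hide them.
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def beacon_candidates(flows, min_conns=8, max_cv=0.15):
    """Group outbound flows per (src, dst, dport). A low coefficient of variation
    (stdev/mean) of the inter-arrival gaps over enough connections is a timer,
    not a person. Returns {(src, dst, dport): (mean_gap_s, cv)}."""
    stamps = defaultdict(list)
    for f in flows:
        if not is_internal(f["dst"]):
            stamps[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    found = {}
    for key, ts in stamps.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            found[key] = (round(m, 1), round(pstdev(gaps) / m, 3))
    return found

def internal_scanners(flows, ports=(445, 3389), window_s=60, min_targets=10):
    """Peak number of distinct internal hosts one source touched on the given
    ports inside any window_s span. Returns {src: peak} for sources at or over
    min_targets; a host talking repeatedly to one file server never trips it."""
    per_src = defaultdict(list)
    for f in flows:
        if f["dport"] in ports and is_internal(f["dst"]):
            per_src[f["src"]].append((f["ts"], f["dst"]))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        window, live, peak = deque(), Counter(), 0
        for ts, dst in events:
            window.append((ts, dst))
            live[dst] += 1
            while ts - window[0][0] > window_s:
                _old_ts, old = window.popleft()
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
            peak = max(peak, len(live))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

# --- constructed sample flows ----------------------------------------------
def _series(src, dst, dport, start, gaps):
    ts, out = start, []
    for g in [0] + gaps:
        ts += g
        out.append({"ts": ts, "src": src, "dst": dst, "dport": dport})
    return out

SAMPLE_FLOWS = (
    _series("10.0.5.23", "203.0.113.10", 443, 0,        # 5-minute timer with slight jitter
            [300, 302, 298, 300, 305, 295, 300, 301, 299, 300, 300])
    + _series("10.0.5.23", "198.51.100.7", 443, 40,     # a person browsing
              [4, 90, 12, 600, 3, 45, 30, 200, 7])
    + [{"ts": 5000 + i * 0.5, "src": "10.0.5.23", "dst": f"10.0.6.{i + 1}", "dport": 445}
       for i in range(40)]                              # SMB sweep of a /24 in 20 s
    + [{"ts": 6000 + i * 20, "src": "10.0.5.40", "dst": "10.0.1.5", "dport": 445}
       for i in range(15)]                              # normal file-server use
)

if __name__ == "__main__":
    print("beacons:", beacon_candidates(SAMPLE_FLOWS))
    print("scanners:", internal_scanners(SAMPLE_FLOWS))
```

Jitter defeats a naive "exactly every N seconds" rule but not the coefficient of variation, which is why the timer series above still scores near zero; operators who randomize the interval widely will push the CV above any sane cutoff, so pair this with destination reputation rather than lowering the threshold.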

File System Artifacts

Akira creates several identifiable artifacts during execution:

Encryption Artifacts:

  • Files appended with the .akira extension (primary indicator); the .powerranges extension has also been documented for a later Akira build (CISA advisory AA24-109A), so key extension rules on both
  • Ransom notes named akira_readme.txt or AKIRA_DECRYPT.txt in each encrypted directory
  • Temporary batch files in %TEMP% or %APPDATA% with names like encrypt.bat, shadow.bat, or random alphanumeric strings

Malware Components:

  • Executables dropped to %APPDATA%\<random>\ or %LOCALAPPDATA%\Temp\ directories
  • DLL sideloading through legitimate signed applications placed in unusual locations
  • Configuration files in JSON or XML format containing encryption keys, C2 addresses, and target lists
  • Log files recording encryption progress, typically in %TEMP% with .log extension

File Characteristics:

  • Encrypted files keep their original creation timestamp, but their last-modified time reflects the encryption pass; a directory whose files were created years apart yet all modified within the same few minutes is a strong sign
  • Ransom note files are typically 2-5KB with specific formatting including contact email addresses
  • Malware executables range from 200KB to 2MB, often packed or obfuscated
  • Look for files created within minutes of each other across multiple directories

Check for recently created scheduled task XML files in C:\Windows\System32\Tasks\ with suspicious actions or triggers.
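An added example, not code from the original guide, that sweeps a directory tree for the artifacts above (encrypted extensions, ransom notes, a tight modification-time cluster across directories) and parses a scheduled-task XML file for a boot or logon trigger paired with a command outside Windows or Program Files. build_sample_tree() writes a throwaway tree under the system temp directory; its paths, names and timestamps are synthetic, and the task XML documents are constructed. The .powerranges extension is the second one documented for Akira in CISA advisory AA24-109A; the 300-second burst window is an assumption.

```python
"""Added example, not from the original guide: file-system artifact sweep and
scheduled-task XML inspection over constructed sample data."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from collections import defaultdict

ENCRYPTED_EXTS = {".akira", ".powerranges"}
NOTE_NAMES = {"akira_readme.txt"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def sweep(root):
    """Per-directory counts of encrypted files and notes, the extensions the
    files had before the suffix was appended, and (mtime, dir) stamps."""
    encrypted, originals, notes, stamps = defaultdict(int), defaultdict(int), [], []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            base, ext = os.path.splitext(name)
            if ext.lower() in ENCRYPTED_EXTS:
                encrypted[rel] += 1
                originals[os.path.splitext(base)[1].lower() or "(none)"] += 1
                stamps.append((os.stat(os.path.join(dirpath, name)).st_mtime, rel))
            elif name.lower() in NOTE_NAMES:
                notes.append(rel)
    return {"encrypted": dict(encrypted), "originals": dict(originals),
            "notes": sorted(notes), "stamps": stamps}

def encryption_burst(stamps, window_s=300, min_dirs=3):
    """(is_burst, distinct_dirs, span_s): encrypted files across at least
    min_dirs directories all modified within window_s is one automated pass."""
    if not stamps:
        return False, 0, 0.0
    times = sorted(t for t, _ in stamps)
    span, dirs = times[-1] - times[0], len({d for _, d in stamps})
    return (dirs >= min_dirs and span <= window_s), dirs, round(span, 1)

def parse_task(xml_text):
    """(trigger names, [(command, arguments)]). Files under
    C:\\Windows\\System32\\Tasks are UTF-16: open them with encoding='utf-16'."""
    root = ET.fromstring(xml_text)
    trig = root.find("t:Triggers", TASK_NS)
    triggers = [c.tag.rsplit("}", 1)[-1] for c in trig] if trig is not None else []
    actions = [(ex.findtext("t:Command", default="", namespaces=TASK_NS),
                ex.findtext("t:Arguments", default="", namespaces=TASK_NS))
               for ex in root.iterfind(".//t:Actions/t:Exec", TASK_NS)]
    return triggers, actions

def suspicious_task(xml_text):
    """Boot/logon trigger combined with a command outside Windows or Program Files."""
    triggers, actions = parse_task(xml_text)
    startup = any(t in ("BootTrigger", "LogonTrigger") for t in triggers)
    untrusted = any(not re.match(r'^"?[A-Za-z]:\\(Windows|Program Files)', cmd)
                    for cmd, _ in actions)
    return startup and untrusted

# --- constructed sample data -----------------------------------------------
SAMPLE_FILES = {
    "Finance": ["q1.xlsx.akira", "budget.docx.akira", "akira_readme.txt"],
    "HR": ["contracts.pdf.akira", "akira_readme.txt"],
    "Shares/Projects": ["plan.docx.akira", "roadmap.pptx.akira", "akira_readme.txt"],
    "Legal": ["nda.pdf.akira"],                            # note not written yet
    "Windows/System32": ["kernel32.dll", "ntoskrnl.exe"],  # skipped by the encryptor
}

def build_sample_tree(base_time=1_700_000_000.0):
    """Encrypted files get mtimes two seconds apart; everything else is 30 days old."""
    root = tempfile.mkdtemp(prefix="akira_sweep_")
    flat = [(d, n) for d, names in SAMPLE_FILES.items() for n in names]
    for i, (d, n) in enumerate(flat):
        path = os.path.join(root, d, n)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 64)
        fresh = os.path.splitext(n)[1] in ENCRYPTED_EXTS
        t = base_time + 2.0 * i if fresh else base_time - 30 * 86400
        os.utime(path, (t, t))
    return root

SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger>
            <LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\\Users\\Public\\Libraries\\update.exe</Command>
                                  <Arguments>-run</Arguments></Exec></Actions>
</Task>"""
SAMPLE_BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    result = sweep(build_sample_tree())
    print(result["encrypted"], result["originals"], result["notes"])
    print("burst:", encryption_burst(result["stamps"]))
    print("tasks:", suspicious_task(SAMPLE_TASK_XML), suspicious_task(SAMPLE_BENIGN_TASK_XML))
```

The "Legal" directory in the sample has encrypted files but no note, which is what a tree looks like when the encryptor was interrupted mid-run; comparing the encrypted-directory set against the note-directory set tells you where it stopped.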

Registry and Persistence Mechanisms

Akira employs multiple persistence mechanisms to maintain access:

Registry Modifications:

  • Run key entries: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • Services creation: HKLM\System\CurrentControlSet\Services\<malicious service name>
  • Image File Execution Options (IFEO) debugging: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<target executable>
  • Disabling security tools: DisableAntiSpyware under HKLM\Software\Policies\Microsoft\Windows Defender, DisableRealtimeMonitoring under its Real-Time Protection subkey, or similar paths for other products
  • Safe boot disablement: HKLM\System\CurrentControlSet\Control\SafeBoot modifications

Persistence Methods:

  • Scheduled tasks created via schtasks.exe /create with triggers for system startup or user logon
  • Windows service installation using sc.exe create with display names mimicking legitimate services
  • Startup folder shortcuts: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
  • COM object hijacking through registry modifications
  • WMI event subscriptions for persistence

Defense Evasion:

  • Registry keys modifying Windows Defender exclusions: HKLM\Software\Microsoft\Windows Defender\Exclusions\Paths
  • Disabling Windows Error Reporting: HKLM\Software\Microsoft\Windows\Windows Error Reporting\Disabled
  • Clearing event logs with wevtutil.exe cl <log> or the EvtClearLog API; the clearing itself records Event ID 1102 in the Security log and 104 in the System log, so forward those to a collector the host cannot clear

Monitor registry changes for unusual service creations, particularly those with random names or descriptions containing typos or unusual character combinations.
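An added example, not part of the original guide: a parser for the .reg export format written by reg export, followed by checks for the registry locations listed in this section (Run keys launching from user-writable paths, services with an ImagePath in a temp directory, IFEO debuggers, Defender policy and exclusion keys, Windows Error Reporting disabled). The export below is constructed; the service and file names in it are illustrative, and the trusted/untrusted path patterns are assumptions to extend for your environment.

```python
"""Added example, not from the original guide: parse a Windows .reg export
and flag the persistence and defence-evasion settings listed above."""
import re
from collections import defaultdict

RUN_KEYS = (r"\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", r"\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE")
TRUSTED_DIR = re.compile(r'^"?[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\', re.I)
USERLAND_DIR = re.compile(r"(\\AppData\\|\\Temp\\|\\Users\\Public\\|%APPDATA%|%TEMP%|%LOCALAPPDATA%)", re.I)

def parse_reg_export(text):
    """{key_path: {value_name: data}}; handles "string", dword:, hex: (bytes)
    and hex(2): (REG_EXPAND_SZ, UTF-16LE) forms plus backslash continuation lines."""
    keys = defaultdict(dict)
    current, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current]                      # register the key even if it has no values
            continue
        if line.endswith("\\"):
            pending = line[:-1]                # hex data continues on the next line
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if not m or current is None:
            continue
        name = "(Default)" if m.group(1) is None else re.sub(r"\\(.)", r"\1", m.group(1))
        data = m.group(2)
        if data.startswith("dword:"):
            value = int(data[6:], 16)
        elif data.startswith("hex"):
            blob = bytes.fromhex(data.split(":", 1)[1].replace(",", ""))
            value = blob.decode("utf-16-le").rstrip("\x00") if data.startswith("hex(2)") else blob
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            value = re.sub(r"\\(.)", r"\1", data[1:-1])   # unescape \\ and \"
        else:
            value = data
        keys[current][name] = value
    return dict(keys)

def flag_persistence(reg):
    """[(finding, key, value_name, data)] for the registry locations above."""
    out = []
    for key, values in reg.items():
        k = key.upper()
        if any(k.endswith(r) for r in RUN_KEYS):
            for name, data in values.items():
                if isinstance(data, str) and (USERLAND_DIR.search(data) or not TRUSTED_DIR.match(data)):
                    out.append(("run_key_userland_binary", key, name, data))
        if "\\SERVICES\\" in k:
            image = values.get("ImagePath")
            if isinstance(image, str) and USERLAND_DIR.search(image):
                out.append(("service_userland_image", key, "ImagePath", image))
        if "\\IMAGE FILE EXECUTION OPTIONS\\" in k and "Debugger" in values:
            out.append(("ifeo_debugger", key, "Debugger", values["Debugger"]))
        if k.endswith(r"\POLICIES\MICROSOFT\WINDOWS DEFENDER") and values.get("DisableAntiSpyware") == 1:
            out.append(("defender_disabled_by_policy", key, "DisableAntiSpyware", 1))
        if k.endswith(r"\WINDOWS DEFENDER\EXCLUSIONS\PATHS"):
            out.extend(("defender_exclusion_path", key, name, data) for name, data in values.items())
        if k.endswith(r"\WINDOWS ERROR REPORTING") and values.get("Disabled") == 1:
            out.append(("wer_disabled", key, "Disabled", 1))
    return out

# --- constructed export (names and paths are illustrative) -----------------
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorAgent"="\"C:\\Program Files\\Vendor\\Agent.exe\" /tray"
"WinUpdateSvc"="C:\\Users\\Public\\svchost.exe -s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauservx]
"DisplayName"="Windows Update Service Helper"
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,\
  54,00,65,00,6d,00,70,00,5c,00,77,00,75,00,61,00,75,00,73,00,65,00,72,00,76,00,78,00,\
  2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\Users\\Public"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting]
"Disabled"=dword:00000001
"""

if __name__ == "__main__":
    for finding in flag_persistence(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

Export the hives from a suspect host with reg export (the file is UTF-16 with a BOM; open it with encoding="utf-16") and diff the findings against a known-good baseline export rather than reading them cold, since software that legitimately runs from AppData will also show up under the Run-key check.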

YARA Rule Guidance

When creating YARA rules for Akira detection, focus on these characteristics:

String Patterns:

  • Ransom note content: “akira”, “your files are encrypted”, “contact us”, specific email domains used by the group
  • File extension declarations within binary: “.akira”, “akira_readme.txt”
  • Encryption-related strings: “AES”, “RSA”, “Crypt”, “Encrypt”, “Decrypt”; these appear in countless legitimate binaries and may only serve as supporting conditions, never as the sole match
  • Process names targeted for termination: “sql”, “backup”, “vss”, “mysql”, “oracle”
  • Anti-analysis checks: “VirtualBox”, “VMware”, “Wireshark”, “ProcessHacker”

Structural Elements:

  • Import Address Table (IAT) containing cryptographic APIs: CryptEncrypt, CryptDecrypt, CryptGenKey; a binary that statically links its own cryptography shows none of these, so do not make them a required condition
  • Resource sections containing configuration data or additional payloads
  • Statically linked or custom cryptographic routines, recognisable by their constants (for example the ChaCha20 “expand 32-byte k” block or the AES S-box) rather than by imports; Akira is publicly reported to use a ChaCha20/RSA hybrid scheme
  • Code sections with high entropy indicating packing or obfuscation
  • Network-related imports: WinHttpConnect, InternetOpenA, socket

Byte Patterns:

  • Magic bytes or file signatures specific to Akira variants
  • XOR-encoded strings with consistent keys across samples
  • Specific sequences in the .text section related to file traversal and encryption
  • Patterns in API call sequences, particularly around file operations and network communication

Focus on combinations of these elements rather than single indicators, as Akira operators frequently modify superficial characteristics between campaigns. Consider creating rules that detect the underlying encryption logic or configuration parsing routines, which change less frequently than strings or obfuscation methods.
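The combination logic recommended above, as an added example that is not code from the original guide: it is written in Python over constructed byte blobs so it runs offline without yara-python. The closest YARA condition would be uint16(0) == 0x5A4D and 2 of ($note*) and (1 of ($api*) or <packed>), with <packed> approximated here by Shannon entropy over 4 KiB windows. The strings, the 7.2 bits/byte entropy threshold and the three blobs are illustrative assumptions; none is claimed to be an Akira-specific byte pattern.

```python
"""Added example, not from the original guide: a YARA-style "combine weak
indicators" condition implemented in Python over constructed blobs."""
import math
import random
from collections import Counter

NOTE_STRINGS = [b"akira_readme.txt", b".akira", b"your files are encrypted"]
API_STRINGS = [b"CryptEncrypt", b"CryptGenKey", b"CryptAcquireContextA"]
ENTROPY_PACKED = 7.2          # compressed or encrypted data sits close to 8.0 bits/byte

def shannon_entropy(data):
    """Bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def max_window_entropy(data, window=4096, step=1024):
    """Highest entropy of any window-sized slice (whole blob if shorter), so a
    packed section is found even when the headers and strings are plain."""
    starts = range(0, max(1, len(data) - window + 1), step)
    return max(shannon_entropy(data[i:i + window]) for i in starts)

def find_strings(data, needles):
    return {s.decode(): data.find(s) for s in needles if s in data}

def classify(data):
    """Mirror of: MZ header AND 2 ransom-note strings AND (CryptoAPI name OR packed)."""
    notes, apis = find_strings(data, NOTE_STRINGS), find_strings(data, API_STRINGS)
    entropy = max_window_entropy(data)
    is_pe = data[:2] == b"MZ"
    verdict = is_pe and len(notes) >= 2 and (bool(apis) or entropy > ENTROPY_PACKED)
    return {"verdict": verdict, "is_pe": is_pe, "notes": sorted(notes),
            "apis": sorted(apis), "max_entropy": round(entropy, 2)}

# --- constructed inputs -----------------------------------------------------
_rng = random.Random(7)
def _noise(n):
    """Deterministic high-entropy filler standing in for a packed section."""
    return bytes(_rng.getrandbits(8) for _ in range(n))

_pe_header = b"MZ" + b"\x90" * 510
# "encryptor": PE stub, ransom-note strings, no CryptoAPI imports, packed payload
FAKE_ENCRYPTOR = (_pe_header
                  + b"\x00akira_readme.txt\x00.akira\x00vssadmin.exe delete shadows /all /quiet\x00"
                  + b"\x00" * 256 + _noise(6000))
# analyst write-up quoting the note: right strings, wrong file type
ANALYSIS_REPORT = (b"Akira drops akira_readme.txt and appends .akira; the note "
                   b"opens with 'your files are encrypted'. ") * 40
# packed but string-free binary: must not match on entropy alone
PACKED_UNRELATED = _pe_header + _noise(8000)

if __name__ == "__main__":
    for label, blob in (("encryptor", FAKE_ENCRYPTOR), ("report", ANALYSIS_REPORT),
                        ("packed-unrelated", PACKED_UNRELATED)):
        print(label, classify(blob))
```

The report blob is the false positive a strings-only rule produces on every incident write-up stored on a file server, and the packed-unrelated blob is what a generic "high entropy PE" rule fires on for every installer; requiring all three legs is what keeps the rule usable at fleet scale.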

For current samples, refer to: Current Samples
For updated indicators of compromise: Current IOCs
For general information: Akira Overview