Akira - Protection Guide

Last updated: 2026-04-21

Akira Ransomware Protection Guide

Attack Vectors to Block

Akira ransomware primarily enters networks through these vectors. Implement layered controls to block each method.

Phishing Emails with Malicious Attachments

  • Akira distributors use phishing emails containing weaponized documents (PDF, Word, Excel) or archive files (ZIP, RAR) that download and execute the ransomware payload. Block at the email gateway by:
    • Quarantining emails with executable attachments (.exe, .scr, .js, .vbs, .ps1) or archive files containing executables.
    • Enabling real-time attachment sandboxing for all incoming documents and archives.
    • Blocking emails from suspicious or newly registered domains with low reputation scores.

Exploitation of Public-Facing Vulnerabilities

  • Akira operators scan for and exploit vulnerabilities in VPN appliances (especially those without multi-factor authentication), remote desktop services (RDP), and other internet-facing systems. Block by:
    • Implementing a vulnerability management program to patch critical external-facing systems within 48 hours of update availability.
    • Placing all remote access services behind a VPN gateway with strict MFA enforcement and disabling direct RDP/SSH access from the internet.
    • Using a web application firewall (WAF) to block exploit attempts against public web servers.

Compromised Credentials & Lateral Movement

  • Following initial access, attackers use stolen local administrator credentials and tools like PsExec for lateral movement. Block by:
    • Implementing Credential Guard on Windows endpoints to protect credential hashes.
    • Restricting lateral movement by enforcing network segmentation and firewall rules that block SMB (ports 445, 139) and RPC traffic between workstation subnets.
    • Deploying a privileged access management (PAM) solution to manage and monitor local administrator account usage.

Email Security Configuration

Configure your email security gateway with these specific rules to intercept Akira phishing attempts.

Attachment Filtering Policy

  1. Create a rule to block the following attachment types outright:
    • .exe, .scr, .msi, .bat, .cmd, .ps1, .vbs, .js, .jse, .wsf
  2. Create a rule to quarantine for inspection the following archive and document types, especially if they contain macros or embedded objects:
    • .zip, .rar, .7z, .iso, .img
    • .pdf, .doc, .docm, .docx, .xls, .xlsm, .xlsx
    • Enable and configure dynamic file analysis (sandboxing) for all quarantined attachments to detonate and analyze behavior before release.
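
The policy above can be expressed as a small classifier. The following Python is an added example written for this guide (it is not code from any vendor gateway) that applies the block, quarantine and allow decisions to a list of attachments, opens ZIP archives in memory to catch executables hidden inside them, and treats a malformed file that merely claims to be a .zip as something to quarantine. The sample attachments and their contents are constructed for the demonstration; the extension lists are the ones given in steps 1 and 2.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extension lists taken from the guide's attachment filtering policy.
BLOCK_EXTENSIONS = {".exe", ".scr", ".msi", ".bat", ".cmd", ".ps1",
                    ".vbs", ".js", ".jse", ".wsf"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".iso", ".img"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx"}


def _extension(name):
    # Only the final suffix counts, so "invoice.pdf.exe" is an .exe, and the
    # comparison is case-insensitive so "INVOICE.EXE" is caught too.
    return PurePosixPath(name).suffix.lower()


def classify_attachment(filename, content=None):
    """Return 'block', 'quarantine' or 'allow' for a single attachment.

    ZIP archives are opened in memory and blocked outright if any member has
    a blocked extension. Archives that cannot be inspected here (.rar, .7z,
    .iso, .img, or a malformed .zip) and Office/PDF documents are quarantined
    so the sandbox can detonate them before release.
    """
    ext = _extension(filename)
    if ext in BLOCK_EXTENSIONS:
        return "block"
    if ext in ARCHIVE_EXTENSIONS:
        if ext == ".zip" and content is not None:
            try:
                with zipfile.ZipFile(io.BytesIO(content)) as archive:
                    if any(_extension(m) in BLOCK_EXTENSIONS
                           for m in archive.namelist()):
                        return "block"
            except zipfile.BadZipFile:
                # A file named .zip that is not a valid ZIP is itself suspicious.
                return "quarantine"
        return "quarantine"
    if ext in DOCUMENT_EXTENSIONS:
        return "quarantine"
    return "allow"


def _build_zip(members):
    # Helper that builds a small in-memory ZIP for the constructed samples.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed sample attachments; names and contents are made up.
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf.exe", b"MZ..."),
    ("Payment_Notice.docm", b"PK..."),
    ("purchase_order.zip", _build_zip({"purchase_order.pdf.js": b"WScript.Echo(1)"})),
    ("holiday_photos.zip", _build_zip({"beach.jpg": b"\xff\xd8\xff"})),
    ("agenda.txt", b"10:00 standup"),
]


def scan_attachments(attachments):
    """Apply the policy to every (filename, bytes) pair; returns name -> verdict."""
    return {name: classify_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:10s} {name}")
```

Running the module prints one verdict per sample: the double-extension executable and the ZIP carrying a .js are blocked, the macro-enabled document and the photo archive are quarantined for sandboxing, and the plain text file is allowed. Extending the inspection to .rar or .7z needs a third-party library, which is why those formats fall through to quarantine here.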

URL Defense & Link Rewriting

  1. Enable time-of-click URL analysis for all links within emails. This checks the destination reputation at the moment the user clicks.
  2. Implement safe link rewriting so all URLs pass through your secure proxy for logging and categorization checks.
  3. Block access to URL categories associated with malware hosting: “Malware,” “Newly Registered Domains,” “Parked Domains,” and “Suspicious.”

Sender Policy & Impersonation Protection

  1. Enforce strict DMARC, DKIM, and SPF policies to reject emails that fail domain alignment checks.
  2. Configure impersonation rules to flag or quarantine emails where the display name mimics an internal executive or vendor but originates from an external domain.
  3. Set a rule to tag all emails originating from outside your organization with a prominent external warning banner.
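
To make the alignment check in step 1 and the impersonation rule in step 2 concrete, here is an added Python example (written for this guide, not taken from any mail gateway product) that evaluates DMARC identifier alignment for a message given its SPF and DKIM results, applies the sender domain's published policy, and then applies a display-name impersonation rule on top. The internal domain list, executive names, message samples and policies are all constructed; the organizational-domain function is a deliberate simplification that takes the last two labels, whereas real DMARC evaluation consults the Public Suffix List.

```python
# Constructed reference data for a hypothetical organisation.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
EXECUTIVE_NAMES = {"jane doe", "john smith"}


def organizational_domain(domain):
    """Approximate the organizational domain as the last two labels.

    Simplification: real DMARC evaluation uses the Public Suffix List, so a
    name such as example.co.uk would need that list to be handled correctly.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' = strict (exact), 'r' = relaxed (same org)."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(msg, policy):
    """Return (dmarc_result, action) for one message.

    msg carries the RFC5322.From domain plus the SPF result and MAIL FROM
    domain, and the DKIM result and signing domain (d=). policy is the
    sending domain's DMARC record reduced to its p, aspf and adkim tags.
    """
    spf_ok = (msg.get("spf_result") == "pass" and
              is_aligned(msg.get("spf_domain"), msg["from_domain"], policy.get("aspf", "r")))
    dkim_ok = (msg.get("dkim_result") == "pass" and
               is_aligned(msg.get("dkim_domain"), msg["from_domain"], policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    action = {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p", "none"), "deliver")
    return "fail", action


def display_name_impersonation(display_name, from_domain):
    """True when an executive's name is used with a sender domain that is not ours."""
    name = " ".join(display_name.lower().split())
    return name in EXECUTIVE_NAMES and from_domain.lower() not in INTERNAL_DOMAINS


def triage(msg, policy):
    """Combine DMARC with the impersonation rule; returns (dmarc_result, action)."""
    result, action = evaluate_dmarc(msg, policy)
    if action == "deliver" and display_name_impersonation(msg.get("display_name", ""), msg["from_domain"]):
        action = "quarantine"
    return result, action


# Constructed samples: a legitimate message, a spoof of our domain, and an
# executive impersonation sent from a public mail provider.
LEGIT = {"display_name": "Jane Doe", "from_domain": "corp.example.com",
         "spf_result": "pass", "spf_domain": "bounce.example.com",
         "dkim_result": "pass", "dkim_domain": "example.com"}
SPOOF = {"display_name": "Accounts Payable", "from_domain": "example.com",
         "spf_result": "pass", "spf_domain": "mailer.unrelated-example.net",
         "dkim_result": "none", "dkim_domain": ""}
IMPERSONATION = {"display_name": "Jane  Doe", "from_domain": "gmail.com",
                 "spf_result": "pass", "spf_domain": "gmail.com",
                 "dkim_result": "pass", "dkim_domain": "gmail.com"}
OUR_POLICY = {"p": "reject", "aspf": "r", "adkim": "r"}
PROVIDER_POLICY = {"p": "none", "aspf": "r", "adkim": "r"}

if __name__ == "__main__":
    print(triage(LEGIT, OUR_POLICY))          # ('pass', 'deliver')
    print(triage(SPOOF, OUR_POLICY))          # ('fail', 'reject')
    print(triage(IMPERSONATION, PROVIDER_POLICY))  # ('pass', 'quarantine')
```

The third sample is the case step 2 exists for: the message is fully DMARC-authenticated by the public provider, so authentication alone delivers it, and only the display-name rule catches the executive impersonation.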

Endpoint Protection Tuning

Configure your endpoint detection and response (EDR) solution and application controls to detect and prevent Akira execution and post-exploitation activity.

Behavioral Detection Rules

Create or enable detection rules for these specific Akira behaviors:

  • Ransomware File Activity: Detect processes that rapidly encrypt files across multiple directories, especially those modifying file extensions to .akira or other new, consistent extensions. Monitor for high volumes of file I/O operations (read/write/delete) in a short timeframe.
  • Volume Shadow Copy Deletion: Create a high-severity alert for any process that executes command lines containing vssadmin delete shadows, wbadmin delete catalog, or bcdedit commands used to disable recovery.
  • Suspicious Process Chains: Alert on scripting engines (powershell.exe, wscript.exe, cscript.exe) spawning from Office applications (winword.exe, excel.exe) or archive utilities, which is indicative of macro or script-based payload delivery.
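
The second and third rules above are straightforward to express as matching logic over process-creation telemetry. The following Python is an added example written for this guide (not a rule export from any EDR product) that runs the shadow-copy/recovery-tampering patterns and the Office-or-archive-spawns-script-engine chain over a batch of events. The events are constructed in the shape a Sysmon Event ID 1 or EDR feed would provide; the list of archive utilities is an assumption, since the guide names only the scripting engines and Office applications. The first rule (rapid file encryption) needs file-event telemetry rather than process events and is not shown here.

```python
import re

# Constructed process-creation events; hosts, paths and command lines are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"host": "ws01", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Users\\a\\AppData\\Local\\Temp\\inv.ps1"},
    {"host": "fs02", "parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs02", "parent": "cmd.exe", "image": "bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "ws03", "parent": "7zFM.exe", "image": "wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\a\\AppData\\Local\\Temp\\order.js"},
    {"host": "ws04", "parent": "svchost.exe", "image": "wbadmin.exe",
     "cmdline": "wbadmin get versions"},
]

# High severity: command lines that delete shadow copies or the backup catalog,
# or disable Windows recovery, matching the patterns listed in the guide.
RECOVERY_TAMPER_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.IGNORECASE),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.IGNORECASE),
]

SCRIPT_ENGINES = {"powershell.exe", "wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe"}
ARCHIVE_TOOLS = {"7zfm.exe", "7zg.exe", "winrar.exe"}  # assumption: common archive GUIs


def evaluate_event(event):
    """Return a list of (severity, rule) findings for one process-creation event."""
    findings = []
    cmdline = event.get("cmdline", "")
    if any(p.search(cmdline) for p in RECOVERY_TAMPER_PATTERNS):
        findings.append(("high", "recovery_tampering"))
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    if image in SCRIPT_ENGINES and (parent in OFFICE_APPS or parent in ARCHIVE_TOOLS):
        findings.append(("medium", "script_engine_from_office_or_archive"))
    return findings


def scan_events(events):
    """Run every rule over a batch; returns (host, image, severity, rule) tuples."""
    return [(e["host"], e["image"], severity, rule)
            for e in events for severity, rule in evaluate_event(e)]


if __name__ == "__main__":
    for host, image, severity, rule in scan_events(SAMPLE_EVENTS):
        print(f"[{severity}] {host}: {image} -> {rule}")
```

The matching is done on the parent and image names only, so a production rule should also key on the full image path (a renamed copy of wscript.exe in a temp directory is still a scripting engine, and that is something command-line patterns alone will miss). The "wbadmin get versions" event shows why the patterns anchor on the destructive subcommand rather than the binary name: administrators run these tools legitimately.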

Application Control / Allowlisting

  1. Deploy a robust application control policy in “Audit” mode initially to build a baseline of legitimate executables, then transition to enforcement mode once the allowlist is complete.
  2. Create a default-deny rule for executable paths commonly abused by malware:
    • %AppData%, %LocalAppData%, %Temp%, C:\Windows\Temp\
    • Allow execution only from C:\Program Files, C:\Program Files (x86), and other authorized, write-protected directories.
  3. Explicitly block execution of living-off-the-land binaries (LOLBins) for non-administrative users where not required for business, such as:
    • powershell.exe (or restrict with constrained language mode)
    • certutil.exe (when used with -urlcache or -verifyctl flags for download)
    • wmic.exe
    • mshta.exe

Script Execution Restrictions

  1. In Group Policy or your endpoint management console, set the default behavior for script file execution:
    • Disable Windows Script Host (wscript.exe and cscript.exe) via GPO for standard user workstations if not required.
    • Configure PowerShell logging (ScriptBlock and Module logging) and send logs to your SIEM platform.
    • Set the PowerShell execution policy to Restricted or RemoteSigned via GPO. Execution policy is a safeguard against accidental script execution rather than a security boundary, since it can be overridden per process, so rely on the logging above and on application control for actual enforcement.

Network-Level Defenses

Block Akira’s command-and-control (C2) communication and prevent payload downloads at the network perimeter.

DNS Filtering & Sinkholing

  1. Configure your internal DNS resolvers or secure DNS service to block requests to known malicious and suspicious categories:
    • Malware, Botnets, Phishing, Newly Registered Domains, Dynamic DNS Providers.
  2. Integrate threat intelligence feeds containing Akira’s current C2 domains and IPs (see Current IOCs) into your DNS filtering solution for proactive blocking.
  3. Log all DNS queries and set alerts for endpoints making repeated queries for previously unseen domains that receive NXDOMAIN responses, which can indicate DGA (Domain Generation Algorithm) activity.
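
Steps 2 and 3 are both detections over resolver logs, so here is one added Python example (written for this guide, not part of any DNS filtering product) that parses a resolver log, reports clients whose distinct NXDOMAIN names within a sliding time window reach a threshold, and separately reports any query for a domain on a C2 blocklist. The log lines are constructed, and the blocklist entry c2-placeholder.example is a placeholder standing in for a real threat-intelligence feed; the window and threshold values are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: timestamp, client IP, queried name, response code.
# 10.0.5.23 shows a burst of random-looking NXDOMAIN names; 10.0.5.40 only typos.
SAMPLE_DNS_LOG = """\
2026-04-21T09:00:01 10.0.5.23 www.example.com NOERROR
2026-04-21T09:00:02 10.0.5.23 qzvkjtrpxa.net NXDOMAIN
2026-04-21T09:00:02 10.0.5.23 mwlrkdobvc.com NXDOMAIN
2026-04-21T09:00:03 10.0.5.23 tpxqaevnsl.info NXDOMAIN
2026-04-21T09:00:03 10.0.5.23 ykbdcgwzhu.org NXDOMAIN
2026-04-21T09:00:04 10.0.5.23 rjnfsoqeal.net NXDOMAIN
2026-04-21T09:00:04 10.0.5.23 c2-placeholder.example NOERROR
2026-04-21T09:00:10 10.0.5.40 wwww.example.com NXDOMAIN
2026-04-21T09:00:11 10.0.5.40 www.example.com NOERROR
2026-04-21T09:07:00 10.0.5.40 intranet.examle.com NXDOMAIN
"""

# Placeholder standing in for a threat-intelligence feed of Akira C2 domains.
C2_BLOCKLIST = {"c2-placeholder.example"}


def parse_dns_log(text):
    """Parse the four-column log into (timestamp, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((datetime.fromisoformat(ts), client,
                        qname.lower().rstrip("."), rcode.upper()))
    return records


def find_dga_suspects(records, window=timedelta(minutes=5), threshold=5):
    """Return {client: peak_count} for clients whose distinct NXDOMAIN names
    inside any single window of the given length reach the threshold."""
    failures = defaultdict(list)
    for ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            failures[client].append((ts, qname))
    suspects = {}
    for client, events in failures.items():
        events.sort()
        peak = 0
        # Slide a window starting at each failure and count distinct names in it.
        for i, (start, _) in enumerate(events):
            names = {q for t, q in events[i:] if t - start <= window}
            peak = max(peak, len(names))
        if peak >= threshold:
            suspects[client] = peak
    return suspects


def match_blocklist(records, blocklist):
    """Return (client, qname) pairs for queries that hit the C2 blocklist."""
    return [(client, qname) for _, client, qname, _ in records if qname in blocklist]


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("DGA suspects:", find_dga_suspects(recs))
    print("Blocklist hits:", match_blocklist(recs, C2_BLOCKLIST))
```

Counting distinct names rather than raw NXDOMAIN responses matters: a misconfigured client retrying one dead hostname generates many failures for a single name, whereas a DGA produces many different names, which is what separates 10.0.5.23 from 10.0.5.40 in the sample.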

Web Proxy / Gateway Filtering

  1. Enforce SSL/TLS inspection for all outbound traffic to categories like “Unknown,” “Suspicious,” and “Newly Registered Domains” to inspect encrypted C2 traffic.
  2. Block user access to file-sharing and free web-hosting services (e.g., Pastebin, anonymous file upload sites) commonly used for second-stage payload downloads.
  3. Create an outbound firewall rule to block common C2 ports used by Akira variants, including but not limited to ports 80, 443, 8080, and 8443, when destined for IP addresses on threat intelligence blocklists.

Internal Network Segmentation & Firewall Rules

  1. Segment your network to restrict workstation-to-workstation communication. Workstations should only communicate with designated domain controllers, file servers, and application servers.
  2. Implement egress firewall rules on all endpoints (via host-based firewall) to deny outbound connections from non-browser processes to the internet, unless explicitly allowed for approved software updates.
  3. Monitor for and alert on large volumes of SMB traffic (port 445) originating from a single host, which may indicate Akira attempting to encrypt files on network shares.

User Awareness Training Points

Incorporate these specific points into your security awareness program to help users recognize and avoid Akira delivery methods.

Spotting Akira Phishing Lures

  • Urgent Financial Themes: Emails pressuring you to open an attachment related to an “invoice,” “payment notice,” “purchase order,” or “financial report” require extra scrutiny. Verify via a known, separate contact method.
  • Spoofed Senders: Train users to hover over sender email addresses to check the actual domain. Emails pretending to be from a colleague or manager but from a public domain (e.g., gmail.com, outlook.com) are a major red flag.
  • Attachment Warnings: Reinforce that they must never enable macros in documents emailed from an external source. If a document asks to “Enable Content” or “Enable Editing,” it is likely malicious. Report such emails immediately.

Safe Handling of Files & Links

  • Verify Before Opening: Instruct users to contact the supposed sender by phone or Teams/Slack if they receive an unexpected file, even from a known contact, to confirm legitimacy.
  • Use Official Sources: Never download software, drivers, or “updates” from links provided in emails or pop-up ads. Always go directly to the vendor’s official website.
  • Report Immediately: Make the process for reporting suspicious emails (using the “Report Phishing” button) or unexpected pop-ups simple and well-known. Emphasize that reporting is a positive action.

Recognizing Post-Infection Symptoms

  • While prevention is key, users should be told to immediately report any of the following, which may indicate ransomware activity:
    • Unusual file extensions (like .akira) appearing on their files.
    • A ransom note file (often named README.txt, DECRYPT-FILES.html, etc.) appearing on their desktop or in folders.
    • Messages on their screen claiming their files are encrypted.
    • Disabled or non-functioning antivirus software.

For detailed information on Akira’s methods, refer to the Akira Overview. For the latest threat indicators to add to your security tools, consult the Current IOCs. Understanding its Distribution Methods will further strengthen your defensive posture.