Akira Ransomware Removal Guide
Signs of Infection
Akira ransomware infection manifests through distinct system and network artifacts. Immediate identification is critical for containment.
File System Artifacts:
- Files across the system, particularly in user document directories, network shares, and backup locations, will have the `.akira` extension appended to their original filenames (e.g., `document.pdf.akira`).
- A ransom note named `akira_readme.txt` is dropped in affected directories. This file contains payment instructions and contact details, typically a Tor negotiation site.
- Look for suspicious executable files in temporary directories (`%TEMP%`, `C:\Windows\Temp\`) with random alphanumeric names. Akira may also drop or use legitimate system tools like `PsExec.exe` or `vssadmin.exe` for lateral movement and shadow copy deletion.
- Check for the creation of new, hidden files or directories, which may serve as staging areas for the ransomware payload.
Process & System Behavior:
- Unusual spikes in CPU or disk activity from processes with nonsensical or misspelled names mimicking system processes.
- The ransomware attempts to stop security services and processes related to backups, databases, and security software using commands like `net stop` or `sc config`.
- Use of the Volume Shadow Copy Service deletion command: `vssadmin delete shadows /all /quiet`.
- Failed attempts to access administrative shares or services from unauthorized user contexts.
Network Indicators:
- Outbound connections to suspicious IP addresses or domains associated with Akira command-and-control (C2) servers. These often use non-standard ports.
- Increased network traffic to internal file servers or backup appliances preceding encryption.
- Attempts to communicate with known ransomware affiliate infrastructure, often via HTTPS or custom protocols on ports 443, 8080, or 8443.
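The following PowerShell function is an added triage example, not code from the original guide. It is read-only: it counts `.akira` files and `akira_readme.txt` notes under the paths you give it, shows which directories encryption has progressed furthest in, and hashes recently created executables in the temp directories named above so the hashes can be compared against the IOC list and kept with the evidence. It assumes an elevated PowerShell 5.1 or later session on the suspect host; the default `$Paths`, `$RecentHours` and the extension list are choices made for this example.

```powershell
function Find-AkiraArtifacts {
    [CmdletBinding()]
    param(
        # Example defaults: the user profile and the two temp locations the guide names.
        [string[]]$Paths = @("$env:USERPROFILE", "$env:TEMP", 'C:\Windows\Temp'),
        [int]$RecentHours = 48
    )

    $cutoff = (Get-Date).AddHours(-$RecentHours)

    # Encrypted files carry the appended .akira extension; the ransom note has a fixed name.
    $encrypted = foreach ($p in $Paths) {
        Get-ChildItem -LiteralPath $p -Recurse -Force -File -Filter '*.akira' -ErrorAction SilentlyContinue
    }
    $notes = foreach ($p in $Paths) {
        Get-ChildItem -LiteralPath $p -Recurse -Force -File -Filter 'akira_readme.txt' -ErrorAction SilentlyContinue
    }

    # Recently created executables/scripts in the temp directories, hashed for IOC comparison.
    $tempDirs = @("$env:TEMP", 'C:\Windows\Temp')
    $recentBinaries = foreach ($d in $tempDirs) {
        Get-ChildItem -LiteralPath $d -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { ($_.Extension -in '.exe', '.dll', '.ps1', '.bat') -and ($_.CreationTime -ge $cutoff) } |
            ForEach-Object {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Created = $_.CreationTime
                    SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                }
            }
    }

    # Directories holding the most encrypted files show where encryption went furthest.
    $hotDirs = $encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
        Select-Object -First 10 -Property Count, @{ n = 'Directory'; e = { $_.Name } }

    [pscustomobject]@{
        EncryptedFileCount = @($encrypted).Count
        RansomNoteCount    = @($notes).Count
        RansomNotePaths    = @($notes | Select-Object -ExpandProperty FullName)
        HottestDirectories = @($hotDirs)
        RecentTempBinaries = @($recentBinaries)
    }
}

# Run from an elevated prompt on the isolated host; add -Paths to include mapped shares.
$report = Find-AkiraArtifacts
$report | Format-List
```

Nothing is deleted by this scan; the `RecentTempBinaries` hashes and `RansomNotePaths` feed the Preserve Evidence step, and the report can be re-run after cleanup to confirm the counts stay at zero.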
Immediate Containment Steps
Within the first 15 minutes of detection, take these steps to prevent spread and data loss.
- Isolate the Affected System(s):
  - Disconnect the infected machine from the network immediately, both wired and wireless. If a host-based firewall is accessible, block all inbound and outbound traffic.
  - If the infection is on a critical server, power it down if safe to do so, but note that this may destroy volatile forensic data. Isolating via network controls is preferable when possible.
  - Identify and isolate other systems that have recently communicated with the infected host, as Akira spreads via compromised credentials and lateral movement tools.
- Identify and Terminate Malicious Processes:
  - On the isolated machine, use a trusted command-line tool or process explorer from a clean USB drive if necessary.
  - Look for and terminate processes related to the ransomware payload. Common indicators include processes with high file system I/O, names located in `%TEMP%`, or names that are random strings.
  - Do not terminate processes related to critical system functions. Focus on unknown executables.
- Secure Credentials:
  - Priority 1: Immediately reset passwords for any local or domain administrative accounts known to be stored on or used from the compromised system. Assume credentials are compromised.
  - Priority 2: Revoke and reissue Kerberos Ticket Granting Tickets (TGTs) for all potentially affected accounts by forcing a Kerberos reset in the domain environment.
  - Priority 3: Audit recent logon events for the compromised host and other high-value targets to identify lateral movement attempts.
- Preserve Evidence:
  - Take forensic images of memory (if possible) and disk from a sample of infected systems before remediation.
  - Capture network traffic logs (PCAPs) from switches or firewalls showing communication to and from the infected host.
  - Do not delete the ransom note or encrypted files yet, as they may be needed for analysis.
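For the logon audit in Secure Credentials Priority 3, here is an added PowerShell example (not tooling from the original guide). It reads Security events 4624 (successful logon) and 4625 (failed logon) from the look-back window, keeps the network and RemoteInteractive logon types that lateral movement relies on, and summarises them per account and source address so unexpected administrator logons from workstations stand out. It assumes an elevated session (the Security log is not readable otherwise) and that logon auditing is enabled; `$Hours` is an arbitrary default.

```powershell
function Get-RecentLogonSummary {
    [CmdletBinding()]
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 4625            # successful and failed logons
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = [int]$data['LogonType']
            SourceIp  = $data['IpAddress']
            Process   = $data['ProcessName']
        }
    }

    # Type 3 (network: SMB, PsExec-style service installs) and type 10 (RDP) are the
    # logon types lateral movement produces; console logons (type 2) are less relevant here.
    $remote = $rows | Where-Object {
        ($_.LogonType -in 3, 10) -and $_.SourceIp -and ($_.SourceIp -ne '-')
    }

    $remote | Group-Object Account, SourceIp | ForEach-Object {
        $g = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Account   = $g[0].Account
            SourceIp  = $g[0].SourceIp
            Successes = @($g | Where-Object EventId -eq 4624).Count
            Failures  = @($g | Where-Object EventId -eq 4625).Count
            FirstSeen = $g[0].Time
            LastSeen  = $g[-1].Time
        }
    } | Sort-Object Failures, Successes -Descending
}

# Run on the compromised host and on each high-value target; a burst of failures followed
# by a success from the same source is the password-guessing pattern to escalate on.
Get-RecentLogonSummary -Hours 24 | Format-Table -AutoSize
```

The same query run on a domain controller gives the domain-wide view; the Kerberos reset in Priority 2 is a separate directory operation that this example does not perform.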
Manual Removal Process
This process should be performed on an isolated system, preferably from a clean boot environment or safe mode with networking disabled.
Step 1: Terminate Malicious Processes
- Open the Task Manager or a trusted process management tool.
- Sort processes by CPU, Memory, or Disk I/O. Identify any unknown processes, especially those with random names or located in temporary folders.
- Right-click and select “End task” or use the command `taskkill /f /im [ProcessName].exe` for each malicious process.
Step 2: Remove Persistence Mechanisms
Akira commonly establishes persistence via the Windows Registry Run keys or scheduled tasks.
- Open the Registry Editor (`regedit`).
- Navigate to and inspect the following keys for suspicious entries:
  - `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run`
  - `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
  - `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
- Delete any entries pointing to suspicious files in `%TEMP%`, `%APPDATA%`, or unfamiliar locations.
- Open Task Scheduler and review recently created tasks. Look for tasks with random names or triggers set to run at system startup/user logon. Delete any tasks associated with the malware.
Step 3: Delete Dropped Files
- Navigate to and delete the ransom note file (`akira_readme.txt`).
- Clear temporary directories:
  - Open Run (Win + R), type `%TEMP%` and delete all contents.
  - Also clear `C:\Windows\Temp\`.
- Search for and delete the primary ransomware executable. It is often found in `%APPDATA%`, `%LOCALAPPDATA%`, or the root of the `C:\` drive with a random name. Use file creation timestamps to aid identification.
- Remove any dropped legitimate tools (like `PsExec.exe`) if they were not previously on the system.
Step 4: Clean Registry Entries (Advanced)
Beyond persistence keys, check for other modifications.
- In Registry Editor, check `HKEY_CLASSES_ROOT` for any new file associations related to the `.akira` extension and remove them.
- Search the registry for the names of identified malicious files or C2 domains and remove any matching entries. Exercise extreme caution when deleting registry keys.
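To make Steps 2 and 4 repeatable, here is an added PowerShell audit example (not code from the original guide). It is read-only: it lists every value under the three Run/RunOnce keys, every scheduled task action, and any `HKEY_CLASSES_ROOT\.akira` association, and sets `Flagged` on entries that point into `%TEMP%`, `%APPDATA%`, `%LOCALAPPDATA%`, `C:\Windows\Temp`, `C:\Users\Public` or the drive root, or on tasks registered within the last `$RecentDays`. Deletion stays a manual decision after review. It assumes an elevated session; the risky-directory list and `$RecentDays` are choices made for this example.

```powershell
function Get-PersistenceAudit {
    [CmdletBinding()]
    param([int]$RecentDays = 14)

    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Directories a legitimate autostart entry rarely lives in (example list).
    $riskyRoots = @(
        [Environment]::ExpandEnvironmentVariables('%TEMP%'),
        [Environment]::ExpandEnvironmentVariables('%APPDATA%'),
        [Environment]::ExpandEnvironmentVariables('%LOCALAPPDATA%'),
        'C:\Windows\Temp',
        'C:\Users\Public'
    )
    function Test-RiskyPath([string]$command) {
        $expanded = [Environment]::ExpandEnvironmentVariables($command)
        foreach ($r in $riskyRoots) { if ($expanded -like "*$r*") { return $true } }
        # A bare executable in the drive root (e.g. C:\abc123.exe) is also unusual.
        return [bool]($expanded -match '(?i)^"?[a-z]:\\[^\\]+\.(exe|dll|bat|ps1|vbs|js)\b')
    }
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # Step 2: Run / RunOnce values.
    $runEntries = foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }
            [pscustomobject]@{
                Source  = 'Registry'
                Key     = $k
                Name    = $p.Name
                Command = [string]$p.Value
                Flagged = Test-RiskyPath ([string]$p.Value)
            }
        }
    }

    # Step 2: scheduled tasks, flagging recent registration or a risky action path.
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    $taskEntries = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $t = $_
        $created = $null
        if ($t.Date) { $created = [datetime]$t.Date }
        foreach ($a in $t.Actions) {
            $cmd = ('{0} {1}' -f $a.Execute, $a.Arguments).Trim()
            if (-not $cmd) { continue }      # non-exec (COM handler) actions have no command
            $isRecent = $created -and ($created -ge $cutoff)
            [pscustomobject]@{
                Source  = 'Task'
                Key     = $t.TaskPath
                Name    = $t.TaskName
                Command = $cmd
                Flagged = ($isRecent -or (Test-RiskyPath $cmd))
            }
        }
    }

    # Step 4: a file association registered for the .akira extension.
    $assoc = $null
    $akiraKey = 'Registry::HKEY_CLASSES_ROOT\.akira'
    if (Test-Path $akiraKey) {
        $assoc = [pscustomobject]@{
            Source  = 'Registry'
            Key     = 'HKEY_CLASSES_ROOT\.akira'
            Name    = '(Default)'
            Command = [string](Get-ItemProperty -Path $akiraKey).'(default)'
            Flagged = $true
        }
    }

    @($runEntries) + @($taskEntries) + @($assoc | Where-Object { $_ })
}

# Flagged entries first; review each before removing it in regedit or Task Scheduler.
Get-PersistenceAudit | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

Save the output before deleting anything so the post-reboot run in Verifying Removal can be diffed against it.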
Verifying Removal
After manual cleanup, confirm the system is clean before reconnecting it to the network.
- System and Log Scans:
  - Perform a full system scan with an updated endpoint detection and response (EDR) solution or anti-malware tool.
  - Review Windows Event Logs, specifically Security (Event ID 4688 for process creation) and System logs, for any recurring malicious activity in the minutes after cleanup.
  - Use a dedicated rootkit scanner to check for kernel-level persistence.
- File System Verification:
  - Confirm no new files with the `.akira` extension are being created.
  - Verify that the ransomware executable and associated files in temporary folders do not reappear.
  - Monitor critical directories (like network shares) for unexpected file modification events.
- Network Traffic Monitoring:
  - Before full network reintegration, reconnect the host to an isolated, monitored VLAN segment.
  - Use a network monitoring tool or SIEM platform to watch for any outbound connection attempts to known Akira C2 IPs or domains (refer to Current Akira IOCs).
  - Ensure there is no anomalous traffic on common ransomware ports (e.g., 443, 8080, 8443) to external IPs.
- Persistence Check:
  - Reboot the system and check the Run registry keys and scheduled tasks again to ensure malicious entries have not been recreated.
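For the Event ID 4688 review under System and Log Scans, here is an added PowerShell example (not code from the original guide). It sweeps process-creation events logged since cleanup for the commands this guide associates with Akira (`vssadmin delete shadows`, `net stop`, `sc config`) and for executables launched from temp or profile directories. The pattern matching is a separate function, so the same regular expressions can be reused in the SIEM alert described later under Monitoring & Policy Updates. It assumes an elevated session and that process-creation auditing with command-line logging is enabled (otherwise 4688 events carry no `CommandLine` field and only the image path is matched); the pattern names, `$SinceMinutes` and the sample command lines are constructed for this example.

```powershell
$script:AkiraCommandPatterns = @(
    @{ Name = 'ShadowCopyDeletion'; Regex = '(?i)\bvssadmin(\.exe)?\s+delete\s+shadows' },
    @{ Name = 'ServiceStop';        Regex = '(?i)\bnet1?(\.exe)?\s+stop\s+\S' },
    @{ Name = 'ServiceReconfig';    Regex = '(?i)\bsc(\.exe)?\s+config\s+\S' },
    @{ Name = 'TempExecution';      Regex = '(?i)\\(Temp|AppData\\(Roaming|Local))\\[^"\s]*\.exe\b' }
)

function Get-AkiraCommandMatches {
    # Returns the names of every pattern the command line matches (empty array if none).
    param([string]$CommandLine)
    @($script:AkiraCommandPatterns | Where-Object { $CommandLine -match $_.Regex } | ForEach-Object { $_.Name })
}

function Get-SuspiciousProcessEvents {
    [CmdletBinding()]
    param([int]$SinceMinutes = 60)

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddMinutes(-$SinceMinutes) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

        # Fall back to the image path when command-line logging is off.
        $text  = if ($data['CommandLine']) { $data['CommandLine'] } else { $data['NewProcessName'] }
        $rules = Get-AkiraCommandMatches -CommandLine $text
        if ($rules.Count -eq 0) { continue }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            Rules   = ($rules -join ',')
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Parent  = $data['ParentProcessName']
            Process = $data['NewProcessName']
            Command = $data['CommandLine']
        }
    }
}

# Constructed sample command lines (not real telemetry) showing what each pattern matches.
$samples = @(
    'vssadmin delete shadows /all /quiet',
    'net stop "SQL Server (MSSQLSERVER)" /y',
    'sc config WinDefend start= disabled',
    'C:\Users\alice\AppData\Local\Temp\x7f3k2.exe',
    'C:\Windows\System32\svchost.exe -k netsvcs'
)
foreach ($s in $samples) { '{0,-20} {1}' -f ((Get-AkiraCommandMatches $s) -join ','), $s }

# Live sweep of the last hour on the cleaned host.
$hits = @(Get-SuspiciousProcessEvents -SinceMinutes 60)
if ($hits.Count -eq 0) { 'No matching process creation events since cleanup.' } else { $hits | Format-Table -AutoSize }
```

The first four samples each match exactly one rule and the `svchost.exe` line matches none; a clean host should report no hits in the window after cleanup, and any hit with a `Parent` in a temp directory means the payload is still present.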
Post-Removal Security Hardening
To prevent reinfection and strengthen defenses against Akira and similar ransomware:
- Attack Vector Mitigation:
  - Credential Hygiene: Enforce strong, unique passwords and implement multi-factor authentication (MFA) for all administrative accounts, VPN access, and critical services (e.g., RDP, email). Use a privileged access management solution.
  - Patch Management: Prioritize patching for known vulnerabilities in VPN appliances (like Fortinet, Cisco), Microsoft Exchange, and other internet-facing services that Akira actors exploit for initial access.
  - Restrict Lateral Movement: Implement network segmentation to limit traffic between workstations and servers. Restrict the use of administrative shares and tools like PsExec to specific administrative jump hosts.
- Configuration Changes:
  - Disable unnecessary services and protocols, especially Server Message Block (SMB) v1 and legacy RPC services where possible.
  - Harden endpoints by restricting PowerShell execution through Constrained Language Mode and logging all PowerShell script block activity.
  - Use application whitelisting or a robust EDR solution to prevent execution of binaries from `%TEMP%`, `%APPDATA%`, and other high-risk directories.
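The following PowerShell function is an added example (not from the original guide) that applies three of the Configuration Changes above and reports the resulting state: it disables SMBv1, turns on PowerShell script block logging, and enables process-creation auditing with command lines so that 4688 events carry the data the `vssadmin delete shadows` alert needs. It assumes an elevated session on Windows 10 / Server 2016 or later and an English-locale `auditpol`. Constrained Language Mode and application whitelisting are deliberately left out: both are enforced through a WDAC or AppLocker policy, which this snippet does not deploy.

```powershell
function Set-RansomwareBaseline {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # 1. Disable SMBv1 on the server side and remove the optional feature where present.
    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }

    # 2. Log every PowerShell script block (event 4104 in Microsoft-Windows-PowerShell/Operational).
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if ($PSCmdlet.ShouldProcess($sbl, 'Enable script block logging')) {
        New-Item -Path $sbl -Force | Out-Null
        Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
    }

    # 3. Audit process creation and include the command line in Security event 4688.
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    if ($PSCmdlet.ShouldProcess('Process Creation auditing', 'Enable with command line')) {
        auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null
        New-Item -Path $audit -Force | Out-Null
        Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
    }

    # Report the effective settings so the change can be verified (and audited later).
    [pscustomobject]@{
        SMB1Enabled            = (Get-SmbServerConfiguration).EnableSMB1Protocol
        ScriptBlockLogging     = (Get-ItemProperty -Path $sbl -ErrorAction SilentlyContinue).EnableScriptBlockLogging
        CmdLineInProcessEvents = (Get-ItemProperty -Path $audit -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
    }
}

# -WhatIf lists the changes without applying them; drop it to apply.
Set-RansomwareBaseline -WhatIf
```

In a domain these three settings belong in Group Policy rather than a per-host script; the function is useful for a single rebuilt host and for confirming that the policy actually landed.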
- Monitoring & Policy Updates:
  - Create specific SIEM alerts for the deletion of Volume Shadow Copies (`vssadmin delete shadows`), mass file renames to `.akira`, and the creation of `akira_readme.txt` files.
  - Update email filtering policies to block attachments commonly used for phishing (`.iso`, `.lnk`, `.js`) and enable macro security controls in Office documents.
  - Implement and test a robust, immutable backup strategy. Ensure backups are stored offline or in a logically separated, write-protected environment and are tested regularly for restoration.
- User Awareness:
  - Conduct regular training focused on identifying phishing attempts, which are a common initial vector for Akira.
  - Establish and communicate clear reporting procedures for suspected security incidents.
For more information on Akira’s behavior, see the Akira Overview. For the latest indicators, consult Current Akira IOCs. To understand how security products detect this threat, review the Detection Rate.