Akira Ransomware Hijacks Victim’s Remote Management Tool

Summary
– Barracuda’s Managed XDR team stopped an Akira ransomware attack that exploited legitimate tools like Datto RMM and backup agents to avoid detection.
– The attackers used a Living Off The Land (LOTL) approach, leveraging pre-installed tools to execute the attack without triggering security alerts for new software.
– They ran a PowerShell script with system privileges and bypassed safety checks, then placed disguised files in trusted directories and manipulated registry settings.
– The ransomware began encrypting files with the .akira extension after stopping the Volume Shadow Copy Service, but XDR’s custom encryption rule detected it instantly and isolated the device.
– The incident highlights the need for full XDR coverage across all systems to detect versatile threats early and the importance of post-attack steps like device isolation and threat rollbacks.
A recent incident involving Akira ransomware highlights a sophisticated cyberattack where hackers cleverly used an organization’s own trusted remote management software to carry out their scheme. Security experts from Barracuda successfully stopped the attack, which was designed to look like normal IT operations, thereby avoiding early detection. This case underscores the growing threat of attackers using legitimate tools already present in a network.
The assault began early in the morning, strategically timed during a national holiday when staffing might be lower. The criminals, using the adaptable Akira ransomware platform, first compromised a domain controller, a vital server that manages network access. This server happened to have the Datto remote monitoring and management (RMM) tool installed. The attackers employed a Living Off The Land (LOTL) strategy, meaning they leveraged existing, authorized software instead of introducing new, easily spotted malware.
They specifically targeted the RMM tool’s console, combining it with backup agents already on the system. This approach allowed them to execute their plan without triggering security warnings that typically accompany new software installations or unusual behavior.
The attack sequence started when the intruders used the Datto RMM to remotely deploy and run a PowerShell script. The script was launched with an ‘execution policy bypass’ (PowerShell’s -ExecutionPolicy Bypass switch), which skips the script-signing policy that would otherwise stop an unsigned script from running. Because the RMM agent runs with system-level privileges, so did the script, giving the attackers total control over the server.
Soon after, encoded PowerShell commands activated other tools, and several unfamiliar executable files were placed within trusted Windows folders to avoid raising alarms. These files included disguised scripts, a utility for changing firewall settings, and another hidden in an unusual directory, likely a temporary storage area set up by the attackers. They also modified registry entries to help remain undetected and to disable certain security protections.
A few minutes before file encryption started, the attackers halted the Volume Shadow Copy Service (VSSVC.exe) on the domain controller. While this action can occur during standard IT maintenance, in ransomware incidents it commonly precedes the deletion of the shadow copies that could otherwise be used to recover files. At 8:54 a.m., the ransomware began encrypting files, appending the .akira extension to them.
Fortunately, the domain controller was secured with Barracuda Managed XDR Endpoint Security. The moment the first file was encrypted, a custom encryption detection rule in the XDR system identified the activity. This led to the immediate isolation of the compromised device, effectively stopping the attack in its tracks.
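The chain described above (an RMM-launched PowerShell script with the execution policy bypassed, encoded PowerShell, the Volume Shadow Copy Service being stopped, and files renamed with the .akira extension) maps neatly onto a handful of endpoint telemetry checks. The following is an added example of that detection logic, not Barracuda’s XDR rule or Datto’s code: it runs over a few constructed process-creation and file-rename events, fires on the first .akira rename the way the article’s encryption rule did, and correlates the earlier preparatory stages. The event schema (ts, kind, parent, image, cmdline, old_path, new_path), the sample events, and the RMM agent process name `rmm_agent.exe` are all assumptions made for illustration.

```python
"""Detection logic for the LOTL ransomware chain described in the article.

Added example, not Barracuda's XDR rule or Datto's code. The event schema
and the sample telemetry below are constructed for illustration.
"""
import base64
import ntpath
import re
from datetime import datetime, timedelta

# Placeholder: the article does not name the RMM agent's process, so this is
# an assumption to be replaced with the real agent binary name on your fleet.
RMM_AGENTS = {"rmm_agent.exe"}
RANSOM_EXTENSIONS = {".akira"}

# -ExecutionPolicy Bypass (or its -ep short form) on the command line.
BYPASS_RE = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)
# -EncodedCommand and its short forms, followed by a base64 blob.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Stopping the Volume Shadow Copy Service via net/sc, or killing VSSVC.exe.
VSS_STOP_RE = re.compile(
    r"(?:\b(?:net|sc)(?:\.exe)?\s+stop\s+vss\b|taskkill\b.*\bvssvc\.exe)", re.I)

# Constructed sample telemetry in the order the article describes; the
# encoded payload is a harmless Get-Date so the decode step can be shown.
ENC = base64.b64encode("Get-Date".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"ts": "2025-01-01T08:41:10", "kind": "process", "parent": "rmm_agent.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\stage.ps1"},
    {"ts": "2025-01-01T08:42:05", "kind": "process", "parent": "powershell.exe",
     "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"ts": "2025-01-01T08:49:30", "kind": "process", "parent": "cmd.exe",
     "image": "net.exe", "cmdline": "net stop VSS"},
    {"ts": "2025-01-01T08:54:00", "kind": "rename",
     "old_path": "C:\\Shares\\finance\\q3.xlsx",
     "new_path": "C:\\Shares\\finance\\q3.xlsx.akira"},
    {"ts": "2025-01-01T08:54:01", "kind": "rename",          # benign rename
     "old_path": "C:\\Shares\\finance\\report.docx",
     "new_path": "C:\\Shares\\finance\\report_final.docx"},
]


def decode_encoded_command(blob):
    """-EncodedCommand payloads are base64 over UTF-16LE text; None if not."""
    try:
        return base64.b64decode(blob).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(events):
    """Return (stage, timestamp, detail) findings for one host, in event order."""
    findings = []
    for ev in events:
        ts = ev["ts"]
        if ev["kind"] == "process":
            cmd, image = ev["cmdline"], ev["image"].lower()
            is_ps = image.endswith("powershell.exe")
            if is_ps and ev["parent"].lower() in RMM_AGENTS and BYPASS_RE.search(cmd):
                findings.append(("rmm_spawned_bypass", ts, cmd))
            m = ENCODED_RE.search(cmd)
            if is_ps and m:
                decoded = decode_encoded_command(m.group(1)) or "<undecodable>"
                findings.append(("encoded_powershell", ts, decoded))
            if VSS_STOP_RE.search(cmd):
                findings.append(("vss_stopped", ts, cmd))
        elif ev["kind"] == "rename":
            # ntpath gives Windows semantics for the extension regardless of host OS.
            if ntpath.splitext(ev["new_path"])[1].lower() in RANSOM_EXTENSIONS:
                findings.append(("ransom_extension", ts, ev["new_path"]))
    return findings


def triage(events, window_minutes=30):
    """Correlate one host's findings into a verdict.

    A ransom-extension rename alone is enough to isolate (the first encrypted
    file, as in the article); otherwise two or more preparatory stages inside
    the window warrant investigation. Returns (verdict, sorted stage names).
    """
    first_seen = {}
    for stage, ts, _ in evaluate(events):
        first_seen.setdefault(stage, ts)      # keep the earliest time per stage
    stages = sorted(first_seen)
    if "ransom_extension" in first_seen:
        return "isolate", stages
    times = sorted(datetime.fromisoformat(t) for t in first_seen.values())
    if len(stages) >= 2 and times[-1] - times[0] <= timedelta(minutes=window_minutes):
        return "investigate", stages
    return "none", stages


if __name__ == "__main__":
    for stage, ts, detail in evaluate(SAMPLE_EVENTS):
        print(f"{ts} {stage:<20} {detail}")
    print("verdict:", triage(SAMPLE_EVENTS))
```

The stage names are deliberately generic: an RMM-spawned PowerShell with the execution policy bypassed is routine on many fleets, so on its own it is an investigation lead, while the rename to a known ransomware extension is the one signal worth an automatic isolation, which is the same trade-off the article’s custom encryption rule reflects.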
Important lessons from this event reveal that the attackers did not rely on advanced or novel malware. Instead, they exploited what was already available: the trusted Datto RMM and backup agents present on the network. Their actions closely mimicked legitimate backup processes, making the malicious activity appear routine. Akira ransomware demonstrates considerable ingenuity; its developers constantly change their methods, which helps them evade early detection because their actions do not always match known threat patterns.
To defend IT systems against such adaptable threats, comprehensive XDR coverage that spans endpoints, networks, servers, and cloud environments is essential. This provides security teams with complete visibility and the capability to identify and stop threats as early as possible in the attack sequence.
After neutralizing the threat, the Barracuda Managed XDR team collaborated with the client to execute a recovery plan. This involved isolating all affected devices across the organization, initiating rollbacks for all identified threats, and conducting a thorough sweep for any remaining indicators of compromise (IOCs). The team confirmed the success of the rollbacks and the stability of endpoints, restarting devices as needed. They also reviewed and helped strengthen the customer’s endpoint security policies following the incident. All response actions were validated using security orchestration, automation, and response (SOAR) playbooks.
By integrating with endpoint detection and response (EDR) systems, Managed XDR improves visibility into isolated systems and offers practical guidance for mitigation. Proactive threat hunting, supported by Managed XDR, assists in locating and removing persistence mechanisms before attackers can establish a long-term foothold.
Key tools and methods utilized in this attack revolved around the misuse of legitimate software, PowerShell execution with elevated privileges, and the strategic disabling of system services to enable ransomware deployment.
(Source: ITWire Australia)