4096 Shades of Blackmail: Anatomy of a New Ransomware in a World of Cyber Threats

How the virus manages to erase everything while the system is defenseless.

Experts have discovered two variants of the main Akira ransomware component: a smaller one (573 KiB) and a larger one (1,005 KiB). Both files are compiled with MSVC and use no obfuscation. Once launched, the malware encrypts valuable files on the victim's device and changes their extension to .akira. In every folder where encryption has taken place, a ransom note named akira_readme.txt is dropped. The text of this note is identical across all versions of the program, except for the unique code used to enter the chat with the attackers.

The program uses a 4,096-bit encryption key, which is embedded in base64 form in the smaller variant and as a raw binary blob in the larger one. Before encrypting files, Akira attempts to delete the Volume Shadow Copy snapshots on the device by launching a PowerShell process through WMI. The command used to delete the shadow copies is static, which makes it easy to detect.
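As an added illustration of that detection point (this code is not from the original post or from any Akira analysis), the following Python scans constructed process-creation events in the shape of Sysmon Event ID 1 fields and flags shadow-copy deletion, rating it highest when PowerShell is spawned by the WMI provider host (WmiPrvSE.exe), which is how a process created via WMI appears in telemetry. The command lines in the sample events and the regex patterns are generic, well-known shadow-copy deletion indicators and are assumptions; the post does not reproduce Akira's exact command.

```python
import re

# Constructed sample events (not real telemetry). Field names follow Sysmon
# Event ID 1; the command lines are generic shadow-copy deletion examples.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy '
                    '| ForEach-Object { $_.Delete() }"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Users"'},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
]

# Assumed indicator patterns for shadow-copy deletion (case-insensitive).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"win32_shadowcopy.*delete", re.I),
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]


def classify(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    cmd = event.get("CommandLine", "")
    if not any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
        return None
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    # PowerShell launched by the WMI provider host is the parent/child pairing
    # produced when a process is started through WMI, as described for Akira.
    if image.endswith("powershell.exe") and parent.endswith("wmiprvse.exe"):
        return "high"
    # Any other shadow-copy deletion is still worth an alert, at lower severity.
    return "medium"


def detect(events):
    """Return (index, severity) for every event that matches."""
    hits = []
    for i, event in enumerate(events):
        severity = classify(event)
        if severity:
            hits.append((i, severity))
    return hits


if __name__ == "__main__":
    for idx, sev in detect(SAMPLE_EVENTS):
        print(f"[{sev}] event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

In production the same logic would run over the endpoint's process-creation stream rather than a fixed list, and the parent-process check is what separates the WMI-launched pattern from an administrator running the same cmdlet interactively.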

The program also uses the Restart Manager API, which can close files that are currently held open by other applications. Through this API the ransomware shuts down processes that lock the files it wants to encrypt, so encryption can proceed. Notably, Akira does not end its Restart Manager sessions, so the session entries remain in the registry and provide valuable data for later forensic analysis.

An interesting detail is the creation and deletion of temporary files with the .arika extension, which is probably a typo on the part of the program's developers. These files may hold intermediate data related to the encryption process, although their exact purpose requires further research.

Security software should have no trouble detecting Akira, as the program leaves quite a lot of traces on the system, including static strings and the use of well-known APIs such as Restart Manager.
