Ransomware

Threat Assessment: Howling Scorpius (Akira Ransomware)

15 min read

Executive Summary

Emerging in early 2023, the Howling Scorpius ransomware group is the entity behind the Akira ransomware-as-a-service (RaaS), which has consistently ranked in recent months among the top five most active ransomware groups. Its double extortion strategy significantly amplifies the threat it poses. Unit 42 researchers have been monitoring the Howling Scorpius ransomware group over the past year.

Howling Scorpius targets small to medium-sized businesses in North America, Europe and Australia, across various sectors. Affected industries include education, consulting, government, manufacturing, telecommunications, technology and pharmaceuticals.

Our research reveals that Howling Scorpius maintains and operates encryptors for Windows and Linux operating systems. We identified variants specifically designed for ESXi hosts. In addition, our findings have shown that this group is actively upgrading and enhancing its tool set, thus posing a greater risk for organizations.

Palo Alto Networks customers are better protected against Akira ransomware from the Howling Scorpius ransomware group through the following products and services:

Cortex XDR and XSIAM
Cloud-Delivered Security Services for the Next-Generation Firewall, such as Advanced WildFire
Cortex Xpanse

The Unit 42 Incident Response team has responded to several Howling Scorpius ransomware incidents since the group first emerged in 2023. If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics	Cybercrime, Ransomware

Howling Scorpius Overview

First observed in March 2023 [PDF], Akira is a RaaS group we track as Howling Scorpius. This group employs a double extortion strategy, exfiltrating critical data from a network before executing its encryption process. This double extortion tactic allows the group to leak stolen data even if victims recover their systems without paying, maximizing the pressure to comply.

Howling Scorpius operates a Tor-based leak site for Akira ransomware. The group uses the site to list victims and exfiltrate stolen data if they refuse to comply with ransom demands.

The Akira leak site has a retro-green look. Howling Scorpius also operates a separate Tor-based negotiation site, which victims can access using a dedicated password provided by the group. Figure 1 shows a screenshot of the Akira ransomware leak site.

Screenshot of a computer screen displaying a message from a hacker group named "AKIRA" on a dark-themed interface with green text. The message warns the user about a cyber incident and provides instructions for mitigating damage, and mentions commands available in the interface. — Figure 1. Screenshot of the Akira Ransomware leak site in a Tor browser, from November 2024.

The Akira ransomware leak site displays a text-based console with a list of commands. The leaks command returns a list of victims who did not pay and includes links to download .torrent files. Viewers can then use these .torrent files to download the released data for those victims who did not pay their ransom.

This console also includes a news command that lists all compromised companies that it says date back as far as April 2023. The site describes the news command as “upcoming data releases,” and the results end with the most recent victims.

The group primarily targets small to medium-sized businesses across various regions and industries.

Targeted Regions

While Howling Scorpius has targeted organizations globally since 2023, the U.S. has emerged as the most affected country, according to Akira leak site data. Figure 2 highlights the top 10 affected countries based on this leak site data from March 2023-October 2024.

Figure 2. A column chart showing the countries impacted by Howling Scorpius from March 2023-October 2024.

Targeted Industries

Akira leak site data shows the group has impacted several industries, including manufacturing, professional and legal services, wholesale, retail and construction. Figure 3 shows the top 10 industries affected by this ransomware from March 2023-October 2024.

Bar chart showing the count of Akira ransomware incidents by industry. From highest to lowest: Manufacturing with 74, Financial & Legal Services with 39, Construction with 37, Wholesale and Retail with 36, High Technology with 36, Education with 26. Agriculture with 17. Media and Entertainment with 15, Transportation and Logistics with 14 and Telecoms with 12. — Figure 3. The distribution of the top 10 sectors affected by Howling Scorpius from March 2023-October 2024.

Technical Analysis of the Akira Ransomware Attack Lifecycle

Below is a technical analysis of Howling Scorpius operations mapped to the different stages of a cyberattack’s lifecycle.

Initial Access

Howling Scorpius affiliates employ various methods to gain initial access to organizations. These include exploiting vulnerable virtual private network (VPN) services that lack multi-factor authentication (MFA) using valid accounts, often purchased through initial access brokers on the dark web.

Affiliates also target external-facing services like Remote Desktop Protocol (RDP), and they conduct spear phishing campaigns.

Figure 4 shows an alert raised by Cortex XDR for an example of a remote service creation. This specific alert involves using a service component of PsExec named PSEXESVC.exe to run a process from a remote system.

A screenshot from Cortex XDR displaying a service start notification by a remote host, using PSExec.exe from the C:\WINDOWS directory, and statistics about its remote service activity listed under XDR Analytics BIOC. — Figure 4. Cortex XDR alert for remote service creation from an uncommon source.

The security community has documented Howling Scorpius exploiting vulnerabilities in Cisco products, such as CVE-2020-3259 and CVE-2023-20269.

Credentials Access

Local Credential Access Techniques

Howling Scorpius affiliates employ various credential access techniques to extract credentials for privilege escalation. Mimikatz and LaZagne are their primary tools.

Affiliates also often create a MiniDump of the LSASS process memory leveraging comsvcs.dll. Figure 5 shows an example of Cortex XDR detecting an example of comsvcs.dll used for this type of memory dump.

Alert icon with an "A" inside a pink triangle, indicating a security notification about a memory dump performed using comsvcs.dll on Lsass.exe, commonly associated with unauthorized access attempts. Below the icon is the file name "rundll32.exe" and a command line path for further technical details. — Figure 5. Cortex XDR detection alert of comsvcs.dll MiniDump of LSASS.

Kereberoasting

Howling Scorpius affiliates employ the Kerberoasting attack to achieve control over service accounts and exploit credentials stored in memory.

Extracting Credentials for Domain Control

The group’s affiliates focus on extracting credentials from the Active Directory database to pursue comprehensive domain control. They copy the SYSTEM registry hive and NTDS.dit file from the domain controller (DC) to obtain a complete listing of user accounts and their corresponding domain password hashes.

Exploiting Compromised vCenter Instances

In cases where affiliates compromise a vCenter instance, they will perform the following activities:

Shutting down the DC's virtual machine (VM)
Copying the DC's Virtual Machine Disk (VMDK) files to another VM they created beforehand
Extracting the NTDT.dit and SYSTEM registry hive files (as reported by Rewterz)

Persistence

Howling Scorpius affiliates created new domain accounts to establish persistence. These accounts give these affiliates another form of access that does not require them to deploy tools or malware on the targeted systems. In addition, CISA reported [PDF] that the affiliates created new administrative domain accounts named itadm.

Discovery and Lateral Movement

Howling Scorpius affiliates' lateral movement within compromised networks primarily involves exploiting remote services such as Remote Desktop Procol (RDP) and Server Message Block (SMB). The group also employs remote service creation and Windows Management Instrumentation (WMI) to further its reach.

These affiliates use network scanning tools like NetScan and Advanced IP Scanner to map the network and identify potential critical assets in the targeted organization for lateral movement. They also execute PowerShell and Windows Net Commands to query Active Directory for information on additional users and administrators.

Defense Evasion

Bring Your Own Driver

Howling Scorpius affiliates use tools that abuse the Zemana antimalware driver to terminate antimalware-related processes. Figure 6 below shows information from an alert raised in Cortex XDR for attempting to create the malicious Zemana driver.

Screenshot displaying a security alert from the Cortex XDR Agent. The alert is categorized as 'Behavioral Threat Protection' and details a 'Malicious driver creation attempt.' — Figure 6. Cortex XDR alert for the attempt to use the Zemana antimalware driver.

Anti Virus Disablement

Affiliates have also tried to disable Windows Defender Real-Time Protection using PowerShell, and they tried to uninstall the EDR agents installed on infected systems.

Bring Your Own VM

Affiliates sometimes create their own VMs. Within these VMs, they disable security tools. They then mount the hypervisor host's storage drives onto the VM, shutting down any processes using those files to unlock running VM files. After successfully mounting the drives and unlocking all targeted files, they execute the ransomware within the new VM (as reported by CyberCX), bypassing the host's security tools.

Exfiltration

Howling Scorpius affiliates usually exfiltrate data from compromised hosts using WinRAR and a combination of WinSCP, RClone and FileZilla, through the File Transfer Protocol (FTP). Below is an example of a data exfiltration attempt we observed:

"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -imon1 -- . "[REDACTED]\Company\[REDACTED]" [REDACTED]\Company\HR "[REDACTED]\Company\Human Resources Management - HR"

1	"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -imon1 -- . "[REDACTED]\Company\[REDACTED]" [REDACTED]\Company\HR "[REDACTED]\Company\Human Resources Management - HR"

Akira Ransomware Encryptors

This section details the different encryptors for Akira ransomware that Howling Scorpius uses for Windows and Linux operating systems.

Ransom Note

Upon successful encryption, Akira ransomware encryptors create a ransom note named akira_readme.txt that provides victims instructions for how to interact with the group. This file includes links to both the leak site and the negotiation site.

The file also contains a unique code that victims must enter on the negotiation site to facilitate communication with the attackers and potential ransom discussions. Figure 7 shows an example of the akira_readme.txt file.

Screenshot of a cyberattack ransom demand note displayed on a computer screen, featuring a block of text with various instructions and threats, including a link and an unique code for further actions. Two red boxes highlight the leak site address and then the negotiation site and the end user's unique code, with redactions as necessary. — Figure 7. An example of the akira_readme.txt file content.

Windows Variant

Execution

Upon execution, the Windows variant of the Akira ransomware encryptor will attempt to delete shadow copies using the following PowerShell command:

powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"

Command-Line Arguments

The Windows variant of the Akira ransomware encryptor uses the following command-line arguments:

-p\--encryption_path – Contains the root directory of the encryption process
-s\--share_file – Contains the targeted network drive path
-n\--encryption_percent – Controls the amount of data to be encrypted within each file
--fork – Creates a child process for the encryption process
-l – Writes the list of drives into the log file
-localonly – Prevents the encryption of remote drives
-e/–exclude – Contains files to exclude from the encryption process

Figure 8 below shows the Windows encryptor for the Akira ransomware detected and prevented by Cortex XDR.

Figure 8. Windows encryptor for Akira ransomware detected by Cortex XDR.

Encryption

Akira ransomware’s Windows variant uses a hybrid approach to encrypt data. It encrypts the content of the files using the ChaCha20 algorithm.

The threat then encrypts the ChaCha20 key using a hard-coded RSA public key. The encryptor supports full and partial encryption, controlled through the aforementioned command-line parameter.

Avast published a decryptor in June 2023 exploiting a vulnerability in Akira's encryption scheme. However, CyberCX found a sample in VirusTotal that revealed that Howling Scorpius had patched this vulnerability within three days of its public disclosure.

In February 2024, we identified updates in the Howling Scorpius codebase. These updates included implementing support for the KCipher2 algorithm alongside ChaCha20. Encrypted files would use the .akira extension.

The list of the targeted file extensions and excluded directories the Howling Scorpius Windows encryptor uses can be found in Appendix A.

The Megazord Variant

In August 2023, a new strain of ransomware called Megazord appeared. This strain, written in Rust, has a ransom note with content similar to that of Akira ransomware and points to the same negotiation site. This indicates Howling Scorpius is also the same group behind Megazord.

Besides being written in Rust, Megazord variants differ from Akira encryptors by the following characteristics:

Using a different file extension for encrypted files – .powerranges
Using a different name for the ransom note – powerranges.txt

In addition, Megazord encryptors execute several commands to terminate and stop a list of services and processes that could affect the encryption process. For the complete list of commands executed by Megazord encryptors, please view Appendix B.

The Megazord strain has a new layer of protection, requiring a password as an execution condition (defined by the –id command-line argument). Figure 9 demonstrates how Cortex XDR detects and prevents Megazord.

Figure 9. Megazord encryptor detected by Cortex XDR.

Updated Version

While looking for additional Megazord encryptors, we came across two samples that were compiled in March 2024, which had two new command-line arguments affecting the execution flow of the encryptor. The command-line argument –proc allows the attackers to turn off the termination of processes and services, and the –dirs command-line argument allows the attackers to ignore blocklisted directories.

Figure 10 shows the updated help menu from a Megazord sample.

Screenshot of a command-line interface tool named 'megazord' displaying its usage, options, and version number. The options include various settings like path starting, thread number, error logging, process percent, and directory skipping. — Figure 10. Megazord variant help menu.

The Possibility of Different Operators Sharing the Megazord Ransomware

Another unique sample we found differs primarily by its ransom note. This new ransom note raises the possibility that Megazord might not be exclusive to Howling Scorpius, although we cannot confirm this yet.

The new ransom note contains distinct language and a different means of communicating via Telegram, which hints at the involvement of a different threat actor. Figure 11 shows the new ransom note.

The image displays a text of a ransomware threat message stating that the sender has paralyzed the recipient's systems and offers two options: contacting authorities or resolving the problem privately. The message implies possession of the recipient's data and confidentiality unless contact is not established. Some of the information is redacted. — Figure 11. The new Megazord ransom note.

Linux/ESXi Variant

Based on the internal strings and naming conventions we observed in the Linux/ESXi variants of Akira ransomware, we assess that these samples were initially designed to run on ESXi systems. Some samples we encountered executed ESXCLI commands, strengthening our assessment. Figure 12 shows an example of an internal string found in one of the Linux/ESXi variants.

A screenshot of a line of code. A string in white and green characters on a black background. — Figure 12. An example of an internal string of Linux/ESXi samples.