Ransom.Win64.AKIRA.C

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {malware filepath}\Log-{current date and time}.txt → contains the malware execution logs
• {encrypted directory}\{random}.arika → deleted afterwards

It adds the following processes:

• powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"

Other Details

This Ransomware does the following:

• It uses the Windows Restart Manager API to close processes or shut down Windows services that may be keeping a file open and preventing encryption

It accepts the following parameters:

• -l → logs all the logical drives in the system
• -p, --encryption_path → specify a directory to be encrypted
• -s, --share_file → specify a shared folder to be encrypted
• -n, --encryption_percent → specify the percentage of data in each file that should be encrypted
• -localonly → used to only encrypt the affected system
• -e, --exclude → specify a directory that will not be encrypted
• -dellog → disables the malware logging

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• Full Encryption:
  • .4dd
  • .4dl
  • .abcddb
  • .abs
  • .abx
  • .accdb
  • .accdc
  • .accde
  • .accdr
  • .accdt
  • .accdw
  • .accft
  • .adb
  • .ade
  • .adf
  • .adn
  • .adp
  • .alf
  • .arc
  • .ask
  • .avdx
  • .avhd
  • .bdf
  • .bin
  • .btr
  • .cat
  • .cdb
  • .ckp
  • .cma
  • .cpd
  • .dacpac
  • .dad
  • .dadiagrams
  • .daschema
  • .db
  • .db-shm
  • .db-wal
  • .db2
  • .db3
  • .dbc
  • .dbf
  • .dbs
  • .dbt
  • .dbv
  • .dbx
  • .dcb
  • .dct
  • .dcx
  • .ddl
  • .dlis
  • .dp1
  • .dqy
  • .dsk
  • .dsn
  • .dtsx
  • .dxl
  • .eco
  • .ecx
  • .edb
  • .epim
  • .exb
  • .fcd
  • .fic
  • .fm5
  • .fmp
  • .fmp12
  • .fmpsl
  • .fol
  • .fp3
  • .fp4
  • .fp5
  • .fp7
  • .fpt
  • .frm
  • .gdb
  • .grdb
  • .gwi
  • .hdb
  • .his
  • .hjt
  • .ib
  • .icg
  • .icr
  • .idb
  • .ihx
  • .ini
  • .iso
  • .itdb
  • .itw
  • .jet
  • .jtx
  • .kdb
  • .kdb
  • .kexi
  • .kexic
  • .kexis
  • .lgc
  • .lut
  • .lwx
  • .maf
  • .maq
  • .mar
  • .mas
  • .mav
  • .maw
  • .mdb
  • .mdf
  • .mdn
  • .mdt
  • .mpd
  • .mrg
  • .mud
  • .mwb
  • .myd
  • .ndf
  • .nnt
  • .nrmlib
  • .ns2
  • .ns3
  • .ns4
  • .nsf
  • .nv
  • .nv2
  • .nvram
  • .nwdb
  • .nyf
  • .odb
  • .oqy
  • .ora
  • .orx
  • .owc
  • .p96
  • .p97
  • .pan
  • .pdb
  • .pdm
  • .pnz
  • .pvm
  • .qcow2
  • .qry
  • .qvd
  • .raw
  • .rbf
  • .rctd
  • .rod
  • .rodx
  • .rpd
  • .rsd
  • .sas7bdat
  • .sbf
  • .scx
  • .sdb
  • .sdc
  • .sdf
  • .sis
  • .spq
  • .sql
  • .sqlite
  • .sqlite3
  • .sqlitedb
  • .subvol
  • .te.tps
  • .temx
  • .tmd
  • .trc
  • .trm
  • .udb
  • .udl
  • .usr
  • .v12
  • .vdi
  • .vhd
  • .vhdx
  • .vis
  • .vmcx
  • .vmdk
  • .vmem
  • .vmrs
  • .vmsd
  • .vmsn
  • .vmx
  • .vpd
  • .vsv
  • .vvv
  • .wdb
  • .wmdb
  • .wrk
  • .xdb
  • .xld
  • .xmlff
• Partial Encryption:
  • Files with other extensions

It avoids encrypting files with the following strings in their file path:

• $Recycle.Bin
• $RECYCLE.BIN
• Boot
• ProgramData
• System Volume Information
• temp
• thumb
• tmp
• Trend Micro
• Windows
• winnt

It appends the following extension to the file name of the encrypted files:

• .akira

It drops the following file(s) as ransom note:

• {encrypted directory}\akira_readme.txt
  

It avoids encrypting files with the following file extensions:

• .dll
• .exe
• .lnk
• .msi
• .sys