Ransomware-as-a-Service (RaaS) malware changing tactics – again
Threat analysts at the cyber security firm Barracuda have noted a shift in tactics employed by the Akira ransomware-as-a-service operation. This shift involves moving away from custom malware tools to utilising living-off-the-land techniques. Barracuda’s Managed XDR team recently mitigated an Akira ransomware attack that attempted to evade detection by exploiting existing tools within the target’s infrastructure. Instead of deploying its own known arsenal, the attackers disguised their malicious activities as routine IT operations.
Akira has been known to target Australian organisations and recently exploited a vulnerability in SonicWall firewall devices. This latest shift in tactics increases the threat the group poses. In one incident observed by Barracuda, the threat actor chose to attack the victim’s network at 4 am on a public holiday, when the company was less active, to mask its activity. The Akira affiliate gained access to a domain controller and then pivoted to an instance of the Datto remote monitoring and management (RMM) tool already installed on that controller. The attackers used the Datto RMM to remotely push and execute a PowerShell script from a Temp folder, invoking it with an ‘execution policy bypass’ so that the host’s script-execution restrictions would not stop it.
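The pattern described above combines three signals a defender can look for in process-creation telemetry: an RMM agent as the parent of powershell.exe, an execution-policy bypass on the command line, and a script run from a Temp folder, all at an hour when nobody is watching. The following detection logic is an added example, not code from Barracuda or Datto. It assumes Sysmon-style event fields (UtcTime, ParentImage, Image, CommandLine), an assumed list of substrings that identify the RMM agent binary (replace with the name of the agent actually deployed), a constructed holiday calendar, and constructed sample events.

```python
"""Flag PowerShell launches matching the living-off-the-land pattern in the
Akira case: RMM agent -> powershell.exe with an execution policy bypass,
running a script from a Temp folder, outside normal working hours."""
import re
from datetime import datetime

# Assumed substrings identifying the RMM agent as the parent process.
# Adjust to the binary name of the agent deployed in your own estate.
RMM_PARENT_HINTS = ("datto", "centrastage")

# -ExecutionPolicy Bypass and the abbreviations PowerShell accepts for it.
BYPASS_RE = re.compile(r"-(?:ep|ex|exec|executionpolicy)[\s:]+bypass", re.I)
# A .ps1 script path that passes through a \Temp\ directory.
TEMP_PATH_RE = re.compile(r"\\temp\\[^\s\"']+\.ps1", re.I)
POWERSHELL_RE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:_ise)?\.exe$", re.I)

BUSINESS_START, BUSINESS_END = 7, 19   # hours treated as normal activity
HOLIDAYS = {"2024-06-10"}              # constructed public-holiday calendar

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-06-10 04:02:17", "Computer": "DC01",
     "ParentImage": r"C:\Program Files (x86)\CentraStage\CagService.exe",  # assumed agent path
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\maint.ps1"},
    {"UtcTime": "2024-06-11 10:15:42", "Computer": "WS07",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"UtcTime": "2024-06-11 14:30:05", "Computer": "WS07",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ep bypass -File C:\Users\admin\AppData\Local\Temp\fix.ps1"},
    {"UtcTime": "2024-06-11 09:00:00", "Computer": "WS07",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]


def reasons_for(event):
    """Return the list of indicators a single event matches (empty if none)."""
    if not POWERSHELL_RE.search(event.get("Image", "")):
        return []
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    when = datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")
    reasons = []
    if any(hint in parent for hint in RMM_PARENT_HINTS):
        reasons.append("spawned by RMM agent")
    if BYPASS_RE.search(cmd):
        reasons.append("execution policy bypass")
    if TEMP_PATH_RE.search(cmd):
        reasons.append("script in Temp folder")
    outside_hours = not (BUSINESS_START <= when.hour < BUSINESS_END)
    if outside_hours or when.weekday() >= 5 or when.strftime("%Y-%m-%d") in HOLIDAYS:
        reasons.append("outside business hours")
    return reasons


def analyze(events, min_indicators=2):
    """One finding per event that matches at least min_indicators indicators."""
    findings = []
    for ev in events:
        reasons = reasons_for(ev)
        if len(reasons) >= min_indicators:
            findings.append({"time": ev["UtcTime"], "host": ev.get("Computer", "?"),
                             "reasons": reasons, "cmd": ev.get("CommandLine", "")})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']}: {', '.join(f['reasons'])}\n    {f['cmd']}")
```

The threshold of two indicators keeps a lone after-hours PowerShell run from paging anyone, while the first sample event (all four indicators at 4 am on the holiday) and the third (bypass plus Temp script, but spawned by cmd.exe during the day) both surface for review. In production the same logic would read Sysmon or Windows Security 4688 events rather than the constructed list.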