misp-circl-feed/feeds/circl/misp/11879a3f-0ca4-491b-8774-d30496e66b34.json

{
"Event": {
"analysis": "0",
"date": "2024-04-19",
"extends_uuid": "",
"info": "OSINT - #StopRansomware: Akira Ransomware",
"publish_timestamp": "1713537225",
"published": true,
"threat_level_id": "2",
"timestamp": "1713537157",
"uuid": "11879a3f-0ca4-491b-8774-d30496e66b34",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:ransomware=\"Akira\"",
"relationship_type": "attributed-to"
},
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": false,
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:clear",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"/etc/passwd and /etc/shadow - T1003.008\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Local Groups - T1069.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Domain Groups - T1069.002\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:region=\"150 - Europe\"",
"relationship_type": "targets"
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:region=\"021 - Northern America\"",
"relationship_type": "targets"
},
{
"colour": "#064f00",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Domain Account - T1136.002\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
"relationship_type": ""
},
{
"colour": "#542f20",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Connection Proxy - T1090\"",
"relationship_type": ""
},
{
"colour": "#054100",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Archive via Utility - T1560.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Alternative Protocol - T1048\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Transfer Data to Cloud Account - T1537\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration to Cloud Storage - T1567.002\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Akira \u201cMegazord\u201d ransomware",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713535786",
"to_ids": true,
"type": "sha256",
"uuid": "d2000d00-7e54-47e9-ba5e-e54a4eb02412",
"value": "ffd9f58e5fe8502249c67cad0123ceeeaa6e9f69b4ec9f9e21511809849eb8fc"
},
{
"category": "Payload delivery",
"comment": "Akira \u201cMegazord\u201d ransomware",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713535786",
"to_ids": true,
"type": "sha256",
"uuid": "f6ef3696-7c8b-4714-9c4f-50b56bfbf829",
"value": "dfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198"
},
{
"category": "Payload delivery",
"comment": "Akira \u201cMegazord\u201d ransomware",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713535786",
"to_ids": true,
"type": "sha256",
"uuid": "88257fe4-748c-4cda-875f-23916b820f17",
"value": "131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07"
},
{
"category": "Payload delivery",
"comment": "Akira \u201cMegazord\u201d ransomware",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713535786",
"to_ids": true,
"type": "sha256",
"uuid": "f57a0494-4f22-4a97-8298-b6d2539741f4",
"value": "9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c"
},
{
"category": "Payload delivery",
"comment": "Akira \u201cMegazord\u201d ransomware",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713535786",
"to_ids": true,
"type": "sha256",
"uuid": "11f69897-e358-44e6-af5f-e1c278e4a432",
"value": "9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065"
},
{
"category": "Payload delivery",
"comment": "Akira \u201cMegazord\u201d ransomware",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713535786",
"to_ids": true,
"type": "sha256",
"uuid": "e38a9bc8-beb6-4311-980e-e873bb130d1a",
"value": "2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83"
},
{
"category": "Payload delivery",
"comment": "Akira \u201cMegazord\u201d ransomware",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713535786",
"to_ids": true,
"type": "sha256",
"uuid": "1c92905d-52ca-4f9d-b889-3f7684fadafd",
"value": "7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be"
},
{
"category": "Payload delivery",
"comment": "Akira \u201cMegazord\u201d ransomware",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713535786",
"to_ids": true,
"type": "sha256",
"uuid": "9799d2af-f8ef-450d-bc04-52a6c506247f",
"value": "95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a"
},
{
"category": "Payload delivery",
"comment": "Akira \u201cMegazord\u201d ransomware",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713535786",
"to_ids": true,
"type": "sha256",
"uuid": "ed04d950-33cf-4e50-81d8-1ab24133c212",
"value": "0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d"
},
{
"category": "Payload delivery",
"comment": "Akira \u201cMegazord\u201d ransomware",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713535786",
"to_ids": true,
"type": "sha256",
"uuid": "eece1583-0234-413c-9aee-ef64ef861f8e",
"value": "c9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0"
},
{
"category": "Payload delivery",
"comment": "Akira_v2 ransomware",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713535808",
"to_ids": true,
"type": "sha256",
"uuid": "e04f695f-19d0-4b28-a30e-2ac675fb3275",
"value": "3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75"
},
{
"category": "Payload delivery",
"comment": "Akira_v2 ransomware",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713535808",
"to_ids": true,
"type": "sha256",
"uuid": "cd05a941-ac8d-4925-8a26-bc26bce125d2",
"value": "0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c"
},
{
"category": "Payload delivery",
"comment": "Kerberos ticket dumping tool from LSA cache",
"deleted": false,
"disable_correlation": false,
"timestamp": "1713535932",
"to_ids": true,
"type": "sha256",
"uuid": "6295346b-a591-4f34-ba72-32ebf497eebd",
"value": "5e1e3bf6999126ae4aa52146280fdb913912632e8bac4f54e98c58821a307d32"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1713535646",
"uuid": "9bbb742f-79ca-4737-b0d6-4de8242d9497",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1713535646",
"to_ids": false,
"type": "filename",
"uuid": "21bd0034-3f09-43b0-8e66-281dd8b0840f",
"value": "w.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1713535449",
"to_ids": true,
"type": "sha256",
"uuid": "008dc099-bd74-485d-87c4-4ca12fb43c6a",
"value": "d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1713535643",
"uuid": "7eac0d90-3baa-4384-89e7-8ab1b4082a45",
"Attribute": [
{
"category": "Payload delivery",
"comment": "Akira ransomware encryptor",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1713535643",
"to_ids": false,
"type": "filename",
"uuid": "50b48349-34e7-42e9-843f-05f03c8ced87",
"value": "Win.exe"
},
{
"category": "Payload delivery",
"comment": "Akira ransomware encryptor",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1713535480",
"to_ids": true,
"type": "sha256",
"uuid": "516d18cd-5a17-45ee-b3b6-ae6a68caca0f",
"value": "dcfa2800754e5722acf94987bb03e814edcb9acebda37df6da1987bf48e5b05e"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1713535639",
"uuid": "ba84dd5c-fd5d-4f4c-a291-6e44b00920fa",
"Attribute": [
{
"category": "Payload delivery",
"comment": "Remote desktop application",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1713535639",
"to_ids": false,
"type": "filename",
"uuid": "e3aa9727-c542-482d-8e75-dd4f555da261",
"value": "AnyDesk.exe"
},
{
"category": "Payload delivery",
"comment": "Remote desktop application",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1713535534",
"to_ids": true,
"type": "sha256",
"uuid": "4d909c9b-a33c-4888-8e6b-7c4d8f9a5059",
"value": "bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1713535636",
"uuid": "a582f08b-7c1b-4ad7-94f5-a7acb1cf31ed",
"Attribute": [
{
"category": "Payload delivery",
"comment": "DLL file that assists with the execution of AnyDesk.exe",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1713535636",
"to_ids": false,
"type": "filename",
"uuid": "876d48e3-a269-4fcf-bbcf-51a7c99fef1f",
"value": "Gcapi.dll"
},
{
"category": "Payload delivery",
"comment": "DLL file that assists with the execution of AnyDesk.exe",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1713535558",
"to_ids": true,
"type": "sha256",
"uuid": "09e01632-2218-4b5b-841d-3e5a217f92e0",
"value": "73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1713535633",
"uuid": "d4c7f818-07be-453a-96ce-b374a3825340",
"Attribute": [
{
"category": "Payload delivery",
"comment": "Ngrok tool for persistence",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1713535633",
"to_ids": false,
"type": "filename",
"uuid": "b893fe3a-4c95-4aea-b74d-d53bfdbb10d6",
"value": "Sysmon.exe"
},
{
"category": "Payload delivery",
"comment": "Ngrok tool for persistence",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1713535587",
"to_ids": true,
"type": "sha256",
"uuid": "260c1896-0553-42b6-b198-f31cbf5fa0ae",
"value": "1b60097bf1ccb15a952e5bcc3522cf5c162da68c381a76abc2d5985659e4d386"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1713535624",
"uuid": "88d9fc05-545f-451e-a99b-2af32585fb30",
"Attribute": [
{
"category": "Payload delivery",
"comment": "Exfiltration tool",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1713535624",
"to_ids": false,
"type": "filename",
"uuid": "0e611022-ddd1-44a2-837e-1bb30ebcd65d",
"value": "Rclone.exe"
},
{
"category": "Payload delivery",
"comment": "Exfiltration tool",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1713535624",
"to_ids": true,
"type": "sha256",
"uuid": "cb0c25b5-9393-4c40-908c-55367eef9b07",
"value": "aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1713535725",
"uuid": "e943e329-04da-4aea-a5f4-859f8c84a69d",
"Attribute": [
{
"category": "Payload delivery",
"comment": "Network file transfer program",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1713535725",
"to_ids": false,
"type": "filename",
"uuid": "c888f1db-c32e-4861-b446-938df0e3fcee",
"value": "Winscp.rnd"
},
{
"category": "Payload delivery",
"comment": "Network file transfer program",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1713535714",
"to_ids": true,
"type": "sha256",
"uuid": "98cf9466-59b9-4e92-be5c-b47a5d05de52",
"value": "7d6959bb7a9482e1caa83b16ee01103d982d47c70c72fdd03708e2b7f4c552c4"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1713535747",
"uuid": "8ed3f91f-791d-4083-8a46-ec592ddbcb28",
"Attribute": [
{
"category": "Payload delivery",
"comment": "Network file transfer program",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1713535747",
"to_ids": false,
"type": "filename",
"uuid": "6570869d-6c88-423e-a52c-8c9a2a024a0b",
"value": "WinSCP-6.1.2-Setup.exe"
},
{
"category": "Payload delivery",
"comment": "Network file transfer program",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1713535747",
"to_ids": true,
"type": "sha256",
"uuid": "01703cbe-02c3-4d47-b51b-6e929d631b5d",
"value": "36cc31f0ab65b745f25c7e785df9e72d1c8919d35a1d7bd4ce8050c8c068b13c"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1713535878",
"uuid": "5599f040-73b7-4618-ba6c-9c2c23f1a364",
"Attribute": [
{
"category": "Payload delivery",
"comment": "Plaintext credential leaking tool",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1713535878",
"to_ids": true,
"type": "filename",
"uuid": "d3bfa14f-f351-4c42-9e2e-e7fc45d2e48a",
"value": "VeeamHax.exe"
},
{
"category": "Payload delivery",
"comment": "Plaintext credential leaking tool",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1713535878",
"to_ids": true,
"type": "sha256",
"uuid": "d5652a22-161a-41db-9d73-3550fa22155d",
"value": "aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1713535914",
"uuid": "df9d1ee9-238b-4491-bcdd-40fa61657594",
"Attribute": [
{
"category": "Payload delivery",
"comment": "PowerShell script for obtaining and decrypting accounts from Veeam servers",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1713535914",
"to_ids": true,
"type": "filename",
"uuid": "bccd5129-2df9-4dde-8aaa-539c42576b17",
"value": "Veeam-Get-Creds.ps1"
},
{
"category": "Payload delivery",
"comment": "PowerShell script for obtaining and decrypting accounts from Veeam servers",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1713535914",
"to_ids": true,
"type": "sha256",
"uuid": "cc4f3f2d-5106-4de1-beab-225fc127688b",
"value": "18051333e658c4816ff3576a2e9d97fe2a1196ac0ea5ed9ba386c46defafdb88"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1713535984",
"uuid": "7c43ff9e-266a-4125-a896-62ef58f30f16",
"Attribute": [
{
"category": "Payload delivery",
"comment": "OpenSSH Backdoor",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1713535984",
"to_ids": false,
"type": "filename",
"uuid": "c366a7d0-1c08-40ed-b470-56f74a4bafcc",
"value": "sshd.exe"
},
{
"category": "Payload delivery",
"comment": "OpenSSH Backdoor",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1713535974",
"to_ids": true,
"type": "sha256",
"uuid": "5ce8a0b0-29d7-479e-8968-1ee322b73acd",
"value": "8317ff6416af8ab6eb35df3529689671a700fdb61a5e6436f4d6ea8ee002d694"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1713536019",
"uuid": "b7a9a8c7-9e0a-4852-ae68-9df6ead658fb",
"Attribute": [
{
"category": "Payload delivery",
"comment": "Network scanner that scans IP addresses and ports",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1713536019",
"to_ids": true,
"type": "filename",
"uuid": "6392f02a-1a9a-460f-acba-c7db2d2e804a",
"value": "ipscan-3.9.1-setup.exe"
},
{
"category": "Payload delivery",
"comment": "Network scanner that scans IP addresses and ports",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1713536019",
"to_ids": true,
"type": "sha256",
"uuid": "c7422102-fe12-4fd3-9dc4-7a463fcb6782",
"value": "892405573aa34dfc49b37e4c35b655543e88ec1c5e8ffb27ab8d1bbf90fc6ae0"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1713536041",
"uuid": "31678fa1-a95a-486b-9477-0234282c2c00",
"Attribute": [
{
"category": "Payload delivery",
"comment": "Network file transfer program",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1713536041",
"to_ids": true,
"type": "filename",
"uuid": "bb3c4107-9e41-4d27-b60c-294bd98cb6fc",
"value": "winrar-x64-623.exe"
},
{
"category": "Payload delivery",
"comment": "Network file transfer program",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1713536041",
"to_ids": true,
"type": "md5",
"uuid": "ad3d4b28-cccb-450f-9ffe-adbec5962ee6",
"value": "7a647af3c112ad805296a22b2a276e7c"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Report object to describe a report along with its metadata.",
"first_seen": "2024-04-18T00:00:00+00:00",
"last_seen": "2024-04-18T00:00:00+00:00",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "8",
"timestamp": "1713536628",
"uuid": "dffcdd95-8a5f-4f4e-820d-b96fe13929b7",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2024-04-18T00:00:00+00:00",
"last_seen": "2024-04-18T00:00:00+00:00",
"object_relation": "link",
"timestamp": "1713536628",
"to_ids": false,
"type": "link",
"uuid": "6606746a-e024-4b4d-a8fe-14c9bbfcee3a",
"value": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2024-04-18T00:00:00+00:00",
"last_seen": "2024-04-18T00:00:00+00:00",
"object_relation": "summary",
"timestamp": "1713536628",
"to_ids": false,
"type": "text",
"uuid": "a6781a2c-7fe5-4e81-9ace-535be4a75fd8",
"value": "SUMMARY\r\n\r\nNote: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.\r\n\r\nThe United States\u2019 Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol\u2019s European Cybercrime Centre (EC3), and the Netherlands\u2019 National Cyber Security Centre (NCSC-NL) are releasing this joint CSA to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third party reporting as recently as February 2024.\r\n\r\nSince March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines. As of January 1, 2024, the ransomware group has impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds.\r\n\r\nEarly versions of the Akira ransomware variant were written in C++ and encrypted files with a .akira extension; however, beginning in August 2023, some Akira attacks began deploying Megazord, using Rust-based code which encrypts files with a .powerranges extension. Akira threat actors have continued to use both Megazord and Akira, including Akira_v2 (identified by trusted third party investigations) interchangeably.\r\n\r\nThe FBI, CISA, EC3, and NCSC-NL encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2024-04-18T00:00:00+00:00",
"last_seen": "2024-04-18T00:00:00+00:00",
"object_relation": "title",
"timestamp": "1713536628",
"to_ids": false,
"type": "text",
"uuid": "9b32b569-960f-47f6-a64b-f10d339b0469",
"value": "#StopRansomware: Akira Ransomware"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"first_seen": "2024-04-18T00:00:00+00:00",
"last_seen": "2024-04-18T00:00:00+00:00",
"object_relation": "type",
"timestamp": "1713536628",
"to_ids": false,
"type": "text",
"uuid": "f8ce43c8-9068-4ce0-b249-f4c2e5673232",
"value": "Alert"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2024-04-18T00:00:00+00:00",
"last_seen": "2024-04-18T00:00:00+00:00",
"object_relation": "case-number",
"timestamp": "1713536628",
"to_ids": false,
"type": "text",
"uuid": "335e410d-01f8-4608-9f07-2e10cc78ac70",
"value": "AA24-109A"
}
]
}
]
}
}