{
	"id": "a75238dc-5802-4b9b-8ed0-d6cc430c73d3",
	"created_at": "2026-04-06T00:14:16.944999Z",
	"updated_at": "2026-04-10T13:11:46.447484Z",
	"deleted_at": null,
	"sha1_hash": "390ecdbaf1ef6604d3cce92d5a48579ea9825566",
	"title": "Aki-RATs – Command and Control Party",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 118654,
	"plain_text": "Aki-RATs – Command and Control Party\r\nBy Intrinsec\r\nPublished: 2023-11-28 · Archived: 2026-04-05 21:09:49 UTC\r\n[Image: AkiRAT]\r\nContext\r\nDuring the first half of 2023, CERT Intrinsec handled several incidents involving the Akira ransomware group. Companies detected the ransomware’s presence either by reacting to alerts triggered by their security solutions or, in the worst case, by encountering encrypted files on servers.\r\nIn all cases involving Akira’s recent operations, CERT Intrinsec’s analysis showed that the attack was divided into 3 phases. During the first phase, Akira affiliates get into the network by leveraging stolen passwords or by exploiting the CVE-2023-20269 vulnerability (Cisco ASA and FTD), which allows them to conduct a brute-force attack on local passwords without being detected. They then perform discovery actions such as network or Active Directory scanning. They establish their persistence in the information system by installing remote access tools or by creating local and domain accounts.
At that point, affiliates move laterally, using Remote Desktop Protocol, to different parts of the infrastructure before collecting data, exfiltrating it with WinSCP or FileZilla, and deleting their tracks to avoid detection. The second phase lasts several days: affiliates stay stealthy. They might be studying exfiltrated data or assessing technical data collected from the information system. During the last phase, attackers come back to set up their last persistence points, disable protections, try to destroy backups and delete volume shadow copies before running their encryption binary on targeted servers.\r\nThis article presents the intrusion set involved in Akira’s operations handled by CERT Intrinsec, its tactics, techniques and procedures, as well as recommendations to follow in order to avoid facing such an incident.\r\nCERT Intrinsec presentation\r\nhttps://www.intrinsec.com/akira_ransomware/\r\nPage 1 of 21\n\nCERT Intrinsec is a French incident response team that performs its operations mainly in France. The team deals with about 50 major incidents per year and works to help its customers recover from cyber-attacks and strengthen their security. Since 2017, CERT Intrinsec has responded to hundreds of security breaches involving companies and public entities. The majority of those incidents are related to cybercriminality and ransomware attacks with financial objectives; hence, CERT Intrinsec follows those groups’ activities and generates comprehensive intelligence from the field. ANSSI (French Cybersecurity Agency) granted CERT Intrinsec the PRIS (State-Certified Security Incident Response Service Providers) certification.
The latter testifies that CERT Intrinsec meets specific incident response requirements, using dedicated procedures, qualified people and appropriate infrastructures. Should you need our expertise, Intrinsec provides Incident response \u0026 Crisis management services, Threat Intelligence services \u0026 data, IOC feeds, Detection services (SOC/MDR/XDR), supported by a large set of other services (pentests \u0026 audits, consulting, …).\r\nAkira Ransomware\r\nAkira ransomware is said to have started operating in March 2023 and to have targeted more than 140 organisations (according to its leak site). Just like many other ransomware families, Akira’s encryption binary deletes volume shadow copies, targets specific file extensions and skips files located in some directories (such as those containing system files). It seems that the encryption binary also shares obfuscation techniques with Conti ransomware. We can note that Akira appeared soon after the last operations spotted involving the Conti ransom gang. Akira’s intrusion set also shares many techniques with other Ransomware-as-a-Service (RaaS) actors: LSASS dumping for credential harvesting, creation of scheduled tasks to perform discovery actions, and usage of publicly available tools such as PCHunter64 or Advanced IP Scanner. They also heavily rely on the RDP protocol with administrator accounts for lateral movement and manage to disable common defenses such as Windows Defender.
Akira recently developed a Linux encryptor to encrypt ESXi virtual machines, but CERT Intrinsec has not observed this encryptor so far.\r\nThe Akira ransomware gang has claimed multiple victims from different countries, especially the United States of America, the United Kingdom of Great Britain and Northern Ireland and Canada. Even if manufacturing, education, construction, retail and consulting are subject to many attacks, Akira compromised information systems from a wide range of sectors and does not seem to target any of them specifically. CERT Intrinsec handled incident responses for which attacks were not claimed. This raises questions about the genuine motivations of the Akira ransomware gang.\r\nAkira Victimology\r\nVictim analysis shows that the majority of compromised companies are located in the USA (73%). The United Kingdom and Canada follow with respectively 7% and 5% of referenced victims.\r\nRegarding activity sectors, we have seen the following trends:\r\n14% of victims belong to the manufacturing sector\r\n11% to education\r\n9% to construction, and so on\r\nBasically, all sectors are represented, but in lower proportions.\r\nKey takeaways\r\nInvestigations performed during Akira operations highlight that affiliates will use as many legitimate and living-off-the-land tools as possible, possibly to ensure EDR solutions bypass. For example, in one single operation, we found at least 4 different command \u0026 control solutions, such as AnyDesk, TeamViewer, OpenSSH servers and MobaXterm.
Moreover, in the first phase of the adversary’s operations, we noticed the adversaries’ efforts to stay relatively stealthy. They managed to tunnel their outgoing traffic through Cloudflare infrastructure, performed common reconnaissance tasks from servers where the EDR solution was not deployed, and did not access critical, and more likely supervised, infrastructure such as domain controllers. They conscientiously explored available file servers and managed to compress then exfiltrate data. They split exfiltration into multiple steps, exfiltrating data from a server before moving to another one.\r\nThe third part of the operations, the encryption one, was marked by faster and “noisy” actions. Indeed, this phase took place in a few hours’ timeframe, during which they performed a new internal reconnaissance phase, moved laterally mainly to backup and virtualisation servers and finished by executing their encryption binary. Moreover, attackers performed many attempts to exfiltrate Active Directory information, performed multiple network scans with more or less success, even from EDR-monitored servers, and also relied on tools such as Impacket, which can leave lots of characteristic footprints.\r\nOperation timeline\r\nAll of Akira’s operations share a common characteristic: they took place in 3 different phases, from the start until the end of the attacks.\r\nThe first days of the intrusion are dedicated to ensuring persistence mechanisms on a few assets, performing initial internal discovery and managing to escalate privileges. Then we observed a pause in the operations.\r\nThe second phase is dedicated to valuable data identification, gathering and exfiltration.
We usually observed a pause of several days before the last phase.\r\nThe last phase, the encryption one, usually takes place during a short timeframe, within a few hours. Attackers manage to ensure their persistence on multiple assets, even if initial ones are already in place. They perform new network scans, probably to get the list of assets required by the encryption. Affiliates usually tried to delete backups before running the ransomware binary on as many assets as possible.\r\nThe following diagram shows these 3 steps:\r\n[Image: Attack path]\r\nAkira’s operation timeline\r\nTactics, techniques and procedures\r\nInitial Access\r\nTechnique | Technique ID\r\nExternal Remote Service | T1133\r\nValid Account: Domain Accounts | T1078.002\r\nAdversaries got into the network by leveraging compromised credentials of legitimate accounts and establishing VPN sessions using them. Some of these accounts might have been compromised well before the incident. In two cases, attackers exploited the CVE-2023-20269 vulnerability on a Cisco ASA VPN appliance.
This vulnerability allows an unauthenticated attacker to conduct a brute-force attack on any local account while bypassing the maximum number of attempts defined.\r\nIn order to avoid the use of legitimate accounts as initial access, CERT Intrinsec recommends to:\r\nEnsure that internet-facing solutions, such as VPN appliances, are patched in priority when security fixes are published by vendors\r\nEnforce Multi-Factor Authentication on VPN solutions\r\nApply the principle of least privilege when granting information system access to partners\r\nReview Active Directory objects on a regular basis to identify old, disabled or useless accounts\r\nEnforce a strong password policy\r\nRaise users’ awareness of phishing emails and password reuse\r\nEnsure that no account with administrative privileges can connect directly to the VPN solution\r\nExecution\r\nTechnique | Technique ID\r\nCommand and Scripting Interpreter: PowerShell | T1059.001\r\nCommand and Scripting Interpreter: Windows Command Shell | T1059.003\r\nWindows Management Instrumentation | T1047\r\nSystem Services: Service Execution | T1569.002\r\nAttackers leveraged PowerShell to execute commands to install Remote Server Administration Tools (RSAT-AD) and to list domain users, computers and trusts. To do so, they used the Get-ADUser and Get-ADComputer PowerShell cmdlets. They also created a new firewall rule to allow SSH traffic.
To perform discovery and persistence actions, attackers leveraged the Windows Command Shell as well as WMI via Impacket.\r\nTo spot PowerShell and Windows shell activities, you can implement the following measures:\r\nEnable PowerShell logging features (Transcript, ScriptBlockText, ConsoleHost_history)\r\nEnable Sysmon logging on devices\r\nMonitor equipment to detect execution actions, especially PowerShell and Windows Shell commands\r\nImprove detection means by building a Security Operations Center (SOC)\r\nPersistence\r\nTechnique | Technique ID\r\nCreate or Modify System Process: Windows Service | T1543.003\r\nExternal Remote Services | T1133\r\nCreate Account: Local Account | T1136.001\r\nCreate Account: Domain Account | T1136.002\r\nValid Accounts: Domain Accounts | T1078.002\r\nThey created multiple local and domain accounts, using the following Impacket commands, to make sure not to lose privileges if one of them is disabled or deleted.\r\ncmd.exe /Q /c net user [ADMIN_USER] '[PASSWORD]' /dom 1\u003e \\\\127.0.0.1\\ADMIN$\\__[TIMESTAMP] 2\u003e\u00261\r\ncmd.exe /Q /c net user [ADMIN_USER] '[PASSWORD]' /add 1\u003e \\\\127.0.0.1\\ADMIN$\\__[TIMESTAMP] 2\u003e\u00261\r\nAttackers compromised legitimate accounts as well.\r\nAs explained previously, attackers used a lot of legitimate remote administration tools to maintain persistence on the information system; they are usually configured as Windows Services.
To detect such actions, you can:\r\nList the legitimate remote administration tools used by your company, to easily spot those used by attackers\r\nRestrict the use of these tools as much as possible\r\nMonitor actions performed by administrative accounts\r\nMonitor suspicious Windows Service creations\r\nPrivilege Escalation\r\nTechnique | Technique ID\r\nValid Accounts: Domain Accounts | T1078.002\r\nValid Accounts: Local Accounts | T1078.003\r\nThroughout the operations, attackers compromised several accounts, many of them being privileged. They then used them to gain even more privileges. These accounts were:\r\nAdministrator accounts\r\nUnused administrator account\r\nAccount used on printers\r\nService provider account\r\nMonitoring account\r\nAccounting account\r\nDomain administrator account\r\nSeveral accounts were compromised throughout the operation.
It is possible to avoid such actions by implementing the following recommendations:\r\nKeep an inventory of accounts, especially administrative ones, up to date\r\nForbid RDP communication between equipment when it is not necessary\r\nDeploy Windows Credential Guard to protect credentials on systems\r\nUse dedicated administrative accounts to perform actions related to information system administration only\r\nDefense Evasion\r\nTechnique | Technique ID\r\nImpair Defenses: Disable or Modify System Firewall | T1562.004\r\nIndicator Removal: File Deletion | T1070.004\r\nModify Registry | T1112\r\nValid Accounts: Domain Account | T1078.002\r\nImpair Defenses: Disable or Modify Tools | T1562.001\r\nDuring operations, affiliates tried to impair defenses by either deleting evidence or avoiding detection. They actually removed part of their tools as well as the exfiltrated archives containing data.\r\nAfter creating a malicious account, affiliates modified the following registry key in order to hide this account from the logon screen.\r\ncmd.exe /Q /c reg add HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList /t REG_DWORD /v [USER] /d 0 /f 1\u003e \\\\127.0.0.1\\ADMIN$\\__[TIMESTAMP] 2\u003e\u00261\r\nThey created a rule to enable SSH traffic, as explained in the Persistence section, and they edited the SYSTEM hive to enable the RestrictedAdmin feature. The latter is a way to connect to a server without sending credentials to it.
It prevents administrative credentials from being exposed to an attacker who could leverage them to escalate privileges.\r\nThe command used to enable RestrictedAdmin is as follows:\r\ncmd.exe /Q /c reg add 'HKLM\\System\\CurrentControlSet\\Control\\Lsa' /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f\r\nFinally, attackers disabled the Windows Defender Real-Time Monitoring feature.\r\nIn order to slow down forensic investigations and avoid detection, attackers conducted multiple actions. It is possible to detect those actions and to lower their impact by implementing the following measures:\r\nCollect logs from all equipment and forward them to a central server dedicated to log storage\r\nMonitor firewall rule changes\r\nDiscovery\r\nTechnique | Technique ID\r\nAccount Discovery: Domain Account | T1087.002\r\nRemote System Discovery | T1018\r\nFile and Directory Discovery | T1083\r\nNetwork Service Discovery | T1046\r\nAs operations were under way, attackers kept looking for information on targeted systems. They used the network scanning tools Netscan and Advanced IP Scanner several times. They also browsed file servers, looking for interesting data to exfiltrate.
They used Impacket commands and the nltest built-in tool to perform some of their actions.\r\n$formatenumerationlimit = -1\r\nInstall-WindowsFeature RSAT-AD-PowerShell\r\nGet-ADUser -Filter * -Properties * | Select-Object Enabled, CanonicalName, CN, Name, SamAccountName, MemberOf, Company, Title, Description, Created, Modified, PasswordLastSet, LastLogonDate, logonCount, Department, telephoneNumber, MobilePhone, OfficePhone, EmailAddress, mail, HomeDirectory, homeMDB \u003e C:\\ProgramData\\AdUsers.txt\r\nGet-ADComputer -Filter * -Property * | Select-Object Enabled, Name, DNSHostName, IPv4Address, OperatingSystem, Description, CanonicalName, servicePrincipalName, LastLogonDate, whenChanged, whenCreated \u003e C:\\ProgramData\\AdComp.txt\r\nnltest /domaintrusts\r\nThe above commands perform the following actions:\r\nTell PowerShell to display all occurrences when formatting results\r\nInstall Remote Server Administration Tools\r\nList all Active Directory users with all their properties and select several of them to display\r\nList all Active Directory computers with all their properties and select several of them to display\r\nList the domain trusts\r\nAs discovery is often the first part of an intrusion set, it is crucial to detect it as early as possible to block subsequent phases of the attack.
To do so, you should:\r\nMonitor security event logs and network connections to spot network scan activities, account enumeration, etc.\r\nMonitor system activities to detect commands executed on remote hosts\r\nLateral Movement\r\nTechnique | Technique ID\r\nLateral Tool Transfer | T1570\r\nRemote Services: Remote Desktop Protocol | T1021.001\r\nRemote Services: SMB/Windows Admin Shares | T1021.002\r\nAttackers used lateral movement techniques to transfer their tools across the network, to connect to devices and to execute commands on remote hosts. They utilised remote administration shares (ADMIN$) to drop files on remote computers and connected via Remote Desktop Protocol to different servers to achieve their malicious actions. Besides, Impacket was used to execute commands on remote systems through the Windows Administration Share.\r\nMultiple hostnames were found as WorkstationName when attackers tried to authenticate to equipment:\r\nDESKTOP-3GCJKGQ\r\nWIN-KFUMVU06ESH\r\nWIN-OX9CQTDSEIK\r\nWIN-MV7S8OJTOIK\r\nHOST14872171171\r\nDESKTOP-KT76603\r\nAttackers leveraged local accounts as well, adding them to the Administrators and Remote Desktop Users groups using the net localgroup command:\r\nnet localgroup Administrators [USERNAME] /ADD\r\nnet localgroup 'Remote Desktop Users' [USERNAME] /add\r\nnet localgroup Administrators [USERNAME] /add 1\u003e \\\\127.0.0.1\\ADMIN$\\__[TIMESTAMP] 2\u003e\u00261\r\nnet localgroup Domain Admins [USERNAME] /add 1\u003e \\\\127.0.0.1\\ADMIN$\\__[TIMESTAMP] 2\u003e\u00261\r\nnet localgroup Remote Desktop Users [USERNAME] /add 1\u003e
\\\\127.0.0.1\\ADMIN$\\__[TIMESTAMP] 2\u003e\u00261\r\nThey also used the Enter-PSSession PowerShell command to start interactive sessions on remote devices and enable Remote Desktop Protocol, as shown below:\r\nEnter-PSSession -ComputerName [EQUIPMENT]\r\nnetsh advfirewall firewall add rule name=\"allow RemoteDesktop\" dir=in protocol=TCP localport=3389 action=allow\r\nDuring all operations, attackers easily moved from one piece of equipment to another, and from one domain to another, especially by leveraging network shares. To avoid such lateral movements, CERT Intrinsec recommends to:\r\nMonitor information systems to detect suspicious network share accesses (use of Impacket, network share scans, etc.)\r\nRestrict access to administrative shares as much as possible\r\nBuild efficient isolation procedures to isolate a piece of equipment, a VLAN or even the entire information system\r\nCollection\r\nTechnique | Technique ID\r\nArchive Collected Data: Archive via Utility | T1560.001\r\nTo reduce the size of the data to exfiltrate and to make the process more efficient, affiliates used the WinRAR utility to create archives containing stolen data.\r\nAs ransomware operators often target information about human resources, employees, projects, etc., it is very important to:\r\nIdentify sensitive data and its location, and encrypt it\r\nDeploy a Data Loss Prevention solution\r\nMonitor access to sensitive data\r\nCommand and Control
Technique | Technique ID\r\nApplication Layer Protocol: Web Protocols | T1071.001\r\nIngress Tool Transfer | T1105\r\nRemote Access Software | T1219\r\nExternal Remote Services | T1133\r\nApart from using AnyDesk, TeamViewer, OpenSSH and MobaXTerm as remote administration tools and Cloudflared to tunnel malicious traffic through the Cloudflare infrastructure, affiliates employed file.io, a file sharing service, to download their tools onto compromised systems. They also leveraged VPN accesses to conduct their activities on the network.\r\nYou can implement the following measures to detect command and control activities:\r\nMonitor systems and network traffic to identify suspicious file sharing websites or illegitimate cloud services\r\nInstall an Intrusion Prevention Solution to monitor traffic and find unusual remote hosts, flagged C2 domains/IP addresses/ports, etc.\r\nAnyDesk\r\nThe first way to perform command and control activities is the installation of AnyDesk, a remote desktop application. The software was downloaded from the file.io platform.
Several files related to the AnyDesk installation were discovered:\r\nC:\\Users\\[REDACTED]\\Downloads\\gcapi.dll\r\nC:\\Users\\[REDACTED]\\Downloads\\AnyDesk.exe\r\nC:\\Windows\\Temp\\gcapi.dll\r\nC:\\ProgramData\\gcapi.dll\r\nA service was also created to make sure that the persistence stays up:\r\nService Name | Command\r\nAnyDesk | C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe --service\r\nSSH Server\r\nAn SSH server was installed on several servers in order to maintain access to the information system by tunneling the adversaries’ traffic through an SSH session. OpenSSH was used to create this SSH server and to be able to connect to compromised systems. CERT Intrinsec found evidence of OpenSSH in many directories:\r\nC:\\Users\\[REDACTED]\\Downloads\\OpenSSH.msi\r\nC:\\Program Files\\OpenSSH\\sshd.exe\r\nC:\\Users\\[REDACTED]\\AppData\\Local\\Temp\\7\\[redacted]\\bin\\ssh.exe\r\nThe service runs sshd.exe:\r\nService Name | Command\r\nSSHD | C:\\Program Files\\OpenSSH\\sshd.exe\r\nA firewall rule enabling SSH traffic was created on servers as well: its display name is OpenSSH Server (sshd). The rule is enabled and allows inbound traffic for protocol TCP on port 22.\r\nNew-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22\r\nTeamViewer\r\nTeamViewer was installed to allow remote access to devices (C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe), as well as to ensure persistence on
them.\r\nMobaXTerm\r\nAttackers downloaded MobaXTerm, using an administrator account, on one of the domain controllers (C:\\Users\\[REDACTED]\\Downloads\\MobaXtermInstallerv23.2.zip).\r\nCloudflared\r\nAttackers installed Cloudflared, a utility used to create tunnels between compromised hosts and the Cloudflare solution. The command line to build a tunnel is as follows:\r\nregid.exe tunnel run --token [TOKEN]\r\nThey renamed the cloudflared binary to regid.exe to hide in plain sight.\r\nExfiltration\r\nTechnique | Technique ID\r\nExfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | T1048.002\r\nApplication Layer Protocol: File Transfer Protocol | T1071.002\r\nAfter creating archives containing collected files, affiliates used different software to exfiltrate several gigabytes of data: WinSCP and FileZilla.\r\nFileZilla’s recentservers.xml file stores connection information and is very important to identify where data has been sent.\r\n\u003c?xml version='1.0' encoding='UTF-8'?\u003e\r\n\u003cFileZilla3 version='3.64.0' platform='windows'\u003e\r\n    \u003cRecentServers\u003e\r\n
        \u003cServer\u003e\r\n            \u003cHost\u003e148[.]72.171.171\u003c/Host\u003e\r\n            \u003cPort\u003e22\u003c/Port\u003e\r\n            \u003cProtocol\u003e1\u003c/Protocol\u003e\r\n            \u003cType\u003e0\u003c/Type\u003e\r\n            \u003cUser\u003eAdministrator\u003c/User\u003e\r\n            \u003cLogontype\u003e2\u003c/Logontype\u003e\r\n            \u003cEncodingType\u003eAuto\u003c/EncodingType\u003e\r\n            \u003cBypassProxy\u003e0\u003c/BypassProxy\u003e\r\n        \u003c/Server\u003e\r\n    \u003c/RecentServers\u003e\r\n\u003c/FileZilla3\u003e\r\nFor the past few years, adversaries have heavily relied on cloud storage providers such as Mega or pCloud to store exfiltrated data. Akira’s operators behave slightly differently by uploading encrypted RAR archives directly to their own servers (a Windows workstation with the OpenSSH service installed on it). These servers are part of the same Autonomous System (30083 – AS-30083-GO-DADDY-COM-LLC), used throughout different operations.\r\nAs part of the double extortion strategy, attackers exfiltrate sensitive data from systems and threaten to publish it on their leak sites.
Therefore, it is crucial to:\r\nMonitor outgoing traffic (in terms of volume, IP reputation, time of communication, etc.)\r\nImprove the network logging policy to ensure evidence availability in case of an investigation\r\nImpact\r\nTechnique | Technique ID\r\nData Destruction | T1485\r\nData Encrypted for Impact | T1486\r\nInhibit System Recovery | T1490\r\nAttackers tried to delete Veeam backups by connecting to the management console and deleted Volume Shadow Copies using PowerShell commands:\r\npowershell.exe -Command Get-WmiObject Win32_Shadowcopy | Remove-WmiObject\r\nThey finally encrypted equipment on the information system, using an Akira encryption binary.\r\nTo prevent victims from recovering their data, ransomware operators try to locate backups so as to delete them prior to encrypting files.
To avoid this impact, CERT Intrinsec recommends to:\r\nDeploy a backup solution and test the restoration process on a regular basis\r\nKeep at least one copy of the backups outside the information system (offline or immutable)\r\nMonitor access to the backup infrastructure\r\nMITRE ATT\u0026CK Matrix\r\nTactic | Technique / Sub-technique | ID\r\nInitial Access | External Remote Services | T1133\r\nInitial Access | Valid Accounts: Domain Accounts | T1078.002\r\nInitial Access | Exploit Public-Facing Application | T1190\r\nExecution | Command and Scripting Interpreter: PowerShell | T1059.001\r\nExecution | Command and Scripting Interpreter: Windows Command Shell | T1059.003\r\nExecution | Windows Management Instrumentation | T1047\r\nExecution | System Services: Service Execution | T1569.002\r\nPersistence | Create or Modify System Process: Windows Service | T1543.003\r\nPersistence | External Remote Services | T1133\r\nPersistence | Create Account: Local Account | T1136.001\r\nPersistence | Create Account: Domain Account | T1136.002\r\nPersistence | Remote Access Software | T1219\r\nPrivilege Escalation | Valid Accounts: Domain Accounts | T1078.002\r\nPrivilege Escalation | Valid Accounts: Local Accounts | T1078.003\r\nDefense Evasion | Impair Defenses: Disable or Modify System Firewall | T1562.004\r\nDefense Evasion | Indicator Removal: File Deletion | T1070.004\r\nDefense Evasion | Modify Registry | T1112\r\nDefense Evasion | Valid Accounts: Domain Accounts | T1078.002\r\nDefense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001\r\nCredential Access | Brute Force | T1110\r\nCredential Access | Unsecured Credentials: Credentials In Files | T1552.001\r\nDiscovery | Account Discovery: Domain Account | T1087.002\r\nDiscovery | Remote System Discovery | T1018\r\nDiscovery | File and Directory Discovery | T1083\r\nDiscovery | Network Service Discovery | T1046\r\nLateral Movement | Lateral Tool Transfer | T1570\r\nLateral Movement | Remote Services: Remote Desktop Protocol | T1021.001\r\nLateral Movement | Remote Services: SMB/Windows Admin Shares | T1021.002\r\nCollection | Archive Collected Data: Archive via Utility | T1560.001\r\nCommand and Control | Application Layer Protocol: Web Protocols | T1071.001\r\nCommand and Control | Ingress Tool Transfer | T1105\r\nCommand and Control | Remote Access Software | T1219\r\nCommand and Control | External Remote Services | T1133\r\nExfiltration | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | T1048.002\r\nExfiltration | Application Layer Protocol: File Transfer Protocol | T1071.002\r\nImpact | Data Destruction | T1485\r\nImpact | Data Encrypted for Impact | T1486\r\nImpact | Inhibit System Recovery | T1490\r\nIndicators of Compromise\r\nHostname\r\nHostname | Comment\r\nDESKTOP-3GCJKGQ | Hostname used by attackers to connect to compromised infrastructure\r\nWIN-KFUMVU06ESH | Hostname used by attackers to connect to compromised infrastructure\r\nWIN-OX9CQTDSEIK | Hostname used by attackers to connect to compromised infrastructure\r\nWIN-MV7S8OJTOIK | Hostname used by attackers to connect to compromised infrastructure\r\nDESKTOP-KT76603 | Hostname used by attackers to connect to compromised infrastructure\r\nHOST14872171171 | Hostname used by attackers to connect to compromised infrastructure (name derived from 148[.]72.171.171)\r\nIP Addresses\r\nIP Address | AS | Location | Comment\r\n91[.]132.92.60 | 9009 – M247, RO | Denmark | Malicious VPN connections\r\n138[.]124.184.174 | 44477 – STARK-INDUSTRIES | United States | Malicious VPN connections\r\n148[.]72.168.13 | 30083 – AS-30083-GO-DADDY-COM-LLC | United States | Data exfiltration\r\n148[.]72.171.171 | 30083 – AS-30083-GO-DADDY-COM-LLC | United States | Malicious VPN connections and data exfiltration\r\n199[.]127.60.236 | 23470 – RELIABLESITE | United States | Malicious VPN connections\r\nServices\r\nName | Command | Comment\r\nAnyDesk | C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe --service | AnyDesk service\r\nSSHD | C:\\Program Files\\OpenSSH\\sshd.exe | OpenSSH server\r\nCommands\r\nCommand | Comment\r\nnet user [ADMIN_ACCOUNT] [PASSWORD] /dom | Creates or takes over a domain administrator account (as written, without /add, net user resets the password of an existing domain account)\r\nEnter-PSSession -ComputerName [HOSTNAME] | Starts an interactive PowerShell Remoting (WinRM) session on the remote server [HOSTNAME]\r\nnetsh advfirewall firewall add rule name='allow RemoteDesktop' dir=in protocol=TCP localport=3389 action=allow | Adds an inbound firewall rule allowing Remote Desktop Protocol (TCP/3389)\r\ncmd.exe /Q /c cd 1\u003e \\\\127.0.0.1\\ADMIN$\\__[TIMESTAMP] 2\u003e\u00261 | Initial cd command executed by the attackers; the output redirection to \\\\127.0.0.1\\ADMIN$\\__[TIMESTAMP] is the pattern produced by Impacket-style remote execution (wmiexec) and is a useful detection signature for every command below\r\ncmd.exe /Q /c net localgroup Administrators [USERNAME] /add 1\u003e \\\\127.0.0.1\\ADMIN$\\__[TIMESTAMP] 2\u003e\u00261 | Adds USERNAME to the local Administrators group\r\ncmd.exe /Q /c net localgroup Domain Admins [USERNAME] /add 1\u003e \\\\127.0.0.1\\ADMIN$\\__[TIMESTAMP] 2\u003e\u00261 | Adds USERNAME to the Domain Admins group\r\ncmd.exe /Q /c net localgroup Remote Desktop Users [USERNAME] /add 1\u003e \\\\127.0.0.1\\ADMIN$\\__[TIMESTAMP] 2\u003e\u00261 | Adds USERNAME to the Remote Desktop Users group\r\ncmd.exe /Q /c net user [USERNAME] [PASSWORD] /add 1\u003e \\\\127.0.0.1\\ADMIN$\\__[TIMESTAMP] 2\u003e\u00261 | Creates local user USERNAME with password [PASSWORD]\r\ncmd.exe /Q /c reg add HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList /t REG_DWORD /v [USERNAME] /d 0 /f 1\u003e \\\\127.0.0.1\\ADMIN$\\__[TIMESTAMP] 2\u003e\u00261 | Hides USERNAME from the logon screen\r\npowershell.exe -Command Get-WmiObject Win32_Shadowcopy | Remove-WmiObject | Removes Volume Shadow Copies\r\nRegistry Keys\r\nKey | Value | Data | Comment\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList | [USERNAME] | 0 | Key used to hide USERNAME from the logon screen\r\nFiles\r\nIOC | Value | Comment\r\nFileName | win.exe | Encryption binary\r\nFileName | akira_readme.txt | Akira ransom note\r\nFileName | WizTree.exe | WizTree (disk space analyzer)\r\nFileName | wiztree_4_14_portable.zip | WizTree (disk space analyzer)\r\nFileName | regid.exe | Cloudflare tunneling client\r\nFileName | cloudflared.exe | Cloudflare tunneling client\r\nFileName | Advanced_IP_Scanner.exe | Advanced IP Scanner (network scanner)\r\nFileName | advanced_ip_scanner_console.exe | Advanced IP Scanner (network scanner)\r\nFileName | Advanced_IP_Scanner_2.5.4594.1.exe | Advanced IP Scanner (network scanner)\r\nFileName | advanced_ip_scanner.exe | Advanced IP Scanner (network scanner)\r\nFileName | AdvancedPortScanner_2.5.3869.exe | Advanced Port Scanner (network scanner)\r\nFileName | netscan.zip | Netscan (network scanner)\r\nFileName | netscan.exe | Netscan (network scanner)\r\nFileName | XWinMobaX1.16.3.exe | MobaXterm (remote administration tool)\r\nFileName | AnyDesk.exe | AnyDesk (remote desktop software)\r\nFileName | TeamViewer.exe | TeamViewer (remote access software)\r\nFileName | OpenSSH.msi | OpenSSH installer\r\nFileName | sshd.exe | OpenSSH server\r\nFileName | filezilla_3.64.0_win64_sponsored-setup.exe | FileZilla (FTP/SFTP client)\r\nFileName | WinSCP.exe | WinSCP (SFTP client)\r\nFileName | WinSCP-5.21.8-Portable.zip | WinSCP (SFTP client)\r\nFileName | winrar-x64-621.exe | WinRAR (compression and archiving tool)\r\nSources\r\nhttps://twitter.com/MalGamy12/status/1651972583615602694\r\nhttps://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/\r\nhttps://www.bleepingcomputer.com/news/security/linux-version-of-akira-ransomware-targets-vmware-esxi-servers/\r\nhttps://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-operation-targeting-the-enterprise/\r\nhttps://developers.cloudflare.com/cloudflare-one/connections/connect-networks/\r\nSource: https://www.intrinsec.com/akira_ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.intrinsec.com/akira_ransomware/"
	],
	"report_names": [
		"akira_ransomware"
	],
	"threat_actors": [
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434456,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/390ecdbaf1ef6604d3cce92d5a48579ea9825566.pdf",
		"text": "https://archive.orkl.eu/390ecdbaf1ef6604d3cce92d5a48579ea9825566.txt",
		"img": "https://archive.orkl.eu/390ecdbaf1ef6604d3cce92d5a48579ea9825566.jpg"
	}
}