{
	"id": "19f08ca8-fee2-47dc-91d4-73a161f80dbe",
	"created_at": "2026-04-06T01:29:16.169735Z",
	"updated_at": "2026-04-10T13:11:53.374205Z",
	"deleted_at": null,
	"sha1_hash": "ecf7223586def0c3f5fa56550ff1ee5549dd7e03",
	"title": "Akira: Pulling on the chains of ransomware - Stairwell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 421879,
	"plain_text": "Akira: Pulling on the chains of ransomware - Stairwell\r\nBy Silas Cutler\r\nArchived: 2026-04-06 00:42:27 UTC\r\nIn late June 2023, Stairwell researchers recovered a home directory that had been accidentally publicly exposed\r\nfrom a server conducting exploitation of Fortinet appliances and deploying the Akira ransomware. With this\r\nvisibility, Stairwell researchers were able to directly observe some key aspects of the tradecraft used by the\r\noperators conducting attacks leading up to the deployment of Akira ransomware. \r\nAlong with the security research community and the United States Cybersecurity and Infrastructure Security\r\nAgency (CISA), we were able to notify multiple companies during the period between the attacker exfiltrating their data\r\nand those companies being publicly listed on Akira’s data leak site (DLS). \r\nThe following report will outline the findings from the recovered data.\r\nAkira\r\nThe Akira ransomware group started gaining broad attention in the spring of 2023. Since the launch of their DLS,\r\nthey have posted 65 different entities that the group has held for ransom (based on counts from our friends at\r\necrime.ch). In an alert from CERT-IN on 21 July 2023 and confirmed by details covered in this report, Akira\r\nransomware is known to leverage publicly known vulnerabilities in VPN appliances as a means of gaining initial\r\naccess to a target. 
\r\nA screenshot of the actor’s data leak site is shown below.\r\nhttps://stairwell.com/resources/akira-pulling-on-the-chains-of-ransomware/\r\nPage 1 of 6\n\nFigure 1: Screenshot of the Akira ransomware blog site.\r\nTechnical analysis\r\nThe recovered data from the actor system totaled 99 GB and included several stand-alone tools for VPN\r\nexploitation and reconnaissance, alongside an aptly named tools directory containing a collection of open-source\r\npentesting utilities.\r\nBased on the commands run on the system, it is assessed to have been used primarily for conducting\r\ninitial exploitation and exfiltration of data. While the operators of the system installed reconnaissance tools (such as\r\nreconftw) and post-exploitation tools, their usage of these appears limited to testing. \r\nInitial access / exploitation\r\nWithin the recovered data were two tools involved in the exploitation of Fortinet devices. Based on the\r\nbash_history, the usage of these tools accounted for roughly 11% of the commands executed by the attacker. \r\nThe first of these tools was named decrypt.py (SHA256 hash:\r\n44ed99d5516cb7f132016c750cf28a2da39fc0432ed3b7038139f015a589c582 ) and is used for decrypting password\r\ndata from Fortinet devices vulnerable to CVE-2019-6693. This script is nearly identical to the original proof-of-concept disclosed on GitHub; however, this script includes a minor change for handling string encoding. \r\nThe following example illustrates the tool’s usage.  \r\n# python3 decrypt.py VegCb7x7j4q9lVhfeYpPifKze4apn7do8EnPOjZWZ2s0iq0LXtd/DfBETgsn4a9CKuoDafVmtsajjwz+Z17W7+MZd+\r\nSpring2009!\r\nAs this tool does not connect to vulnerable devices, the source of the encrypted password data is currently\r\nunknown. 
It’s possible that these encrypted configurations were shared by another operator working in\r\ncollaboration with the owner of this system.\r\nThe other tool identified for exploitation of Fortinet devices was named fortiConfParser.py (SHA256 hash:\r\nd626e88d7910048e7f495d8afae49f534e22a90a080f49ca6f5b0b20e8a06c3c ). This Python script is used for\r\nremotely extracting the configuration of Fortinet devices, using a publicly known authentication bypass (CVE-2022-40684), and decrypting passwords using a reimplementation of the logic from decrypt.py. The following\r\nshows an example usage of fortiConfParser.py and the resulting decrypted credentials.  \r\n# python3 fortiConfParser.py 10.0.0.1:443\r\n==================================================\r\n[+] LOCAL:\r\n[+]---- adminuser:Summer2023!\r\n[+] LDAP\r\n[+]---- fortiadmin@target.domain:DomainSummer2023!:TDOMAIN:10.0.0.1:sAMAccountName:DC=target,DC=domain\r\n[+]---- fortiadmin@target.domain:DomainSummer2023!:TDOMAIN:10.0.0.1:sAMAccountName:DC=target,DC=domain\r\nUnlike decrypt.py, this tool chains CVE-2019-6693 and CVE-2022-40684 in order to increase the effectiveness\r\nof exploitation.  \r\nIn total, exploitation attempts were observed against 13 IP addresses, of which 9 could be attributed to\r\nknown companies. Geomapping of the IP addresses shows a concentration of US entities. \r\nFigure 2: Mapping of IP addresses to geographic locations targeted for exploitation.\r\nDuring analysis of the entities targeted by this activity, a consulting company was identified that had\r\nreportedly been attacked in early June by the Snatch ransomware group. As it is common for individual operators to\r\nwork for multiple ransomware groups, it is possible the operators of this server may not be exclusive to Akira. 
\r\nExfiltration\r\nIn addition to tooling, the majority of the recovered data from the actor system was encrypted data exfiltrated from\r\nthree targets of this operator’s attacks. Exfiltrated data is stored in password-protected RAR archives and, based\r\non the command history of the user, was likely encrypted by the actor prior to exfiltration. \r\nIn one case, shown below, the actor was observed downloading collected data from a publicly facing server of the\r\ntargeted network.\r\nFigure 3: Screenshot of command history showing the actor attempting to download stolen data from a public-facing victim server.\r\nClosing\r\nIn our initial analysis of the collected data, we attributed this activity exclusively to the Akira\r\nransomware group. As analysis progressed and a target of this activity was identified as a victim of the Snatch\r\nransomware group, we adjusted some of the language used in this report to reflect the reality that ransomware\r\naffiliates at times work with multiple different Ransomware-as-a-Service (RaaS) providers.  \r\nThe ability of individual operators to work across multiple RaaS providers likely supports the proliferation of\r\ntradecraft and techniques that further enable these types of attacks. In this report, we analyzed a Python tool that\r\nchained CVE-2019-6693 and CVE-2022-40684 in order to gain access to Fortinet appliances. While Stairwell has\r\nonly directly observed this with the Akira ransomware group, it is assessed with medium confidence that\r\nintrusions attributed to Snatch and other groups linked to Akira. \r\nAs part of analyzing the collected data, Stairwell researchers worked closely with members of the broader\r\ncybersecurity community and the Cybersecurity and Infrastructure Security Agency (CISA) to help notify parties\r\ntargeted and impacted by this actor. 
We’re highlighting this as we believe that notifying victims of cyber incidents\r\nis the responsibility of those with visibility. \r\nFiles\r\nSource: https://stairwell.com/resources/akira-pulling-on-the-chains-of-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://stairwell.com/resources/akira-pulling-on-the-chains-of-ransomware/"
	],
	"report_names": [
		"akira-pulling-on-the-chains-of-ransomware"
	],
	"threat_actors": [
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438956,
	"ts_updated_at": 1775826713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ecf7223586def0c3f5fa56550ff1ee5549dd7e03.pdf",
		"text": "https://archive.orkl.eu/ecf7223586def0c3f5fa56550ff1ee5549dd7e03.txt",
		"img": "https://archive.orkl.eu/ecf7223586def0c3f5fa56550ff1ee5549dd7e03.jpg"
	}
}