Akira ransomware’s secret weapon—AnyDesk
The Akira ransomware group drops the AnyDesk client to gain persistence.
The Akira ransomware group has a secret weapon: AnyDesk Remote Monitoring and Management (RMM) software. The cybercriminals use the legitimate AnyDesk executable on compromised computers for persistence—after it’s installed, they can connect to the compromised machine at any time they please, in just the same way that a regular AnyDesk user could.
Akira made headlines in April of last year after CISA and the FBI announced that the gang had made $42 million from 250 attacks since March 2023, which translates to an average of $3,500,000 a month. The CISA report also detailed the group’s Tactics, Techniques, and Procedures (TTPs).
Initial compromise can happen in several ways, such as stolen credentials, software vulnerabilities, or RDP brute force attacks.
After that, their next step is to install AnyDesk and other legitimate tools and use them for persistence and discovery.
The use of AnyDesk (and other RMM tools too) allows criminals to deploy hands-on-keyboard (HOK) attacks so they can adjust their approach based on the environment at hand, and also reduces the chance of detection because they are not using malware. In the new world of Living-off-the-Land (LOTL) attacks, it’s not the software that’s suspicious, but the way in which it’s used.
Defeating attacks that rely on legitimate tools like AnyDesk requires continuous monitoring, to build a picture of malicious activity.
Nothing trumps 24/7 monitoring by professionals, but with ThreatDown products, there are some settings you can apply to prevent the above scenario from happening.
- Check if your licensing matches the number and type of machines that you want to cover. Unprotected servers are a blind spot.
- Use Application Block (AppBlock) to block all remote access and RMM tools that aren’t utilized by your organization or your service providers.
  - Advanced rules allow blocking via executable hash, path, signed certificate property, etc.
  - This could extend to other software, such as network discovery tools and scripting engines.
  - Make sure not to block anything that is in use inside your organization, which unfortunately is often easier said than done.
- Apply GeoIP Filtering at the firewall level; more specifically, allow only those regions where authorized users reside or otherwise connect from, or explicitly block those that are most commonly the origin of abuse (China, Russia, etc.).
- Make sure the ThreatDown Endpoint Agent is fully deployed, so all suspicious activity can be detected, particularly early warning signs that might indicate initial access, discovery, and lateral movement.
- Make sure that ThreatDown EDR, MDR or MTH services are fully enabled and configured according to best practices:
  - All RTP layers enabled.
  - Suspicious Activity Monitoring enabled.
  - Ransomware Rollback enabled.
  - Notifications configured for all Suspicious Activities of every severity—some “low” severity activities are indicators of and precede attacks.
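The AppBlock recommendation above (match remote-access tools by hash, path or signing certificate, but never block what your own helpdesk or service provider uses) and the earlier point that with LOTL tooling it is the usage, not the binary, that is suspicious can be combined into one policy check. The following is an added example, not ThreatDown product code and not anything shipped by AnyDesk: it assumes a process-creation event that carries the host name, image path, SHA-256 and code-signing subject, and every signer name, hash, host name, host group and install path in it is constructed for the demo. The same signed binary is allowed from its managed install location on a helpdesk machine, raised for review when launched from a user-writable path on that machine, and blocked outright on a server, even when the file has been renamed, because identification keys on the signer and hash rather than the file name.

```python
"""Allow-list evaluation for remote-access / RMM tool launches.

Added example (not ThreatDown's product code and not AnyDesk's). It
assumes a process-creation event carries host name, image path, SHA-256
and Authenticode signer subject; every signer, hash, host, group and path
below is a constructed placeholder.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str    # full path of the launched executable
    sha256: str   # hex digest of the file on disk
    signer: str   # code-signing certificate subject, "" when unsigned


@dataclass
class ToolRule:
    """Identifies one remote-access tool by signer, hash or path pattern."""
    name: str
    signers: set[str] = field(default_factory=set)
    hashes: set[str] = field(default_factory=set)
    path_globs: tuple[str, ...] = ()

    def matches(self, ev: ProcessEvent) -> bool:
        path = ev.image.lower()
        return (ev.signer in self.signers
                or ev.sha256.lower() in self.hashes
                or any(fnmatchcase(path, g.lower()) for g in self.path_globs))


# Catalogue of tools the organisation wants governed (constructed values).
KNOWN_TOOLS = [
    ToolRule("anydesk",
             signers={"CONSTRUCTED AnyDesk Signer"},
             hashes={"1111aaaa" * 8},          # constructed SHA-256
             path_globs=("*\\anydesk*.exe",)),
    ToolRule("otherrmm",
             signers={"CONSTRUCTED Other RMM Signer"},
             path_globs=("*\\otherrmm\\*.exe",)),
]

# Which tool each host group may run, and from which install location.
# Groups with an empty mapping get no remote-access tool at all.
AUTHORIZED = {
    "it-helpdesk": {"anydesk": ("c:\\program files\\anydesk\\*",)},
    "servers": {},
    "workstations": {},
}

HOST_GROUPS = {"HELPDESK01": "it-helpdesk",
               "SRV-FILE01": "servers",
               "WS-FIN-07": "workstations"}


def evaluate(ev: ProcessEvent) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'alert' or 'block'."""
    tool = next((r.name for r in KNOWN_TOOLS if r.matches(ev)), None)
    if tool is None:
        return "allow", "not a governed remote-access tool"
    group = HOST_GROUPS.get(ev.host, "unknown")   # unknown hosts get default deny
    allowed_paths = AUTHORIZED.get(group, {}).get(tool)
    if allowed_paths is None:
        return "block", f"{tool} is not authorized on {group} hosts"
    if not any(fnmatchcase(ev.image.lower(), g) for g in allowed_paths):
        # Authorized tool, but a copy outside the managed install location:
        # keep the helpdesk working, but raise it for review.
        return "alert", f"{tool} launched from unmanaged path {ev.image}"
    return "allow", f"{tool} authorized on {group} hosts"


# Constructed sample events: the same signed binary seen on three hosts.
SAMPLE_EVENTS = [
    ProcessEvent("HELPDESK01", "C:\\Program Files\\AnyDesk\\AnyDesk.exe",
                 "1111aaaa" * 8, "CONSTRUCTED AnyDesk Signer"),
    ProcessEvent("HELPDESK01", "C:\\Users\\Public\\anydesk.exe",
                 "1111aaaa" * 8, "CONSTRUCTED AnyDesk Signer"),
    ProcessEvent("SRV-FILE01", "C:\\Users\\Public\\svchost32.exe",   # renamed copy
                 "1111aaaa" * 8, "CONSTRUCTED AnyDesk Signer"),
    ProcessEvent("WS-FIN-07", "C:\\Windows\\System32\\notepad.exe",
                 "2222bbbb" * 8, "CONSTRUCTED OS Vendor"),
]


def summarize(events) -> dict:
    """Evaluate every event, print one line each and return verdict counts."""
    counts = {"allow": 0, "alert": 0, "block": 0}
    for ev in events:
        verdict, reason = evaluate(ev)
        counts[verdict] += 1
        print(f"{verdict:5} {ev.host:10} {ev.image}  ({reason})")
    return counts


if __name__ == "__main__":
    summarize(SAMPLE_EVENTS)
```

Signer matching is listed first in the rule on purpose: a hash changes with every product update and a path is trivially changed by renaming the file, so a certificate-subject match is the most durable way to recognise the tool. The per-group mapping is where the "don't block what you actually use" caveat lives; keeping it explicit per host group (and defaulting unknown hosts to block) is what lets the same binary be legitimate on one machine and a persistence mechanism on another.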
Should you require assistance in finding the optimal settings for your environment, reach out to ThreatDown Support. They will be happy to help you.