Update on Akira Ransomware BYOVD

Cohesity REDLab has released updates to the threat library to detect emerging Akira related ransomware variants that are actively exploiting targets in the wild. Akira was first spotted last year, and this is an updated to the original detection. Users should closely monitor ant-ransomware backup anomalies in Security Center. Threat Scan feature should also be used in tandem to scan backup data using the default threat library or custom YARA rules. Users should also run periodic file-hash scans to detect dormant malware in backup data.

Analysis

Akira and affiliates used compromised firewall appliances as an initial-access vector. After gaining access they deploy evasive “bring your own vulnerable driver” (BYOVD) techniques that load signed but vulnerable and legitimate drivers to defeat AV/EDR for data theft and rapid ransomware encryption.

Initial access via firewall appliances: By abusing compromised credentials or exploiting known vulnerabilities attackers received access to remote VPN/web-console of firewall appliances.
Establish persistence & reconnaissance: Once on the appliance or via VPN tunnel, attackers enumerate internal hosts and credential stores. They attempt to harvest admin credentials and legitimate remote-access accounts for broader access.
Deploy evasive tooling (BYOVD / malicious drivers): Rather than relying only on file-based loaders, operators load vulnerable or signed drivers (often legitimate vendor drivers abused intentionally) to disable or interfere with EDR protections and to load kernel hooks.
Data theft / exfiltration: Attackers steal sensitive data, often prior to encryption, to increase leverage for extortion.
Ransomware deployment & encryption: Ransomware is deployed for rapid encryption and data is encrypted

Takeaways

Cohesity’s Anti-Ransomware and Threat Detection feature lets you scan backups snapshots and secondary stored data for anomalous behavior, known malware signatures, indicators of compromise (IOCs), using both built-in threat feeds and custom YARA rules. This helps ensure that the data recovered from backups is clean and avoids re-infecting production after a breach. It works by integrating curated threat intelligence and anomaly detection into Cohesity data protection platform so that customers can schedule or initiate threat scans over backups, inspect snapshots for malicious or suspicious artifacts, flag or quarantine compromised backups, and then use those evaluations to guide rapid recovery and response.

Cohesity Data Cloud

Data Cloud packaging

Certified platforms

Backup & Recovery

Cloud Data Protection

SaaS Data Protection

Unstructured Data Protection

Cyber Resilience

Zero Trust Security

Archive & Long-Term Retention

Disaster Recovery

Identity Resilience

Ransomware Anomaly Detection

Threat Protection

Data Classification

Cyber Vaulting

Cyber Recovery Orchestration

Digital Jump Bag

Clean Room Solution

AI Conversational Search

Reporting & IT Insights

Global Search

Why Cohesity

Cohesity vs. Rubrik

Cohesity vs. Commvault

View all solutions

Learn more

Microsoft 365 Protection

AWS

Azure

Google Cloud

Google Workspace

Slack

Active Directory & Entra ID

Hyper-V

Kubernetes

IBM

MongoDB

MS SQL Server

NAS

NoSQL & Hadoop

Nutanix

Oracle

Red Hat

SAP HANA

VMware

Financial services

Healthcare and life sciences

Manufacturing and logistics

Federal government

State, local government, and education

Retail and hospitality

Legal

Energy and utilities

Telecom

Technology

Media and Entertainment

View all

Corporate Overview

Blogs

Demos

Events and Webinars

Customer Stories

Glossary

Marketplace

Support

Support login

How-to videos

Cyber Event Response Team

Cohesity User Group

Cohesity Academy

Trust Center

Channel Partners

Global System Integrators

Security Partners

Cloud Alliances

Technology Partners

Managed Service Providers

Data Security Alliance

Leadership