Ransomware Attackers Used Incorrectly Stored Recovery Codes to Disable EDR Agents
Summary:
Huntress researchers reported on an Akira ransomware intrusion that originated from the exploitation of a SonicWall VPN. The adversary connected from DHCP-assigned VPN IP addresses on hosts without Huntress agents installed, which kept its activity outside endpoint detection and response visibility. Once inside the environment, the threat actor executed Akira binaries, deleted shadow copies, and attempted to encrypt multiple systems. A rapid mass isolation response initiated by the Huntress SOC limited the impact and prevented full encryption of the victim’s network. Further analysis revealed that the adversary exported certificates from the Domain Controller’s personal store using certutil, creating PFX files that included both public and private keys. This activity suggested preparation for persistence and credential-based lateral movement, as compromised certificates can be used to impersonate legitimate users or systems.
The most critical finding was the discovery of a plaintext file containing Huntress recovery codes on a security engineer’s desktop. These codes, designed as MFA backup credentials, were leveraged by the threat actor to log into the Huntress portal as a privileged user. Once authenticated, the actor closed incident reports, de-isolated compromised hosts, and uninstalled Huntress agents, undermining visibility and weakening the organization’s defensive posture. Portal log analysis confirmed access by a known malicious IP previously associated with SonicWall-related compromises.
Security Officer Comments:
The report shows how plaintext storage of recovery codes can directly enable MFA bypass and hand adversaries complete control of security platforms. The use of VPN-connected systems without Huntress agents highlights the importance of enforcing full coverage across all endpoints, including those connected remotely. The export of certificates from the Domain Controller reflects adversary efforts to establish persistence and escalate privileges through credential theft.
Suggested Corrections:
Organizations should treat recovery codes with the same sensitivity as privileged account passwords. Here are some recommended practices for securing recovery codes and credentials.
- Avoid plaintext storage: Don’t save recovery codes in unprotected text files, shared drives, or unsecured folders.
- Use a password manager: Store recovery codes and credentials in an encrypted password manager with a strong passphrase (and without autofill).
- Encrypt offline storage: If you're unable to use digital password managers, store codes in an encrypted, password-protected file on an encrypted USB drive or hard disk.
- Rotate and monitor: Periodically regenerate recovery codes where the platform supports it, and monitor portal access for unusual logins, in particular logins that used a recovery code or came from an unexpected source IP.
- Recovery codes should not be a secondary concern; they are a direct path to bypassing MFA and gaining access.
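As an added example (not code from the Huntress report or the article), the following Python detection walks security-portal audit events and flags the pattern described above: a login that used an MFA recovery code, escalated when it comes from an untrusted source IP, and escalated again when the same session then closes incidents, de-isolates hosts or uninstalls agents. The event schema, action names and the trusted-IP allowlist are constructed assumptions, not a real Huntress log format.

```python
import json
from collections import defaultdict

# Constructed audit events for a security-vendor portal. The field names and
# action values are assumptions for this example, not a real Huntress log schema.
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T02:14:05Z", "user": "seceng", "ip": "203.0.113.77", "auth": "recovery_code", "action": "login"},
    {"ts": "2025-09-10T02:16:40Z", "user": "seceng", "ip": "203.0.113.77", "auth": None, "action": "incident_close"},
    {"ts": "2025-09-10T02:18:02Z", "user": "seceng", "ip": "203.0.113.77", "auth": None, "action": "host_deisolate"},
    {"ts": "2025-09-10T02:25:11Z", "user": "seceng", "ip": "203.0.113.77", "auth": None, "action": "agent_uninstall"},
    {"ts": "2025-09-09T14:00:00Z", "user": "admin2", "ip": "198.51.100.5", "auth": "totp", "action": "login"},
    {"ts": "2025-09-09T14:05:00Z", "user": "admin2", "ip": "198.51.100.5", "auth": None, "action": "incident_close"},
    {"ts": "2025-09-11T09:00:00Z", "user": "oncall", "ip": "198.51.100.5", "auth": "recovery_code", "action": "login"},
    {"ts": "2025-09-11T09:03:00Z", "user": "oncall", "ip": "198.51.100.5", "auth": None, "action": "incident_view"},
]

# Portal actions that reduce coverage or visibility; the intrusion summary
# names exactly these three.
DEFENSE_WEAKENING = {"incident_close", "host_deisolate", "agent_uninstall"}


def find_recovery_code_abuse(events, trusted_ips=frozenset()):
    """Group events into (user, source IP) sessions, report every login that
    used an MFA recovery code, and escalate when the same session then closes
    incidents, de-isolates hosts or uninstalls agents."""
    sessions = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sessions[(ev["user"], ev["ip"])].append(ev)

    findings = []
    for (user, ip), evs in sessions.items():
        login = next((i for i, e in enumerate(evs)
                      if e["action"] == "login" and e["auth"] == "recovery_code"), None)
        if login is None:
            continue
        weakening = [e["action"] for e in evs[login + 1:] if e["action"] in DEFENSE_WEAKENING]
        reasons = ["mfa_recovery_code_login"]
        if ip not in trusted_ips:
            reasons.append("untrusted_source_ip")
        if weakening:
            reasons.append("defense_weakening_after_login")
        severity = "critical" if weakening else ("high" if ip not in trusted_ips else "medium")
        findings.append({"user": user, "ip": ip, "login_ts": evs[login]["ts"],
                         "severity": severity, "reasons": reasons, "actions": weakening})
    return findings


if __name__ == "__main__":
    # 198.51.100.5 stands in for the organisation's expected admin egress address.
    print(json.dumps(find_recovery_code_abuse(SAMPLE_EVENTS, {"198.51.100.5"}), indent=2))
```

A recovery-code login from a trusted address with no follow-on weakening still surfaces at medium severity, so that legitimate emergency use is reviewed rather than silently accepted.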
https://www.helpnetsecurity.com/2025/09/16/akira-ransomware-disable-edr/