Anatomy of an Akira Ransomware Attack: When a Fake CAPTCHA Led to 42 Days of Compromise
Summary:
According to Unit 42, a global data storage and infrastructure company suffered a 42-day destructive ransomware attack orchestrated by the Howling Scorpius group (Akira ransomware). The initial compromise began when an employee, visiting a compromised car dealership website, was lured via a ClickFix social engineering tactic disguised as a routine CAPTCHA bot verification. Interacting with the fake prompt led to the download of SectopRAT, a .NET-based RAT. Based on CISA’s recent Akira Ransomware advisory update, ClickFix is not considered one of Akira’s typical initial access methods.
The attackers then planted a backdoor for C2 and performed lengthy reconnaissance to map the virtual infrastructure. Over the course of 42 days, they compromised multiple privileged accounts, including domain admins, and moved laterally across the network using multiple protocols (SSH, RDP, SMB). They accessed domain controllers, staged nearly 1 TB of data using WinRAR across multiple file shares, and successfully pivoted from one business unit domain into the core corporate environment and cloud resources, bypassing intended security boundaries. Before deploying the ransomware, the threat actors deleted the client's storage containers containing backups and compute resources, and exfiltrated the data using FileZillaPortable. Finally, they deployed the Akira ransomware across servers in three separate networks, causing virtual machines to shut down and operations to cease, followed by the ransom demand. A critical finding was that the client's two different enterprise-grade EDR solutions recorded all malicious activities in their logs but generated very few alerts. This left the security team with "visibility in theory but not in practice," as the attack indicators remained hidden in plain sight until the damage was done.
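The "logged but never alerted" finding is, in practice, a correlation gap: the individual events (WinRAR archiving to shares, FileZillaPortable activity, one account logging on over RDP, SSH and SMB) were recorded, but nothing tied them together. The following is an added example, not code from Unit 42 or from this bulletin, showing two such correlation checks over constructed EDR-style telemetry; the hostnames, usernames, field layout and the 203.0.113.5 address are assumptions.

```python
"""Added example (not from the Unit 42 report): correlate constructed EDR-style
events for the staging-then-exfiltration and multi-protocol lateral movement
patterns described in the summary. All sample values are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, host, user, process, detail)
EVENTS = [
    ("2024-05-01T09:00:00", "ws-017", "jdoe", "chrome.exe", "https://dealer.example/"),
    ("2024-05-03T22:10:00", "fs-02", "svc_backup", "WinRAR.exe", r"a -r \\fs-02\finance\q1.rar D:\finance"),
    ("2024-05-03T22:40:00", "fs-02", "svc_backup", "WinRAR.exe", r"a -r \\fs-03\hr\staff.rar E:\hr"),
    ("2024-05-04T01:15:00", "fs-02", "svc_backup", "FileZillaPortable.exe", "connect 203.0.113.5:22"),
    ("2024-05-05T03:00:00", "dc-01", "adm_ops", "logon", "RDP"),
    ("2024-05-05T03:05:00", "esx-01", "adm_ops", "logon", "SSH"),
    ("2024-05-05T03:20:00", "fs-03", "adm_ops", "logon", "SMB"),
]

def _parse(ev):
    ts, host, user, proc, detail = ev
    return datetime.fromisoformat(ts), host, user, proc, detail

def staging_then_exfil(events, window_hours=48):
    """Alert when a host archives data to a UNC share with WinRAR and then runs
    FileZillaPortable within window_hours (staging followed by exfiltration).
    Returns [(host, user, number_of_staging_events)]."""
    staging = defaultdict(list)   # host -> timestamps of archiving onto shares
    alerts = []
    for ts, host, user, proc, detail in map(_parse, events):
        if proc.lower() == "winrar.exe" and "\\\\" in detail:   # UNC path in command line
            staging[host].append(ts)
        elif proc.lower() == "filezillaportable.exe":
            recent = [t for t in staging[host] if ts - t <= timedelta(hours=window_hours)]
            if recent:
                alerts.append((host, user, len(recent)))
    return alerts

def multi_protocol_lateral(events, min_protocols=3):
    """Alert when one account logs on over several lateral-movement protocols;
    the report names RDP, SSH and SMB. Returns {user: sorted protocols}."""
    protos = defaultdict(set)
    for _ts, _host, user, proc, detail in map(_parse, events):
        if proc == "logon" and detail in {"RDP", "SSH", "SMB"}:
            protos[user].add(detail)
    return {u: sorted(p) for u, p in protos.items() if len(p) >= min_protocols}

if __name__ == "__main__":
    print(staging_then_exfil(EVENTS))       # [('fs-02', 'svc_backup', 2)]
    print(multi_protocol_lateral(EVENTS))   # {'adm_ops': ['RDP', 'SMB', 'SSH']}
```

Both checks fire on data every EDR in the case already had; the point is that each is a rule over existing logs, not new collection.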
Security Officer Comments:
This incident appears to serve as an unusual example of effective long-term espionage, as visibility without effective security alerting could be considered a bigger issue than no visibility at all. The failure of two reportedly enterprise-level EDR systems to generate enough alerts during 42 days of active privilege escalation, lateral movement over RDP, SSH and SMB, and massive pre-ransomware staging and exfiltration reinforces the potential of incorporating agentic defense options. The initial social engineering vector (ClickFix leading to the SectopRAT download) shows that user education against disguised threats remains vital, but the attack's success ultimately hinged on the lack of timely detection of, and response to, the post-exploitation activity.
Suggested Corrections:
Palo Alto Networks’ Unit 42 reconstructed the complete attack path to provide critical recommendations:
- Network security: Implement network segmentation to isolate critical infrastructure, restricting administrative access to dedicated management VLANs and upgrading perimeter appliances.
- Identity and access management: Rotate all credentials, reset the password of the KRBTGT account (the account that signs Kerberos Ticket Granting Tickets, TGTs) to invalidate any existing golden tickets (the reset must be performed twice, allowing replication between resets, because the previous password remains valid until the second reset), and implement stricter controls on privileged accounts.
- Endpoint and infrastructure hardening: Deploy properly configured detection across all systems, eliminate end-of-life systems, and maintain current patch levels.
- Cloud security: Strengthen cloud security posture with proper monitoring and backup strategies.
https://unit42.paloaltonetworks.com/fake-captcha-to-compromise/