
The SOC case files: Akira ransomware turns victim’s remote management tool on itself
Barracuda’s Managed XDR team recently mitigated an Akira ransomware attack that tried to evade detection by exploiting tools in the target’s infrastructure rather than bringing its own known arsenal, and disguising its malicious activity as everyday IT.
How the attack unfolded
Taking advantage of a national holiday, cybercriminals armed with Akira ransomware, a versatile and opportunistic Ransomware-as-a-Service (RaaS) kit, targeted an organization’s network just before 4:00 a.m.
The attackers gained access to a domain controller (DC) — a critical server responsible for authenticating and validating user access to network resources such as files and applications. The Datto remote monitoring and management (RMM) tool was installed on the DC server.
The attackers deployed an approach known as Living Off The Land (LOTL), which involves using pre-installed and legitimate toolsets to carry out an attack.
They homed in on the RMM tool’s management console and used it, together with several previously installed backup agents, to implement the attack without triggering a security alert for a new software install or suspicious activity.
The Akira RMM attack chain
- The attackers used the Datto RMM to remotely push and execute a PowerShell script from its Temp folder, running with an ‘execution policy bypass’ that allowed it to skip PowerShell’s built-in safety checks.
- The script was executed with system-level privileges, giving it full control over the infected server.
- Shortly after, encoded PowerShell commands were used to run additional tools, and several unknown executable files (binaries) were placed in trusted Windows directories to avoid suspicion.
- These files included some disguised scripts, a script designed to manipulate firewall rules, and one that had been hidden in a non-standard directory, likely an attacker-created staging area.
- Registry changes were made to help the attacker stay hidden or turn off security features.
- The Volume Shadow Copy Service (VSSVC.exe) was stopped on the domain controller a few minutes before file encryption began. This is often done during routine IT maintenance, but it is also used in ransomware attacks as a precursor to encryption because it eliminates copies that could otherwise be used to restore files.
- At 8:54 a.m., the ransomware payload started to encrypt files, modifying them with the .akira extension.
Fortunately, the domain controller was protected with Barracuda Managed XDR Endpoint Security.
The very first file encryption was detected instantly by XDR’s custom encryption rule, leading to the immediate isolation of the affected device and the end of the attack.
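The chain above maps naturally onto a small correlation check. The following is an added example (not Barracuda's detection logic or any Datto component) that runs rule matching over constructed EDR-style events; "RMMAgent.exe", the host names and the command lines are assumed sample values, and a lone VSS stop on a second host shows why one indicator alone is only weakly suspicious.

```python
import re
from datetime import datetime, timedelta
# Constructed sample telemetry (not from the original post), shaped like EDR
# process/service/file events. "RMMAgent.exe" is a placeholder process name.
EVENTS = [
    {"ts": "03:58", "host": "DC01", "kind": "process", "parent": "RMMAgent.exe",
     "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\stage.ps1"},
    {"ts": "04:05", "host": "DC01", "kind": "process", "parent": "powershell.exe",
     "cmd": "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": "08:50", "host": "DC01", "kind": "service", "service": "VSS", "state": "stopped"},
    {"ts": "08:54", "host": "DC01", "kind": "file", "op": "rename",
     "path": r"\\DC01\share\Q3-budget.xlsx.akira"},
    # Lone VSS stop on another host: on its own this looks like routine maintenance.
    {"ts": "09:00", "host": "WS07", "kind": "service", "service": "VSS", "state": "stopped"},
]
# Each rule mirrors one step of the chain described above.
RULES = [
    ("rmm_spawned_bypass_from_temp", lambda e: e["kind"] == "process"
        and "rmm" in e["parent"].lower() and re.search(r"-e(x\w*|p)\s+bypass", e["cmd"], re.I)
        and re.search(r"\\temp\\", e["cmd"], re.I)),
    ("encoded_powershell", lambda e: e["kind"] == "process"
        and re.search(r"\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", e["cmd"], re.I)),
    ("vss_stopped", lambda e: e["kind"] == "service" and e["service"].upper() == "VSS" and e["state"] == "stopped"),
    ("akira_extension", lambda e: e["kind"] == "file" and e["op"] == "rename" and e["path"].lower().endswith(".akira")),
]

def matches(event):
    """Names of the rules a single event satisfies."""
    return [name for name, pred in RULES if pred(event)]

def triage(events, window=timedelta(hours=6)):
    """Correlate hits per host: one precursor is low confidence, several in one window
    warrant investigation, and an observed .akira rename warrants immediate isolation."""
    hits = {}
    for e in events:
        for rule in matches(e):
            hits.setdefault(e["host"], []).append((datetime.strptime(e["ts"], "%H:%M"), rule))
    report = {}
    for host, seen in hits.items():
        seen.sort()
        first = seen[0][0]
        rules = sorted({r for t, r in seen if t - first <= window})
        if "akira_extension" in rules:
            verdict = "isolate: encryption observed"
        elif len(rules) >= 2:
            verdict = "investigate: multi-stage precursor chain"
        else:
            verdict = "low: single indicator, possibly routine maintenance"
        report[host] = {"rules": rules, "verdict": verdict}
    return report
```

Running `triage(EVENTS)` flags DC01 for isolation on the first .akira rename while WS07's isolated VSS stop is left at low confidence, which is the distinction the text draws between maintenance and an encryption precursor.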

Key learnings
- The attackers didn’t deploy sophisticated new malware or tools that would immediately raise red flags. Instead, they used what was already there — the Datto RMM and the backup agents — trusted tools installed on endpoints.
- Similarly, the attacker’s activity closely mirrored what a backup agent might legitimately do during scheduled jobs. This made everything look like regular IT activity.
- Akira is a clever and inventive RaaS — the developers behind the malware don’t follow a fixed playbook. Their tactics change regularly, which makes it harder to catch them in the early stages of an attack because they don’t match known attack signatures.
- To effectively protect IT environments against varied and versatile attacks, full XDR coverage that extends across endpoints, network, server, cloud and more provides SOC teams with complete visibility and the ability to detect and neutralize threats as early as possible in the attack lifecycle.
Restore and recover
Once the threat was neutralized, the Barracuda Managed XDR team worked with the customer to implement the following:
- Isolate all impacted devices at the organization level
- Trigger rollbacks for all detected threats across the organization
- Run a deep indicator of compromise (IOC) sweep to detect any remaining Akira-related artifacts
- Confirm rollback success and endpoint stability, rebooting devices as required to complete rollback
- Review and work with the customer to harden endpoint policies post-incident
- Validate all actions through SOAR playbooks
Barracuda Managed XDR helps to detect and mitigate such incidents. It continuously monitors endpoints and network activity to spot anomalous behaviors such as unexpected file deletion and registry changes. Managed XDR further provides rapid incident response capabilities, ensuring swift containment and remediation of identified threats. Detailed logs and forensic analysis help trace the origin and scope of the attack, enabling strategic future prevention measures.
By integrating with endpoint detection and response (EDR), Managed XDR enhances visibility into isolated systems and provides actionable insights for mitigation. Proactive threat hunting supported by Managed XDR helps identify persistence mechanisms and eliminate them before attackers gain sustained access.
Visit the website for more information on Barracuda Managed XDR and SOC. For the latest on new features and upgrades and new detections for Barracuda Managed XDR, check out the most recent release notes.
The main tools and techniques used in this attack

Indicators of compromise

