Hybrid Malware Analysis for Threat Intelligence: Unveiling Akira Ransomware

Authors

  • Jeenyta Mahendrabhai Desai
  • Chetan J. Shingadiya

DOI:

https://doi.org/10.22399/ijcesen.3393

Keywords:

Akira Ransomware, Hybrid Analysis & Static analysis, Ghidra, PEStudio, Threat Intelligence, Indicators of Compromise (IOC)

Abstract

This paper presents an in-depth technical analysis of the Akira ransomware family, which emerged as a prominent threat in the cybersecurity landscape between 2023 and 2025. Known for its advanced encryption techniques, anti-analysis mechanisms and targeted extortion campaigns, Akira demonstrates a sophisticated evolution of modern ransomware. The study applies both static and dynamic analysis methodologies to deconstruct Akira's behavior and internal structure. Static analysis with tools such as Ghidra, PEStudio and FLOSS is used to extract key artifacts, analyze the PE structure and examine the encryption implementation and obfuscation techniques. Complementary dynamic analysis is performed in controlled sandbox environments using Any.Run, Procmon and Wireshark, revealing the ransomware's runtime activities, including file encryption behavior, registry modifications and potential network communications with command-and-control (C2) infrastructure. The research identifies critical indicators of compromise (IOCs), analyzes the encryption flow involving ChaCha20 and RSA, and documents Akira's ransom note deployment and persistence mechanisms. The findings aim to support the development of more effective detection, classification and response frameworks for malware analysis and threat intelligence operations. This paper highlights how hybrid analysis techniques can uncover both surface-level and deeply embedded functionalities of emerging ransomware variants such as Akira.

Published

2025-07-21

How to Cite

Jeenyta Mahendrabhai Desai, & Chetan J. Shingadiya. (2025). Hybrid Malware Analysis for Threat Intelligence: Unveiling Akira Ransomware. International Journal of Computational and Experimental Science and Engineering, 11(3). https://doi.org/10.22399/ijcesen.3393

Section

Research Article