
Akira Ransomware: Attacking Windows Server via RDP and Evading EDR Using IoT Devices
In 2024, the Akira ransomware group was linked to roughly 15% of the incidents handled by the incident response firm S-RM, making it one of the most active groups of the year. Akira keeps developing techniques to bypass defenses; in the case described here, the group pivoted through an unsecured webcam to evade Endpoint Detection and Response (EDR) and encrypt data across a corporate network.
This attack method demonstrates how cybercriminals constantly seek new ways to bypass security measures. Below are the details of a complex attack carried out by the Akira ransomware group.
According to cybersecurity specialists from S-RM, the Akira group followed this attack pattern:
1️⃣ Gaining remote access from outside – The attackers entered the victim’s network through an externally exposed remote access service.
2️⃣ Establishing persistent access – They installed AnyDesk.exe, a legitimate remote administration tool, to keep long-term access to the network, and used that access to exfiltrate sensitive data.
3️⃣ Lateral movement via RDP – Using the Remote Desktop Protocol (RDP), they moved between hosts while blending in with legitimate system administrator activity, which made detection harder.
4️⃣ Staging the ransomware payload – The attackers attempted to place a malicious executable, “win.exe”, packed inside a password-protected ZIP archive named “win.zip”, on a Windows server.
5️⃣ Blocked by EDR – The company’s EDR solution flagged the file as suspicious and automatically quarantined it, so the Windows encryptor never ran.
6️⃣ Pivoting to IoT devices – After the first attempt was blocked, the attackers scanned the internal network and found IoT devices, including a webcam and a fingerprint scanner, that were outside the reach of the EDR.
One of the attackers’ most unexpected strategies was exploiting a webcam to deliver malicious code. Why did they choose a webcam?
📌 What made the webcam useful to the attackers:
✅ Remote shell access – the device could be reached and commanded remotely.
✅ A lightweight Linux-based OS that runs standard Linux commands, so a Linux build of the ransomware could execute on it.
✅ No EDR or antivirus agent, because the device lacks the storage and processing capacity to run one.
From the compromised webcam, the attackers mounted the Windows server’s SMB network shares and launched the Linux variant of the Akira encryptor on the webcam itself, so the encryption reached the server as ordinary Server Message Block (SMB) file writes from a device nobody was monitoring. The EDR on the Windows server had no malicious process to catch, because none ran there; the malicious activity lived on an unmanaged host and in network traffic the organization was not inspecting, and the attack proceeded unnoticed.
This case highlights how IoT devices are often overlooked in security strategies, creating opportunities for cybercriminals.
SHA-1 Hashes (truncated) of the Ransomware Samples Used:
🔹 Linux variant: ac9952bcfcecab
🔹 Windows variant: 3920f3c6368651
Security Recommendations
🔹 Segment IoT devices – Put cameras, scanners and similar devices on their own network segment and allow only the flows they need; in particular, IoT segments should have no path to SMB (TCP/445), RDP or management interfaces on servers.
🔹 Audit the internal network – Regularly inventory IoT and other networked devices, check their security posture (exposed shells, outdated firmware, default credentials), and confirm that segmentation rules are actually enforced.
🔹 Keep firmware updated – Apply security patches and software updates to all IoT devices promptly; where a device can no longer be patched, replace it.
🔹 Change default passwords – Replace factory-set credentials on webcams and other IoT devices.
🔹 Turn off unused IoT devices – If an IoT device is not in use, power it off or remove it from the network.
🔹 Monitor traffic from IoT segments – Treat any SMB session that originates from an IoT address, or from a host that is not an approved SMB client, as an alert rather than background noise.
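As an added example (not code from the original post or the S-RM report), the following Python script shows the kind of check that would have surfaced the webcam-to-server SMB traffic described above, and that the segmentation, audit and monitoring recommendations imply: it reads Zeek-style conn.log records, flags SMB (TCP/445) sessions whose source is in IoT address space or outside an allow-list of approved SMB clients, and marks sessions whose client-side byte count looks like bulk encryption rather than normal file access. The subnet plan, the byte threshold and the log lines are constructed assumptions for illustration.

```python
"""
Flag SMB (TCP/445) sessions that originate from IoT address space or from
hosts outside an approved SMB-client allow-list, and call out bulk writes.
Added example; the subnets, threshold and log lines are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical network plan: which addresses are IoT, which hosts may speak SMB.
IOT_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]
APPROVED_SMB_CLIENTS = [
    ipaddress.ip_network("10.10.0.0/24"),  # staff workstations
    ipaddress.ip_network("10.0.5.0/24"),   # server VLAN (server-to-server SMB)
]
# A single client pushing this many bytes in one session looks like encryption
# or exfiltration rather than someone opening a document (assumed threshold).
BULK_BYTES = 50 * 1024 * 1024

# Constructed Zeek conn.log-style records (tab separated):
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service  orig_bytes  resp_bytes
SAMPLE_CONN_LOG = """\
1741000001.123\tC1\t10.10.0.31\t51234\t10.0.5.10\t445\ttcp\tsmb\t20480\t1048576
1741000050.456\tC2\t10.20.0.77\t40001\t10.0.5.10\t445\ttcp\tsmb\t734003200\t8192
1741000060.789\tC3\t10.20.0.77\t40002\t10.0.5.11\t445\ttcp\tsmb\t1024\t512
1741000070.000\tC4\t10.20.0.77\t40003\t10.0.5.10\t22\ttcp\tssh\t100\t100
1741000080.000\tC5\t192.168.9.9\t50000\t10.0.5.10\t445\ttcp\tsmb\t4096\t4096
"""


@dataclass
class SmbAlert:
    uid: str
    src: str
    dst: str
    orig_bytes: int
    reasons: list


def _in_any(addr, networks):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in networks)


def parse_conn_log(text):
    """Yield (uid, src, dst, dport, orig_bytes) for each record line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        yield f[1], ipaddress.ip_address(f[2]), ipaddress.ip_address(f[4]), int(f[5]), int(f[8])


def detect_suspicious_smb(conn_log_text):
    """Return SmbAlert objects for SMB sessions that violate the segmentation policy."""
    alerts = []
    for uid, src, dst, dport, orig_bytes in parse_conn_log(conn_log_text):
        if dport != 445:
            continue  # only SMB is of interest here
        reasons = []
        if _in_any(src, IOT_SUBNETS):
            reasons.append("smb_from_iot_segment")
        elif not _in_any(src, APPROVED_SMB_CLIENTS):
            reasons.append("smb_from_unapproved_host")
        if orig_bytes >= BULK_BYTES:
            reasons.append("bulk_write")
        if reasons:
            alerts.append(SmbAlert(uid, str(src), str(dst), orig_bytes, reasons))
    return alerts


def sources_by_share_count(alerts):
    """Count distinct servers each flagged source touched over SMB; one device
    walking several servers' shares is a stronger signal than a single hit."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.src, set()).add(a.dst)
    return {src: len(dsts) for src, dsts in seen.items()}


if __name__ == "__main__":
    found = detect_suspicious_smb(SAMPLE_CONN_LOG)
    for a in found:
        print(f"{a.uid} {a.src} -> {a.dst}:445 {a.orig_bytes} bytes  {', '.join(a.reasons)}")
    print("distinct servers per flagged source:", sources_by_share_count(found))
```

On the constructed log, the workstation session C1 passes, the SSH session C4 is ignored, and the webcam address 10.20.0.77 is flagged twice (once as a bulk write to 10.0.5.10, once as a small probe of 10.0.5.11) alongside an unapproved host at 192.168.9.9. In production the same logic belongs in the SIEM or NDR platform rather than in a script, with the allow-list sourced from the asset inventory the audit recommendation calls for; the important design choice is that the IoT-segment rule fires on the very first byte, while the bulk-write rule only adds confidence.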
The Akira ransomware group continues to develop new evasion techniques, particularly exploiting IoT vulnerabilities to bypass EDR and other security measures. Their attacks can result in data encryption and significant financial losses.
Organizations must take IoT security seriously, implement network segmentation, and strengthen their overall security measures. Otherwise, ransomware attacks will continue to pose a growing threat.