Step-by-Step: How to Identify if You Were Hit by the Akira Megazord or STONETOP Variant (2025 Deep Dive)

The 2025 evolution of Akira ransomware, primarily manifesting as the “Megazord” encryptor payload delivered by the “STONETOP” loader, represents a significant leap in stealth and sophistication. Moving beyond simple PowerShell scripts and full-file encryption, this variant targets hypervisors (Nutanix AHV, VMware ESXi 8.x) with specialized tools, employs intermittent encryption for speed, and establishes kernel-level persistence to hinder recovery efforts.

Traditional identification methods, focused solely on the .akira file extension or the akira_readme.txt ransom note, are insufficient for comprehensive incident response. This guide provides a deep technical dive into the forensic indicators required to definitively identify a Megazord/STONETOP infection, understand its scope, and prepare for effective eradication and recovery.

Phase 1: Initial Triage and Obvious Indicators (Rapid Assessment)

While rudimentary, these are the first signs visible to an IT generalist.

1. File Extension Changes

  • Primary: Files will typically have the .akira extension appended (e.g., document.docx.akira).
  • Newer/Rare: We have observed some 2025 Megazord campaigns using .aki or even .powerranges extensions, especially in targeted Linux/ESXi deployments. Always verify the ransom note content, not just the extension.


2. Ransom Note Presence

  • Standard: A text file named akira_readme.txt will be found in almost every encrypted directory.
  • Content Consistency: The note’s content usually follows a consistent template, often starting with phrases like “Hi friends” and detailing data exfiltration threats and TOR (.onion) contact links.
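The extension and ransom-note checks above can be scripted for a first pass over a recovered file system. The following is an added example, not code from the original article: it walks a directory tree, counts files carrying the extensions listed in step 1, records every directory holding an akira_readme.txt, and flags notes whose text lacks the described template markers ("Hi friends" plus a .onion contact), since those deserve a second look rather than an automatic attribution. The sample tree it builds is constructed for the demonstration.

```python
# Added example (not from the original article): walk a directory tree and
# report the Phase 1 indicators above: files carrying .akira/.aki/.powerranges,
# akira_readme.txt notes, and notes that do not match the described template.
import os
import re
import tempfile

RANSOM_EXTENSIONS = {".akira", ".aki", ".powerranges"}
NOTE_NAME = "akira_readme.txt"
NOTE_GREETING = re.compile(r"^\s*hi friends", re.IGNORECASE | re.MULTILINE)
ONION_LINK = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)


def triage_tree(root):
    """Return encrypted-file counts per extension, directories holding a note,
    and notes that do not match the template (decoy or different family)."""
    by_ext, note_dirs, off_template = {}, [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in RANSOM_EXTENSIONS:
                by_ext[ext] = by_ext.get(ext, 0) + 1
            if name.lower() == NOTE_NAME:
                note_dirs.append(dirpath)
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                if not (NOTE_GREETING.search(text) and ONION_LINK.search(text)):
                    off_template.append(path)
    return {"by_ext": by_ext, "note_dirs": sorted(note_dirs),
            "off_template_notes": sorted(off_template)}


def build_sample_tree():
    """Constructed sample: two encrypted directories, one with an off-template note."""
    root = tempfile.mkdtemp(prefix="akira_triage_")
    fin = os.path.join(root, "finance")
    os.makedirs(fin)
    for name in ("q3.xlsx.akira", "budget.docx.akira", "notes.txt"):
        open(os.path.join(fin, name), "w").close()
    with open(os.path.join(fin, NOTE_NAME), "w") as fh:
        fh.write("Hi friends,\n...\nhttp://constructedexampleaddressonly.onion/\n")
    vm = os.path.join(root, "datastore1", "vm01")
    os.makedirs(vm)
    open(os.path.join(vm, "vm01-flat.vmdk.powerranges"), "w").close()
    with open(os.path.join(vm, NOTE_NAME), "w") as fh:
        fh.write("Your files are locked. Pay now.\n")   # does not match template
    return root
```

Run `triage_tree(build_sample_tree())` to see the summary; on a real case point `triage_tree` at a mounted forensic image rather than the live system.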

3. System Performance Anomalies

  • High CPU/Disk I/O: During active encryption, affected servers or workstations will exhibit unusually high CPU usage (near 100%) and sustained disk read/write activity, even when no user applications are running.
  • Slow System Response: General system sluggishness, delays in opening applications, or network latency can be early indicators.

4. Disabled Security Software

  • EDR/AV Deactivation: Akira, particularly the STONETOP loader, targets and disables Endpoint Detection and Response (EDR) agents and traditional antivirus (AV) software. Check for:
    • Disabled services (e.g., MsMpSvc, CrowdStrike Falcon Sensor, SentinelOne Agent).
    • Missing security event logs (Windows Event ID 1102: “The audit log was cleared”).
    • Bypassed AMSI (Antimalware Scan Interface) logs.

5. Network Share Inaccessibility

  • SMB/NFS Shares: Users will report being unable to access network drives or CIFS/NFS shares that were previously available. This indicates successful encryption of shared storage.

Phase 2: Host-Based Forensics (Deep Dive into Compromised Systems)

This phase requires access to affected systems and a forensic toolkit. Focus on artifacts left by the STONETOP loader and Megazord encryptor.

1. Process Analysis and Execution Artifacts

  • Unusual Processes: Look for recently executed processes that are:
    • Signed with Unknown Certificates: STONETOP often uses stolen or newly generated code-signing certificates.
    • Running from Odd Locations: C:\Users\Public or C:\ProgramData are common staging grounds for STONETOP.
    • Suspicious Parent/Child Relationships: E.g., cmd.exe spawning powershell.exe which then spawns an unsigned executable with high privileges.
  • Prefetch Files (.pf): Analyze Prefetch files (C:\Windows\Prefetch) for recent executions of unusual binaries, especially those not typically found in your environment or running from temporary directories.
  • Shim Cache (AppCompatCache): Examine the Shim Cache (Registry: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache) for a historical record of recently executed applications.

2. File System Artifacts

  • Dropped Executables: Search for suspicious executables dropped around the time of the attack. STONETOP often renames itself to appear legitimate (e.g., ServiceHost.exe, lsass.exe in wrong directories, WinSync.exe).
  • Temporary Files: Look for large temporary files created around the encryption time, especially in %TEMP% or C:\Windows\Temp. These can be staging areas for exfiltrated data or the encryptor payload itself.
  • fsutil or del commands: Examine the MFT (Master File Table) for evidence of fsutil usn deletejournal or fsutil file setzerodata, commands Akira uses to delete logs and overwrite files.

3. Registry Analysis (STONETOP Persistence & Evasion)

The STONETOP loader is adept at establishing persistence.

  • Run Keys: Check common Windows Run Keys for suspicious entries that execute at startup:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (for 64-bit systems running 32-bit malware)
  • Service Creation: Look for newly created or modified Windows Services, especially those configured to run automatically and execute suspicious binaries.
  • Task Scheduler: Analyze scheduled tasks (schtasks.exe or Get-ScheduledTask) for new entries designed to maintain persistence or re-launch the encryptor. STONETOP often uses legitimate-looking names.
  • Security Disabling: Investigate registry modifications related to disabling security features:
    • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (IFEO debugger entries to hijack AV processes).
    • Disabling AMSI logging or scanning.

4. Event Log Analysis (Crucial for Timeline & Evasion)

  • Security Event Log (Windows Event Viewer):
    • Event ID 4624 (Successful Logon): Look for unusual logon times, source IPs, or user accounts (especially local administrator accounts) that shouldn’t be active.
    • Event ID 4625 (Failed Logon): Clusters of failures may indicate brute-force attempts prior to successful compromise.
    • Event ID 4688 (Process Creation): Enable Advanced Auditing to capture command-line arguments. Look for suspicious powershell.exe commands with obfuscated scripts or direct execution of binaries from unusual paths.
    • Event ID 4720 (User Account Created): STONETOP often creates new, hidden administrator accounts.
    • Event ID 1102 (The audit log was cleared): A strong indicator of attacker activity.
  • System Event Log: Look for service creation/deletion or unexpected system reboots.
  • PowerShell Operational Logs: Crucial for detecting script-based attacks. Look for obfuscated commands, base64-encoded strings, or System.Net.WebClient downloads.
  • Cisco ASA/VPN Logs: If your initial access vector was a VPN vulnerability (CVE-2024-40766), examine VPN logs for successful logins from unusual geo-locations or during off-hours.
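The Security-log checks above (and the staging-directory and parent/child-process points from section 1 of this phase) can be expressed as a small triage pass. The following is an added example, not code from the original article: it takes a batch of Windows Security events as dicts of the fields the checks need (as you would get from an EVTX export) and returns one finding per matched indicator. The brute-force threshold, the staging directories and the sample events are assumptions constructed for the demonstration.

```python
# Added example (not from the original article): apply the Security-log checks
# listed above to a constructed batch of Windows Security events. Each event is
# a dict of the fields the checks use; the brute-force threshold is assumed.
import re
from collections import Counter

STAGING_DIRS = ("c:\\users\\public\\", "c:\\programdata\\")   # from Phase 2 §1
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
BRUTE_FORCE_THRESHOLD = 5   # assumed: 4625 events per source IP


def triage_events(events):
    """Return (event_id, reason) findings for the Security-log checks above."""
    findings, failed_by_ip = [], Counter()
    for ev in events:
        eid = ev["EventID"]
        if eid == 1102:
            findings.append((eid, "audit log cleared by " + ev["SubjectUserName"]))
        elif eid == 4720:
            findings.append((eid, "account created: " + ev["TargetUserName"]))
        elif eid == 4625:
            failed_by_ip[ev["IpAddress"]] += 1
        elif eid == 4688:
            proc = ev["NewProcessName"].lower()
            parent = ev.get("ParentProcessName", "").lower()
            if proc.startswith(STAGING_DIRS):
                findings.append((eid, "launched from staging dir: " + proc))
            if proc.endswith("powershell.exe"):
                if ENCODED_PS.search(" " + ev.get("CommandLine", "") + " "):
                    findings.append((eid, "encoded PowerShell command line"))
                if parent.endswith("\\cmd.exe"):
                    findings.append((eid, "cmd.exe -> powershell.exe chain"))
    for ip, n in failed_by_ip.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings.append((4625, "%d failed logons from %s" % (n, ip)))
    return findings


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample, modelled on the event IDs above
    *[{"EventID": 4625, "IpAddress": "203.0.113.7"} for _ in range(6)],
    {"EventID": 4720, "TargetUserName": "svc_sync"},
    {"EventID": 4688, "NewProcessName": PS, "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QUJDREVGRw=="},
    {"EventID": 4688, "NewProcessName": "C:\\Users\\Public\\WinSync.exe", "ParentProcessName": PS},
    {"EventID": 1102, "SubjectUserName": "administrator"},
]
```

Event ID 4688 only carries CommandLine when command-line auditing is enabled, as the text notes; without it the encoded-PowerShell check has nothing to inspect.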

5. Memory Forensics (Volatility/RedLine)

  • Process Injection: Akira (STONETOP) often injects malicious code into legitimate processes (e.g., lsass.exe, explorer.exe).
  • Network Connections: Analyze active network connections from memory to identify C2 (Command and Control) communication, especially to Cloudflared or other tunneling tools used by STONETOP.
  • Credential Dumping: Look for evidence of credential dumping tools (e.g., Mimikatz, Lazagne) in memory, often targeting lsass.exe.
  • Malicious Drivers: Identify any newly loaded kernel drivers, as STONETOP uses BYOVD to disable EDR.

Phase 3: Network & Hypervisor Forensics (Scope and Lateral Movement)

This phase determines the extent of the breach and identifies advanced attack techniques.

1. Network Traffic Analysis

  • Unusual Outbound Connections: Look for connections to unusual IP addresses or domains. STONETOP uses Cloudflared (Cloudflare Tunnel) for highly encrypted C2 communication, which can blend in with legitimate Cloudflare traffic.
  • High Volume Outbound Traffic: Indicates data exfiltration. Look for large data transfers via SMB, FTP, or rclone to external IPs, especially before encryption.
  • Internal Scanning: Evidence of internal network scanning (e.g., Nmap, AdFind.exe, SoftPerfect Network Scanner) indicates lateral movement.
  • TOR Traffic: While TOR itself isn’t malicious, unexpected TOR traffic originating from your network, especially from non-proxy servers, can indicate attacker C2.

2. Hypervisor-Specific Indicators (VMware ESXi & Nutanix AHV)

The 2025 Megazord variant has a strong focus on hypervisors.

VMware ESXi:

  • Encrypted VMDK Files: The primary indicator. All .vmdk files will have .akira appended.
  • Log Analysis (/var/log/hostd.log, vpxa.log, auth.log):
    • Look for failed login attempts (brute-force).
    • Unauthorized esxcli commands or PowerCLI scripts being executed.
    • Unusual VM shutdowns or suspensions.
  • ESXi Cron Jobs: Check /var/spool/cron/crontabs/root for suspicious entries used for persistence.
  • Open Ports: Look for unexpected open ports (netstat -tulpn) that could indicate a C2 channel or persistence mechanism.
  • Stolen SSH Keys: Check for newly added or modified SSH authorized keys in /etc/ssh/keys-root/ or user home directories.

Nutanix AHV:

  • Encrypted VDisk Files: .adisk files within the storage containers will be encrypted.
  • Prism Central/Element Logs:
    • Unusual API Calls: Look for ncli or restapi calls to power off VMs, delete snapshots, or modify network configurations.
    • Login Anomalies: Successful logins to Prism from unusual IPs or user accounts (especially admin or other privileged users).
    • Volume Group Deletion: Evidence of Volume Group snapshots being deleted or modified via Prism.
  • Guest VM Analysis: Check the guest VMs for the akira_readme.txt and .akira extensions.
  • AHV Host Shell Logs: Examine the AHV host logs for manual commands, especially those that interact with storage or VMs.
  • Indicators of rclone: Akira is known to use rclone to exfiltrate data from Nutanix environments. Look for its presence in logs or temporary directories.

Phase 4: Data Exfiltration Confirmation (The “Double Extortion” Element)

Identifying exfiltration confirms the “double extortion” threat.

1. Firewall/Proxy Logs

  • Volume of Outbound Data: Look for unusually high outbound data transfers (Gigabytes or Terabytes) around the time of the initial breach.
  • Destination IPs: Track the destination IPs of large data transfers. These often lead to cloud storage providers (Mega.nz, Sync.com, File.io) or attacker-controlled VPS instances.
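Both firewall/proxy checks above reduce to aggregating outbound bytes per internal host and destination and then applying two tests: a volume threshold and a match against the file-sharing services named. The following is an added example, not code from the original article; the log line format, the 1 GiB threshold, the internal address ranges and the sample log are all assumptions constructed for the demonstration.

```python
# Added example (not from the original article): aggregate outbound bytes per
# internal host and destination from firewall/proxy logs and flag large totals
# and transfers to the file-sharing services the article names.
from collections import defaultdict

STAGING_SERVICES = ("mega.nz", "sync.com", "file.io")   # from the article
VOLUME_THRESHOLD = 1024 ** 3                            # assumed: 1 GiB per pair
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")      # assumed internal space


def parse_line(line):
    """Constructed format: '<iso-time> <src_ip> <dst_ip> <dst_host> <bytes_out>'."""
    ts, src, dst, host, nbytes = line.split()
    return ts, src, dst, host.lower(), int(nbytes)


def is_staging_service(host):
    return any(host == s or host.endswith("." + s) for s in STAGING_SERVICES)


def find_exfil(lines):
    """Return (src_ip, dst_host, total_bytes, first_seen, reason) per flagged pair."""
    totals, first_seen = defaultdict(int), {}
    for ts, src, dst, host, nbytes in map(parse_line, lines):
        if not src.startswith(INTERNAL_PREFIXES) or dst.startswith(INTERNAL_PREFIXES):
            continue                           # keep internal -> external flows only
        totals[(src, host)] += nbytes
        first_seen.setdefault((src, host), ts)
    findings = []
    for (src, host), total in sorted(totals.items()):
        reasons = []
        if total >= VOLUME_THRESHOLD:
            reasons.append("%.1f GiB outbound" % (total / 1024 ** 3))
        if is_staging_service(host):
            reasons.append("file-sharing service")
        if reasons:
            findings.append((src, host, total, first_seen[(src, host)], "; ".join(reasons)))
    return findings


SAMPLE_LOG = """\
2025-03-01T22:10:05 10.0.5.21 198.51.100.10 api.crm.example 8400000
2025-03-01T23:02:17 10.0.5.21 203.0.113.44 upload.mega.nz 734003200
2025-03-01T23:40:00 10.0.5.21 203.0.113.44 upload.mega.nz 1610612736
2025-03-02T00:05:41 10.0.8.3 10.0.9.9 fileserver.corp.example 5000000000
2025-03-02T00:30:12 192.168.1.50 203.0.113.99 vps99.hosting.example 1073741824
2025-03-02T01:12:09 10.0.5.22 203.0.113.80 cdn.file.io 20480
""".splitlines()   # constructed sample; the bytes column is per-flow bytes out
```

The first_seen timestamp is what lets you place the transfer relative to the encryption start when building the timeline.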

2. Dark Web Monitoring

  • Akira Leaks Site: Post-incident, monitor the official Akira leak site (typically a TOR .onion address like akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion) for your organization’s name or specific data sets. Our team conducts this proactively.

Conclusion: The Need for Specialized Forensics

Identifying a 2025 Akira Megazord/STONETOP infection goes far beyond a simple file extension check. It demands a deep understanding of evolving attack vectors (CVE-2024-40766, CVE-2024-40711), evasion techniques (BYOVD, Cloudflared), and hypervisor-specific targeting.

Attempting self-recovery without a comprehensive forensic analysis can lead to reinfection, permanent data loss, or legal/compliance penalties. Our team specializes in identifying these advanced indicators to ensure a complete, compliant, and permanent recovery from the latest Akira variants.
