Project case study

The Buyer / Akira Ransomware Threat Hunt

A cyber-range Akira ransomware investigation reconstructing remote access, staging, lateral movement, defense evasion, data staging, and impact artifacts using Microsoft Defender telemetry.

Ransomware investigation scope

  • Affected hosts: 2
  • Flag analyses: 40
  • First known IOC: Jan 27, 2026
  • Last known IOC: Jan 28, 2026

Problem

The investigation needed to determine how a ransomware event unfolded across AS-PC2 and AS-SRV, identify supporting evidence, map observed behavior to ATT&CK, and document detection gaps.

Approach

  • Scoped the hunt to Microsoft Defender Advanced Hunting tables covering process, file, network, registry, logon, and device events.
  • Used Akira ransom-note and .akira file artifacts to anchor the impact phase.
  • Pivoted from AnyDesk relay traffic to the suspicious execution path, the external IP, and the user context.
  • Correlated wsync.exe, suspicious domains, hashes, and follow-on tooling.
  • Investigated Defender registry tampering, LSASS-related telemetry, internal enumeration, SMB traffic, PowerShell downloads, data staging, shadow copy deletion, and cleanup behavior.
  • Mapped the observed activity to MITRE ATT&CK and documented detection opportunities.

Evidence

  • The repository README contains an executive summary, scope, ATT&CK mapping, 40 flag analyses, KQL queries, screenshots, detection gaps, and final assessment.
  • Documented ransomware indicators include an Akira ransom note, .akira marker, updater.exe, and SHA256 e609d070ee9f76934d73353be4ef7ff34b3ecc3a2d1e5d052140ed4cb9e4752b.
  • Remote access evidence includes AnyDesk activity from C:\Users\Public, relay-0b975d23.net.anydesk.com, external IP 88.97.164.155, and user David.Mitchell.
  • Defense evasion and impact evidence includes kill.bat, DisableAntiSpyware, reg.exe, wmic shadowcopy delete, vssadmin delete shadows /all /quiet, and clean.bat.
  • The report documents data staging via exfil_data.zip but does not claim confirmed successful exfiltration.

Outcome

The report confirmed AS-PC2 and AS-SRV as affected hosts, documented a timeline from first known IOC on January 27, 2026 at 19:13:11 UTC through last known IOC on January 28, 2026 at 04:43:30 UTC, and identified detection recommendations for remote access misuse, Defender tampering, tool transfer, archive creation, shadow copy deletion, and privileged activity correlation.
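As an added illustration of how those detection recommendations become rules (this is example code, not the case-study repository's own KQL), the block below runs narrow regex checks over constructed rows shaped like Defender's DeviceProcessEvents table and derives the affected hosts and first/last-hit timeline; the full command lines, the registry path used for the DisableAntiSpyware write, and the benign svc_backup row are assumptions.

```python
import re

# Constructed rows shaped like Defender DeviceProcessEvents (subset of columns). Hosts, account,
# path and commands mirror the case study; full command lines and the benign last row are assumed.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-01-27T19:13:11Z", "DeviceName": "AS-PC2", "AccountName": "David.Mitchell",
     "FolderPath": r"C:\Users\Public\AnyDesk.exe", "ProcessCommandLine": "AnyDesk.exe"},
    {"Timestamp": "2026-01-27T21:02:45Z", "DeviceName": "AS-PC2", "AccountName": "David.Mitchell",
     "FolderPath": r"C:\Windows\System32\reg.exe", "ProcessCommandLine":
     r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"Timestamp": "2026-01-28T03:10:02Z", "DeviceName": "AS-SRV", "AccountName": "David.Mitchell",
     "FolderPath": r"C:\Windows\System32\vssadmin.exe", "ProcessCommandLine": "vssadmin delete shadows /all /quiet"},
    {"Timestamp": "2026-01-28T03:11:30Z", "DeviceName": "AS-SRV", "AccountName": "David.Mitchell",
     "FolderPath": r"C:\Windows\System32\wbem\wmic.exe", "ProcessCommandLine": "wmic shadowcopy delete"},
    {"Timestamp": "2026-01-28T04:43:30Z", "DeviceName": "AS-SRV", "AccountName": "David.Mitchell",
     "FolderPath": r"C:\Windows\System32\cmd.exe", "ProcessCommandLine": "cmd.exe /c clean.bat"},
    {"Timestamp": "2026-01-27T09:00:00Z", "DeviceName": "AS-PC2", "AccountName": "svc_backup",
     "FolderPath": r"C:\Windows\System32\notepad.exe", "ProcessCommandLine": "notepad.exe report.txt"},
]

# (rule name, column to inspect, pattern, ATT&CK mapping) for behaviours the case study flagged.
# Patterns are deliberately narrow so that ordinary admin activity does not trip them.
RULES = [
    ("remote_access_public_dir", "FolderPath",
     re.compile(r"\\users\\public\\.*anydesk", re.I), "T1219 Remote Access Software"),
    ("defender_tamper", "ProcessCommandLine",
     re.compile(r"\breg(\.exe)?\s+add\b.*DisableAntiSpyware", re.I), "T1562.001 Disable or Modify Tools"),
    ("shadow_copy_delete", "ProcessCommandLine",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
     "T1490 Inhibit System Recovery"),
    ("cleanup_script", "ProcessCommandLine",
     re.compile(r"\b(kill|clean)\.bat\b", re.I), "Defense Evasion (kill.bat / clean.bat artifacts)"),
]

def hunt(events):
    """Return one hit per matching (event, rule) pair, preserving event order."""
    hits = []
    for ev in events:
        for name, column, pattern, technique in RULES:
            if pattern.search(ev.get(column, "")):
                hits.append({"Timestamp": ev["Timestamp"], "DeviceName": ev["DeviceName"],
                             "AccountName": ev["AccountName"], "Rule": name, "Technique": technique})
    return hits

def summarize(hits):
    """Affected hosts and first/last hit: the figures the scope card above reports."""
    if not hits:
        return {"hosts": [], "first": None, "last": None}
    stamps = sorted(h["Timestamp"] for h in hits)  # ISO-8601 'Z' strings sort chronologically
    return {"hosts": sorted({h["DeviceName"] for h in hits}), "first": stamps[0], "last": stamps[-1]}
```

In a live hunt the same rule table would be expressed as KQL against DeviceProcessEvents; the value of keeping the mapping explicit is that each hit carries the host, account and technique needed for the correlation step the report recommends.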

What I learned

  • Ransomware investigations require correlating impact artifacts with earlier remote access, staging, discovery, and defense evasion activity.
  • MDE telemetry can support a timeline across process, file, registry, network, and logon evidence.
  • Detection recommendations are stronger when tied to specific observed commands, hashes, paths, accounts, and ATT&CK techniques.