Analysing Akira ransomware


Carlos Lopez

Feb 18, 2025, 12:58:59 AM
to velocirapt...@googlegroups.com
Hi all,

Last week one of my company's laptops was infected by the Akira ransomware. I asked a colleague to collect evidence and for this I created an offline collector using the Windows.KapeFiles.Targets artifact selecting "_SANS_triage" as a collection.

Once my colleague sent me the resulting .zip file, I tried to import it into my velociraptor server (using Windows.KapeFiles.Extract artifact) but it returns the error:

File /uploads/ntfs/%5C%5C.%5CC%3A/$Extend/$UsnJrnl%3A$J is too sparse - unable to expand it.

Even with the error, in the output directory I can see that the Windows event log evtx files and the MFT table are there.

How can I proceed from here with Velociraptor in order to detect from where Akira's ransomware came, or how many actions/modifications have been performed by Akira? Do I need to configure some hunts pointing to the directory where I have extracted the data?

Many thanks

Best regards,
C. L. Martinez

Mike Cohen

Feb 18, 2025, 2:07:22 AM
to Carlos Lopez, velociraptor-discuss
That should be fine. The Journal file is normally very sparse, so it cannot be padded out, but importing it should keep it as sparse.

You said you tried to import it, so that would imply you used https://docs.velociraptor.app/artifact_references/pages/server.utils.importcollection/, which should just keep the file as sparse.

Once you import the file you can download it from the files upload tab.

If you want to extract the files for another tool to look at, you can just use the velociraptor unzip command (use -h to see how to use it). There are options there to deal with sparse files.

Also, now you can use fuse on Linux to avoid importing it at all and just mount the collection.

Thanks 
Mike
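Why the journal is kept as a sparse file rather than padded out, as an added illustration that is not part of this thread and not Velociraptor's own code: a collector only needs to store the populated runs of a file like $Extend/$UsnJrnl:$J, can still read any window of it (zeros where no run exists), and refuses to materialise the full apparent size when that would mean writing gigabytes of zeros. The `SparseFile` class, the 4 GiB apparent size, the 256 MiB expansion ceiling and the journal bytes are all constructed for the example.

```python
# Added example: keeping a USN journal as sparse runs instead of padding it out.
# Not code from the thread or from Velociraptor; every size and byte below is constructed.
from typing import Dict

GiB = 2**30


class SparseFile:
    """A file stored as its populated runs only: {offset: bytes}.

    Everything between runs is implicit zeros, exactly what NTFS sparse/unallocated
    ranges give a reader.
    """

    def __init__(self, apparent_size: int, runs: Dict[int, bytes]):
        self.apparent_size = apparent_size
        # Sort runs and reject overlaps or out-of-bounds regions up front.
        self.runs = dict(sorted(runs.items()))
        end = 0
        for off, chunk in self.runs.items():
            if off < end or off + len(chunk) > apparent_size:
                raise ValueError("runs must be non-overlapping and inside the file")
            end = off + len(chunk)

    def allocated_size(self) -> int:
        """Bytes that actually have to be stored on disk."""
        return sum(len(c) for c in self.runs.values())

    def sparsity(self) -> float:
        """Fraction of the apparent size that is implicit zeros."""
        if self.apparent_size == 0:
            return 0.0
        return 1.0 - self.allocated_size() / self.apparent_size

    def read(self, offset: int, length: int) -> bytes:
        """Read a window without expanding the file: zeros where no run covers it."""
        if offset < 0 or length < 0 or offset + length > self.apparent_size:
            raise ValueError("read outside file")
        out = bytearray(length)
        for off, chunk in self.runs.items():
            lo = max(offset, off)
            hi = min(offset + length, off + len(chunk))
            if lo < hi:
                out[lo - offset:hi - offset] = chunk[lo - off:hi - off]
        return bytes(out)

    def expand(self, max_bytes: int) -> bytes:
        """Materialise the whole file; refuse when padding it out would be too costly."""
        if self.apparent_size > max_bytes:
            raise ValueError(
                f"file is too sparse - unable to expand it "
                f"({self.apparent_size} apparent, {self.allocated_size()} allocated)"
            )
        return self.read(0, self.apparent_size)


def journal_sample() -> SparseFile:
    """Constructed: a 4 GiB journal whose only live data is a 64-byte tail record."""
    tail = 4 * GiB - 64
    return SparseFile(4 * GiB, {tail: b"USN_RECORD_CONSTRUCTED".ljust(64, b"\x00")})


def import_journal(f: SparseFile, max_expand: int = 256 * 2**20) -> str:
    """Model an importer's choice: expand small files, keep large sparse ones as runs."""
    try:
        f.expand(max_expand)
        return "expanded"
    except ValueError:
        return "kept-sparse"


if __name__ == "__main__":
    j = journal_sample()
    print(f"apparent={j.apparent_size} allocated={j.allocated_size()} "
          f"sparsity={j.sparsity():.8f} decision={import_journal(j)}")
    # The live record is still readable without expanding the 4 GiB of zeros.
    print(j.read(4 * GiB - 64, 22))
```

The point for triage is that a "too sparse" message is a storage decision, not data loss: the populated journal records are all present in the runs and any reader that understands the sparse layout (or a mount of the collection) can still parse them.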

