
An Akira ransomware affiliate used Easyupload.io, a file-sharing service operated by LimeWire, to exfiltrate stolen data during a recent attack.
The incident was detected on May 29 after Huntress' SOC identified unauthorized remote access to a domain controller. Although the initially compromised endpoint was taken offline, investigators reconstructed the attack using endpoint telemetry, Windows event logs, browser artifacts, and forensic analysis of a virtual hard disk (VHDX) file.
The attackers first conducted Active Directory reconnaissance, reviewing files named AdUsers.txt and AdComp.txt containing information on domain users and computers. They then moved to a file server, where they used WinRAR to archive data and WinSCP to transfer files, likely for exfiltration.
A key finding was the attackers' use of a hypervisor to create a new virtual machine inside the victim's environment. Because the VM was newly deployed, it lacked the organization's security tools, including the Huntress agent, allowing the attackers to operate with minimal detection.
Huntress analysts mounted and examined the VM's VHDX file, revealing that the attackers disabled Microsoft Defender within minutes of logging in. They then accessed network shares, installed WinRAR, and prepared data for theft.
The VM also contained evidence of ransomware staging. Investigators found that the threat actor accessed an archive containing multiple versions of the Akira encryptor and renamed one executable to akira.exe.
Browser history showed the attacker searching Bing for “eayupload” before visiting Easyupload.io, a drag-and-drop file transfer service owned by LimeWire. Huntress believes the platform was used to exfiltrate archived data before the ransomware was deployed. Shortly after visiting the site, the attacker launched akira.exe against mounted network shares.

According to Huntress, the Akira ransomware attack moved quickly and involved little effort to hide activity beyond disabling Microsoft Defender. Logs, browser history, and other artifacts remained intact, providing investigators with a clear timeline of the intrusion.
The case highlights the continued abuse of legitimate services for data theft. Huntress noted that ransomware operators have previously relied on tools and platforms such as Restic, MegaSYNC, cloud storage services, and s5cmd to move stolen data out of victim environments.
The researchers recommend monitoring for unauthorized access, unexpected VM creation, and suspicious use of archiving and file-transfer tools, which often signal data staging and exfiltration activity preceding ransomware deployment.
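As an added illustration of that monitoring advice (example code written for this article, not Huntress tooling), the script below scans constructed endpoint telemetry for the staging chain seen in this case: an archiver run followed within a short window by a file-transfer tool or a visit to a file-sharing site, with Defender tampering as a corroborating signal. The log format, hostnames and tool lists are assumptions.

```python
"""Hunt for the pre-encryption staging chain: archiver, then an exfiltration
channel (transfer tool or file-sharing site), correlated per host."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample telemetry (not real logs): time | host | kind | detail
SAMPLE_TELEMETRY = """\
2025-05-29T01:02:00 | VM-NEW01 | process | powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
2025-05-29T01:20:00 | VM-NEW01 | process | WinRAR.exe a -r \\\\FS01\\Finance\\out.rar
2025-05-29T01:41:00 | VM-NEW01 | browser | https://www.bing.com/search?q=eayupload
2025-05-29T01:42:00 | VM-NEW01 | browser | https://easyupload.io/
2025-05-29T02:05:00 | VM-NEW01 | process | akira.exe -p=\\\\FS01\\Finance
2025-05-29T09:00:00 | WS-042   | process | WinRAR.exe x backup.rar
2025-05-29T15:30:00 | WS-042   | browser | https://intranet.example.local/
"""

# Assumed executable and domain lists; extend from your own environment.
ARCHIVERS = {"winrar.exe", "rar.exe", "7z.exe"}
TRANSFER_TOOLS = {"winscp.exe", "s5cmd.exe", "restic.exe", "megasync.exe"}
SHARING_DOMAINS = {"easyupload.io"}

def parse_telemetry(text):
    """Turn the pipe-delimited lines into event dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = (p.strip() for p in line.split(" | ", 3))
        ev = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "detail": detail}
        if kind == "process":  # image name is the first token, path stripped
            ev["exe"] = detail.split()[0].rsplit("\\", 1)[-1].lower()
        elif kind == "browser":
            ev["domain"] = (urlparse(detail).hostname or "").lower()
        events.append(ev)
    return events

def find_staging_chains(telemetry, window_hours=4):
    """One finding per host where an archiver run is followed within the
    window by a transfer tool or a file-sharing site visit."""
    by_host = {}
    for ev in parse_telemetry(telemetry):
        by_host.setdefault(ev["host"], []).append(ev)
    findings = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        archives = [e for e in events if e["kind"] == "process" and e["exe"] in ARCHIVERS]
        if not archives:
            continue
        start, deadline = archives[0]["ts"], archives[0]["ts"] + timedelta(hours=window_hours)
        channels = [e for e in events if start <= e["ts"] <= deadline and (
            (e["kind"] == "process" and e["exe"] in TRANSFER_TOOLS)
            or (e["kind"] == "browser" and e["domain"] in SHARING_DOMAINS))]
        if not channels:
            continue  # archiving alone (e.g. WS-042) is normal admin activity
        tampered = any("disablerealtimemonitoring" in e["detail"].lower() for e in events)
        findings.append({"host": host, "archive_at": start.isoformat(),
                         "exfil_channel": channels[0]["detail"], "defender_tampered": tampered})
    return findings
```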