- An Akira ransomware affiliate exploited Easyupload.io, a file-sharing platform operated by LimeWire, to push stolen data out of a victim’s network before deploying the ransomware.
- The attackers created a fresh virtual machine inside the victim’s environment to dodge installed security tools, then disabled Microsoft Defender within minutes of logging in.
- Huntress investigators reconstructed the full attack timeline using Windows event logs, endpoint telemetry, forensic analysis of a virtual HDD (hard disk) file, and browser artifacts.

Akira ransomware operators have found a new way to move stolen data out of victim environments quietly. A recent attack, detected on May 29, revealed that an affiliate used Easyupload.io, a drag-and-drop file transfer service owned by LimeWire, to exfiltrate archived data before triggering the encryption stage. Huntress’ Security Operations Center caught the intrusion after identifying unauthorized remote access to a domain controller.
The initially compromised endpoint went offline early in the investigation. Huntress analysts reconstructed the full attack chain using Windows event logs, endpoint telemetry, browser artifacts, and forensic examination of a virtual HDD file (VHDX), giving investigators a clear picture of everything the attackers touched.
Attackers Built a Blind Spot Inside the Network
The threat actors started with reconnaissance of Active Directory, examining files named “AdComp.txt” and “AdUsers.txt”, which contained details on domain users and computers. They then moved to a file server, used WinRAR to archive data, and used WinSCP to transfer files in preparation for exfiltration.
The most notable technique was the creation of a new virtual machine directly inside the victim’s own environment. Because the VM was freshly deployed, it carried none of the organization’s existing security tools, including the Huntress agent. This gave the attackers a clean workspace with minimal detection risk.
Huntress analysts examined the VM’s VHDX file and found that the attackers disabled Microsoft Defender within minutes of logging in. They then browsed network shares, installed WinRAR, and staged material for theft.
The VM also contained clear evidence of ransomware preparation. Investigators found that the threat actor accessed an archive holding multiple versions of the encryptor for Akira and changed the name of an executable file to “akira.exe.”
LimeWire Platform Served as the Exit Route
Browser history inside the VM showed the attacker searching Bing for “easyupload” before landing on Easyupload.io. Huntress believes the platform served as the exit route for archived stolen data, used just before the ransomware went live.
Akira’s tactics have been used in multiple attacks; the ransomware gang recently shut down a US cinema chain, demonstrating the group’s reach across different industries. Shortly after visiting the site, the attackers deployed “akira.exe” against the mounted network shares, triggering the encryption phase.
According to Huntress, the attack moved quickly and involved little effort to conceal activity beyond disabling Microsoft Defender. Browser history, logs, and other forensic artifacts remained largely intact, giving investigators an unusually complete timeline of the intrusion.
Legitimate Tools, Growing Threat
The case adds to a growing list of incidents where ransomware operators abuse legitimate platforms to move stolen data. Huntress noted that operators in previous attacks relied on tools and services including Restic, MegaSYNC, cloud storage platforms, and s5cmd to pull data out of victim environments without triggering alarms.
Huntress researchers recommend that organizations monitor for unauthorized access attempts, unexpected virtual machine creation, and suspicious use of archiving and file transfer tools. According to the researchers, these activities frequently signal data staging and exfiltration in the window just before ransomware deployment.
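As an added illustration of the monitoring the researchers recommend (this is example code, not Huntress tooling), the following correlates the staging indicators from this intrusion, Defender being disabled, archiving with WinRAR, transfer via WinSCP or Easyupload.io, and VM creation, over a constructed telemetry feed and flags a host only when several distinct indicators land inside one short window. The event format, host names and timestamps are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Indicator categories drawn from the intrusion described above, mapped to
# substrings matched case-insensitively against a constructed telemetry feed.
INDICATORS = {
    "archive_tool": ("winrar.exe", "rar.exe"),
    "transfer_tool": ("winscp.exe", "easyupload.io"),
    "defender_off": ("disablerealtimemonitoring",),
    "vm_created": ("new-vm ", "vmms"),
}
WINDOW = timedelta(minutes=60)   # staging took only minutes in the case above
MIN_CATEGORIES = 3               # distinct indicator types needed to raise an alert
def classify(event):
    """Return the set of indicator categories an event matches (often empty)."""
    text = event["detail"].lower()
    return {name for name, needles in INDICATORS.items() if any(n in text for n in needles)}
def detect_staging(events):
    """Map host -> sorted indicator names for hosts where at least MIN_CATEGORIES
    distinct indicators occur inside one WINDOW-long span; a lone hit such as a
    user archiving their own documents does not trigger."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        cats = classify(ev)
        if cats:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cats))
    hits = {}
    for host, seq in by_host.items():
        for i, (start, _) in enumerate(seq):     # slide the window over each start
            seen = set()
            for ts, cats in seq[i:]:
                if ts - start > WINDOW:
                    break
                seen |= cats
            if len(seen) >= MIN_CATEGORIES:
                hits[host] = sorted(seen)
                break
    return hits
# Constructed sample telemetry (not from the Huntress report): FS01 shows the
# Defender-off -> WinRAR -> WinSCP/Easyupload chain, WS07 only a lone archive job.
SAMPLE_EVENTS = [
    {"ts": "2025-05-29T01:02:00", "host": "FS01", "detail": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2025-05-29T01:15:00", "host": "FS01", "detail": "WinRAR.exe a -r staging.rar \\\\fs\\finance"},
    {"ts": "2025-05-29T01:40:00", "host": "FS01", "detail": "winscp.exe /upload staging.rar"},
    {"ts": "2025-05-29T01:50:00", "host": "FS01", "detail": "browser navigation https://easyupload.io/"},
    {"ts": "2025-05-29T09:00:00", "host": "WS07", "detail": "WinRAR.exe a backup.rar C:\\Users\\alice\\Documents"},
]
if __name__ == "__main__":
    print(detect_staging(SAMPLE_EVENTS))  # {'FS01': ['archive_tool', 'defender_off', 'transfer_tool']}
```

In a real deployment the substring table would be replaced by process-creation and Defender configuration events from the EDR or SIEM, and the window tuned to the environment.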