How a Plaintext File On Users’ Desktops Exposed Secrets Leads to Akira Ransomware Attacks

A threat actor who gained initial access through a SonicWall VPN device was able to escalate their attack by finding Huntress recovery codes saved in a plaintext file on a user’s desktop.

This allowed the attacker to log into the client’s security portal, where they attempted to remediate incident reports and uninstall security agents to cover their tracks.

This incident is an offshoot of a wider campaign targeting SonicWall VPNs, which led to the rapid deployment of Akira ransomware across multiple victim environments.

This particular case highlights the significant risk of storing sensitive credentials in easily accessible formats.

The Huntress Security Operations Center (SOC) in the APAC region first detected suspicious activity when multiple administrative users began executing commands to delete shadow copies across several hosts within an organization. In response, analysts initiated a mass isolation of systems to contain the threat.

The investigation revealed that the Akira ransomware binary, w.exe, had been executed from a user’s desktop, leading to the encryption of that workstation.

[Figure: Attack Chain]

However, the quick containment prevented the ransomware from spreading throughout the entire environment.

SOC analyst Michael confirmed through event log analysis that the compromised user accounts were accessed from internal IP addresses in the 192.168.x.x range.

These IPs were likely assigned via DHCP to systems controlled by the Akira threat actors after they compromised the organization’s SonicWall VPN.

This technique allows attackers to blend in with legitimate network traffic, bypassing endpoint detection and response (EDR) solutions, as the rogue systems do not have security agents installed and their activity appears to originate from a trusted internal source.

The Huntress SOC issued a formal incident report identifying the SonicWall VPN as the likely point of entry and justifying the mass isolation response.

The team then collaborated with the Threat Hunting & Response team for a deeper analysis to provide the partner with comprehensive intelligence on the active threat.

Certificate Export And Abuse

During the investigation of the Domain Controller (DC), analysts observed the compromised user executing commands to list and export certificates from the local certificate store.

The attacker specifically used certutil -store My to enumerate certificates in the personal store, which could contain sensitive keys for authentication, encryption, or signing.

Subsequently, the attacker exported a certificate in PFX format, which includes both the public and private keys.

Compromising such a certificate, if used for user or device authentication, could allow an attacker to impersonate legitimate users or machines, facilitating credential theft and lateral movement.

While this activity is a strong indicator of preparations for persistent access, the root cause for this specific action could not be determined during the incident.
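The two behaviours described above, shadow-copy deletion by several admin accounts across several hosts (the SOC's isolation trigger) and certutil store enumeration followed by a PFX export, can be triaged from process-creation telemetry. The following is an added example, not Huntress tooling or code from the article; the 'timestamp host user command' log format, host and user names, and the alert thresholds are constructed assumptions standing in for Sysmon Event ID 1 or Security 4688 records.

```python
"""Triage process-creation events for mass shadow-copy deletion and certificate
export. Added example (not Huntress tooling); the 'timestamp host user command'
log format below is a constructed simplification of Sysmon EID 1 / Security 4688."""
import re
from collections import defaultdict

# Constructed sample events, not data from the incident.
SAMPLE_EVENTS = """\
2024-01-01T03:10:01 WS01 CORP\\adm.jsmith vssadmin delete shadows /all /quiet
2024-01-01T03:10:04 WS02 CORP\\adm.jsmith wmic shadowcopy delete
2024-01-01T03:10:09 FS01 CORP\\adm.kwong vssadmin delete shadows /all /quiet
2024-01-01T03:12:30 DC01 CORP\\adm.kwong certutil -store My
2024-01-01T03:13:02 DC01 CORP\\adm.kwong certutil -exportPFX My 1a2b3c cert.pfx
2024-01-01T08:00:00 WS03 CORP\\helpdesk notepad.exe C:\\temp\\notes.txt
"""

SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)
CERT_STORE = re.compile(r"certutil.*-store\b", re.I)
CERT_EXPORT = re.compile(r"certutil.*-exportpfx\b", re.I)

def parse(lines):
    """Yield (host, user, command) from the constructed log format."""
    for line in lines.splitlines():
        parts = line.split(" ", 3)
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3]

def triage(lines, host_threshold=2, user_threshold=2):
    """Return findings. A mass_shadow_delete finding fires only when deletions
    span several hosts AND several admin users (the SOC's isolation trigger);
    cert_activity findings are per host, 'high' once a PFX export is seen."""
    shadow_hosts, shadow_users = set(), set()
    cert_activity = defaultdict(list)
    for host, user, cmd in parse(lines):
        if SHADOW_DELETE.search(cmd):
            shadow_hosts.add(host)
            shadow_users.add(user)
        if CERT_EXPORT.search(cmd):
            cert_activity[host].append(("pfx_export", user, cmd))
        elif CERT_STORE.search(cmd):
            cert_activity[host].append(("store_enum", user, cmd))
    findings = []
    if len(shadow_hosts) >= host_threshold and len(shadow_users) >= user_threshold:
        findings.append(("mass_shadow_delete", sorted(shadow_hosts), sorted(shadow_users)))
    for host, acts in sorted(cert_activity.items()):
        severity = "high" if any(k == "pfx_export" for k, _, _ in acts) else "medium"
        findings.append(("cert_activity", host, severity, acts))
    return findings
```

A single admin deleting shadow copies on one host (a legitimate cleanup) stays below the thresholds; the combination of several accounts and several hosts in a short window is what matches this incident's pattern.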

While enumerating administrative shares from the DC, the threat actor discovered and accessed a plaintext file on an internal security engineer’s desktop named Huntress_recovery_codes-.txt.

[Figure: Huntress code exposed]

These codes serve as a backup to bypass multi-factor authentication (MFA). Their compromise effectively grants an attacker full access to the Huntress console, allowing them to tamper with detection and response capabilities.

Huntress analysts noticed a security engineer’s account began resolving active incident reports within the Huntress portal, which was anomalous given the ongoing incident.

The SOC team quickly escalated their concerns, and the partner confirmed that the activity was not performed by their personnel.

A review of portal activity revealed that a known malicious IP address, 104.238.221[.]69, previously associated with other SonicWall compromises, had accessed the portal using the stolen recovery codes.

The attacker then manually closed incident reports and initiated the uninstallation of Huntress agents from compromised systems to suppress visibility and hinder the response.

This sequence of events highlights how improperly stored recovery codes can become a single point of failure, allowing an attacker to bypass MFA and gain privileged access.

In this case, the attacker was able to impersonate a trusted user, access the security portal, suppress alerts, and attempt to remove endpoint protection.

The Dangers Of Credentials Stored In Plaintext

Storing credentials and recovery codes in plaintext poses a significant security risk. Once obtained, they can be used to compromise hosts and access critical third-party applications and security platforms.

This access can be weaponized to disable defenses and execute further malicious actions.

Organizations should treat recovery codes with the same level of security as privileged account passwords. Recommended practices include:

  • Avoid plaintext storage: Do not save recovery codes in unprotected text files or on shared drives.
  • Use a password manager: Store codes and credentials in an encrypted password manager with a strong master password.
  • Encrypt offline storage: If using offline storage, ensure the file is encrypted and password-protected on an encrypted drive.
  • Rotate and monitor: Periodically regenerate recovery codes and monitor for unusual login activity.
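One way to check the first recommendation against an estate is to hunt user profile folders for files that are either named like recovery-code files (as the Huntress_recovery_codes-.txt file in this incident was) or whose contents look like a list of short codes. The script below is an added example, not code from the article or any vendor; the scanned folder names, filename patterns and code-shape heuristic are assumptions to tune locally, and it runs against a constructed directory tree so it works offline.

```python
"""Hunt for plaintext recovery-code files under user profiles. Added example, not
the article's or any vendor's code; folders, name patterns and heuristic are assumptions."""
import os, re, tempfile

NAME_HINTS = re.compile(r"(recovery|backup|mfa|2fa)[ _-]*codes?", re.I)
# One short alphanumeric token per line, optionally hyphen-split, e.g. 'abcd-1234'.
CODE_LINE = re.compile(r"^\s*[a-z0-9]{4,8}(-?[a-z0-9]{4,8})?\s*$", re.I)
SCAN_SUBDIRS = ("Desktop", "Documents", "Downloads")

def looks_like_code_list(path, min_codes=4, max_bytes=65536):
    """True when most non-empty lines are code-shaped and contain a digit."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            lines = [l for l in fh.read(max_bytes).splitlines() if l.strip()]
    except OSError:
        return False
    hits = sum(1 for l in lines if CODE_LINE.match(l) and re.search(r"\d", l))
    return hits >= min_codes and hits / len(lines) >= 0.7

def hunt(profile_root):
    """Return [(path, reason)] for suspect files in each user's scanned folders."""
    findings = []
    for user in sorted(os.listdir(profile_root)):
        for sub in SCAN_SUBDIRS:
            folder = os.path.join(profile_root, user, sub)
            if not os.path.isdir(folder):
                continue
            for name in sorted(os.listdir(folder)):
                path = os.path.join(folder, name)
                if not os.path.isfile(path):
                    continue
                if NAME_HINTS.search(name):
                    findings.append((path, "filename"))  # named like the incident's file
                elif name.lower().endswith(".txt") and looks_like_code_list(path):
                    findings.append((path, "content"))   # innocuous name, code-like body
    return findings

def build_fixture():
    """Constructed profile tree for demonstration (no real user data)."""
    root = tempfile.mkdtemp()
    desk = os.path.join(root, "seceng", "Desktop")
    os.makedirs(desk)
    files = {
        "Huntress_recovery_codes-.txt": "a1b2c3d4\ne5f6g7h8\ni9j0k1l2\nm3n4o5p6\nq7r8s9t0\n",
        "notes.txt": "k3l9-m2p4\nx8y1-z4q7\nr2t6-v9b3\nn5m8-c1d4\n",
        "todo.txt": "call vendor\nrotate certs\nreview VPN logs\n",
    }
    for name, body in files.items():
        with open(os.path.join(desk, name), "w") as fh:
            fh.write(body)
    return root
```

Point hunt() at C:\Users (or a mounted image of it) to run it for real; every hit is a file that should be moved into a password manager or encrypted store and its codes regenerated.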

Indicators Of Compromise

  • w.exe: Ransomware executable
  • SHA256 6f1192ea8d20d8e94f2b140440bdfc74d95987be7b3ae2098c692fdea42c4a69: Ransomware executable
  • 104.238.221[.]69: Attacker IP that accessed the Huntress platform
  • cert.pfx: Certificate export

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.