Anatomy of an Akira Ransomware Attack: When a Fake CAPTCHA Led to Forty-Two Days of Compromise
unit42.paloaltonetworks.com/fake-capt…
Unit 42 recently assisted a global data-storage and infrastructure company that suffered a destructive ransomware attack. The incident was carried out by Howling Scorpius, the group behind Akira ransomware. What began with a single click on what appeared to be a routine website CAPTCHA evolved into a forty-two-day compromise that exposed critical security gaps.
The case reinforces an important truth: deploying security tools is not the same as achieving true coverage or full visibility across an environment.
The attack began when an employee in one division visited a compromised car-dealership website. What looked like a standard bot-verification prompt — the familiar “click to prove you’re human” challenge — was actually a ClickFix social-engineering tactic. ClickFix disguises malware delivery as a legitimate security check, tricking users into downloading malicious payloads under the guise of identity verification.
When the employee interacted with the fake CAPTCHA, they unknowingly downloaded SectopRAT malware, giving Howling Scorpius its initial foothold. SectopRAT is a .NET-based remote-access Trojan that enables attackers to hide code execution, remotely control infected systems, monitor activity, steal data and run commands in stealth mode.
