A newly released analysis from Unit 42 details how a global data storage and infrastructure company was crippled by a destructive ransomware attack—all triggered by one employee’s click on a malicious CAPTCHA decoy.
According to Unit 42, “the attack began when an employee… visited a compromised car dealership website” and clicked what appeared to be a routine bot-verification prompt. The seemingly harmless action was actually a ClickFix lure, a social engineering technique that disguises malware delivery as a standard CAPTCHA interaction.
From that single interaction, the attackers—identified as Howling Scorpius, distributors of the Akira ransomware—launched a 42-day compromise that spiraled into a full-blown corporate crisis.
What looked like a standard “click to prove you’re human” moment was anything but. The decoy delivered SectopRAT, a .NET-based remote access Trojan that let the attackers run code covertly on, and remotely control, the infected workstation.
Unit 42 states: “When the employee interacted with the fake CAPTCHA, they unknowingly downloaded SectopRAT malware, giving Howling Scorpius their foothold.”
SectopRAT enabled the attackers to monitor activity, steal data, and execute commands quietly—laying the foundation for a slow, methodical takeover.
Once inside, Howling Scorpius moved with patience and precision. The attackers:
- established a backdoor for persistent command-and-control
- mapped the virtual infrastructure
- compromised multiple privileged accounts, including domain admins
- moved laterally using RDP, SSH, and SMB
- accessed domain controllers
- staged massive file archives using WinRAR
Unit 42 notes: “Over 42 days, the threat actors accessed domain controllers and staged massive data archives using WinRAR across multiple file shares.”
They eventually pivoted from a single business unit domain into the corporate network, then further into cloud resources, crossing boundaries that should have contained them.
Before unleashing ransomware, the attackers executed two of the most damaging steps of the entire campaign:
- they deleted cloud storage containers holding backups and compute resources, leaving the company without a safety net
- they exfiltrated nearly 1 TB of data using FileZillaPortable before finally deploying Akira ransomware across three separate networks, bringing virtual machines offline and halting operations
One of the most striking discoveries by Unit 42 was that the victim had security visibility—but it wasn’t being used effectively.
Despite having two enterprise-grade EDR solutions deployed, the tools were essentially silent. Unit 42 reports:
“These tools recorded the malicious activity in their data logs… but they generated very few alerts.”
“The security team had visibility in theory but not in practice.”
Every step of the attack—lateral movement, privilege escalation, file staging—was logged but went unnoticed for over a month.
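The "logged but never alerted" gap described above is, in practice, a missing correlation layer on top of raw telemetry. The Python below is an added example written for this page, not Unit 42's or the victim's tooling: it runs three correlation checks that map to the behaviours the report describes (one account opening RDP sessions to several hosts, WinRAR archiving across multiple file shares, and a portable FileZilla binary launched from a user-writable path) over a handful of constructed EDR process-creation events. The field names, hostnames, share names, and thresholds are all assumptions made for the illustration.

```python
"""Correlate raw EDR-style process events into the alerts the described
attack chain should have produced. Added example for this page; the event
schema (ts, host, user, image, cmdline) and the events are constructed."""
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). Backslashes are JSON-escaped.
SAMPLE_EVENTS = r'''
{"ts":"2025-03-01T09:12:00Z","host":"WS-1042","user":"BU\\jdoe","image":"C:\\Windows\\System32\\mstsc.exe","cmdline":"mstsc.exe /v:FS-01"}
{"ts":"2025-03-01T09:40:00Z","host":"WS-1042","user":"BU\\jdoe","image":"C:\\Windows\\System32\\mstsc.exe","cmdline":"mstsc.exe /v:FS-02"}
{"ts":"2025-03-02T11:05:00Z","host":"WS-1042","user":"BU\\jdoe","image":"C:\\Windows\\System32\\mstsc.exe","cmdline":"mstsc.exe /v:DC-01"}
{"ts":"2025-03-03T01:10:00Z","host":"FS-01","user":"BU\\jdoe","image":"C:\\Program Files\\WinRAR\\Rar.exe","cmdline":"Rar.exe a -r -v2g C:\\temp\\fin.rar \\\\FS-01\\Finance"}
{"ts":"2025-03-03T01:30:00Z","host":"FS-01","user":"BU\\jdoe","image":"C:\\Program Files\\WinRAR\\Rar.exe","cmdline":"Rar.exe a -r -v2g C:\\temp\\hr.rar \\\\FS-02\\HR"}
{"ts":"2025-03-03T02:00:00Z","host":"FS-01","user":"BU\\jdoe","image":"C:\\Program Files\\WinRAR\\Rar.exe","cmdline":"Rar.exe a -r -v2g C:\\temp\\eng.rar \\\\FS-03\\Engineering"}
{"ts":"2025-03-04T03:15:00Z","host":"FS-01","user":"BU\\jdoe","image":"C:\\temp\\FileZillaPortable\\FileZillaPortable.exe","cmdline":"FileZillaPortable.exe"}
{"ts":"2025-03-04T08:00:00Z","host":"WS-0007","user":"BU\\asmith","image":"C:\\Program Files\\WinRAR\\WinRAR.exe","cmdline":"WinRAR.exe a C:\\Users\\asmith\\report.rar C:\\Users\\asmith\\report.docx"}
'''

# Matches a UNC path of the form \\server\share (first two components only).
UNC_SHARE = re.compile(r'\\\\([^\\\s]+)\\([^\\\s]+)')


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def basename(path):
    """Lower-cased image file name, independent of install location."""
    return path.rsplit('\\', 1)[-1].lower()


def detect_rdp_fan_out(events, min_targets=3):
    """One account launching mstsc.exe toward >= min_targets distinct hosts."""
    targets = defaultdict(set)
    for e in events:
        if basename(e['image']) == 'mstsc.exe':
            m = re.search(r'/v:(\S+)', e['cmdline'], re.I)
            if m:
                targets[e['user']].add(m.group(1).lower())
    return [{'rule': 'rdp_fan_out', 'user': u, 'targets': sorted(t)}
            for u, t in targets.items() if len(t) >= min_targets]


def detect_archive_staging(events, min_shares=2):
    """WinRAR 'a' (add) runs by one account that touch >= min_shares distinct shares.
    A single local archive (asmith above) stays below the threshold by design."""
    shares = defaultdict(set)
    for e in events:
        if basename(e['image']) in {'rar.exe', 'winrar.exe'}:
            args = e['cmdline'].split()
            if len(args) > 1 and args[1].lower() == 'a':
                for m in UNC_SHARE.finditer(e['cmdline']):
                    shares[e['user']].add('\\\\{}\\{}'.format(*m.groups()).lower())
    return [{'rule': 'archive_staging', 'user': u, 'shares': sorted(s)}
            for u, s in shares.items() if len(s) >= min_shares]


def detect_portable_exfil_tool(events):
    """FileZilla run from outside Program Files, i.e. a dropped portable copy."""
    alerts = []
    for e in events:
        if (basename(e['image']) in {'filezillaportable.exe', 'filezilla.exe'}
                and not e['image'].lower().startswith('c:\\program files')):
            alerts.append({'rule': 'portable_exfil_tool', 'host': e['host'],
                           'user': e['user'], 'image': e['image']})
    return alerts


def run_detections(text=SAMPLE_EVENTS):
    """Run every rule over the event stream and return the combined alert list."""
    events = parse_events(text)
    return (detect_rdp_fan_out(events)
            + detect_archive_staging(events)
            + detect_portable_exfil_tool(events))


if __name__ == '__main__':
    for alert in run_detections():
        print(json.dumps(alert))
```

Each rule is deliberately per-account rather than per-host: the report's pattern is one set of compromised credentials touching many machines and shares, which is exactly what a host-scoped alert misses. Thresholds and the Program Files check are tuning knobs, not fixed facts about the incident.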