In double-extortion attacks targeting companies worldwide, the Akira ransomware operation employs a Linux encryptor to encrypt VMware ESXi virtual machines. Initially targeting Windows systems in various industries, Akira has now shifted its focus to Linux-based servers. The ransomware gang follows the common approach of stealing data from breached networks and encrypting files to conduct double extortion, demanding large ransom payments.
Akira has gained traction since its emergence in March 2023 and has already claimed over 30 victims in the United States alone. The ransomware has targeted organizations in sectors such as education, finance, real estate, manufacturing, and consulting. Recent spikes in ID Ransomware submissions indicate increased activity by the Akira ransomware group.
The Linux encryptor used by Akira is specifically designed to target VMware ESXi servers, which have become more prevalent in enterprise environments due to their efficient resource utilization and device management capabilities. By targeting ESXi servers, the ransomware can potentially encrypt multiple servers running as virtual machines in a single attack.
While Akira’s Linux encryptor lacks advanced features found in other VMware ESXi encryptors, it still provides some customization options for attackers. Command line arguments allow them to define the percentage of encryption, target specific file or folder paths, target network drives, and create child processes for encryption. Notably, the encryption percentage parameter affects the speed of encryption and the likelihood of file recovery without paying the ransom.
The ransomware encrypts files with various extensions, including those commonly associated with databases. Interestingly, the Linux encryptor skips specific Windows folders and executables, suggesting that the Linux variant of Akira may have been ported from the Windows version.
According to the researchers, the Linux encryptor employs multiple symmetric key algorithms, such as AES, CAMELLIA, IDEA-CB, and DES, to encrypt victims’ files. The symmetric key is then encrypted with a public RSA encryption key, preventing decryption without the corresponding private key held by the attackers. Encrypted files are renamed with the .akira extension, and a ransom note named akira_readme.txt is created in each encrypted folder.
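A small triage script for defenders, added here and not part of the original report, that walks a filesystem for the two on-disk indicators named above (files renamed with the .akira extension and an akira_readme.txt note in each encrypted folder); the datastore layout it scans is constructed inline and is not real victim data.

```python
import os
import tempfile
from pathlib import Path

AKIRA_EXT = ".akira"               # extension appended to encrypted files
RANSOM_NOTE = "akira_readme.txt"   # note written into each encrypted folder


def scan_for_akira(root):
    """Walk root without following symlinks and return, for every directory
    carrying at least one indicator, the count of .akira files and whether
    the ransom note is present."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        encrypted = sum(1 for f in files if f.lower().endswith(AKIRA_EXT))
        note = any(f.lower() == RANSOM_NOTE for f in files)
        if encrypted or note:
            hits[dirpath] = {"encrypted": encrypted, "note": note}
    return hits


def summarize(hits):
    """Totals for an incident ticket: folders hit, files hit, and folders with
    a note but no renamed files (worth a manual look)."""
    return {
        "folders": len(hits),
        "files": sum(h["encrypted"] for h in hits.values()),
        "note_only": sum(1 for h in hits.values() if h["note"] and not h["encrypted"]),
    }


def build_sample_tree(base):
    """Constructed sample datastore layout (not real victim data)."""
    base = Path(base)
    hit = base / "vmfs" / "volumes" / "ds1" / "web01"
    clean = base / "vmfs" / "volumes" / "ds1" / "db02"
    hit.mkdir(parents=True)
    clean.mkdir(parents=True)
    for name in ("web01.vmdk" + AKIRA_EXT, "web01.vmx" + AKIRA_EXT, RANSOM_NOTE):
        (hit / name).touch()
    (clean / "db02.vmdk").touch()


def run_demo():
    """Build the sample tree in a temp dir, scan it, return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = scan_for_akira(tmp)
        for d, h in sorted(hits.items()):
            print(f"{d}: {h['encrypted']} .akira file(s), note={h['note']}")
        return summarize(hits)


if __name__ == "__main__":
    print(run_demo())
```

Point scan_for_akira at a mounted datastore path to get a per-folder inventory of affected virtual machine files for the incident record.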
The expansion of Akira’s targeting scope, coupled with the adoption of Linux support, signifies an alarming trend among ransomware groups. Many threat actors are increasingly incorporating Linux encryptors, particularly those targeting VMware ESXi servers, as it allows them to maximize their profits. Several other ransomware operations, such as Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive, have also employed Linux ransomware encryptors to target VMware ESXi servers.
The addition of Linux capabilities to ransomware operations underscores the need for organizations to bolster their cybersecurity defenses, including robust backup strategies, comprehensive threat detection and prevention systems, and user education to mitigate the risk of falling victim to such attacks.