In its double-extortion attacks on businesses worldwide, the Akira ransomware operation encrypts VMware ESXi virtual machines with a Linux encryptor.
Akira first appeared in March 2023, targeting Windows systems in education, finance, real estate, manufacturing, and consulting, among other sectors.
Similar to other enterprise-focused ransomware gangs, the threat actors encrypt files and steal data from compromised networks in order to double-extort victims for several million dollars.
Over 30 victims have been hit by the ransomware operation since it started, with two distinct activity spikes in ID Ransomware submissions at the end of May and right now.
Akira targets VMware ESXi
Malware analyst rivitna was the first to discover the Linux version of Akira. Last week, he posted a sample of the new encryptor on VirusTotal.
BleepingComputer’s analysis of the Linux encryptor shows it has a project name of ‘Esxi_Build_Esxi6,’ indicating the threat actors designed it specifically to target VMware ESXi servers.
For instance, /mnt/d/vcprojects/Esxi_Build_Esxi6/argh.h is one of the project’s source code files.
Over the past few years, ransomware gangs have increasingly created custom Linux encryptors to encrypt VMware ESXi servers, as enterprises moved to running servers as virtual machines for easier device management and more efficient use of resources.
By targeting ESXi servers, a threat actor can encrypt many servers running as virtual machines in a single run of the ransomware encryptor.
However, unlike other VMware ESXi encryptors analyzed by BleepingComputer, Akira’s encryptor does not contain many advanced features, such as automatically shutting down virtual machines before encrypting files using the esxcli command.
With that said, the binary does support a few command line arguments that allow an attacker to customize their attacks:
- -p --encryption_path (targeted file/folder paths)
- -s --share_file (targeted network drive path)
- -n --encryption_percent (percentage of encryption)
- --fork (create a child process for encryption)
The -n parameter is particularly notable as it allows attackers to define how much data is encrypted on each file.
The lower that setting, the speedier the encryption, but the more likely that victims will be able to recover their original files without paying a ransom.
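The partial-encryption trade-off above can be measured on a recovered file: because only a percentage of each file becomes ciphertext, a per-block entropy scan shows how much was actually touched and where intact plaintext remains. This is an added forensic example, not code from the article or from Cyble/BleepingComputer; the sample file, its 30% ratio and the placement of ciphertext at the start of the file are constructed assumptions for the demo.

```python
# Added example (not from the article): estimate how much of a file a partial
# encryptor touched. With the -n/--encryption_percent option only part of each
# file becomes ciphertext, so low-entropy blocks may still be recoverable.
# The sample file and its 30% ratio are constructed for the demo.
import math
import os
import random
import tempfile
from collections import Counter

BLOCK = 4096
CIPHERTEXT_THRESHOLD = 7.0  # bits/byte; random-looking data sits near 8


def entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def encrypted_fraction(path):
    """Return (share of high-entropy blocks, index of first low-entropy block).
    The index is where recovery of plaintext could start."""
    high = total = 0
    first_low = None
    with open(path, "rb") as fh:
        while chunk := fh.read(BLOCK):
            if entropy(chunk) >= CIPHERTEXT_THRESHOLD:
                high += 1
            elif first_low is None:
                first_low = total
            total += 1
    return (high / total if total else 0.0), first_low


def build_sample(percent=30, blocks=100, seed=1):
    """Constructed file: first `percent`% of blocks are random bytes (standing
    in for ciphertext), the rest repetitive plaintext."""
    rng = random.Random(seed)
    path = os.path.join(tempfile.mkdtemp(prefix="akira_demo_"), "vm.vmdk.akira")
    plain = (b"VMware virtual disk plaintext block. " * 200)[:BLOCK]
    n_enc = blocks * percent // 100
    with open(path, "wb") as fh:
        for i in range(blocks):
            fh.write(bytes(rng.getrandbits(8) for _ in range(BLOCK)) if i < n_enc else plain)
    return path
```

A real encryptor may spread the encrypted share across the file rather than at the start, which is why the scan reports per-block results rather than assuming a layout.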
When encrypting files, the Linux Akira encryptor will target the following extensions:
.4dd, .accdb, .accdc, .accde, .accdr, .accdt, .accft, .adb, .ade, .adf, .adp, .arc, .ora, .alf, .ask, .btr, .bdf, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad, .dadiagrams, .daschema, .db-shm, .db-wa, .db3, .dbc, .dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .dlis, .dp1, .dqy, .dsk, .dsn, .dtsx, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fmp, .fmp12, .fmps, .fp3, .fp4, .fp5, .fp7, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .idb, .ihx, .itdb, .itw, .jet, .jtx, .kdb, .kexi, .kexic, .kexis, .lgc, .lwx, .maf, .maq, .mar, .mas, .mav, .mdb, .mdf, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib, .ns2, .ns3, .ns4, .nsf, .nv2, .nwdb, .nyf, .odb, .oqy, .orx, .owc, .p96, .p97, .pan, .pdb, .pdm, .pnz, .qry, .qvd, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spq, .sqlite, .sqlite3, .sqlitedb, .temx, .tmd, .tps, .trc, .trm, .udb, .usr, .v12, .vis, .vpd, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld, .xmlff, .abcddb, .abs, .abx, .accdw, .adn, .db2, .fm5, .hjt, .icg, .icr, .lut, .maw, .mdn, .mdt, .vdi, .vhd, .vmdk, .pvm, .vmem, .vmsn, .vmsd, .nvram, .vmx, .raw, .qcow2, .subvo, .bin, .vsv, .avhd, .vmrs, .vhdx, .avdx, .vmcx, .iso
Strangely, the Linux locker appears to skip the following folders and files, all related to Windows folders and executables, indicating that the Linux variant of Akira was ported from the Windows version.
winnt, temp, thumb, $Recycle.Bin, $RECYCLE.BIN, System Volume Information, Boot, Windows, Trend Micro, .exe, .dll, .lnk, .sys, .msi
The encryptor employs multiple symmetric key algorithms, including AES, CAMELLIA, IDEA-CB, and DES, for file encryption, according to Cyble’s analysts, who also published a report today about the Linux version of Akira.
The symmetric key is used to encrypt the victims’ files and is then encrypted with the RSA public key. This prevents access to the decryption key unless the attackers hold the RSA private decryption key.
Encrypted files will be renamed to have the .akira extension, and a hardcoded ransom note named akira_readme.txt will be created in each folder on the encrypted device.
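The two on-disk artifacts just described, the .akira suffix and the akira_readme.txt note, are what a responder looks for first on a mounted datastore. The following triage helper is an added example, not code from the article or from Cyble/BleepingComputer; the directory layout it builds is constructed for the demo, and the VM extension subset is taken from the target list above.

```python
# Added triage helper (not code from the article): walk a mounted datastore
# and report the Akira artifacts the article describes, i.e. files renamed
# with .akira and akira_readme.txt notes. The demo tree is constructed.
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "akira_readme.txt"
ENCRYPTED_EXT = ".akira"
# Subset of the VM-related extensions in the article's target list.
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmem", ".vmsn", ".vmsd", ".nvram",
                 ".vhd", ".vhdx", ".qcow2", ".iso"}

def original_extension(name):
    """'disk.vmdk.akira' -> '.vmdk' (extension before the .akira suffix)."""
    return os.path.splitext(name[:-len(ENCRYPTED_EXT)])[1].lower()

def triage(root):
    """Count encrypted files per original extension, list folders holding a
    ransom note, and flag folders with encrypted files but no note."""
    by_ext, note_dirs, enc_dirs = Counter(), set(), set()
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f == RANSOM_NOTE:
                note_dirs.add(dirpath)
            elif f.lower().endswith(ENCRYPTED_EXT):
                enc_dirs.add(dirpath)
                by_ext[original_extension(f)] += 1
    return {
        "encrypted_by_ext": dict(by_ext),
        "vm_files_hit": sum(n for e, n in by_ext.items() if e in VM_EXTENSIONS),
        "note_dirs": sorted(note_dirs),
        "encrypted_without_note": sorted(enc_dirs - note_dirs),
    }

def build_demo_tree():
    """Constructed sample datastore for the demo, not real victim data."""
    root = tempfile.mkdtemp(prefix="akira_demo_")
    layout = {
        "vm1": ["vm1.vmdk.akira", "vm1.vmx.akira", RANSOM_NOTE],
        "vm2": ["vm2.vmdk.akira", "vm2.nvram"],  # encrypted, but no note
        "docs": ["report.pdf", "notes.txt"],     # untouched
    }
    for d, names in layout.items():
        os.makedirs(os.path.join(root, d))
        for n in names:
            with open(os.path.join(root, d, n), "w") as fh:
                fh.write("demo")
    return root
```

Folders that hold encrypted files but no note are worth a second look, since the article states the note is dropped in each encrypted folder.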
The expansion of Akira’s targeting scope is reflected in the number of victims announced by the group recently, which only makes the threat more severe for organizations worldwide.
Unfortunately, adding Linux support is a growing trend among ransomware groups, with many using readily available tools to do it, as this is an easy and almost foolproof way to increase profits.
Other ransomware operations that utilize Linux ransomware encryptors, with most targeting VMware ESXi, include Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.