Attention! The Linux version of Akira ransomware for VMware ESXi servers

Tech 2023-07-01 01:39:00 Source: Network

Akira ransomware uses Linux encryptors to encrypt VMWareESXi virtual machines, thereby conducting dual ransomware attacks on global enterprises.Akira first appeared in March 2023, targeting Windows systems in multiple industries such as education, finance, real estate, manufacturing, and consulting

Akira ransomware uses Linux encryptors to encrypt VMWareESXi virtual machines, thereby conducting dual ransomware attacks on global enterprises.

Akira first appeared in March 2023, targeting Windows systems in multiple industries such as education, finance, real estate, manufacturing, and consulting.

Like other ransomware gangs targeting businesses, these attackers steal data from compromised networks, encrypt files, perform double ransomment on victims, and demand ransom payments of up to millions of dollars.

Since its launch, more than 30 victims have been victimized in North America alone, with two clear activity peaks in ID ransomware submissions at the end of May and now.

Akira's past few months of activities MOVEit

Akira for VMware ESXi

The Linux version of Akira was first discovered by malware analyst Rivitna, who shared a sample of a new encryptor on VirusTotal last week.

Analysis shows that the project name of the encryptor is "Esxi_Build_Esxi6", indicating that the attacker specifically designed it for the VMware ESXi server.

For example, a source code file for a project is
/Mnt/d/vcprojects/Essi_ Build_ Esxi6/argh. h.

In the past few years, as businesses have shifted to using virtual machines as servers to improve device management and effectively utilize resources, ransomware gangs have created many custom Linux encryptors to encrypt VMWareESXi servers.

By targeting ESXi servers, attackers can encrypt many servers running as virtual machines in one run of the ransomware encryptor.

However, unlike other VMwareESXi encryptors, Akira's encryptor does not include many advanced features, such as automatically shutting down virtual machines before encrypting files using the esxcli command.

Having said that, binary files do support some command-line parameters, allowing attackers to customize attacks:

-P - encryption_ Path (target file/folder path)

-S - share_ File (destination network drive path)

-N - encryption_ Percentage (encryption percentage)

Akira Encrypted Files on Linux Server

-The n parameter is particularly noteworthy as it allows attackers to define how much data is encrypted on each file.

The lower this setting, the faster the encryption speed, but victims are more likely to recover their original files without paying a ransom.

When encrypting files, the LinuxAkira encryptor will target the following extensions:

. 4dd,. accdb,. accdc,. accde,. accdr,. accdt,. accft,. adb,. ade,. adf,. adp,. arc,. ora,. af,. ask,. btr,. bdf,. cat,. cdb,. ckp,. cma,. cpd,. dacpac,. dad,. diagrams,. daschema,. db shm,. db wa,. db3,. dbc,. dbf,. dbs,. dbt,. dbv,. dbx,. dcb. dct,. dcx,. dlis,. dp1,. dqy,. dsk,. dsn,. dtsx,. eco,. ecx,. edb,. epim,. exb,. fcd,. fdb,. fics,. fmp,. fmp12,. fmps,. fp3,. fp4,. fp5,. fp7,. fpt,. frm,. gdb,. grdb,. gwi,. hdb,. is,. idb,. ihx,. itdb,. itw,. net,. jtx, . kdb,. kexi,. kexi,. kexis,. lgc,. lwx,. maf,. maq,. mar,. mas,. mav,. mdb,. mdf,. mpd,. mrg,. mud,. mwb,. myd,. ndf,. nnt,. nrmlib,. ns2,. ns3,. ns4,. nsf,. nv2,. nwdb,. nyf,. odb,. oqy,. orx,. owc,. p96,. p97,. pan,. pdb,. pdm,. pdm,. nz,. qry,. qvd,. rbf,. rctd,. rod,. rodx,. rpd,. rsd,. sas7bdat,. sbf,. scx,. sdb,. sdc,. sdf,. sis,. spq,. sqlite,. sqlite3,. sqlitedb,. temx,. tmd,. tps,. trc,. trm,. udb,. usr,. v12,. vis,. vpd,. vvv,. wdb,. wmdb,. wrk,. xdb. xld, . xmlff,. abcddb,. abs,. abx,. accdw,. adn,. db2,. fm5,. hjt,. icg,. icr,. lut,. aw,. mdn,. mdt,. vdi,. vhd,. vmdk,. pvm,. vmem,. vmsn,. vmsd,. nvram,. vmx,. raw,. qcow2,. subvo,. bin,. vsv,. avhd,. vmrs,. vhdx,. avdx,. vmcx,. iso -

Strangely, the Linux lock seems to have skipped the following folders and files, which are all related to Windows folders and executable files, indicating that Akira's Linux variant was ported from the Windows version.

Winnt, temp, thumb, $Recycle. Bin, $RECYCLE. BIN, SystemVolumeInformation, Boot, Windows, TrendMicro,. exe,. dll,. lnk,. sys,. msi

Cyber analysts have also released a report on the Akira Linux version, explaining that the encryptor includes a public RSA encryption key and utilizes multiple symmetric key algorithms for file encryption, including AES, CAMELLIA, IDEA-CB, and DES.

The symmetric key is used to encrypt the victim's file, and then the RSA public key is used for encryption. This will prevent access to the decryption key unless you have an RSA private decryption key that is only held by the attacker.

RSA public key used by Akira (Cyber)

Encrypted file renamed to. akira extension and named akira_ The hard coded ransom notification for readme.txt will be created in each folder on the encrypted device.

Ransom notifications for Akira on Linux servers

Akira's recent announcement of the number of victims reflects the expansion of its target range, which will only exacerbate the threat faced by global organizations.

Unfortunately, in ransomware organizations, increasing Linux support is a growing trend, and many people use ready-made tools to achieve this because it is a simple and almost foolproof way to increase profits.

Other ransomware operations using Linux ransomware encryptors mainly target VMWareESXi, including Royal, BlackBasta, LockBit, BlackMatter, AvosLocker, REVil, HelloKitty, RansomEXX, and Hive.

The Sexun Simulation Attack Library now includes attack methods for Akira ransomware. You can search for the keyword "Akira" in the Sexun Security Measurement Verification Platform to obtain relevant attack simulation experiments. You can also search for other ransomware keywords such as "LockBit", "BlackMatter", etc. to verify whether your security defense system can effectively respond to various attack techniques used by these organizations.