Attention! The Linux version of Akira ransomware for VMware ESXi servers
AD |
Akira ransomware uses Linux encryptors to encrypt VMWareESXi virtual machines, thereby conducting dual ransomware attacks on global enterprises.Akira first appeared in March 2023, targeting Windows systems in multiple industries such as education, finance, real estate, manufacturing, and consulting
Akira ransomware uses Linux encryptors to encrypt VMWareESXi virtual machines, thereby conducting dual ransomware attacks on global enterprises.
Akira first appeared in March 2023, targeting Windows systems in multiple industries such as education, finance, real estate, manufacturing, and consulting.
Like other ransomware gangs targeting businesses, these attackers steal data from compromised networks, encrypt files, perform double ransomment on victims, and demand ransom payments of up to millions of dollars.
Since its launch, more than 30 victims have been victimized in North America alone, with two clear activity peaks in ID ransomware submissions at the end of May and now.
Akira for VMware ESXi
The Linux version of Akira was first discovered by malware analyst Rivitna, who shared a sample of a new encryptor on VirusTotal last week.
Analysis shows that the project name of the encryptor is "Esxi_Build_Esxi6", indicating that the attacker specifically designed it for the VMware ESXi server.
For example, a source code file for a project is
/Mnt/d/vcprojects/Essi_ Build_ Esxi6/argh. h.
In the past few years, as businesses have shifted to using virtual machines as servers to improve device management and effectively utilize resources, ransomware gangs have created many custom Linux encryptors to encrypt VMWareESXi servers.
By targeting ESXi servers, attackers can encrypt many servers running as virtual machines in one run of the ransomware encryptor.
However, unlike other VMwareESXi encryptors, Akira's encryptor does not include many advanced features, such as automatically shutting down virtual machines before encrypting files using the esxcli command.
Having said that, binary files do support some command-line parameters, allowing attackers to customize attacks:
-P - encryption_ Path (target file/folder path)
-S - share_ File (destination network drive path)
-N - encryption_ Percentage (encryption percentage)
-The n parameter is particularly noteworthy as it allows attackers to define how much data is encrypted on each file.
The lower this setting, the faster the encryption speed, but victims are more likely to recover their original files without paying a ransom.
When encrypting files, the LinuxAkira encryptor will target the following extensions:
. 4dd,. accdb,. accdc,. accde,. accdr,. accdt,. accft,. adb,. ade,. adf,. adp,. arc,. ora,. af,. ask,. btr,. bdf,. cat,. cdb,. ckp,. cma,. cpd,. dacpac,. dad,. diagrams,. daschema,. db shm,. db wa,. db3,. dbc,. dbf,. dbs,. dbt,. dbv,. dbx,. dcb. dct,. dcx,. dlis,. dp1,. dqy,. dsk,. dsn,. dtsx,. eco,. ecx,. edb,. epim,. exb,. fcd,. fdb,. fics,. fmp,. fmp12,. fmps,. fp3,. fp4,. fp5,. fp7,. fpt,. frm,. gdb,. grdb,. gwi,. hdb,. is,. idb,. ihx,. itdb,. itw,. net,. jtx, . kdb,. kexi,. kexi,. kexis,. lgc,. lwx,. maf,. maq,. mar,. mas,. mav,. mdb,. mdf,. mpd,. mrg,. mud,. mwb,. myd,. ndf,. nnt,. nrmlib,. ns2,. ns3,. ns4,. nsf,. nv2,. nwdb,. nyf,. odb,. oqy,. orx,. owc,. p96,. p97,. pan,. pdb,. pdm,. pdm,. nz,. qry,. qvd,. rbf,. rctd,. rod,. rodx,. rpd,. rsd,. sas7bdat,. sbf,. scx,. sdb,. sdc,. sdf,. sis,. spq,. sqlite,. sqlite3,. sqlitedb,. temx,. tmd,. tps,. trc,. trm,. udb,. usr,. v12,. vis,. vpd,. vvv,. wdb,. wmdb,. wrk,. xdb. xld, . xmlff,. abcddb,. abs,. abx,. accdw,. adn,. db2,. fm5,. hjt,. icg,. icr,. lut,. aw,. mdn,. mdt,. vdi,. vhd,. vmdk,. pvm,. vmem,. vmsn,. vmsd,. nvram,. vmx,. raw,. qcow2,. subvo,. bin,. vsv,. avhd,. vmrs,. vhdx,. avdx,. vmcx,. iso -
Strangely, the Linux lock seems to have skipped the following folders and files, which are all related to Windows folders and executable files, indicating that Akira's Linux variant was ported from the Windows version.
Winnt, temp, thumb, $Recycle. Bin, $RECYCLE. BIN, SystemVolumeInformation, Boot, Windows, TrendMicro,. exe,. dll,. lnk,. sys,. msi
Cyber analysts have also released a report on the Akira Linux version, explaining that the encryptor includes a public RSA encryption key and utilizes multiple symmetric key algorithms for file encryption, including AES, CAMELLIA, IDEA-CB, and DES.
The symmetric key is used to encrypt the victim's file, and then the RSA public key is used for encryption. This will prevent access to the decryption key unless you have an RSA private decryption key that is only held by the attacker.
Encrypted file renamed to. akira extension and named akira_ The hard coded ransom notification for readme.txt will be created in each folder on the encrypted device.
Akira's recent announcement of the number of victims reflects the expansion of its target range, which will only exacerbate the threat faced by global organizations.
Unfortunately, in ransomware organizations, increasing Linux support is a growing trend, and many people use ready-made tools to achieve this because it is a simple and almost foolproof way to increase profits.
Other ransomware operations using Linux ransomware encryptors mainly target VMWareESXi, including Royal, BlackBasta, LockBit, BlackMatter, AvosLocker, REVil, HelloKitty, RansomEXX, and Hive.
The Sexun Simulation Attack Library now includes attack methods for Akira ransomware. You can search for the keyword "Akira" in the Sexun Security Measurement Verification Platform to obtain relevant attack simulation experiments. You can also search for other ransomware keywords such as "LockBit", "BlackMatter", etc. to verify whether your security defense system can effectively respond to various attack techniques used by these organizations.
Recommended Reading
New dimension of email fraud! Utilizing partnerships to bypass multifactor authentication
Clop ransomware gang or related to MOVEit data theft attacks
Official account: Saixun verification
Disclaimer: The content of this article is sourced from the internet. The copyright of the text, images, and other materials belongs to the original author. The platform reprints the materials for the purpose of conveying more information. The content of the article is for reference and learning only, and should not be used for commercial purposes. If it infringes on your legitimate rights and interests, please contact us promptly and we will handle it as soon as possible! We respect copyright and are committed to protecting it. Thank you for sharing.(Email:[email protected])
Mobile advertising space rental |
Tag: Attention The Linux version of Akira ransomware for VMware
Seven Flagship Mobile Phone Endurance Horizontal Review: iPhone Still Strong, Glory Almost Exceeds
NextIOS WeChat has released the official version 8.0.39, with adjustments made to these features
Guess you like
-
2024 Spring Festival Travel Rush New Train Schedule: 321 Additional Trains Nationwide Starting January 5th, Further Enhancing Service Quality and EfficiencyDetail
2024-12-23 12:05:44 1
-
Changan Automobile and EHang Intelligent Sign Strategic Cooperation Agreement to Build Future Flying Car EcosystemDetail
2024-12-22 15:08:38 1
-
Liaoning Province and Baidu Sign Strategic Cooperation Framework Agreement to Jointly Promote AI Industry DevelopmentDetail
2024-12-20 19:36:38 1
-
Wanxun Technology Secures Nearly RMB 200 Million in Funding to Lead Global Soft Robotics Innovation, Set to Showcase Breakthroughs at CES 2025Detail
2024-12-20 15:54:19 1
-
Huolala's 2025 Spring Festival Freight Festival: Supporting Spring Festival Travel, Offering New Year Benefits to Users and DriversDetail
2024-12-20 13:38:20 1
-
The Third Meeting of the Third Council of the International New Energy Solutions Platform (INES): Charting a Blueprint for a "Dual Carbon" FutureDetail
2024-12-19 17:03:07 1
-
WeChat's Official Account Launches "Author Read Aloud Voice" Feature for Personalized Article ListeningDetail
2024-12-18 17:19:57 1
-
The 12th China University Students' Polymer Materials Innovation and Entrepreneurship Competition Finals Grand Opening in Guangrao CountyDetail
2024-12-18 16:04:28 1
-
Tracing the Ancient Shu Road, Winds of the Three Kingdoms: Global Influencer Shu Road Journey LaunchesDetail
2024-12-18 15:23:35 1
-
Seres: A Pioneer in ESG Practices, Driving Sustainable Development of China's New Energy Vehicle IndustryDetail
2024-12-17 16:20:26 1
- Detail
-
My Health, My Guard: Huawei WATCH D2 Aids Precise Blood Pressure Management in the Winter Health BattleDetail
2024-12-17 09:36:15 1
-
Investigation into the Chaos of Airline Seat Selection: Paid Seat Selection, Seat Locking Mechanisms, and Consumer Rights ProtectionDetail
2024-12-15 16:45:48 1
-
Japanese Scientists Grow Human Organs in Pigs: A Balancing Act of Breakthrough and EthicsDetail
2024-12-14 19:48:50 1
-
Pang Donglai and Sam's Club: Two Paths to Transformation in China's Retail IndustryDetail
2024-12-14 17:57:03 1
-
In-Depth Analysis of China's Precision Reducer Industry: Technological Innovation and Market CompetitionDetail
2024-12-14 16:04:26 1
-
Alibaba's "TAO" App Launches in Japan, Targeting High-Quality Service and Convenient LogisticsDetail
2024-12-13 13:22:23 1
-
In-depth Analysis of China's Cross-border E-commerce Industry Chain: Opportunities and Challenges CoexistDetail
2024-12-13 11:37:17 1
-
Sweet Potato Robotics: How a Unified Software and Hardware Computing Platform Accelerates Robotics Industry DevelopmentDetail
2024-12-13 06:36:34 1
- Detail