Saturday , January 18 2025

Akira ransomware targets VMware ESXi servers

The Akira ransomware operation uses a Linux encryptor to encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide.

Akira first emerged in March 2023, targeting Windows systems in various industries, including education, finance, real estate, manufacturing, and consulting.

AWS Patches Multiple Vulns in WorkSpaces, AppStream 2.0

Amazon Web Services (AWS) has recently fixed two major security vulnerabilities in its cloud services: Amazon WorkSpaces, Amazon AppStream 2.0,...
Read More
AWS Patches Multiple Vulns in WorkSpaces, AppStream 2.0

Malware Trends Review 2024: Ever Recorded Cyber Threats

Last year saw a significant rise in cyber threats, with malware becoming more advanced and attack strategies more sophisticated. A...
Read More
Malware Trends Review 2024: Ever Recorded Cyber Threats

Botnet Exploits 13,000 MikroTik Devices Abusing Misconfigured DNS

A recent Infoblox Threat Intel report reveals a sophisticated botnet that exploits DNS misconfigurations to spread malware widely. This botnet,...
Read More
Botnet Exploits 13,000 MikroTik Devices Abusing Misconfigured DNS

CVE-2024-9042
Code Execution Vulnerability Found in Kubernetes Windows Nodes

A new security flaw traced, CVE-2024-9042, poses a serious risk to Kubernetes clusters with Windows worker nodes. It has a...
Read More
CVE-2024-9042  Code Execution Vulnerability Found in Kubernetes Windows Nodes

Hacker leaked 15k config files and VPN passwords of FortiGate firewall device

The hacking group "Belsen Group" has posted over 15,000 unique FortiGate firewall configurations online. The data dump, reportedly obtained by exploiting...
Read More
Hacker leaked 15k config files and VPN passwords of FortiGate firewall device

Registration open for 1st Agile Cyber Drill 2025

Registration open for "1st Agile Cyber Drill-2025" scheduled for February 26, 2025 online with an awards ceremony for 9 March...
Read More
Registration open for 1st Agile Cyber Drill 2025

30 Days to Go for FutureCrime Summit 2025

The FutureCrime Summit 2025 is just 30 days away. This conference is the largest on technology-driven crime, covering topics like...
Read More
30 Days to Go for FutureCrime Summit 2025

Microsoft January 2025 Patch, 159 Vuls, 10 Critical RCE’s

Microsoft's January Patch Tuesday update fixed 159 vulnerabilities, including 10 critical Remote Code Execution (RCE) issues. These updates are essential...
Read More
Microsoft January 2025 Patch, 159 Vuls, 10 Critical RCE’s

CVE-2023-37936
Fortinet released update for a critical cryptographic key vuln

Fortinet released security patches for a critical vulnerability (CVE-2023-37936) involving a hard-coded cryptographic key. This flaw lets remote, unauthorized attackers...
Read More
CVE-2023-37936  Fortinet released update for a critical cryptographic key vuln

Millions of Accounts Vulnerable due to Google’s OAuth Flaw

A critical flaw in Google’s "Sign in with Google" system has put millions of Americans at risk of data theft....
Read More
Millions of Accounts Vulnerable due to Google’s OAuth Flaw
Like other enterprise-targeting ransomware gangs, the threat actors steal data from breached networks and encrypt files to conduct double extortion on victims, demanding payments that reach several million dollars.

Since launching, the ransomware operation has claimed over 30 victims in the United States alone, with two distinct activity spikes in ID Ransomware submissions at the end of May and the present.

Akira activity in the past months
Akira activity in the past months
Source: BleepingComputer

Akira targets VMware ESXi

The Linux version of Akira was first discovered by malware analyst rivitna, who shared a sample of the new encryptor on VirusTotal last week.

BleepingComputer’s analysis of the Linux encryptor shows it has a project name of ‘Esxi_Build_Esxi6,’ indicating the threat actors designed it specifically to target VMware ESXi servers.

For example, one of the project’s source code files is /mnt/d/vcprojects/Esxi_Build_Esxi6/argh.h.

Over the past few years, ransomware gangs have increasingly created custom Linux encryptors to encrypt VMware ESXi servers as the enterprise moved to use virtual machines for servers for improved device management and efficient use of resources.

By targeting ESXi servers, a threat actor can encrypt many servers running as virtual machines in a single run of the ransomware encryptor.

However, unlike other VMware ESXi encryptors analyzed by BleepingComputer, Akira’s encryptors do not contain many advanced features, such as the automatic shutting down of virtual machines before encrypting files using the esxcli command.

With that said, the binary does support a few command line arguments that allow an attacker to customize their attacks:

  • -p –encryption_path (targeted file/folder paths)
  • -s –share_file (targeted network drive path)
  • – n –encryption_percent (percentage of encryption)
  • –fork (create a child process for encryption)

The -n parameter is particularly notable as it allows attackers to define how much data is encrypted on each file.

The lower that setting, the speedier the encryption, but the more likely that victims will be able to recover their original files without paying a ransom.
Files encrypted by Akira on a Linux server, Source: BleepingComputer

When encrypting files, the Linux Akira encryptor will target the following extensions:

Strangely, the Linux locker appears to skip the following folders and files, all related to Windows folders and executables, indicating that the Linux variant of Akira was ported from the Windows version.

Cyble’s analysts, who also published a report about the Linux version of Akira today, explain that the encryptor includes a public RSA encryption key and leverages multiple symmetric key algorithms for the file encryption, including AES, CAMELLIA, IDEA-CB, and DES.

The symmetric key is used to encrypt the victims’ files and is then encrypted with the RSA public key. This prevents access to the decryption key unless you have the RSA private decryption key only held by the attackers.

Encrypted files with be renamed to have the .akira extension, and a hardcoded ransom note named akira_readme.txt will be created in each folder on the encrypted device.

Akira ransom note dropped on Linux servers Source: BleepingComputer

The expansion of Akira’s targeting scope is reflected in the number of victims announced by the group recently, which only makes the threat more severe for organizations worldwide.

Unfortunately, adding Linux support is a growing trend among ransomware groups, with many using readily-available tools to do it, as this is an easy and almost foolproof way to increase profits.

Other ransomware operations that utilize Linux ransomware encryptors, with most targeting VMware ESXi, include RoyalBlack BastaLockBitBlackMatterAvosLockerREvilHelloKittyRansomEXX, and Hive.

Source: Bleepingcomputer

 

Check Also

LDAPNightmware

Fake LDAPNightmware exploit on GitHub spreads malware

A deceptive proof-of-concept exploit for CVE-2024-49113, known as “LDAPNightmare,” on GitHub spreads infostealer malware that …

Leave a Reply

Your email address will not be published. Required fields are marked *