Akira's Data Leak Site
Akira, a Ransomware-as-a-Service (RaaS) group, has quickly become one of the most active ransomware operators of recent years. First observed in March 2023, the group carried out over 300 attacks in 2024 alone and has generated over $42 million in ransom payments to date, according to a recent report by Bitdefender. The group continues to evolve its tooling and tactics, targeting organizations across the globe.
Akira has demonstrated a broad scope of operations, attacking organizations in manufacturing, engineering, financial services, agriculture, and education. Western countries remain the primary focus, with the United States, Canada, the United Kingdom, and Germany being the hardest hit.
Notably, Akira's payloads include a check that aborts execution on systems with a Russian keyboard layout installed, a convention common among ransomware crews that avoid victims in Russia and neighbouring CIS countries, and one that points to a probable Russian origin. The report adds, "Correspondence with Akira members was found on Russian forums in 2022," further supporting this attribution.
Akira has shown remarkable adaptability by developing distinct ransomware payloads for various operating systems. Initially, its focus was on Windows systems, deploying C++-based encryptors that appended .akira to affected files. However, by mid-2023, the group expanded its reach:
- Linux and VMware ESXi Payloads: Akira introduced a Linux-based variant built to run on VMware ESXi hosts. Encrypting the hypervisor's datastores takes down every guest VM at once, which is why ESXi is such an effective target for disrupting virtualized environments.
- Megazord Variant: In August 2023, Akira released a Windows payload written in Rust, appending .powerranges to encrypted files. The switch to Rust complicates both signature-based detection and reverse engineering, since the binaries are statically linked and produce code patterns that existing signatures and analyst tooling handle less well than C++.
- Akira v2: Later iterations, such as Akira v2, returned to Rust-based payloads with configurable encryption options that target file types critical to enterprise environments, including Exchange server databases (.edb) and virtual hard disks (.vhd). The report emphasizes, "The customization capability to find other files makes the ransomware lethal."
Bitdefender maps Akira's campaigns to the MITRE ATT&CK framework; the notable techniques, by tactic, are:
- Initial Access: Akira exploits vulnerabilities such as CVE-2024-37085 (VMware ESXi) and CVE-2024-40711 (Veeam Backup & Replication), and also uses compromised credentials purchased from Initial Access Brokers.
- Execution and Persistence: The ransomware is deployed as custom executables such as w.exe and win.exe, which perform the encryption. Persistence is maintained by modifying registry keys or creating new domain accounts.
- Lateral Movement: Tools such as Veeam-Get-Creds (which recovers credentials stored in a Veeam backup server's configuration database) and AdFind (an Active Directory query tool) are used to harvest credentials and enumerate Active Directory before moving laterally.
- Data Exfiltration: Before encryption, Akira uses Rclone and WinSCP to exfiltrate sensitive data, which is later published on its data leak site as part of a double-extortion strategy.
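The indicators above (the w.exe/win.exe encryptors, the .akira and .powerranges extensions, Veeam-Get-Creds, AdFind, Rclone and WinSCP) are concrete enough to hunt for. The following triage script is an added example, not code from the Bitdefender report or from this site: it scans constructed Sysmon-style process and file events for those indicators, maps each hit to the tactic listed above, and flags hosts where exfiltration tooling ran before encrypted files appeared, which is the double-extortion sequence. The event format, field names and every sample line are assumptions made for this example.

```python
"""
Added example: hunt for the Akira indicators named in the article over
constructed endpoint telemetry. Event schema, field names and sample
lines are assumptions for this example, not real logs or a vendor format.
"""
import json
import re

# Constructed sample events (Sysmon-like JSON, one per line). Not real telemetry.
SAMPLE_EVENTS = r"""
{"ts":"2024-11-04T01:12:03Z","host":"dc01","type":"process","image":"C:\\Windows\\Temp\\AdFind.exe","cmdline":"AdFind.exe -f objectcategory=computer -csv","user":"CORP\\svc_backup"}
{"ts":"2024-11-04T01:13:40Z","host":"bkp01","type":"process","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -ep bypass -File Veeam-Get-Creds.ps1","user":"CORP\\svc_backup"}
{"ts":"2024-11-04T01:30:11Z","host":"fs01","type":"process","image":"C:\\Users\\Public\\rclone.exe","cmdline":"rclone.exe copy \\\\fs01\\finance remote:dump","user":"CORP\\svc_backup"}
{"ts":"2024-11-04T02:02:55Z","host":"fs01","type":"process","image":"C:\\Users\\Public\\w.exe","cmdline":"w.exe","user":"CORP\\svc_backup"}
{"ts":"2024-11-04T02:03:01Z","host":"fs01","type":"file","path":"\\\\fs01\\finance\\Q3.xlsx.akira","user":"CORP\\svc_backup"}
{"ts":"2024-11-04T02:03:02Z","host":"fs01","type":"file","path":"\\\\fs01\\finance\\Q3.docx.powerranges","user":"CORP\\svc_backup"}
{"ts":"2024-11-04T02:10:00Z","host":"ws17","type":"process","image":"C:\\Program Files\\WinSCP\\WinSCP.exe","cmdline":"WinSCP.exe /console","user":"CORP\\alice"}
{"ts":"2024-11-04T02:11:00Z","host":"ws17","type":"process","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe notes.txt","user":"CORP\\alice"}
"""

# (rule name, tactic as listed in the article, pattern, event field to match).
# Image rules anchor on a path separator so "w.exe" does not match e.g. "sw.exe".
PROCESS_RULES = [
    ("akira-encryptor-binary", "Execution", re.compile(r"(?:^|\\)(?:w|win)\.exe$", re.I), "image"),
    ("veeam-get-creds", "Lateral Movement", re.compile(r"veeam-get-creds", re.I), "cmdline"),
    ("adfind-ad-enum", "Lateral Movement", re.compile(r"(?:^|\\)adfind\.exe", re.I), "image"),
    ("rclone-exfil", "Data Exfiltration", re.compile(r"(?:^|\\)rclone(?:\.exe)?$", re.I), "image"),
    ("winscp-exfil", "Data Exfiltration", re.compile(r"(?:^|\\)winscp\.exe$", re.I), "image"),
]
# Extensions appended by the C++ (.akira) and Megazord (.powerranges) encryptors.
ENCRYPTED_EXT = re.compile(r"\.(?:akira|powerranges)$", re.I)


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def match_event(ev):
    """Return [(rule, tactic), ...] for every indicator present in one event."""
    hits = []
    if ev.get("type") == "process":
        for name, tactic, rx, field in PROCESS_RULES:
            if rx.search(ev.get(field, "")):
                hits.append((name, tactic))
    elif ev.get("type") == "file" and ENCRYPTED_EXT.search(ev.get("path", "")):
        # Encrypted-file extensions map to ATT&CK Impact (Data Encrypted for Impact).
        hits.append(("akira-encrypted-file", "Impact"))
    return hits


def triage(events):
    """Group hits per host in time order: host -> [(ts, rule, tactic), ...]."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 sorts lexically
        for name, tactic in match_event(ev):
            by_host.setdefault(ev["host"], []).append((ev["ts"], name, tactic))
    return by_host


def escalate(by_host):
    """Hosts where an exfiltration tool ran before encrypted files appeared."""
    flagged = []
    for host, hits in by_host.items():
        tactics = [t for _, _, t in hits]
        if "Data Exfiltration" in tactics and "Impact" in tactics:
            if tactics.index("Data Exfiltration") < tactics.index("Impact"):
                flagged.append(host)
    return flagged


if __name__ == "__main__":
    summary = triage(parse_events(SAMPLE_EVENTS))
    for host, hits in summary.items():
        for ts, name, tactic in hits:
            print(f"{ts} {host:6} {tactic:18} {name}")
    print("escalate:", escalate(summary))
```

AdFind, WinSCP and Rclone are legitimate administration tools, so a single hit (the WinSCP launch on ws17 above) is a lead, not a verdict. The sequence check in `escalate` is what separates noise from an Akira-style intrusion: the same backup service account running AD enumeration, credential recovery from the Veeam server and Rclone, followed minutes later by .akira files, is the chain described in the report.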
Akira's data leak site is presented as a retro command-line-style interface through which victims and the public browse the leaked content. Stolen data is distributed as torrents, with passwords supplied for the protected archives. Victims are directed to contact Akira to negotiate a ransom and obtain a decryptor.
In a ransomware note, Akira reveals its calculated approach, stating: “We will study in depth your finance, bank & income statements, your savings, investments etc. And present our reasonable amount to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal.”
Bitdefender warns, “We expect this growth pattern to continue into 2025.”