Akira Ransomware: An Emerging Threat to Linux Machines


A ransomware strain known as Akira, active since April 2023, has broadened its scope to Linux-based platforms. It appends the “.akira” extension to every file it encrypts and has been steadily targeting organizations of many kinds, putting their sensitive data at risk.

Akira has cast a wide net across industries, including Education; Banking, Financial Services and Insurance (BFSI); Manufacturing; and Professional Services. According to a report by Cyble, the group had 46 publicly disclosed victims at the time of writing, most of them based in the United States.

The Linux variant is a malicious 64-bit Executable and Linkable Format (ELF) binary. It does not run usefully without command-line parameters: the operator must supply the path of the files or folder to encrypt, the path of the network share to encrypt, the percentage to encrypt (partial encryption trades completeness for speed), and an option that forks a child process to perform the encryption. For defenders this has two consequences: the sample will not detonate in a sandbox unless those arguments are reproduced, and the command line recorded in process-execution logs is itself a valuable artifact.

Upon execution, Akira loads a hard-coded RSA public key and a list of predetermined file extensions it intends to encrypt. The binary contains routines for several symmetric ciphers (AES, CAMELLIA, IDEA-CB, and DES); the presence of all four most likely reflects a statically linked cryptographic library rather than four ciphers in active use, and the file encryption itself is AES with RSA protecting the key. When the ransomware encounters a file with a listed extension, it encrypts the file and drops a ransom note on the infected machine. The note gives instructions for contacting the group to negotiate a ransom and obtain a decryptor.

Initially focused on Windows systems, Akira has now expanded its target range to Linux platforms. In both variants it uses a combination of AES and RSA: file contents are encrypted with AES and the AES key is protected with the embedded RSA public key, so recovery without the attackers’ private key is infeasible. On Windows, Akira also deletes Volume Shadow Copies to prevent users from restoring files from local snapshots. Volume Shadow Copies are a Windows-only mechanism and have no equivalent for the Linux variant to delete; on Linux the relevant recovery question is whether filesystem or LVM snapshots and off-host backups exist and are out of reach of the compromised credentials.

The move of an established Windows ransomware crew onto Linux reflects a growing trend among ransomware groups. The published indicators of compromise are file hashes of the samples in MD5, SHA1, and SHA256 form; they are not reproduced on this page.
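As an added example (not code from the original page, from Cyble, or from the Akira operators), the following Python triage script turns the observable behaviours described above into checks a responder can run on a suspect host: it flags files carrying the `.akira` suffix, flags ransom notes by file name, identifies 64-bit ELF binaries by their header bytes, and hashes every file in MD5/SHA1/SHA256 for comparison against an IoC list. The function names (`triage`, `is_elf64`, `file_hashes`, `build_demo_tree`), the ransom-note file name `akira_readme.txt`, the IoC hash set, and the sample directory tree are constructed assumptions for the demo, not values taken from this page.

```python
import hashlib
import tempfile
from pathlib import Path

RANSOM_EXT = ".akira"      # extension the page says Akira appends to encrypted files
ELF_MAGIC = b"\x7fELF"     # e_ident[0:4] of every ELF object
ELFCLASS64 = 2             # e_ident[EI_CLASS] value for 64-bit objects


def is_elf64(path: Path) -> bool:
    """True if the file starts with the ELF magic and EI_CLASS marks it 64-bit."""
    try:
        with path.open("rb") as fh:
            ident = fh.read(5)
    except OSError:
        return False
    return len(ident) == 5 and ident[:4] == ELF_MAGIC and ident[4] == ELFCLASS64


def file_hashes(path: Path) -> dict:
    """MD5/SHA1/SHA256 of a file, computed in one pass so large files are read once."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def triage(root, ioc_hashes, note_names) -> dict:
    """Walk `root`; return POSIX-style paths relative to root, grouped by finding.

    ioc_hashes: set of lowercase hex digests (any mix of md5/sha1/sha256).
    note_names: set of lowercase ransom-note file names to look for (assumed).
    """
    root = Path(root)
    findings = {"encrypted": [], "notes": [], "elf64": [], "ioc_match": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.suffix == RANSOM_EXT:
            findings["encrypted"].append(rel)
        if p.name.lower() in note_names:
            findings["notes"].append(rel)
        if is_elf64(p):
            findings["elf64"].append(rel)
        # Hash every file, not only ELF binaries: an IoC may be a dropper, a script
        # or the note itself. On a real host, bound this by size or mount point.
        if ioc_hashes and any(h in ioc_hashes for h in file_hashes(p).values()):
            findings["ioc_match"].append(rel)
    return findings


def build_demo_tree() -> tuple:
    """Create a constructed sample tree; returns (root, sha256 of the fake ELF64 file).

    The 'payload' file is only a synthetic 64-byte ELF64 header (class 2), and
    'old32' a synthetic 52-byte ELF32 header (class 1); neither is a real sample.
    """
    root = Path(tempfile.mkdtemp(prefix="akira-triage-"))
    (root / "docs").mkdir()
    (root / "tmp").mkdir()
    (root / "docs" / "report.pdf.akira").write_bytes(b"\x00" * 32)   # "encrypted" file
    (root / "docs" / "notes.txt").write_text("benign content\n")
    (root / "akira_readme.txt").write_text("constructed ransom note\n")
    fake_elf64 = ELF_MAGIC + bytes([ELFCLASS64, 1, 1]) + b"\x00" * 57
    fake_elf32 = ELF_MAGIC + bytes([1, 1, 1]) + b"\x00" * 45
    (root / "tmp" / "payload").write_bytes(fake_elf64)
    (root / "tmp" / "old32").write_bytes(fake_elf32)
    return root, hashlib.sha256(fake_elf64).hexdigest()


if __name__ == "__main__":
    demo_root, demo_ioc = build_demo_tree()
    result = triage(demo_root, {demo_ioc}, {"akira_readme.txt"})
    for kind, paths in result.items():
        print(f"{kind:10s} {paths}")
```

The ELF class check is the same test a responder applies by hand (`readelf -h` or the first five bytes in a hex dump); doing it in code lets the script skip 32-bit objects and non-ELF files before spending time on hashing. Replace the constructed IoC set with the published hashes and point `triage` at the paths named in the captured command line.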