The Akira ransomware group, a prominent player in the Ransomware-as-a-Service (RaaS)<\/a> domain since March 2023, has intensified its operations with a new Linux variant targeting VMware ESXi servers.<\/p>\n Initially focused on Windows systems, Akira expanded its scope in April 2023 by deploying a Linux-based encryptor specifically designed for VMware ESXi servers.\u00a0<\/p>\n This pivot reflects a broader trend among ransomware groups targeting virtualized environments due to their centralized role in managing enterprise infrastructure.\u00a0<\/p>\n By compromising an ESXi hypervisor, attackers can simultaneously encrypt multiple virtual machines (VMs), amplifying the attack\u2019s impact.<\/p>\n The new Linux variant, part of Akira\u2019s evolving arsenal, represents a strategic shift in their operations. Initially targeting Windows systems with a C++-based encryptor, Akira has now expanded its reach to Linux and VMware ESXi<\/a> environments.\u00a0This multi-platform approach demonstrates the group\u2019s adaptability and technical sophistication.<\/p>\n Are you from SOC\/DFIR Teams? \u2013\u00a0Analyse Malware Files & Links with ANY.RUN Sandox ->\u00a0Try for Free<\/a><\/strong><\/p>\n Notably, the ransomware appends the .akira extension to encrypted files and supports partial encryption to evade detection while maintaining operational speed.<\/p>\n The Linux version, dubbed Akira v2, is written in Rust, a programming language known for its performance and security features.\u00a0<\/p>\n This choice makes the ransomware more challenging to analyze and detect. Akira v2 also appends the \u201c.akiranew\u201d extension to encrypted files and employs a tailored encryption process that targets specific file types.<\/p>\n Of particular concern is Akira v2\u2019s ability to encrypt critical system files, including those with extensions like .edb (Exchange database) and .vhd (virtual hard disk).\u00a0<\/p>\n This capability can have devastating consequences for organizations, potentially crippling email services, and virtualized environments<\/p>\n Additionally, Akira\u2019s ransomware employs a sophisticated hybrid encryption scheme, combining ChaCha20 stream cipher with RSA public-key cryptosystem. This approach allows for efficient encryption of large datasets while maintaining secure key exchange.<\/p>\n The Akira ransomware targeting ESXi servers is built with specific functionalities to exploit vulnerabilities in VMware environments. For instance,<\/p>\n Bitdefender reports that Akira\u2019s victims span various sectors, including manufacturing, education, finance, and critical infrastructure. The United States remains the most affected country, followed by Canada, the United Kingdom, and Germany.\u00a0<\/p>\n Since its inception, the group has claimed over 350 victims globally and extorted approximately $42 million USD as of April 2024.<\/p>\n The ransomware employs a double-extortion strategy: it exfiltrates sensitive data before encrypting files. Victims are pressured to pay high ransoms under the threat of public data leaks on Akira\u2019s Tor-hosted leak site.\u00a0<\/p>\n According to the Bitdefender report<\/a>, The site features a command-line interface where users can access stolen data through commands like leaks and download it via torrent links.<\/p>\n Organizations can mitigate the risk of Akira ransomware attacks by adopting robust cybersecurity practices:<\/p>\n The emergence of Akira\u2019s Linux variant underscores the growing sophistication of ransomware groups targeting virtualized environments like VMware ESXi servers.\u00a0<\/p>\n With its ability to exploit vulnerabilities and customize attacks, Akira poses a significant threat to organizations worldwide.\u00a0<\/p>\n Integrating Application Security into Your CI\/CD Workflows Using Jenkins & Jira ->\u00a0Free Webinar<\/a><\/strong><\/strong><\/p>\n The post Akira\u2019s New Linux Ransomware Attacking VMware ESXi Servers<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nAkira\u2019s New Linux Ransomware<\/strong><\/h2>\n
\n
\n
\n
Victimology and Impact<\/strong><\/h2>\n
Defensive Measures<\/strong><\/h2>\n
\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXe7ocLhV9iQpmR5P8sTAGSnvMmMv_7ObxffRk7bYnfQ0kYkxQrZlS2Buovw57Ust0SdjT7wNYrzTeA_70FIzia1YYTNiunsPYTkZtWCJtLRaV2zEpmOAaUWIJlxkvsteTwfKQ6dew?key=M_rJ_S6MrnqlnrP1eZIn1P81\")
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcg0jIXtldTq63n6hJYChNe1yaB0KI-DGu3cB8afkO8ydcHU9d8VOTqcILh4TQPfoZgegxOwd_hGg0WNkUH3fc3rQ9zmiPElMMmaDCTyCy3v2q0PrzjJkpPHzh1uyGO8c2r7RDObA?key=M_rJ_S6MrnqlnrP1eZIn1P81\")
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfe3B60lyBU_0-DiyVScs2SvxCA2hTuQOA7Psne0oFZBmvqptt7OtbC0Zm2NGlXagxV5GvgGs4_vJoUGnem9v4B_KnKeaNsEkU8MF7Zd--ZnKehipK0LsIZrffMnoG37oeUmpSI_Q?key=M_rJ_S6MrnqlnrP1eZIn1P81\")