Severity
High
Analysis Summary
In double-extortion attacks targeting companies worldwide, the Akira ransomware operation employs a Linux encryptor to encrypt VMware ESXi virtual machines. Initially targeting Windows systems in various industries, Akira has now shifted its focus to Linux-based servers. The ransomware gang follows the common approach of stealing data from breached networks and encrypting files to conduct double extortion, demanding large ransom payments.
Akira has gained traction since its emergence in March 2023 and has already claimed over 30 victims in the United States alone. The ransomware has targeted organizations in sectors such as education, finance, real estate, manufacturing, and consulting. Recent spikes in ID Ransomware submissions indicate increased activity by the Akira ransomware group.

The Linux encryptor used by Akira is specifically designed to target VMware ESXi servers, which have become more prevalent in enterprise environments due to their efficient resource utilization and device management capabilities. By targeting ESXi servers, the ransomware can potentially encrypt multiple servers running as virtual machines in a single attack.
While Akira’s Linux encryptor lacks advanced features found in other VMware ESXi encryptors, it still provides some customization options for attackers. Command line arguments allow them to define the percentage of encryption, target specific file or folder paths, target network drives, and create child processes for encryption. Notably, the encryption percentage parameter affects the speed of encryption and the likelihood of file recovery without paying the ransom.
The ransomware encrypts files with various extensions, including those commonly associated with databases. Interestingly, the Linux encryptor skips specific Windows folders and executables, suggesting that the Linux variant of Akira may have been ported from the Windows version.
According to the researchers, the Linux encryptor employs multiple symmetric key algorithms, such as AES, CAMELLIA, IDEA-CB, and DES, to encrypt victims’ files. The symmetric key is then encrypted with a public RSA encryption key, preventing decryption without the corresponding private key held by the attackers. Encrypted files are renamed with the .akira extension, and a ransom note named akira_readme.txt is created in each encrypted folder.

The expansion of Akira’s targeting scope, coupled with the adoption of Linux support, signifies an alarming trend among ransomware groups. Many threat actors are increasingly incorporating Linux encryptors, particularly those targeting VMware ESXi servers, as it allows them to maximize their profits. Several other ransomware operations, such as Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive, have also employed Linux ransomware encryptors to target VMware ESXi servers.
The addition of Linux capabilities to ransomware operations underscores the need for organizations to bolster their cybersecurity defenses, including robust backup strategies, comprehensive threat detection and prevention systems, and user education to mitigate the risk of falling victim to such attacks.
Impact
- Sensitive Information Theft
- File Encryption
- Reputational Damage
- Financial loss
- Operation Disruption
Indicators of Compromise
MD5
- 302f76897e4e5c8c98a52a38c4c98443
SHA-256
- 1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296
SHA-1
- 9180ea8ba0cdfe0a769089977ed8396a68761b40
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of Compromise (IOCs) in your environment utilizing your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Conduct regular backups of your important data and ensure that these backups are stored offline or in a separate network. This will help protect your data from being compromised by ransomware attacks.
- Deploy advanced threat detection and monitoring solutions to identify potential ransomware activity in real-time. Monitor network traffic, system logs, and behavior anomalies to detect and respond to ransomware incidents promptly.
- Never trust or open links and attachments received from unknown sources/senders.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.
- If a device on the network has been infected with ransomware, immediately disconnect it from the network to prevent the malware from spreading to other devices. This will help contain the attack and limit further damage.
- Disconnect external storage devices if connected.
- Implement the principle of least privilege by granting employees the minimum access rights required to perform their tasks. Regularly review and update user access privileges to prevent unauthorized access and limit the impact of ransomware.
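The following is an added example, not code from Rewterz or from the alert itself, showing one way to carry out the "search for IOCs" step above: it walks a directory tree (for instance an ESXi datastore exported or mounted for forensic review), hashes every file with MD5, SHA-1 and SHA-256 in a single pass, compares the digests against the hashes listed in this alert, and also flags the on-disk artefacts the analysis describes (files renamed with the `.akira` extension and `akira_readme.txt` ransom notes). The hash values are the ones from the Indicators of Compromise section; the sample directory tree, its file names and contents are constructed for the demonstration and are not real Akira artefacts.

```python
"""Added example (not Rewterz's code): hunt for the Akira IoCs from this alert
across a directory tree and flag the artefacts the write-up describes.
The sample tree built by build_sample_tree() is constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path

# Hashes taken from the alert's Indicators of Compromise section.
IOC_HASHES = {
    "md5": {"302f76897e4e5c8c98a52a38c4c98443"},
    "sha1": {"9180ea8ba0cdfe0a769089977ed8396a68761b40"},
    "sha256": {"1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296"},
}
# Artefacts described in the analysis: renamed files and the ransom note name.
RANSOM_NOTE = "akira_readme.txt"
ENCRYPTED_EXT = ".akira"


def file_hashes(path: Path) -> dict:
    """Compute MD5, SHA-1 and SHA-256 of a file in one read pass."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_tree(root: Path, iocs: dict = IOC_HASHES) -> dict:
    """Return hash matches, ransom notes and .akira-renamed files found under root.

    Paths are reported relative to root, POSIX-style, so results are stable
    across platforms. `iocs` defaults to the alert's hashes; a caller can pass
    its own {algo: set(hexdigest)} mapping."""
    findings = {"hash_matches": [], "ransom_notes": [], "encrypted_files": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == RANSOM_NOTE:
            findings["ransom_notes"].append(rel)
        if path.suffix.lower() == ENCRYPTED_EXT:
            findings["encrypted_files"].append(rel)
        for algo, digest in file_hashes(path).items():
            if digest in iocs.get(algo, set()):
                findings["hash_matches"].append((rel, algo, digest))
    return findings


def build_sample_tree() -> Path:
    """Constructed sample: one VM folder holding a 'renamed' disk image, a
    ransom-note placeholder, an untouched config file and an empty log file.
    None of these files carries a hash from the alert, so with the default IoC
    set hash_matches stays empty."""
    root = Path(tempfile.mkdtemp(prefix="akira_hunt_"))
    vm = root / "vmfs" / "volumes" / "datastore1" / "web01"
    vm.mkdir(parents=True)
    (vm / "web01-flat.vmdk.akira").write_bytes(b"\x00" * 64)
    (vm / "akira_readme.txt").write_text("constructed ransom note placeholder\n")
    (vm / "web01.vmx").write_text('config.version = "8"\n')
    (vm / "placeholder.log").write_bytes(b"")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for key, value in scan_tree(sample_root).items():
        print(f"{key}: {value}")
```

On a real engagement the same `scan_tree` call is pointed at the mounted datastore or a copied VM folder; a hash match on a binary is a confirmed sighting of the sample, while `.akira` files or ransom notes are the behavioural trace that should trigger the isolation step listed in the remediation above.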