Akira Ransomware Extends Reach To Linux Platform – Cyble

Akira ransomware has extended its reach to Linux with a new 64-bit ELF variant, targeting multiple sectors. It encrypts targeted files using a hardcoded RSA public key, appends a .akira extension, and leaves a hardcoded ransom note on infected systems. #AkiraRansomware #Cyble #CRIL #LinuxPlatform #ELF #RSA #AES

Key Points

  • Akira, previously Windows-focused, now includes a Linux ELF variant, signaling expanded platform reach.
  • Victims span Education, BFSI, Manufacturing, Professional Services, and other sectors across multiple countries, with the US heavily represented.
  • The Linux variant relies on a command-line parameter set to drive encryption (e.g., -p, -s, -n, -fork).
  • The ransomware loads a hardcoded RSA public key to perform file encryption and supports multiple symmetric algorithms (AES, CAMELLIA, DES, IDEA-CB).
  • A predefined list of targeted file extensions (including VM disk formats and common document types) dictates which files are encrypted.
  • After encryption, the malware appends the .akira extension and drops a hardcoded ransom note on the system.
  • The attackers’ activity is tracked by Cyble Research and Intelligence Labs (CRIL), noting ongoing victim counts and geographic distribution.

MITRE Techniques

  • [T1059] Command-Line Interface – The ransomware requires specific command-line parameters to run, e.g., “The required parameters for running the Akira executable are as follows: -p / --encryption_path, -s / --share_file, -n / --encryption_percent, -fork”.
  • [T1083] File and Directory Discovery – The ransomware loads a list of predetermined file extensions that it intends to target and encrypt, indicating selective file targeting.
  • [T1486] Data Encrypted for Impact – The ransomware encrypts files using multiple symmetric algorithms and appends a new extension (“.akira”); it also loads a hardcoded RSA public key to encrypt files, e.g., “The ransomware loads a pre-determined RSA public key to encrypt files in the system.”
  • [T1490] Inhibit System Recovery – The operation includes encrypting data to disrupt normal system availability and presenting a ransom note as part of the impact.
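As an added defender-side example (not code from the Cyble report or from the sample itself), the following Python sketch turns two of the observables above into hunting checks: the command-line parameter set, matched against a live process's argv or a command line captured as a string, and the .akira suffix on files. The sample command lines and paths used to exercise it are constructed.

```python
import shlex
from pathlib import Path
from typing import Iterable

# Options reported for the Akira ELF sample (from the summary above).
AKIRA_FLAGS = {"-p", "--encryption_path", "-s", "--share_file",
               "-n", "--encryption_percent", "-fork"}
# Tokens unlikely to appear in benign tools; at least one must be present.
DISTINCTIVE = {"--encryption_path", "--share_file", "--encryption_percent", "-fork"}
AKIRA_EXT = ".akira"  # suffix appended to encrypted files, per the report

def akira_flag_hits(argv: Iterable[str]) -> set[str]:
    """Akira options present in argv; '--opt=value' is reduced to '--opt'."""
    return {tok.split("=", 1)[0] for tok in argv} & AKIRA_FLAGS

def is_suspicious_argv(argv: Iterable[str]) -> bool:
    """Two or more Akira options with at least one distinctive token, so 'ls -p -n' is not flagged."""
    hits = akira_flag_hits(argv)
    return len(hits) >= 2 and bool(hits & DISTINCTIVE)

def is_suspicious_cmdline(cmdline: str) -> bool:
    """Same check for a command line captured as a single string (e.g. from an audit log)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        argv = cmdline.split()
    return is_suspicious_argv(argv)

def scan_proc(proc_root: str = "/proc") -> list[tuple[int, str]]:
    """Walk /proc/<pid>/cmdline (NUL-separated argv) and return suspicious PIDs."""
    findings = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            raw = (entry / "cmdline").read_bytes()
        except OSError:  # process exited or is not readable
            continue
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        if is_suspicious_argv(argv):
            findings.append((int(entry.name), " ".join(argv)))
    return findings

def encrypted_paths(paths: Iterable[str]) -> list[str]:
    """Filter paths down to those carrying the .akira suffix."""
    return sorted(p for p in paths if Path(p).suffix == AKIRA_EXT)

def scan_tree(root: str) -> list[str]:
    """Recursively collect .akira files under root (e.g. a mounted VM datastore)."""
    return encrypted_paths(str(p) for p in Path(root).rglob("*") if p.is_file())
```

Run `scan_proc()` on a suspect Linux host and `scan_tree("/vmfs/volumes")` (or any share) to triage; a non-empty result from either is a reason to isolate the host, not proof on its own.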

Indicators of Compromise

  • [MD5] Akira Ransomware ELF – 302f76897e4e5c8c98a52a38c4c98443
  • [SHA1] Akira Ransomware ELF – 9180ea8ba0cdfe0a769089977ed8396a68761b40
  • [SHA256] Akira Ransomware ELF – 1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296

Read more: https://blog.cyble.com/2023/06/28/akira-ransomware-extends-reach-to-linux-platform/