Akira ransomware has a Linux variant that links to its Windows counterpart and to the Conti ransomware lineage. The group operates a Tor site that publicly discloses stolen data and supports victim communication via the Unique ID in the ransom note. The malware encrypts a broad range of file types using multiple symmetric algorithms (AES, CAMELLIA, IDEA, DES, CHACHA20) and appends the .akira extension; it generates a fresh per-target RSA key and a Unique ID that maps to the corresponding decryption key, and it honours an exclusion list. #AkiraRansomware #ContiRansomware #LinuxVariant #WindowsVariant #TorSite #K7Labs
Keypoints
- Akira ransomware has a Linux variant linked to Windows and Conti lineage, signaling cross-platform TTPs.
- It uses a broad set of symmetric algorithms (AES, CAMELLIA, IDEA, DES, CHACHA20) for file encryption and appends the .akira extension.
- Each victim is targeted with a unique per-target RSA key and a Unique ID embedded in the ransom note to identify the build and obtain the private key.
- An exclusion list prevents specific directories/files from being encrypted, and the ransomware can spawn new processes during encryption.
- A Tor-based site and a built-in chat feature enable disclosure of leaked data and direct communication between the victim and the operators.
MITRE Techniques
- [T1059] Command-Line Interface – The ransomware uses command line arguments to control encryption behavior, including the following:
  - -p: Encryption path, used to encrypt only the files in the given path
  - -s: Path to a file containing the list of shares to include in the encryption
  - -n: Encryption percentage, i.e. how much of each file's content needs to be encrypted
  - -fork: Create a new process or child process
- [T1486] Data Encrypted for Impact – The ransomware encrypts files and adds the .akira extension, effectively impacting data availability. [‘It then encrypts and adds the extension .akira for all the files.’]
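The switches and the .akira extension above are the observable artefacts a defender can key on. The following is an added detection sketch, not code from K7 Labs or the original write-up; it runs over constructed process-exec and rename telemetry in a simple key=value format that is an assumption of this example, and it requires either the uncommon -fork switch or three of the four switches together because -p, -n and -s are common in benign tools.

```python
import re
import shlex

# Switches the write-up attributes to the Linux sample (see the MITRE section).
AKIRA_FLAGS = {"-p", "-s", "-n", "-fork"}
AKIRA_EXT = ".akira"

# Constructed telemetry (not real logs); the field layout is an assumption.
SAMPLE_LOG = """\
EXEC pid=4121 comm=akira cmd="/tmp/akira -p /srv/data -n 50 -fork"
EXEC pid=4122 comm=mkdir cmd="mkdir -p /var/log/app"
RENAME pid=4121 old=/srv/data/db.sql new=/srv/data/db.sql.akira
EXEC pid=4123 comm=grep cmd="grep -n -s pattern file"
RENAME pid=4124 old=/home/u/a.txt new=/home/u/a.txt.bak
"""

EXEC_RE = re.compile(r'^EXEC pid=(\d+) comm=(\S+) cmd="(.*)"$')
RENAME_RE = re.compile(r'^RENAME pid=(\d+) old=(\S+) new=(\S+)$')


def akira_flags(cmd: str) -> list[str]:
    """Return the Akira-style switches present in one command line, sorted."""
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        argv = cmd.split()
    return sorted(AKIRA_FLAGS.intersection(argv))


def analyze(log: str) -> list[dict]:
    """Emit one alert per suspicious exec and per rename to the .akira extension."""
    alerts = []
    for line in log.splitlines():
        m = EXEC_RE.match(line)
        if m:
            pid, comm, cmd = m.groups()
            flags = akira_flags(cmd)
            # -p/-n/-s alone are noisy; demand -fork or three of the four switches
            if "-fork" in flags or len(flags) >= 3:
                alerts.append({"pid": int(pid), "kind": "exec", "comm": comm, "flags": flags})
            continue
        m = RENAME_RE.match(line)
        if m and m.group(3).endswith(AKIRA_EXT):
            alerts.append({"pid": int(m.group(1)), "kind": "rename", "path": m.group(3)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Correlating the two alert kinds on the same pid (4121 in the sample) gives a higher-confidence signal than either artefact alone.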
Indicators of Compromise
- [Hash] Hash values – 177ACD248FC715A8B5E443BE38D3B204, 302f76897e4e5c8c98a52a38c4c98443
- [File extension] File extensions – .akira
- [Domain] Domains – labs.k7computing.com
Read more: https://labs.k7computing.com/index.php/akiras-play-with-linux/