The double extortion attacks have seen some organizations receive demands to pay millions in return for their data, according to Bleeping Computer.
Akira’s threat actors engage in data theft from breached networks and encrypt files, thereby leveraging double extortion to demand hefty ransom payments that often soar into the millions of dollars.
Malware analyst rivitna drew attention to the latest step in Akira's evolution after uncovering a Linux variant of the ransomware encryptor. Sharing a sample of the new encryptor on VirusTotal, rivitna pointed out its project name, ‘Esxi_Build_Esxi6,’ which strongly suggests that the threat actors designed it with VMware ESXi servers as the primary target.
The cyber-security experts at BleepingComputer conducted an in-depth analysis of the Linux encryptor, unearthing distinctive project file paths embedded in the binary, including “/mnt/d/vcprojects/Esxi_Build_Esxi6/argh.h.”
In contrast to other VMware ESXi encryptors examined by BleepingComputer, Akira’s encryptors are notably deficient in certain advanced functionalities. One such feature absent from Akira’s encryptors is the automatic shutdown of virtual machines using the esxcli command prior to initiating the file encryption procedure.
The Linux version of Akira ransomware utilizes a distinct set of file extensions to encrypt data on compromised devices. Interestingly, it selectively avoids certain folders and files typically found in Windows systems, indicating that the Linux variant may have been adapted from the original Windows version.
The expanding scope of Akira’s targets underscores the escalating threat faced by organizations worldwide. Unfortunately, Akira is not an isolated case: an increasing number of ransomware groups are extending their operations to Linux platforms, many of them leveraging readily available tools to do so.