Beware of Linux Variant of Akira Ransomware, Researchers Warn

Researchers at Cyble Research and Intelligence Labs have discovered a sophisticated Linux variant of the Akira ransomware.

In a recent report, Cyble Research and Intelligence Labs (CRIL) detailed a Linux variant of the Akira ransomware, drawing attention to how Linux environments are increasingly being targeted by ransomware operators.

Akira ransomware has been actively targeting organizations across industries, posing a serious threat to their operations and sensitive data.

A Linux variant of the Akira ransomware

Since its emergence in April 2023, the Akira ransomware has compromised 46 publicly disclosed victims.

Notably, 30 of those victims have been identified since CRIL's last report on Akira, indicating that the group's activity is accelerating. Most of the victims are in the United States.

Affected organizations span various industries, including education, banking, financial services and insurance (BFSI), manufacturing and services, among others.

The malicious Linux executable is a 64-bit ELF (Executable and Linkable Format) binary.

It does not encrypt anything when run without arguments: the operator must supply command-line parameters such as the paths of the files or folders to encrypt, the paths of network shares to encrypt, the percentage of each file to encrypt, and whether to spawn a child process to perform the encryption.

Linux variant of Akira ransomware: technical details

The Linux variant of Akira requires explicit command-line parameters before it will run its encryption routine.

Those parameters specify the files or folders to encrypt, the network shares to encrypt, the percentage of each file to encrypt, and whether to fork a child process to carry out the encryption. Requiring operator-supplied arguments is consistent with hands-on deployment by an intruder who already has access to the host, rather than with self-propagating malware.

When the ransomware is executed, it loads an RSA public key embedded in the binary. As in other hybrid ransomware schemes, the RSA key does not encrypt the file contents itself; it protects the symmetric keys that do, so that without the attacker's RSA private key the files cannot be decrypted.

The ransomware carries a list of target file extensions covering documents, databases, images and other common data types. A file whose extension matches an entry in the list is encrypted; other files are left alone.

For the file contents themselves, the Linux variant can use several symmetric ciphers: AES, CAMELLIA, IDEA-CB and DES (as named in the report). Whichever algorithm is used, the data cannot be read back without the corresponding symmetric key. The inclusion of DES, a cipher with a 56-bit key, is notable, but the report does not describe how the algorithm is selected or how the per-file keys are generated and protected, so it should not be read as a recovery opportunity.

Upon execution, the Akira ransomware loads a hard-coded RSA public key and begins encrypting. Each encrypted file has the ".akira" extension appended to its name, and a ransom note is dropped on the victim's system. These two artifacts, the renamed files and the note, are the most direct on-disk indicators available to responders.
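The two on-disk indicators described above (files renamed with ".akira" appended, plus a dropped ransom note) are enough for a first-pass triage of a suspected host. The following script is an added example written for this article; it is not Cyble's tooling and not code from the ransomware. The ransom note filename it looks for and the illustrative set of "targeted" extensions are assumptions, since the article does not reproduce the binary's actual extension list or the note's name. The sample directory tree it scans is constructed inline so the script runs offline.

```python
"""Triage helper: find Akira-style encryption artifacts in a directory tree.

Added example, not code from the report or from the ransomware.
Indicators taken from the article: encrypted files get ".akira" appended,
and a ransom note is dropped on the system.
Assumptions (not from the article): the note filename to look for, and the
illustrative subset of targeted extensions used for the summary.
"""
import os
import tempfile
from collections import Counter
from typing import Dict, List

ENCRYPTED_SUFFIX = ".akira"          # stated in the report
NOTE_NAMES = {"akira_readme.txt"}    # assumption: note filename to look for
# Illustrative subset of document/database/image types. The binary carries a
# list like this, but the article does not reproduce it.
TARGETED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".sql", ".db", ".jpg", ".png"}


def triage(root: str) -> Dict[str, object]:
    """Walk root and report encrypted files, their original extensions and notes."""
    encrypted: List[str] = []
    notes: List[str] = []
    by_original_ext: Counter = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in NOTE_NAMES:
                notes.append(path)
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                # Strip the appended suffix to recover the pre-encryption name,
                # then bucket by the original extension.
                original = name[: -len(ENCRYPTED_SUFFIX)]
                ext = os.path.splitext(original)[1].lower() or "<none>"
                by_original_ext[ext] += 1
    targeted_hits = sum(
        n for ext, n in by_original_ext.items() if ext in TARGETED_EXTENSIONS
    )
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "by_original_ext": dict(by_original_ext),
        "targeted_hits": targeted_hits,
        # Both indicators together are a much stronger signal than either alone.
        "likely_akira": bool(encrypted) and bool(notes),
    }


def build_sample_tree() -> str:
    """Create a throwaway directory imitating a post-encryption share (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="akira_triage_")
    os.makedirs(os.path.join(root, "finance"))
    samples = {
        "finance/q3.xlsx.akira": b"\x00" * 16,
        "finance/akira_readme.txt": b"ransom note placeholder",
        "backup.sql.akira": b"\x00" * 16,
        "photo.jpg.akira": b"\x00" * 16,
        "notes.txt": b"untouched plain file",
        "README": b"no extension, untouched",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a mounted copy of an affected share rather than the live system where possible; the script only reads filenames, so it is safe to run on evidence, but it deliberately does not open file contents or attempt any decryption, since the page gives no basis for recovering keys.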

The appearance of a Linux variant of Akira shows that Linux systems are increasingly in ransomware operators' sights.

Organizations running Linux environments must therefore remain vigilant and implement strong security controls to prevent ransomware attacks.


Source: blog.csdn.net/FreeBuf_/article/details/131460635