A recent report by Cyble Research and Intelligence Labs (CRIL) has uncovered a new Linux variant of the Akira ransomware, signaling a change in tactics for the notorious ransomware group. The discovery raises concerns about the increasing vulnerability of Linux environments to cyber threats.
The Akira ransomware group has been a significant threat to cybersecurity and sensitive data, actively targeting numerous organizations across various sectors. Since its emergence in April 2023, Akira ransomware has compromised a total of 46 publicly disclosed victims. However, CRIL’s recent report indicates that an additional 30 victims have been identified, suggesting that the group’s reach is expanding rapidly. The majority of the victims are based in the United States, and they represent a broad range of industries, including education, banking, financial services, insurance, manufacturing, and professional services.
The Linux variant of Akira ransomware is executed through a 64-bit Linux Executable and Linkable Format (ELF) file. To initiate the ransomware, specific parameters must be provided, such as the path of files or folders to be encrypted, the path of the shared network drive to be encrypted, the percentage of files to be encrypted, and the creation of a child process for encryption.
When executed, the Linux variant of Akira ransomware uses RSA public-key encryption to lock the files on the compromised system, rendering them unreadable without the decryption key. The ransomware targets specific file types, including documents, databases, and images. The encryption process also relies on symmetric key algorithms, such as AES, CAMELLIA, IDEA-CB, and DES, to scramble the contents of the files.
Once the files are encrypted, the Linux variant of Akira ransomware adds the “.akira” file extension to each compromised file. This change in file extension helps identify the files that have been encrypted. Additionally, the ransomware deposits a ransom note on the victim’s system, outlining the attackers’ demands and instructions for payment.
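As an added defensive example (not code from the CRIL report or this article), the following Python script walks a directory tree and flags directories in which files carry the “.akira” extension described above, while also counting files whose byte entropy is consistent with encrypted content. The sample tree it scans is constructed inline; the entropy threshold, the sample size and the minimum-hit count are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

AKIRA_EXT = ".akira"  # extension the report says is appended to encrypted files


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, entropy_threshold=7.5, sample_bytes=4096):
    """Walk `root` and record, per directory, how many files carry the .akira
    extension and how many look encrypted by entropy (thresholds are assumptions)."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rec = findings.setdefault(str(path.parent), {"akira": 0, "high_entropy": 0})
        if path.suffix == AKIRA_EXT:
            rec["akira"] += 1
        with open(path, "rb") as fh:
            if shannon_entropy(fh.read(sample_bytes)) >= entropy_threshold:
                rec["high_entropy"] += 1
    return findings


def suspicious_dirs(findings, min_hits=3):
    """Directories with at least `min_hits` .akira files, worth isolating and triaging."""
    return sorted(d for d, r in findings.items() if r["akira"] >= min_hits)


def build_sample_tree():
    """Constructed sample: a share with random-byte '.akira' files next to a plain text file."""
    root = tempfile.mkdtemp(prefix="akira_demo_")
    victim = Path(root) / "shared" / "finance"
    victim.mkdir(parents=True)
    for i in range(3):
        (victim / f"report{i}.docx{AKIRA_EXT}").write_bytes(os.urandom(4096))
    (Path(root) / "notes.txt").write_text("quarterly notes " * 100)
    return root


if __name__ == "__main__":
    print(suspicious_dirs(scan_tree(build_sample_tree())))
```

The entropy count is a secondary signal: a directory full of high-entropy files with no ".akira" suffix still deserves a look, since a renamed variant would defeat the extension check alone.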
The emergence of the Linux variant of Akira ransomware underscores the vulnerability of Linux systems to cyber threats. Organizations utilizing Linux environments must be vigilant and implement robust security measures to protect against ransomware attacks. CRIL recommends several best practices to safeguard against the Linux variant of Akira ransomware.
Firstly, conducting regular backups of important data is crucial. It is essential to ensure that these backups are stored offline or in a separate network. This precautionary measure enables users to restore their data without paying the ransom in the event of an attack.
Secondly, enabling the automatic software update feature on all connected devices, including computers, mobile devices, and IoT devices, is essential. Regular software updates often include critical security patches that address vulnerabilities exploited by ransomware and other malware.
Installing and regularly updating a reputable antivirus and internet security software package on all connected devices is another vital step in protecting against ransomware threats. These software solutions can detect and mitigate ransomware attacks, providing an additional layer of protection.
Finally, exercising caution with links and email attachments can help prevent ransomware infections. Users should avoid clicking on untrusted links or opening email attachments from unknown or suspicious sources. Verifying the authenticity of these links and attachments before interacting with them is crucial, as they can serve as gateways for ransomware attacks.
As the Linux variant of Akira ransomware makes its mark, organizations must remain vigilant and take proactive steps to strengthen their security measures. By implementing these cybersecurity best practices, they can mitigate the risk of falling victim to ransomware attacks and protect their critical data.
