The fledgling Akira ransomware group has expanded its target base by adding a Linux build of its encryptor, according to researchers. The group, which gained notoriety in April of this year, had until now focused on Windows systems; it has since produced a version of its ransomware that runs on, and encrypts, hosts running the open-source Linux operating system.
Cybersecurity researchers from Cyble Research and Intelligence Labs (CRIL) discovered Akira’s shift towards Linux. In a blog post published on June 29, they highlighted the increasing vulnerability of Linux systems to cyber threats, as demonstrated by the attention of a previously Windows-centric ransomware group.
This move by Akira reflects a growing trend among ransomware groups, including more established ones such as Cl0p, Royal, and IceFire, which have also expanded their target base to include Linux systems as Linux has become more widespread in enterprise environments. Linux underpins most virtualization and container platforms, as well as many Internet of Things (IoT) devices and mission-critical applications, so a Linux encryptor lets an intruder reach servers and hypervisors that a Windows-only payload would miss.
The researchers further revealed that Akira has been rapidly expanding its operations and has already compromised 46 publicly disclosed victims in just a few months. The majority of these victims are located in the United States. While victims come from various industries, the education sector appears to be the most affected, followed by manufacturing, professional services, BFSI (Banking, Financial Services, and Insurance), and construction. Other victims are spread across sectors including agriculture and livestock, food and beverage, IT and ITES, real estate, consumer goods, automotive, chemical, and others.
Akira runs a double-extortion operation: it steals data from its victims before encrypting their systems and then threatens to leak that data on the Dark Web if the requested ransom is not paid.
The sample whose behavior the researchers describe is the Windows build: a console-based 64-bit executable compiled with Microsoft Visual C/C++. The API calls it makes are Win32-specific, so the Linux build necessarily differs in these details, which are not covered here. After execution, the Windows sample retrieves a list of logical drives using the API function GetLogicalDriveStrings(). The malware then drops a ransom note in multiple folders and walks the file system for files and directories to encrypt using the API functions FindFirstFileW() and FindNextFileW().
To encrypt the victim’s files, the ransomware uses the “Microsoft Enhanced RSA and AES Cryptographic Provider” together with CryptoAPI functions. Encrypted files are renamed with the “.akira” extension. To hinder recovery, the ransomware also runs a PowerShell command that deletes the Volume Shadow Copies, so the system’s built-in restore points cannot be used to roll back the encryption.
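The two behaviours above that leave the clearest host-level trail are the shadow-copy deletion and the burst of files renamed to “.akira”, with the ransom note appearing in many folders as a third signal. The following is an added example, not code from the page or from the Cyble report, showing toy hunting rules over constructed endpoint events (flattened, Sysmon-like dicts built inline; no real telemetry). The shadow-copy patterns are generic detection content for vssadmin, wmic and WMI/CIM-based deletion, not the exact command the report attributes to Akira, and the ransom-note file name, thresholds and host names are all assumptions.

```python
"""Toy hunting rules for the Akira Windows behaviours described above:
shadow-copy deletion, mass renaming to .akira, and a ransom note dropped
into many folders. Events and rule content are constructed for illustration."""
import re
from collections import Counter, defaultdict

# Generic shadow-copy deletion patterns (assumed detection content, not the
# exact command line attributed to Akira).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_Shadowcopy.*Remove-WmiObject", re.I | re.S),
    re.compile(r"Win32_ShadowCopy.*Remove-CimInstance", re.I | re.S),
]

RANSOM_EXTENSION = ".akira"     # extension named in the report
MASS_RENAME_THRESHOLD = 5       # assumed tuning knob
NOTE_SPRAY_MIN_DIRS = 3         # assumed tuning knob

# Constructed sample events (not real telemetry). ws01 is the infected host,
# ws02 is a clean host doing routine admin work.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "host": "ws01",
     "cmdline": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"id": 2, "type": "process", "host": "ws02",
     "cmdline": "vssadmin.exe list shadows"},           # benign query, must not fire
    {"id": 3, "type": "file_rename", "host": "ws02",
     "path": r"C:\Users\bob\notes.txt.bak"},            # ordinary rename
]
SAMPLE_EVENTS += [
    {"id": 10 + i, "type": "file_rename", "host": "ws01",
     "path": rf"C:\Users\alice\Documents\file{i}.docx.akira"}
    for i in range(6)                                   # six encrypted files
]
SAMPLE_EVENTS += [
    # "ransom_note.txt" is a hypothetical note name, not the real one
    {"id": 20, "type": "file_create", "host": "ws01", "path": r"C:\Users\alice\Documents\ransom_note.txt"},
    {"id": 21, "type": "file_create", "host": "ws01", "path": r"C:\Users\alice\Desktop\ransom_note.txt"},
    {"id": 22, "type": "file_create", "host": "ws01", "path": r"C:\Users\alice\Pictures\ransom_note.txt"},
    {"id": 23, "type": "file_create", "host": "ws02", "path": r"C:\Projects\README.txt"},
]


def detect_shadow_copy_deletion(events):
    """Return ids of process events whose command line deletes shadow copies."""
    return [
        ev["id"] for ev in events
        if ev.get("type") == "process"
        and any(p.search(ev.get("cmdline", "")) for p in SHADOW_DELETE_PATTERNS)
    ]


def detect_mass_rename(events, threshold=MASS_RENAME_THRESHOLD):
    """Return {host: count} for hosts that renamed >= threshold files to .akira."""
    per_host = Counter(
        ev["host"] for ev in events
        if ev.get("type") == "file_rename"
        and ev.get("path", "").lower().endswith(RANSOM_EXTENSION)
    )
    return {host: n for host, n in per_host.items() if n >= threshold}


def detect_note_spray(events, min_dirs=NOTE_SPRAY_MIN_DIRS):
    """Return {host: {filename: n_dirs}} when one file name is created in at
    least min_dirs distinct directories, the shape of a ransom-note drop."""
    seen = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev.get("type") != "file_create":
            continue
        directory, _, name = ev.get("path", "").rpartition("\\")
        seen[ev["host"]][name.lower()].add(directory.lower())
    result = {}
    for host, names in seen.items():
        flagged = {n: len(dirs) for n, dirs in names.items() if len(dirs) >= min_dirs}
        if flagged:
            result[host] = flagged
    return result


if __name__ == "__main__":
    print("shadow-copy deletion:", detect_shadow_copy_deletion(SAMPLE_EVENTS))
    print("mass .akira rename:", detect_mass_rename(SAMPLE_EVENTS))
    print("note spray:", detect_note_spray(SAMPLE_EVENTS))
```

The shadow-copy rule is the cheapest and earliest signal, since it fires on a single process event before encryption has progressed, while the rename and note-spray rules confirm that encryption is already under way and tell you which host to isolate first. In a real deployment the thresholds belong in a configuration file and the patterns should be tested against your own admin tooling so that legitimate backup jobs do not trip them.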
The dropped ransom note provides instructions for victims to contact Akira and negotiate ransom payment terms. To pressure victims, the group threatens to leak their data on its ransomware site, which displays a list of non-paying victims and associated data leaks.
Researchers have provided several recommendations to prevent and mitigate ransomware attacks. These include keeping regular backups offline or on a separate network, enabling automatic software updates, using reliable antivirus and Internet security software, and not opening untrusted links or email attachments without verifying them first.
In the event of a ransomware attack, organizations should immediately isolate infected devices from the network, disconnect any attached external storage devices, and inspect system logs for suspicious events to limit the spread across the network.
The expansion of Akira’s target base to include Linux systems highlights the growing vulnerability of these systems to ransomware attacks. It also indicates a broader trend among ransomware groups to exploit the popularity of Linux in enterprise environments. As the cybersecurity landscape evolves, organizations must remain vigilant and employ proactive measures to protect their systems from ever-evolving cyber threats.
