URL: https://blog.cyble.com/2023/06/28/akira-ransomware-extends-reach-to-linux-platform/
Submission: On July 06 via manual from IN — Scanned from DE
AKIRA RANSOMWARE EXTENDS REACH TO LINUX PLATFORM
June 28, 2023

THREAT ACTORS TARGET MULTIPLE SECTORS IN WIDE-RANGING ATTACKS

Ransomware poses a significant risk to cybersecurity and remains a highly successful form of cybercrime that presents serious challenges for organizations. It has emerged as a lucrative enterprise for cybercriminals, leading to profound implications, including financial and data losses, as well as detrimental effects on the reputation of the organizations targeted.

Cyble Research and Intelligence Labs (CRIL) recently shared crucial details about the activities of a newly identified ransomware group known as “Akira.” This group is actively targeting numerous organizations and compromising their sensitive data. It is worth noting that Akira ransomware has expanded its operations to include the Linux platform: CRIL came across a sophisticated Linux variant of the Akira ransomware.

Since its emergence in April 2023, Akira ransomware has already compromised 46 publicly disclosed victims, with an additional 30 victims identified since our previous blog post. The majority of these victims are located in the United States. Here is a breakdown of the countries where the victims have been identified.

Figure 1 – Geographical Distribution of Victims

The Akira ransomware targeted a wide range of industries during its attacks, encompassing sectors including Education, Banking, Financial Services and Insurance (BFSI), Manufacturing, Professional Services, and more. The figure below shows the industries targeted by the Akira ransomware.

Figure 2 – Industries Targeted by Akira Ransomware

TECHNICAL DETAILS

The malicious Linux executable is a 64-bit Linux Executable and Linkable Format (ELF) file with SHA256 1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296.

Figure 3 – File Details of the Akira Ransomware Linux Executable

In order to execute the Akira executable, specific parameters need to be provided. The parameters accepted by the Akira executable are as follows:

* “-p” / “--encryption_path” – Path of the files/folder to be encrypted.
* “-s” / “--share_file” – Path of the shared network drive to be encrypted.
* “-n” / “--encryption_percent” – Percentage of the files to be encrypted.
* “-fork” – Creates a child process for encryption.

Figure 4 – Ransomware Command Line Parameters

Upon execution, the Akira ransomware loads a pre-determined RSA public key to encrypt files on the system. The figure below presents the hardcoded public key used by the Akira ransomware.

Figure 5 – Akira Ransomware Hardcoded RSA Public Key

Following the initialization of the public key, the Akira ransomware loads a list of predetermined file extensions that it intends to target and encrypt. The figure below illustrates the file extensions specifically targeted by the Akira ransomware.

Figure 6 – File Extensions Targeted by the Akira Ransomware

The table provided below encompasses a comprehensive list of the file extensions targeted by Akira ransomware.
vdivhdvmdkpvmvmemvmsnvmsdnvramvmxrawqcow2subvobinvsvavhdvmrsvhdxavdxvmcxisomarodbscxwdb4ddcmadqyfrmmasoqysdbwmdbaccdbcpddskgdbmavorxsdcwrkaccdcdacpacdsngrdbmdbowcsdfxdbaccdedaddtsxgwimdfp96sisxldaccdrdadiagramsecohdbmpdp97spqxmlffaccdtdaschemaecxhismrgpansqliteabcddbaccftdb-shmedbidbmudpdbsqlite3absadbdb-waepimihxmwbpdmsqlitedbabxadedb3exbitdbmydpnztemxaccdwadfdbcfcditwndfqrytmdadnadpdbffdbjetnntqvdtpsdb2arcdbsficjtxnrmlibrbftrcfm5oradbtfmpkdbns2rctdtrmhjtalfdbvfmp12kexins3rodudbicgaskdbxfmpskexicns4rodxusricrbtrdcbfp3kexisnsfrpdv12kdbbdfdctfp4lgcnv2rsdvislutcatdcxfp5lwxnwdbsas7bdatvpdmawcdbdlisfp7mafnyfsbfvvvmdnckpdp1fptmaqmdt

The ransomware incorporates routines associated with multiple symmetric key algorithms, including AES, CAMELLIA, IDEA-CB, and DES. When encountering a file with an extension in the list above, the ransomware proceeds to encrypt the file. The image below illustrates the routine implemented for AES encryption within the ransomware.

Figure 7 – Akira Ransomware Routine Related to AES Encryption

After encrypting the files, the ransomware adds the “.akira” file extension to each compromised file and deposits a pre-defined ransom note onto the victim’s system. The figure below displays the exact contents of the ransom note, which have been hardcoded into the ransomware.

Figure 8 – Ransom Note Hardcoded into the Akira Ransomware Executable

CONCLUSION

Akira ransomware, which was initially focused on Windows systems, has now expanded its target range to include Linux platforms. This shift in tactics reflects a growing trend among ransomware groups and indicates an upcoming surge in attacks targeting Linux environments. The fact that a previously Windows-centric ransomware group is now turning its attention to Linux underscores the increasing vulnerability of these systems to cyber threats.

CRIL maintains vigilant monitoring of emerging ransomware campaigns to ensure our readers are well-informed, providing regular updates on our latest discoveries.

OUR RECOMMENDATIONS

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks
* Conduct regular backups and keep those backups offline or in a separate network.
* Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
* Use a reputed anti-virus and Internet security software package on your connected devices, including PCs, laptops, and mobiles.
* Refrain from opening untrusted links and email attachments without verifying their authenticity.

Steps Users Should Take After a Ransomware Attack
* Detach infected devices from the network.
* Disconnect external storage devices if connected.
* Inspect system logs for suspicious events.

Impact of Akira Ransomware
* Loss of valuable data.
* Loss of the organization’s reputation and integrity.
* Loss of the organization’s sensitive business information.
* Disruption of organizational operations.
* Financial loss.
MITRE ATT&CK® TECHNIQUES

Tactic       Technique ID   Technique Name
Execution    T1204          User Execution
Discovery    T1082          System Information Discovery
Discovery    T1083          File and Directory Discovery
Impact       T1486          Data Encrypted for Impact
Impact       T1490          Inhibit System Recovery

INDICATORS OF COMPROMISE (IOCS)

Indicators                                                          Indicator Type   Description
302f76897e4e5c8c98a52a38c4c98443                                    MD5              Akira Ransomware ELF
9180ea8ba0cdfe0a769089977ed8396a68761b40                            SHA1             Akira Ransomware ELF
1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296    SHA256           Akira Ransomware ELF
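As an added defender-side example, not code from Cyble or the original post: a small Python hunting helper that walks a directory tree (or a mounted disk image) looking for the two host artifacts the post describes, files renamed with the “.akira” suffix and ELF binaries whose MD5/SHA1/SHA256 match the IoC hashes in the table above. The three hash values are the ones published in the post; everything in demo() (the file names, the zero-filled stand-in for an encrypted file, the fake ELF header and the extra hash registered for it) is constructed here for illustration and is not malware.

```python
"""
Hunting helper for the Akira Linux indicators listed above (added example).

Two checks a responder can run over a filesystem or a mounted image:
  1. files carrying the ".akira" extension the ransomware appends, and
  2. ELF binaries whose MD5/SHA1/SHA256 match the published IoC hashes.
The ransom note is not checked because the post does not give its filename.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Hashes published in the post for the Akira Linux ELF sample.
AKIRA_IOC_HASHES = {
    "302f76897e4e5c8c98a52a38c4c98443",                                  # MD5
    "9180ea8ba0cdfe0a769089977ed8396a68761b40",                          # SHA1
    "1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296",  # SHA256
}

ENCRYPTED_SUFFIX = ".akira"   # extension appended to each encrypted file
ELF_MAGIC = b"\x7fELF"        # first four bytes of every ELF file


def file_digests(path):
    """Return (md5, sha1, sha256) hex digests, streaming the file in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def is_elf(path):
    """True if the file starts with the ELF magic; cheap pre-filter before hashing."""
    with open(path, "rb") as fh:
        return fh.read(4) == ELF_MAGIC


def hunt(root, ioc_hashes=AKIRA_IOC_HASHES):
    """Walk `root` and return {'encrypted': [...], 'ioc_match': [...]} of paths.

    Symlinks and non-regular files are skipped; unreadable files are skipped
    rather than aborting the sweep, so a partial read permission still yields results.
    """
    findings = {"encrypted": [], "ioc_match": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                findings["encrypted"].append(path)
            try:
                # Only hash ELF files: they are the only thing the hash IoCs describe.
                if is_elf(path) and ioc_hashes.intersection(file_digests(path)):
                    findings["ioc_match"].append(path)
            except OSError:
                continue
    return findings


def demo():
    """Constructed tree: one encrypted-looking file, one benign file, and a fake
    ELF whose SHA256 is registered as a hypothetical IoC so the hash path is exercised."""
    root = tempfile.mkdtemp(prefix="akira_hunt_")
    Path(root, "report.docx.akira").write_bytes(b"\x00" * 64)    # constructed
    Path(root, "notes.txt").write_text("nothing to see here")    # constructed
    fake_elf = Path(root, "dropper")
    fake_elf.write_bytes(ELF_MAGIC + b" constructed stand-in, not a real binary")
    hypothetical_iocs = AKIRA_IOC_HASHES | {file_digests(fake_elf)[2]}
    return hunt(root, hypothetical_iocs)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run it against evidence with hunt("/mnt/evidence"). Hash matching only catches the unmodified dropped binary, so treat the extension check as the broader signal and the hash hit as confirmation; both are host-side checks that complement the log inspection the post recommends.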