URL: https://blog.cyble.com/2023/06/28/akira-ransomware-extends-reach-to-linux-platform/
AKIRA RANSOMWARE EXTENDS REACH TO LINUX PLATFORM

 * June 28, 2023




THREAT ACTORS TARGET MULTIPLE SECTORS IN WIDE-RANGING ATTACKS



Ransomware poses a significant risk to cybersecurity and remains a highly
successful form of cybercrime that presents serious challenges for
organizations. It has emerged as a lucrative enterprise for cybercriminals,
leading to profound implications, including financial and data losses, as well
as detrimental effects on the reputation of the organizations targeted.

Cyble Research and Intelligence Labs (CRIL) has recently shared details of the
activities of a newly identified ransomware group known as “Akira.” The group is
actively targeting organizations and compromising their sensitive data. Akira
has now extended its operations to the Linux platform: CRIL came across a Linux
variant of the Akira ransomware, which is analysed below.

Since its emergence in April 2023, Akira ransomware has already compromised 46
publicly disclosed victims, with an additional 30 victims identified since our
previous blog post. The majority of these victims are located in the United
States. Here is a breakdown of the countries where the victims have been
identified.

Figure 1 – Geographical Distribution of Victims



The Akira ransomware specifically targeted a wide range of industries during its
attacks, encompassing sectors including Education, Banking, Financial Services
and Insurance (BFSI), Manufacturing, Professional Services, and more.

The figure below shows industries targeted by the Akira ransomware.

Figure 2 – Industries Targeted by Akira Ransomware




TECHNICAL DETAILS




The malicious Linux executable is a 64-bit Executable and Linkable Format (ELF)
file with SHA256
1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296.

Figure 3 – File Details of the Akira Ransomware Linux Executable



The Akira Linux executable does not run without parameters; the operator has to
tell it what to encrypt. It accepts the following command-line options:

 * “-p” / “--encryption_path” – path of the files or folder to be encrypted.
 * “-s” / “--share_file” – path of the shared network drive to be encrypted.
 * “-n” / “--encryption_percent” – percentage of the files to be encrypted.
 * “-fork” – create a child process to perform the encryption.

Figure 4 – Ransomware Command Line Parameters



Upon execution, the Akira ransomware loads a hardcoded RSA public key that it
uses in encrypting files on the system. Because only the operators hold the
matching private key, nothing in the binary itself allows the files to be
recovered.

The figure below presents the hardcoded public key utilized by the Akira
ransomware.

Figure 5 – Akira Ransomware Hardcoded RSA Public Key



Following the initialization of the public key, the Akira ransomware loads a
list of predetermined file extensions that it intends to target and encrypt.

The figure below illustrates the file extensions that are specifically targeted
by the Akira ransomware.

Figure 6 – File Extensions Targeted by the Akira Ransomware



The table provided below encompasses a comprehensive list of the file extensions
targeted by Akira ransomware.

vdivhdvmdkpvmvmemvmsnvmsdnvramvmxrawqcow2subvobinvsvavhdvmrsvhdxavdxvmcxisomarodbscxwdb4ddcmadqyfrmmasoqysdbwmdbaccdbcpddskgdbmavorxsdcwrkaccdcdacpacdsngrdbmdbowcsdfxdbaccdedaddtsxgwimdfp96sisxldaccdrdadiagramsecohdbmpdp97spqxmlffaccdtdaschemaecxhismrgpansqliteabcddbaccftdb-shmedbidbmudpdbsqlite3absadbdb-waepimihxmwbpdmsqlitedbabxadedb3exbitdbmydpnztemxaccdwadfdbcfcditwndfqrytmdadnadpdbffdbjetnntqvdtpsdb2arcdbsficjtxnrmlibrbftrcfm5oradbtfmpkdbns2rctdtrmhjtalfdbvfmp12kexins3rodudbicgaskdbxfmpskexicns4rodxusricrbtrdcbfp3kexisnsfrpdv12kdbbdfdctfp4lgcnv2rsdvislutcatdcxfp5lwxnwdbsas7bdatvpdmawcdbdlisfp7mafnyfsbfvvvmdnckpdp1fptmaqmdt 
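The three static artifacts described above (the command-line option names, the embedded PEM public key, and the list of targeted extensions) are exactly what an analyst looks for with `strings` before opening a disassembler. The following is an added example written for this page, not Cyble’s tooling and not code from the sample: it pulls printable runs out of a file, looks for those artifacts, and returns a triage report. `SAMPLE` is a constructed stand-in (an ELF64 identification header followed by the kinds of strings the analysis describes; the key body is filler, not a real key), and `TARGET_EXTS` is a small subset of the extension table chosen for the demo.

```python
"""Static triage of a suspected Akira Linux ELF.

Added example (editor's code, not Cyble's tooling): does what `strings`
plus a grep would do, and reports whether the file carries the artifacts
the analysis above describes. SAMPLE below is constructed for the demo.
"""
import json
import re
import sys

# Artifacts named in the analysis above.
CLI_OPTIONS = ("--encryption_path", "--share_file", "--encryption_percent", "-fork")
RANSOM_EXT = ".akira"
# A handful of the VM and database extensions from the table above; matching
# a few is enough to flag the binary for closer analysis (assumption).
TARGET_EXTS = ("vmdk", "vhdx", "vdi", "qcow2", "nvram", "sqlite", "mdb", "accdb")

PEM_PUBKEY_RE = re.compile(
    rb"-----BEGIN (?:RSA )?PUBLIC KEY-----.*?-----END (?:RSA )?PUBLIC KEY-----", re.S
)

# Constructed stand-in: minimal ELF64 e_ident bytes, then option strings, a
# PEM block with filler (not a key), some target extensions and ".akira".
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"--encryption_path\x00--share_file\x00--encryption_percent\x00-fork\x00"
    + b"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n"
    + b"-----END PUBLIC KEY-----\n"
    + b"\x00vmdk\x00vhdx\x00qcow2\x00.akira\x00" + b"\x90" * 16
)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes (same idea as `strings -n`)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_public_keys(data: bytes) -> list:
    """PEM public-key blocks embedded in the file, returned as text."""
    return [m.group().decode("ascii") for m in PEM_PUBKEY_RE.finditer(data)]


def triage(data: bytes) -> dict:
    """Collect the indicators; the verdict is left to looks_like_akira_linux()."""
    strs = extract_strings(data)
    joined = "\n".join(strs)
    return {
        "is_elf": data[:4] == b"\x7fELF",
        # e_ident[EI_CLASS]: 1 = ELFCLASS32, 2 = ELFCLASS64
        "is_elf64": len(data) > 4 and data[4] == 2,
        "cli_options": [o for o in CLI_OPTIONS if o in joined],
        "public_keys": len(find_public_keys(data)),
        "ransom_extension": RANSOM_EXT in strs,
        "target_extensions": [e for e in TARGET_EXTS if e in strs],
    }


def looks_like_akira_linux(report: dict) -> bool:
    """Heuristic: an ELF carrying the option names, a public key and the
    ransom extension. This is triage, not attribution; tune as needed."""
    return bool(
        report["is_elf"]
        and len(report["cli_options"]) >= 2
        and report["public_keys"] >= 1
        and report["ransom_extension"]
    )


if __name__ == "__main__":
    # Usage: python akira_triage.py [path-to-elf]; without a path, runs on SAMPLE.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = triage(data)
    report["verdict"] = looks_like_akira_linux(report)
    print(json.dumps(report, indent=2))
```

Packed or stripped builds will defeat the string search; a clean report on a file that is otherwise suspicious is a reason to unpack it, not to clear it.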

The ransomware incorporates routines associated with multiple symmetric key
algorithms, including AES, CAMELLIA, IDEA-CB, and DES. When it encounters a
file whose extension appears in the list above, the ransomware encrypts that
file.

The image below illustrates the routine specifically implemented for AES
encryption within the ransomware.

Figure 7 – Akira Ransomware Routine Related to AES Encryption



After encrypting a file, the ransomware appends the “.akira” extension to its
name and drops a pre-defined ransom note onto the victim’s system.

The figure below displays the exact contents of the ransom note, which have been
hardcoded into the ransomware.

Figure 8 – Ransom note Hardcoded into The Akira Ransomware Executable




CONCLUSION



Akira ransomware, which initially focused on Windows systems, has now expanded
its targeting to Linux. The shift fits a broader trend among ransomware groups
and suggests that attacks on Linux environments will increase. The extension
list above, dominated by virtual-machine disk images and database files, shows
what the operators are after on those hosts: the servers where encrypting a
few large files disrupts many workloads at once.

CRIL maintains vigilant monitoring of emerging ransomware campaigns to ensure
our readers are well-informed, providing regular updates on our latest
discoveries.


OUR RECOMMENDATIONS



We have listed some essential cybersecurity best practices that create the first
line of control against attackers. We recommend that our readers follow the best
practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

 * Conduct regular backup practices and keep those backups offline or in a
   separate network.
 * Turn on automatic software updates on your computers, mobile devices, and
   other connected devices wherever possible and practical.
 * Use a reputable anti-virus and Internet security software package on your
   connected devices, including PCs, laptops, and mobile devices.
 * Refrain from opening untrusted links and email attachments without verifying
   their authenticity.

Users Should Take the Following Steps After a Ransomware Attack

 * Disconnect infected devices from the network.
 * Disconnect any external storage devices that are attached.
 * Inspect system logs for suspicious events.

Impact of Akira Ransomware

 * Loss of valuable data.
 * Loss of the organization’s reputation and integrity.
 * Loss of the organization’s sensitive business information.
 * Disruption in organization operation.
 * Financial loss.


MITRE ATT&CK® TECHNIQUES



Tactic       Technique ID   Technique Name
Execution    T1204          User Execution
Discovery    T1082          System Information Discovery
Discovery    T1083          File and Directory Discovery
Impact       T1486          Data Encrypted for Impact
Impact       T1490          Inhibit System Recovery


INDICATORS OF COMPROMISE (IOCS)



Indicators                                                          Indicator Type   Description
302f76897e4e5c8c98a52a38c4c98443                                    MD5              Akira Ransomware ELF
9180ea8ba0cdfe0a769089977ed8396a68761b40                            SHA1             Akira Ransomware ELF
1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296    SHA256           Akira Ransomware ELF
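The IOC hashes above and the appended “.akira” extension are the two things a responder can check on a Linux host immediately after isolating it, which is the step the post-attack list above leads with. The following is an added example written for this page (editor’s code, not Cyble’s): it walks a directory tree, streams every regular file through MD5, SHA-1 and SHA-256 and compares the digests against the IOC table, and lists files carrying the “.akira” extension so the blast radius can be sized before anything is touched. `build_demo_tree()` creates constructed files for a dry run; they are not real Akira artifacts, so the demo adds the stand-in’s own digest to the IOC set to show a hit.

```python
"""Host sweep for the Akira Linux indicators listed above.

Added example (editor's code, not Cyble's): hash-match against the IOC
table and enumerate encrypted files. build_demo_tree() makes constructed
input for a dry run.
"""
import hashlib
import os
import tempfile

# Digests of the analysed ELF, copied from the IOC table.
AKIRA_IOCS = frozenset({
    "302f76897e4e5c8c98a52a38c4c98443",                                   # MD5
    "9180ea8ba0cdfe0a769089977ed8396a68761b40",                           # SHA1
    "1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296",   # SHA256
})
RANSOM_EXT = ".akira"


def file_hashes(path, chunk_size=1 << 20):
    """MD5/SHA-1/SHA-256 of a file, streamed so multi-GB VM images are not
    loaded into memory."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def sweep(root, iocs=AKIRA_IOCS):
    """Return IOC hits, encrypted files and unreadable paths found under root."""
    report = {"ioc_matches": [], "encrypted_files": [], "errors": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, sockets and devices
            if name.endswith(RANSOM_EXT):
                report["encrypted_files"].append(path)
                continue  # a victim file, not the dropper: no point hashing it
            try:
                h = file_hashes(path)
            except OSError as exc:
                report["errors"].append((path, str(exc)))
                continue
            if any(v in iocs for v in h.values()):
                report["ioc_matches"].append((path, h["sha256"]))
    return report


def build_demo_tree():
    """Constructed tree for a dry run: a stand-in 'sample' (content b'abc'),
    one encrypted-looking file and one clean file. Not real Akira artifacts."""
    root = tempfile.mkdtemp(prefix="akira_sweep_")
    paths = {
        "root": root,
        "sample": os.path.join(root, "akira_linux"),
        "encrypted": os.path.join(root, "disk.vmdk" + RANSOM_EXT),
        "clean": os.path.join(root, "notes.txt"),
    }
    with open(paths["sample"], "wb") as fh:
        fh.write(b"abc")
    with open(paths["encrypted"], "wb") as fh:
        fh.write(b"\x00" * 64)
    with open(paths["clean"], "wb") as fh:
        fh.write(b"hello\n")
    return paths


if __name__ == "__main__":
    t = build_demo_tree()
    # The real IOCs will not match constructed files; add the stand-in's
    # digest so the dry run shows what a hit looks like.
    demo_iocs = AKIRA_IOCS | {file_hashes(t["sample"])["sha256"]}
    r = sweep(t["root"], demo_iocs)
    print("IOC matches:", r["ioc_matches"])
    print("encrypted files:", len(r["encrypted_files"]))
    print("errors:", r["errors"])
```

Run it from a read-only mount or a forensic copy where possible; hashing every file updates access times on a live filesystem unless it is mounted with noatime, and a hash-based match only catches this exact build, so treat a miss as “this binary is not here”, not as “the host is clean”.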
