Akira ransomware introduces Linux encryptor to target VMware ESXi servers
Target Industry
Indiscriminate, opportunistic targeting.
Overview
An escalating threat to global cyber security has been disclosed: the Akira ransomware operation has gained the capability to encrypt Linux machines, significantly widening its pool of potential targets. Akira first surfaced in March 2023 targeting Windows systems and has now extended its operations with a Linux encryptor. This advancement signifies a heightened risk to companies worldwide. Recent reporting within the security community suggests that Akira is preparing to launch a campaign against VMware ESXi servers.
Impact
The successful execution of Akira’s Linux encryptor on VMware ESXi servers could have severe consequences. Not only does it allow numerous servers running as virtual machines to be encrypted in a single attack, but it also facilitates double-extortion attacks, in which threat actors steal sensitive data prior to encryption. Given the extensive reach of this ransomware operation – with over 30 victims already reported in the United States – the potential for widespread data loss, disruption to business operations and financial damage is considerable.
Vulnerability Detection
To detect the Akira ransomware operation on VMware ESXi servers, organisations should monitor for anomalous activity, particularly file changes. Unusual file extensions such as “.akira”, which the encryptor appends to encrypted files, are an immediate red flag. Additionally, the presence of an “akira_readme.txt” ransom note in numerous folders signifies a successful encryption attack. Robust network monitoring, coupled with the deployment of up-to-date threat intelligence feeds, is paramount.
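As an added example (not part of the advisory, and not code from Akira, VMware or the advisory’s author), the following Python scanner walks a directory tree and reports the two file-system indicators the advisory names: files carrying the “.akira” extension and “akira_readme.txt” ransom notes. The datastore layout it builds in a temporary directory is constructed sample data; path names such as `vmfs/volumes/datastore1` are assumptions chosen only to resemble an ESXi host.

```python
import os
import sys
import tempfile

# Indicators named in the advisory: the encryptor appends ".akira" to encrypted
# files and drops "akira_readme.txt" ransom notes in the folders it touches.
ENCRYPTED_EXTENSION = ".akira"
RANSOM_NOTE_NAME = "akira_readme.txt"


def scan_for_akira_indicators(root):
    """Walk `root` and collect paths that match either indicator.

    Matching is case-insensitive on the file name only; the note is matched by
    exact name so that backups such as "akira_readme.txt.bak" are not counted.
    """
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lowered = name.lower()
            path = os.path.join(dirpath, name)
            if lowered.endswith(ENCRYPTED_EXTENSION):
                encrypted.append(path)
            elif lowered == RANSOM_NOTE_NAME:
                notes.append(path)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def summarize(root):
    """Turn the raw scan into the counts and verdict a SIEM rule would act on."""
    found = scan_for_akira_indicators(root)
    affected_dirs = {os.path.dirname(p) for p in found["notes"]}
    if found["encrypted"] and found["notes"]:
        verdict = "encryption_confirmed"   # both indicators present together
    elif found["encrypted"] or found["notes"]:
        verdict = "suspicious"             # one indicator alone: investigate
    else:
        verdict = "clean"
    return {
        "encrypted_files": len(found["encrypted"]),
        "ransom_notes": len(found["notes"]),
        "affected_directories": len(affected_dirs),
        "verdict": verdict,
    }


def build_sample_tree(base):
    """Create a constructed tree mimicking a partially encrypted ESXi datastore.

    The directory and VM names are invented for the demo; only the indicator
    file names come from the advisory.
    """
    layout = {
        "vmfs/volumes/datastore1/web01": [
            "web01.vmx.akira", "web01-flat.vmdk.akira", RANSOM_NOTE_NAME],
        "vmfs/volumes/datastore1/db01": ["db01.vmx", "db01-flat.vmdk"],
        "vmfs/volumes/datastore2/app02": ["app02.vmx.akira", RANSOM_NOTE_NAME],
        "vmfs/volumes/datastore2/notes": ["readme.txt", "akira_readme.txt.bak"],
    }
    for rel_dir, files in layout.items():
        full_dir = os.path.join(base, *rel_dir.split("/"))
        os.makedirs(full_dir, exist_ok=True)
        for name in files:
            with open(os.path.join(full_dir, name), "w", encoding="utf-8") as fh:
                fh.write("constructed sample content\n")


def demo():
    """Build the constructed tree in a temp dir, scan it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(tmp)


if __name__ == "__main__":
    # Pass a real path (e.g. a datastore mount) to scan it; with no argument the
    # constructed sample tree is scanned instead.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(summarize(target) if target else demo())
```

On a live host the scan would be pointed at the datastore mount rather than the constructed tree, and the `affected_directories` count is the value to alert on: a single note could be an analyst’s saved copy, while notes spread across many VM folders match the pattern the advisory describes.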
Affected Products
The affected product in this scenario is VMware ESXi, a widely adopted server virtualisation platform. Organisations leveraging ESXi for their virtual environments, particularly those running Linux-based virtual machines, are susceptible to this form of attack. It is important to note that the Linux encryptor is being designed to target ESXi servers specifically. However, further details of any version-specific vulnerabilities exploited by Akira’s Linux encryptor are currently unknown. Users are recommended to maintain an up-to-date ESXi environment.
Containment, Mitigations & Remediations
Administrators should immediately conduct a comprehensive security audit of their virtual environments. Implement robust access controls, restrict administrative privileges and enforce strong, unique passwords across all accounts. Mitigation strategies include regularly updating and patching ESXi servers to the latest versions provided by VMware to close off any known vulnerabilities.
Threat Landscape
The rise of Akira’s ransomware, particularly its focus on VMware ESXi servers, signifies an evolving threat landscape. This ransomware operation has shown two distinct activity spikes since its emergence, illustrating its growing influence and operational capabilities. The shift to target Linux-based systems, in addition to Windows, shows an expansion in the ransomware’s scope, threatening organisations across various sectors globally.
Mitre Methodologies
Initial Access
T1078 – Valid Accounts
T1133 – External Remote Services
Execution
T1047 – Windows Management Instrumentation
T1053.005 – Scheduled Task
T1059.001 – Command and Scripting Interpreter: PowerShell
Persistence
T1053.005 – Scheduled Task
T1078 – Valid Accounts
T1133 – External Remote Services
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation
T1053.005 – Scheduled Task
T1078 – Valid Accounts
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defence Evasion
T1036.004 – Masquerading: Masquerade Task or Service
T1078 – Valid Accounts
T1497.001 – Virtualization/Sandbox Evasion: System Checks
T1497.003 – Virtualization/Sandbox Evasion: Time Based Evasion
T1562.001 – Impair Defenses: Disable or Modify Tools
Credential Access
T1003.001 – OS Credential Dumping: LSASS Memory
Discovery
T1018 – Remote System Discovery
T1057 – Process Discovery
T1082 – System Information Discovery
T1083 – File and Directory Discovery
T1217 – Browser Information Discovery
T1497.001 – Virtualization/Sandbox Evasion: System Checks
T1497.003 – Virtualization/Sandbox Evasion: Time Based Evasion
Collection
T1005 – Data from Local System
Command and Control
T1219 – Remote Access Software
Impact
T1486 – Data Encrypted for Impact
T1490 – Inhibit System Recovery
Further Information