Friday, December 1, 2023

Akira Ransomware Expanded its Toolkit to Attack Linux Machines

A newly emerged ransomware known as Akira expands its operations to target Linux-based platforms which add the “.akira” file extension to each compromised file. 

Akira ransomware mostly operating since April 2023, and actively targeting numerous organizations, compromising their sensitive data. 

The Akira ransomware specifically targeted a wide range of industries during its attacks, encompassing sectors including Education, Banking, Financial Services and Insurance (BFSI), Manufacturing, Professional Services, and more. 

The group has already compromised 46 publicly disclosed victims, most of whom are in the United States, according to Cyble report.

Technical Analysis of Akira Ransomware: 

The execution of the attack was achieved through the malicious 64-bit Linux executable Linkable Format (ELF) file. 

In order to execute the Akira executable, specific parameters need to be provided.  

The required parameters for running the Akira executable are as follows: 

  • “-p” / “–encryption_path” – Path of files/folder to be encrypted. 
  • “-s” / “–share_file” – Path of the shared network drive to be encrypted 
  • “-n” / “–encryption_percent” – Percentage of the files to be encrypted. 
  • “-fork” – Creating a child process for encryption.   

Upon execution, the Akira ransomware loads a pre-determined RSA public key to encrypt files in the system.

Once the public key is initialized, the Akira ransomware loads a list of predetermined file extensions it intends to target and encrypt. 

encrypt file
Figure: File Extensions Targeted by the Akira Ransomware 

The ransomware incorporates routines associated with multiple symmetric key algorithms, including AES, CAMELLIA, IDEA-CB, and DES. 

When encountering a file with an extension listed, the ransomware proceeds to encrypt the file and leave the ransomware note on the infectious machine. 


The ransomware notes detailed how to reach the group to negotiate ransom and guidance to decrypt their data. 

Akira Ransomware, which was initially focused on Windows systems, has now expanded its target range to include Linux platforms.  

During attacks, Akira uses a combination of AES and RSA encryption to render the victim’s files inaccessible.  

In addition to encrypting the victim’s files, Akira will also remove the Shadow Volume copies of the files.  

This is done to prevent users from recovering their files using alternative methods.  

The proliferation of ransomware and shift in tactics reflects a growing trend among ransomware groups. 

Indicator of compromise: 

Indicators Indicator Type Description 
Akira Ransomware 

Latest articles

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

CISA Warns Hackers Exploiting Wastewater Systems Logic Controllers

In a disconcerting turn of events, cyber threat actors have set their sights on...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles