Akira Ransomware Expanded its Toolkit to Attack Linux Machines

A newly emerged ransomware known as Akira has expanded its operations to target Linux-based platforms; it appends the “.akira” file extension to each encrypted file.

Akira ransomware has been operating since April 2023 and has actively targeted numerous organizations, compromising their sensitive data.

The Akira ransomware has targeted a wide range of industries, including Education, Banking, Financial Services and Insurance (BFSI), Manufacturing, Professional Services, and more.

The group has already compromised 46 publicly disclosed victims, most of whom are in the United States, according to a Cyble report.

Technical Analysis of Akira Ransomware:

The attack is carried out by a malicious 64-bit Linux Executable and Linkable Format (ELF) file.

The Akira executable requires specific command-line parameters in order to run.

The required parameters for running the Akira executable are as follows: 

  • “-p” / “--encryption_path” – Path of the files/folder to be encrypted.
  • “-s” / “--share_file” – Path of the shared network drive to be encrypted.
  • “-n” / “--encryption_percent” – Percentage of each file to be encrypted.
  • “-fork” – Create a child process for encryption.

Upon execution, the Akira ransomware loads a pre-determined RSA public key to encrypt files in the system.

Once the public key is initialized, the Akira ransomware loads a list of predetermined file extensions it intends to target and encrypt. 

Figure: File Extensions Targeted by the Akira Ransomware

The ransomware incorporates routines associated with multiple symmetric-key algorithms, including AES, CAMELLIA, IDEA-CB, and DES.

When it encounters a file with a listed extension, the ransomware encrypts the file and drops a ransom note on the infected machine.

The ransom note explains how to contact the group to negotiate the ransom and how to obtain decryption of the data.

Akira Ransomware, which was initially focused on Windows systems, has now expanded its target range to include Linux platforms.  

During attacks, Akira uses a combination of AES and RSA encryption to render the victim’s files inaccessible.  

In addition to encrypting the victim’s files, Akira will also remove the Shadow Volume copies of the files.  

This is done to prevent users from recovering their files by alternative means, such as restoring from those copies.

The proliferation of ransomware and the shift in tactics reflect a growing trend among ransomware groups.

Indicators of compromise:

Indicator                                                         Indicator Type   Description
302f76897e4e5c8c98a52a38c4c98443                                  MD5              Akira Ransomware ELF
9180ea8ba0cdfe0a769089977ed8396a68761b40                          SHA1             Akira Ransomware ELF
1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296  SHA256           Akira Ransomware ELF
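The following script is an added example, not part of the original article or of any Cyble tooling. It turns the indicators above and the “.akira” extension mentioned earlier into a simple host check: it walks a directory tree, hashes every regular file with MD5/SHA1/SHA256, reports any file whose digest matches the published Akira ELF hashes, and separately lists files that already carry the “.akira” extension. The sample tree it builds in demo() is constructed for the example; the fake binary's own SHA256 is substituted for the real SHA256 indicator so the match path can be exercised offline without any real sample.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hashes from the article's indicator-of-compromise table (Akira Linux ELF).
AKIRA_IOCS = {
    "md5": "302f76897e4e5c8c98a52a38c4c98443",
    "sha1": "9180ea8ba0cdfe0a769089977ed8396a68761b40",
    "sha256": "1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296",
}

# Extension Akira appends to files it has encrypted (from the article).
AKIRA_EXTENSION = ".akira"


def hash_file(path):
    """Return MD5, SHA1 and SHA256 hex digests of a file, read in 1 MiB chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def scan_tree(root, iocs=AKIRA_IOCS, extension=AKIRA_EXTENSION):
    """Walk `root` and return (ioc_hits, encrypted_files).

    ioc_hits:        list of (path, algorithm) for files whose digest matches an IoC
    encrypted_files: list of paths that already carry the ransomware's extension
    Symlinks are skipped so a planted link cannot redirect the scan."""
    ioc_hits, encrypted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if name.lower().endswith(extension):
                encrypted.append(path)
            digests = hash_file(path)
            for algo, known in iocs.items():
                if digests[algo] == known.lower():
                    ioc_hits.append((path, algo))
                    break  # one report per file is enough
    return ioc_hits, encrypted


def demo():
    """Build a constructed sample tree and scan it; returns paths relative to the tree root."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        # Constructed placeholder standing in for a dropped binary; NOT real malware.
        sample = base / "suspicious_binary"
        sample.write_bytes(b"\x7fELF constructed placeholder, not a real sample\n")
        (base / "docs").mkdir()
        (base / "docs" / "report.docx.akira").write_bytes(b"opaque bytes")  # constructed
        (base / "docs" / "notes.txt").write_bytes(b"clean file")            # constructed
        # Substitute the placeholder's own SHA256 for the real IoC so the match runs offline.
        iocs = dict(AKIRA_IOCS, sha256=hash_file(sample)["sha256"])
        hits, encrypted = scan_tree(root, iocs=iocs)
        return {
            "ioc_hits": [(Path(p).relative_to(root).as_posix(), a) for p, a in hits],
            "encrypted": sorted(Path(p).relative_to(root).as_posix() for p in encrypted),
        }


if __name__ == "__main__":
    result = demo()
    print("IoC hits:", result["ioc_hits"])
    print("Files with .akira extension:", result["encrypted"])
```

Run it against a real tree with scan_tree("/path/to/check") using the default AKIRA_IOCS; hashing every file is slow on large volumes, so in practice limit the walk to locations where a dropped payload would land (temp directories, home directories, shared drives named in the “-s” parameter) and treat any file count under "encrypted" as a signal that encryption is already under way.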
Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
