Akira Ransomware Actors are Developing a Rust Variant to Attack ESXi servers. First identified in March 2023, it targets both Windows and Linux systems. It is first identified in March 2023, targets both “Windows” and “Linux” systems.
It employs a double-extortion tactic and has affected numerous organizations, particularly in the U.S. Cybersecurity analysts at Cisco Talos recently identified that Akira ransomware actors have been actively developing a rust variant of Akira to attack ESXi servers.
Akira ransomware has established itself as a challenging cyber threat, evolving its attack methodologies sophisticatedly throughout 2024.
Akira Ransomware New Rust Variant
The ransomware’s technical architecture experienced a significant “transformation,” transitioning from “C++” to “Rust” programming language.
Join ANY.RUN's FREE webinar on How to Improve Threat Investigations on Oct 23 - Register Here
This happened particularly in its “ESXi encryptor variant” (‘version 2024.1.30’), which now uses the “rust-crypto 0.3.26 library” instead of the previous “Crypto++ library.”
Akira’s operators actively exploit critical vulnerabilities like “CVE-2024-40766 in SonicWall SonicOS,” “CVE-2023-20269 in Cisco VPN services,” and “CVE-2023-48788 in FortiClientEMS software,” to gain unauthorized access.
Once inside a network, they employ sophisticated techniques like “PowerShell scripts” for credential harvesting, “WMI” for deleting system shadow copies (“Get-WmiObject Win32_Shadowcopy | Remove-WmiObject”), and “RDP” for lateral movement.
The ransomware has evolved to target both “Windows” and “Linux” environments with its latest variant using the distinctive “akiranew” extension for encrypted files and deploying the Megazord encryptor alongside its main payload.
Their attack chain begins with “compromising VPN credentials” and “exploiting network appliances,” followed by “privilege escalation” through tools like “Veeam.Backup.
MountService.exe.”Primarily the organizations in “manufacturing” and “professional technical services” sectors are targeted.
It does so by maintaining persistence through sophisticated evasion techniques like “binary padding” and “security tool manipulation.”
Besides this, it seems that the Akira ransomware group is strategically shifting away from their “Rust-based Akira v2 variant.” Instead, they are returning to their traditional “C++ programming approach” for both “Windows” and “Linux” encryption tools.
This tactical change prioritizes operational reliability over innovation. As is evidenced by their “September 2024 samples,” which were found using the familiar extension and notes:-
- .akira file extension
- akira_readme.txt ransom notes
The report reads that due to fewer quarter-round operations, the group has technically enhanced its approach by implementing the “ChaCha8” stream cipher, which performs encryption operations more efficiently than the previously used “ChaCha20” algorithm.
Their Windows variant now incorporates new arguments like “-localonly” and “–exclude,” while evading encryption of system paths like “$Recycle.Bin” and “System Volume Information.”
The Linux version maintains the “–fork” argument for creating child processes during encryption and targets specific file extensions like:
- .4d
- .abd
- .abx
- .ade
- .ckp
- .db
- .dddpl
- .dx
- .edb
- .fo
- .ib
- .idb
- .mdn
- .mud
- .nv
- .pdb
- .sq
- .te
- .ud
- .vdh
For more streamlined operations the group gradually reduced its toolset, and the recent one is “Megazord” which was used for Windows environments. Their strategic focus remains on attacking “VMWare’s ESXi” and “Linux environments.”
These platforms allow simultaneous encryption of multiple VMs and critical workloads through “vmdk” files, which helps in maximizing operational impact while minimizing the need for extensive lateral movement and credential theft within target networks.
Recommendations
Here below we have mentioned all the recommendations:-
- Regularly assess vulnerabilities and apply security patches on ESXi hosts.
- Enforce strong password policies and enable MFA.
- Deploy “SIEM” and “EDR/XDR” for continuous threat monitoring and response.
- Secure ESXi interfaces with access controls, MFA, and RBAC.
- Disable unnecessary WMI access and monitor WMI commands.
- Prevent credential dumping with Windows Defender Credential Guard.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Watch Here