CRIL Researchers Discover Linux Variant Of Akira Ransomware


Researchers have found the Linux variant of Akira ransomware, marking a shift in tactics for the group.

In a recent report, Cyble Research and Intelligence Labs (CRIL) has detailed a sophisticated Linux variant of Akira ransomware, raising concerns about the increasing exposure of Linux environments to cyber threats.

The Akira ransomware group has been actively targeting numerous organizations across various sectors, posing a significant threat to their cybersecurity and sensitive data.

Linux variant of Akira ransomware: The transition

Since its emergence in April 2023, Akira ransomware has already compromised a total of 46 publicly disclosed victims.

Notably, an additional 30 victims have been identified since CRIL’s previous report on Akira ransomware, indicating the group’s growing reach. The majority of these victims are based in the United States.

The affected organizations span various industries, including Education, Banking, Financial Services and Insurance (BFSI), Manufacturing, and Professional Services, among others.

The malicious Linux executable is a 64-bit Linux Executable and Linkable Format (ELF) file.

To run the Akira executable, specific parameters must be supplied, such as the path of the files or folders to be encrypted, the path of the shared network drive to be encrypted, the percentage of files to be encrypted, and whether to create a child process for encryption.

[Figure: Geographical distribution of Akira ransomware victims]

Linux variant of Akira ransomware: Technical details

The Linux variant of Akira ransomware is driven by command-line parameters: the location of the files or folders to be encrypted, the shared network drive to be encrypted, the percentage of each file set to be encrypted, and an option to create a child process that carries out the encryption.

When the ransomware is executed, it uses RSA encryption to lock files on the system, leaving them unreadable without the decryption key.

The ransomware carries a list of file types it targets for encryption, covering extensions for documents, databases, images, and more. Any file whose extension matches an entry on that list is encrypted.

The Linux variant of Akira ransomware uses several symmetric key algorithms, including AES, CAMELLIA, IDEA-CB, and DES, to perform the encryption itself; these algorithms scramble the file contents, making them inaccessible.

Once a file is encrypted, the ransomware appends the “.akira” extension to it. This change in extension is how encrypted files can be recognised.

In summary, the execution flow is: on launch, Akira loads a predetermined RSA public key to initiate the encryption process; it then encrypts files matching its target extensions using the symmetric algorithms listed above (AES, CAMELLIA, IDEA-CB, and DES); each compromised file is appended with the “.akira” extension; and a ransom note is deposited on the victim’s system.
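The one on-disk artefact the article pins down precisely is the “.akira” extension appended to each encrypted file, together with the note that the binary can be told to encrypt only a percentage of files. The following is an added example written for this page (not code from the CRIL report or from the Akira binary): a defender-side sweep that lists renamed files and flags directories where a large share of files carry the extension. The directory tree is constructed in a temporary folder so the script runs offline, and the 50% ratio and two-file minimum are illustrative thresholds, not values from the report; the ransom note is not searched for because the article does not give its filename.

```python
"""Added example, not code from the CRIL report or the article: a defender-side
sweep for the on-disk trace the article attributes to the Linux Akira variant,
files renamed with the ".akira" extension.  The sample tree is constructed in a
temporary folder so the script runs offline; the threshold values are
assumptions for illustration, not figures from the report."""
import os
import tempfile

ENCRYPTED_EXT = ".akira"  # extension the article says Akira appends


def find_encrypted_files(root):
    """Return root-relative paths of every file carrying the Akira extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def scan_tree(root):
    """Per-directory tally: {relative_dir: (encrypted_count, total_count)}."""
    stats = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = sum(1 for n in files if n.lower().endswith(ENCRYPTED_EXT))
        stats[os.path.relpath(dirpath, root)] = (encrypted, len(files))
    return stats


def suspicious_directories(stats, min_files=2, min_ratio=0.5):
    """Directories where at least min_ratio of the files carry the extension.

    The article notes the binary accepts a 'percentage of files to encrypt'
    parameter, so an affected directory may be only partly encrypted; a ratio
    threshold catches that where an 'every file renamed' rule would not.
    """
    return sorted(d for d, (enc, total) in stats.items()
                  if total >= min_files and enc / total >= min_ratio)


def build_sample_tree():
    """Constructed sample: one partly and one fully renamed directory, one clean."""
    root = tempfile.mkdtemp(prefix="akira-demo-")
    layout = {
        "finance": ["q1.xlsx.akira", "q2.xlsx.akira", "notes.txt"],  # 2 of 3 renamed
        "db": ["main.sql.akira", "main.sql.bak.akira"],              # fully renamed
        "photos": ["a.jpg", "b.jpg", "c.jpg"],                       # untouched
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path in find_encrypted_files(root):
        print("encrypted:", path)
    for d in suspicious_directories(scan_tree(root)):
        print("directory with encrypted share >= 50%:", d)
```

Run it against a real mount point by replacing `build_sample_tree()` with the path to inspect; the ratio view is the useful one on a file server, because a partially encrypted share shows up as a cluster of renamed files rather than a wholesale rename.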

Akira ransomware, the latest to hit Linux

The Linux variant of Akira ransomware highlights the increasing vulnerability of systems on Linux platforms to cyber threats.

As such, organizations utilizing Linux environments must remain vigilant and implement robust security measures to protect against ransomware attacks.

To protect against the Linux variant of Akira ransomware, it is crucial to implement the following cybersecurity best practices:

Regular backup practices: Conduct regular backups of important data and ensure they are stored offline or in a separate network. This precautionary measure allows users to restore their data without paying the ransom in the event of an attack.

Automatic software updates: Enable the automatic software update feature on all connected devices, including computers, mobile devices, and IoT devices. Regular software updates often include critical security patches that address vulnerabilities exploited by ransomware and other malware.

Reputed antivirus and internet security software: Install and regularly update a reputable antivirus and internet security software package on all connected devices. These software solutions can detect and mitigate ransomware threats, providing an additional layer of protection.

Exercise caution with links and email attachments: Avoid clicking on untrusted links or opening email attachments from unknown or suspicious sources. Verify the authenticity of such links and attachments before interacting with them, as they can serve as gateways for ransomware infections.
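The backup recommendation above is only worth something if the backup can actually be restored and if the operator can tell which live files were damaged. The following is an added example written for this page (not the article’s or CRIL’s code): it archives a directory together with a SHA-256 manifest, test-restores the archive into a scratch directory and checks every hash, and later compares the live tree against the manifest to list files that changed or disappeared, such as a file that was overwritten and renamed with a “.akira” extension. The sample files and the simulated damage are constructed; copying the archive to offline or separately networked storage, which the article also recommends, is outside this snippet.

```python
"""Added example, not from the article or the CRIL report: a minimal
backup-and-verify routine for the 'regular backups' recommendation.  It writes
a tar archive plus a SHA-256 manifest, test-restores the archive and checks it,
and can compare the live tree against the manifest to list files that changed
or vanished.  Paths, sample files and the simulated damage are constructed."""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_root):
    """{relative_path: sha256} for every regular file under src_root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(src_root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, src_root)] = sha256_file(full)
    return manifest


def create_backup(src_root, dest_dir):
    """Write backup.tar.gz and manifest.json into dest_dir; return both paths."""
    archive = os.path.join(dest_dir, "backup.tar.gz")
    manifest_path = os.path.join(dest_dir, "manifest.json")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_root, arcname=".")
    with open(manifest_path, "w") as fh:
        json.dump(build_manifest(src_root), fh, indent=1, sort_keys=True)
    return archive, manifest_path


def compare_tree(root, manifest):
    """Sorted list of manifest entries that are missing or altered under root."""
    bad = []
    for rel, digest in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full) or sha256_file(full) != digest:
            bad.append(rel)
    return sorted(bad)


def verify_backup(archive, manifest_path):
    """Test-restore the archive and check it against the manifest; [] means good."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    with tempfile.TemporaryDirectory(prefix="restore-test-") as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch)
        return compare_tree(scratch, manifest)


def build_sample_source():
    """Constructed sample data to back up."""
    src = tempfile.mkdtemp(prefix="backup-src-")
    os.makedirs(os.path.join(src, "docs"))
    with open(os.path.join(src, "docs", "plan.txt"), "w") as fh:
        fh.write("constructed sample document\n")
    with open(os.path.join(src, "config.ini"), "w") as fh:
        fh.write("[constructed]\nkey=value\n")
    return src


def simulate_damage(src):
    """Constructed stand-in for an encrypted file: overwrite it and rename it .akira."""
    old = os.path.join(src, "docs", "plan.txt")
    with open(old, "wb") as fh:
        fh.write(b"\x00unreadable\x00")
    os.rename(old, old + ".akira")


def demo():
    """Back up, verify the restore, damage the live tree, list what to restore."""
    src = build_sample_source()
    dest = tempfile.mkdtemp(prefix="backup-dest-")
    archive, manifest_path = create_backup(src, dest)
    clean = verify_backup(archive, manifest_path)
    simulate_damage(src)
    with open(manifest_path) as fh:
        damaged = compare_tree(src, json.load(fh))
    return clean, damaged


if __name__ == "__main__":
    print(demo())
```

The manifest should be stored with the offline copy of the archive, not only beside the live data: a backup whose checksums live on the same volume the ransomware encrypts cannot be trusted to tell you what was changed.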
