Akira ransomware has expanded its attack capabilities and is leveraging a Linux encryptor to target VMware ESXi virtual machines. This adaptation allows Akira to execute double-extortion attacks on companies globally. Read on to learn more about this threat.
Initially discovered in March 2023, Akira is a newer entrant to the ransomware landscape. Akira ransomware claims to have attacked 45 organizations in the short time it’s been in operation, and the majority of the target companies reside in the U.S. Victims range from a small child care center to large financial organizations.
Akira’s operation, which has primarily targeted Windows systems across a range of sectors, now includes a project named ‘Esxi_Build_Esxi6’ specifically designed to attack VMware ESXi servers.
The Linux version of Akira employs command line arguments that allow threat actors to customize their attacks, including designating the percentage of data encrypted on each file. Interestingly, this version of Akira seems to have been ported from the Windows version, given its propensity to skip folders and files typically associated with Windows.
Once activated, the Akira ransomware encrypts a broad range of file extensions, renames files with the .akira extension, and leaves a ransom note named akira_readme.txt in each folder on the encrypted device.
Nuspire actively threat hunts for indications of compromise within managed client environments.
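As an added example (not Nuspire's tooling and not code from the original article), the following sketch sweeps a directory tree for the two file-level indicators described above: files renamed with the .akira extension and an akira_readme.txt note in the same folder. The function names, the case-insensitive matching, and the sample file names are assumptions made for illustration.

```python
import os
import sys
import tempfile

# Indicators named on this page: renamed-file extension and ransom note name.
ENCRYPTED_SUFFIX = ".akira"
RANSOM_NOTE = "akira_readme.txt"

def scan_tree(root):
    """Return {directory: {"encrypted": [names], "note": bool}} for each
    directory under root that contains at least one indicator."""
    findings = {}
    # onerror swallows unreadable directories so one bad mount does not stop the sweep
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        encrypted = sorted(f for f in files if f.lower().endswith(ENCRYPTED_SUFFIX))
        note = any(f.lower() == RANSOM_NOTE for f in files)
        if encrypted or note:
            findings[dirpath] = {"encrypted": encrypted, "note": note}
    return findings

def classify(finding):
    """Note plus renamed files in the same folder matches the described
    behaviour; a single indicator alone is only flagged for review."""
    return "high" if finding["note"] and finding["encrypted"] else "review"

def report(root):
    """Sorted rows of (confidence, directory, renamed-file count, note present)."""
    return [(classify(f), d, len(f["encrypted"]), f["note"])
            for d, f in sorted(scan_tree(root).items())]

def build_constructed_tree(base):
    """Constructed sample data: one hit folder, one clean folder."""
    for rel in ("vm1/disk.vmdk.akira", "vm1/akira_readme.txt", "vm2/disk.vmdk"):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    if len(sys.argv) > 1:
        rows = report(sys.argv[1])          # e.g. a datastore mount point
    else:
        demo = tempfile.mkdtemp()           # no path given: use constructed tree
        build_constructed_tree(demo)
        rows = report(demo)
    for level, directory, count, note in rows:
        print(f"{level}\t{directory}\trenamed={count}\tnote={note}")
```

A "high" row means both indicators sit in the same folder, matching the behaviour described above; a "review" row has only one of them and needs a human look before it is treated as a hit.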
The Akira ransomware is a significant and growing threat to organizations around the world. As such, it is recommended that companies:
This situation underscores the importance of adopting comprehensive cybersecurity measures to protect against evolving and sophisticated threats like Akira ransomware.