Akira Ransomware Extends Reach To Linux Platform – Cyble

Threat Actors Target Multiple Sectors in Wide-Ranging Attacks

Ransomware poses a significant risk to cybersecurity and remains a highly successful form of cybercrime that presents serious challenges for organizations. It has emerged as a lucrative enterprise for cybercriminals, leading to profound implications, including financial and data losses, as well as detrimental effects on the reputation of the organizations targeted.

Cyble Research and Intelligence Labs (CRIL) have recently shared crucial details about the activities of a newly identified ransomware group known as “Akira.” This group is actively targeting numerous organizations, compromising their sensitive data. It is worth noting that Akira ransomware has expanded its operations to include the Linux platform. CRIL came across a sophisticated Linux variant of the Akira ransomware.

Since its emergence in April 2023, Akira ransomware has already compromised 46 publicly disclosed victims, with an additional 30 victims identified since our previous blog post. The majority of these victims are located in the United States. Here is a breakdown of the countries where the victims have been identified.

Figure 1 Geographical distribution of Victims
Figure 1 – Geographical Distribution of Victims

The Akira ransomware specifically targeted a wide range of industries during its attacks, encompassing sectors including Education, Banking, Financial Services and Insurance (BFSI), Manufacturing, Professional Services, and more.

The figure below shows industries targeted by the Akira ransomware.

Figure 2 Industries Targeted by Akira Ransomware
Figure 2 – Industries Targeted by Akira Ransomware

Technical Details

The malicious Linux executable is a 64-bit Linux Executable and Linkable Format (ELF) file with SHA256 as 1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296.

Figure 3 File Details of the Akira Ransomware Linux
Figure 3 – File Details of the Akira Ransomware Linux Executable

In order to execute the Akira executable, specific parameters need to be provided. The required parameters for running the Akira executable are as follows:

  • “-p” / “–encryption_path” – Path of files/folder to be encrypted.
  • “-s” / “–share_file” – Path of the shared network drive to be encrypted
  • “-n” / “–encryption_percent” – Percentage of the files to be encrypted.
  • “-fork” – Creating a child process for encryption.
Figure 4 Ransomware Command Line Parameters
Figure 4 – Ransomware Command Line Parameters

Upon execution, the Akira ransomware loads a pre-determined RSA public key to encrypt files in the system.

The figure below presents the hardcoded public key utilized by the Akira ransomware.

Figure 5 Akira Ransomware Hardcoded RSA Public Key
Figure 5 – Akira Ransomware Hardcoded RSA Public Key

Following the initialization of the public key, the Akira ransomware loads a list of predetermined file extensions that it intends to target and encrypt.

The figure below illustrates the file extensions that are specifically targeted by the Akira ransomware.

Figure 6 File Extensions Targeted by the Akira Ransomware
Figure 6 – File Extensions Targeted by the Akira Ransomware

The table provided below encompasses a comprehensive list of the file extensions targeted by Akira ransomware.

vdi vhd vmdk pvm vmem vmsn vmsd nvram
vmx raw qcow2 subvo bin vsv avhd vmrs
vhdx avdx vmcx iso mar odb scx wdb
4dd cma dqy frm mas oqy sdb wmdb
accdb cpd dsk gdb mav orx sdc wrk
accdc dacpac dsn grdb mdb owc sdf xdb
accde dad dtsx gwi mdf p96 sis xld
accdr dadiagrams eco hdb mpd p97 spq xmlff
accdt daschema ecx his mrg pan sqlite abcddb
accft db-shm edb idb mud pdb sqlite3 abs
adb db-wa epim ihx mwb pdm sqlitedb abx
ade db3 exb itdb myd pnz temx accdw
adf dbc fcd itw ndf qry tmd adn
adp dbf fdb jet nnt qvd tps db2
arc dbs fic jtx nrmlib rbf trc fm5
ora dbt fmp kdb ns2 rctd trm hjt
alf dbv fmp12 kexi ns3 rod udb icg
ask dbx fmps kexic ns4 rodx usr icr
btr dcb fp3 kexis nsf rpd v12 kdb
bdf dct fp4 lgc nv2 rsd vis lut
cat dcx fp5 lwx nwdb sas7bdat vpd maw
cdb dlis fp7 maf nyf sbf vvv mdn
ckp dp1 fpt maq mdt  

The ransomware incorporates routines associated with multiple symmetric key algorithms, including AES, CAMELLIA, IDEA-CB, and DES. When encountering a file with an extension listed in the previously mentioned extensions, the ransomware proceeds to encrypt the file.

The image below illustrates the routine specifically implemented for AES encryption within the ransomware.

Figure 7 Akira Ransomware Routine Related to AES Encryption
Figure 7 – Akira Ransomware Routine Related to AES Encryption

Next, to successfully encrypt the files, the ransomware adds the “.akira” file extension to each compromised file and deposits a pre-defined ransom note onto the victim’s system.

The figure below displays the exact contents of the ransom note, which have been hardcoded into the ransomware.

Figure 8 Ransom note Hardcoded into The Akira Ransomware
Figure 8 – Ransom note Hardcoded into The Akira Ransomware Executable


Akira Ransomware, which was initially focused on Windows systems, has now expanded its target range to include Linux platforms. This shift in tactics reflects a growing trend among ransomware groups, indicating an upcoming surge in attacks targeting Linux environments. The fact that a previously Windows-centric ransomware group is now turning its attention to Linux underscores the increasing vulnerability of these systems to cyber threats.

CRIL maintains vigilant monitoring of emerging ransomware campaigns to ensure our readers are well-informed, providing regular updates on our latest discoveries.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

  • Detach infected devices on the same network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impact of Akira Ransomware

  • Loss of valuable data.
  • Loss of the organization’s reputation and integrity.
  • Loss of the organization’s sensitive business information.
  • Disruption in organization operation.
  • Financial loss.

MITRE ATT&CK® Techniques

Tactic  Technique ID  Technique Name 
Execution  T1204  User Execution
Discovery    T1082
System Information Discovery
File and Directory Discovery
Impact   T1486 
Data Encrypted for Impact 
Inhibit System Recovery

Indicators of Compromise (IOCs)

Indicators Indicator Type Description
Akira Ransomware

Source: https://blog.cyble.com/2023/06/28/akira-ransomware-extends-reach-to-linux-platform/