Inside Akira Ransomware’s Rust Experiment

Summary:
Check Point Research provides an in-depth analysis of the Akira ransomware’s Rust version, which specifically targets ESXi servers. The report highlights the complexities of reverse-engineering Rust binaries and the design choices made by the malware authors. It emphasizes the unique features of the ransomware and the challenges faced in understanding its control flow and encryption logic.
#AkiraRansomware #RustMalware #ESXiThreats

Keypoints:

  • Akira ransomware has evolved into a Rust version targeting ESXi servers.
  • Rust binaries are hard to reverse-engineer: compiler optimizations, in particular aggressive inlining of standard-library and crate code into the malware's own functions, blur the boundary between the author's logic and library code.
  • The malware is driven entirely by command-line arguments rather than an interactive interface; one of them sets the number of threads used for encryption.
  • Control flow consists of argument parsing, the default actions taken when no arguments are supplied, and the encryption logic.
  • Files are encrypted with a hybrid scheme: a symmetric cipher for the file contents and an asymmetric cipher to protect the symmetric key material.
  • A ransom note (akiranew.txt) is written after the files have been encrypted.

MITRE Techniques:

  • Command and Scripting Interpreter: Unix Shell (T1059.004): Runs shell commands on the ESXi host, notably the awk/vim-cmd one-liner listed under IoC that powers off every VM; the encryptor itself is steered by command-line arguments (for example the thread count).
  • Service Stop (T1489): Powers off running virtual machines with vim-cmd vmsvc/power.off so that their disk files are no longer in use and can be encrypted.
  • Data Encrypted for Impact (T1486): Encrypts files to demand ransom from victims.

IoC:

  • [file hash] 3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75
  • [file name] akiranew.txt
  • [file extension] .akiranew
  • [command] awk '{system("vim-cmd vmsvc/power.off " $1)}'
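The indicators above are most useful when they can be checked quickly against a datastore listing and an ESXi shell history. The script below is an added example, not code from Check Point Research: it takes the hash, note name, extension and command from the IoC list, and scans constructed sample data (the file paths and shell lines are made up for the example; the `vim-cmd vmsvc/getallvms | ...` pipeline that feeds the awk one-liner is an assumption about how the command is typically run, not something the page states). It distinguishes a single `power.off`, which can be routine administration, from the awk loop that shuts down every VM.

```python
#!/usr/bin/env python3
"""Hunt for the Akira (Rust/ESXi) indicators listed on this page.

Added example; not Check Point Research's code. The IoC values are taken
from the page. SAMPLE_FILES and SAMPLE_SHELL are constructed test data.
"""
import hashlib
import re
from pathlib import PurePosixPath

# Indicators from the page
AKIRA_SHA256 = "3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75"
RANSOM_NOTE_NAME = "akiranew.txt"
ENCRYPTED_EXT = ".akiranew"

# The page's command: awk '{system("vim-cmd vmsvc/power.off " $1)}'
# Match the power-off call regardless of quoting/whitespace, and detect the
# awk/system() wrapper separately so bulk shutdowns rank higher.
POWER_OFF_RE = re.compile(r"vim-cmd\s+vmsvc/power\.off\b")
AWK_SYSTEM_RE = re.compile(r"\bawk\b.*\bsystem\s*\(")

# Constructed sample data (not from the page)
SAMPLE_FILES = [
    "/vmfs/volumes/datastore1/web01/web01.vmdk.akiranew",
    "/vmfs/volumes/datastore1/web01/web01.vmx",
    "/vmfs/volumes/datastore1/akiranew.txt",
    "/vmfs/volumes/datastore1/db01/db01-flat.vmdk",
]
SAMPLE_SHELL = [
    "esxcli system version get",
    "vim-cmd vmsvc/getallvms",
    "vim-cmd vmsvc/power.off 12",
    # Assumed pipeline around the page's awk one-liner: getallvms prints the
    # VM id in column 1, which awk feeds to power.off for every VM.
    "vim-cmd vmsvc/getallvms | grep -v Vmid | "
    "awk '{system(\"vim-cmd vmsvc/power.off \" $1)}'",
    "ls /vmfs/volumes",
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    """True when the bytes hash to the sample hash from the page."""
    return sha256_hex(data) == AKIRA_SHA256


def scan_paths(paths):
    """Return (path, reason) for ransom notes and encrypted files."""
    hits = []
    for p in paths:
        name = PurePosixPath(p).name.lower()
        if name == RANSOM_NOTE_NAME:
            hits.append((p, "ransom note"))
        elif name.endswith(ENCRYPTED_EXT):
            hits.append((p, "encrypted file"))
    return hits


def scan_shell_lines(lines):
    """Return (line_no, severity, line) for VM power-off commands.

    A lone vim-cmd power.off may be routine admin work (medium); an awk loop
    calling system() for every VM id is the bulk shutdown that precedes
    encryption (high).
    """
    hits = []
    for n, line in enumerate(lines, 1):
        if not POWER_OFF_RE.search(line):
            continue
        severity = "high" if AWK_SYSTEM_RE.search(line) else "medium"
        hits.append((n, severity, line.strip()))
    return hits


if __name__ == "__main__":
    for path, reason in scan_paths(SAMPLE_FILES):
        print(f"[file] {reason}: {path}")
    for n, severity, line in scan_shell_lines(SAMPLE_SHELL):
        print(f"[shell:{n}] {severity}: {line}")
```

On a real host the same functions can be fed the output of `find /vmfs/volumes` and the contents of `/var/log/shell.log`; the hash check is only meaningful against a binary you have already recovered, since the page gives one sample hash and other builds will differ.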


Full Research: https://research.checkpoint.com/2024/inside-akira-ransomwares-rust-experiment/