Akira Ransomware Expands To Linux: The Attacking Abilities And Strategies
Akira ransomware has emerged as a significant threat, and this variant targets Linux systems. Its ransom note claims that the victim's data has been encrypted extensively and that backups have been removed. The sample accepts command-line parameters that control how encryption is carried out, and it takes deliberate steps to conceal the operators' identity, which points to a group experienced in running ransomware operations. Affected: corporate infrastructure, Linux systems, backup data, database files, virtual machine files

Key points:

  • Akira ransomware targets internal corporate infrastructures, claiming to have encrypted data and removed backups.
  • It accepts various command-line parameters that make data encryption more efficient and widen the set of targets it can reach.
  • The attack includes a ransom note with contact methods and demands for anonymous payments.
  • It supports the encryption of a wide range of file types including databases and virtual machine files.
  • The encryption strategy combines AES and RSA algorithms to secure data effectively.

MITRE Techniques:

  • T1486: Data Encrypted for Impact – Akira encrypts internal company data extensively.
  • T1071: Application Layer Protocol – The ransomware encrypts files on network shares when they are specified through its parameters.
  • T1460: File and Directory Discovery – It retrieves system statistics and file counts, reading /proc/stat and /proc/cpuinfo.
  • T1082: System Information Discovery – The ransomware gathers information about the CPU and file system architecture to optimize attacks.

Indicators of Compromise:

  • [MD5] 6B03B31C8CBD4A0A5829B63D16936ED3
  • [SHA-1] a90790c35bea365befd3af55cbedfffd2cc4481b
  • [URL] hxxps[:]//akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id[.]onion
  • [URL] hxxps[:]//akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad[.]onion
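The hashes and .onion contact addresses above are the kind of indicators a defender would load into a quick triage script. The following is an added example, not code from the original post or from the blog it summarises: it refangs the defanged URLs, hashes candidate files with MD5 and SHA-1, and searches text such as a recovered ransom note or proxy log for the listed onion hosts. The sample file contents and log line are constructed for the demonstration and are not real artefacts from the incident.

```python
import hashlib
import re

# Indicators copied from the page's IoC list, normalised to lowercase hex / plain hostnames.
IOC_MD5 = {"6b03b31c8cbd4a0a5829b63d16936ed3"}
IOC_SHA1 = {"a90790c35bea365befd3af55cbedfffd2cc4481b"}
IOC_ONION = {
    "akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion",
    "akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion",
}

# v3 onion hostnames are 56 characters followed by ".onion".
ONION_RE = re.compile(r"[a-z0-9]{56}\.onion", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo the common defanging conventions (hxxp, [:], [.], (.)) so indicators can be compared."""
    out = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return out.replace("[:]", ":").replace("[.]", ".").replace("(.)", ".")


def hash_bytes(data: bytes) -> dict:
    """Return the MD5 and SHA-1 digests of a file's contents as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def match_file_hashes(data: bytes) -> list:
    """Return a list of (algorithm, digest) pairs for every listed hash the contents match."""
    digests = hash_bytes(data)
    hits = []
    for algo, known in (("md5", IOC_MD5), ("sha1", IOC_SHA1)):
        if digests[algo] in known:
            hits.append((algo, digests[algo]))
    return hits


def find_onion_iocs(text: str) -> list:
    """Return the known Akira onion hosts found in free text (ransom note, log line), defanged or not."""
    found = []
    for match in ONION_RE.finditer(refang(text)):
        host = match.group(0).lower()
        if host in IOC_ONION and host not in found:
            found.append(host)
    return found


def scan(files: dict, text_sources: dict) -> dict:
    """Scan in-memory {name: bytes} files and {name: str} texts; report only the entries that hit."""
    report = {}
    for name, data in files.items():
        hits = match_file_hashes(data)
        if hits:
            report[name] = hits
    for name, text in text_sources.items():
        hosts = find_onion_iocs(text)
        if hosts:
            report[name] = hosts
    return report


if __name__ == "__main__":
    # Constructed sample inputs; the binary content is NOT the real Akira sample.
    sample_files = {"/tmp/benign.bin": b"constructed benign file contents"}
    sample_texts = {
        # Constructed ransom-note fragment containing one of the page's defanged onion URLs.
        "akira_readme.txt": "contact us at hxxps[:]//akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id[.]onion",
        "proxy.log": "GET https://example.com/ 200",
    }
    for source, hits in scan(sample_files, sample_texts).items():
        print(f"{source}: {hits}")
```

In practice `files` would be populated by walking a mounted disk image or a suspicious directory and reading each file, and `text_sources` by reading ransom notes and proxy or DNS logs; the hash check only confirms this exact sample, so a miss does not clear a host, while a hit on either hash or onion host is a strong signal that warrants isolating the machine.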
Full Story: https://malwareanalysisspace.blogspot.com/2025/03/akira-ransomware-expands-to-linux.html