Attention! The Linux version of Akira ransomware for VMware ESXi servers
The Akira ransomware operation uses a Linux encryptor to encrypt VMware ESXi virtual machines in double-extortion attacks against enterprises worldwide.
Akira first appeared in March 2023, targeting Windows systems in multiple industries such as education, finance, real estate, manufacturing, and consulting.
Like other ransomware gangs targeting businesses, these attackers steal data from compromised networks and encrypt files to perform double extortion on victims, demanding ransom payments of up to millions of dollars.
Since its launch, the operation has claimed more than 30 victims in North America alone, with two clear activity peaks in ID Ransomware submissions: at the end of May and now.

Akira's activities over the past few months
Akira for VMware ESXi
The Linux version of Akira was first discovered by malware analyst Rivitna, who shared a sample of a new encryptor on VirusTotal last week.
Analysis shows that the project name of the encryptor is "Esxi_Build_Esxi6", indicating that the attacker specifically designed it for the VMware ESXi server.
For example, one of the project's source code files is /mnt/d/vcprojects/Esxi_Build_Esxi6/argh.h.
In the past few years, as businesses have shifted to using virtual machines as servers to improve device management and use resources more efficiently, ransomware gangs have created many custom Linux encryptors to encrypt VMware ESXi servers.
By targeting ESXi servers, attackers can encrypt many servers running as virtual machines in a single run of the ransomware encryptor.
However, unlike other VMware ESXi encryptors, Akira's encryptor does not include many advanced features, such as automatically shutting down virtual machines with the esxcli command before encrypting files.
That said, the binary does support some command-line parameters that allow attackers to customize attacks:
-p --encryption_path (target file/folder path)
-s --share_file (destination network drive path)
-n --encryption_percentage (encryption percentage)

Akira Encrypted Files on Linux Server
The -n parameter is particularly noteworthy as it allows attackers to define how much data is encrypted on each file.
The lower this setting, the faster the encryption speed, but victims are more likely to recover their original files without paying a ransom.
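The recoverability point above can be checked on an affected file during incident response. The following is an added example, not code from the original article or from any vendor report: it measures Shannon entropy per block and reports which byte ranges look like ciphertext. The 4096-byte block size, the 7.5 bits/byte threshold and the sample file are assumptions chosen for illustration.

```python
import math
import os
import sys
import tempfile
from collections import Counter

BLOCK = 4096      # analysis granularity chosen here; not Akira's internal chunk size
THRESHOLD = 7.5   # bits per byte; assumed cut-off for "looks like ciphertext"

def block_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def survey(path, block=BLOCK, threshold=THRESHOLD):
    """Return (high_blocks, total_blocks, runs); runs are (start, end) byte
    offsets of consecutive high-entropy blocks."""
    high = total = offset = 0
    runs, run_start = [], None
    with open(path, "rb") as fh:
        while chunk := fh.read(block):
            total += 1
            if block_entropy(chunk) >= threshold:
                high += 1
                if run_start is None:
                    run_start = offset
            elif run_start is not None:
                runs.append((run_start, offset))
                run_start = None
            offset += len(chunk)
    if run_start is not None:
        runs.append((run_start, offset))
    return high, total, runs

def make_sample(path, block=BLOCK):
    """Constructed sample: 4 random blocks standing in for an encrypted region,
    then 12 blocks of repetitive text standing in for untouched data."""
    with open(path, "wb") as fh:
        fh.write(os.urandom(4 * block))
        fh.write((b"scsi0:0.fileName = disk.vmdk\n" * block)[: 12 * block])

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        target = os.path.join(tempfile.mkdtemp(), "sample.bin")
        make_sample(target)
    high, total, runs = survey(target)
    print(f"{high}/{total} blocks look encrypted ({100 * high / max(total, 1):.0f}%)")
    for start, end in runs:
        print(f"  high-entropy run: bytes {start}-{end}")
```

Compressed or already-encrypted guest data is also high-entropy, so on a real disk image the reported fraction is an upper bound on what the encryptor touched.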
When encrypting files, the Linux Akira encryptor will target the following extensions:
.4dd, .accdb, .accdc, .accde, .accdr, .accdt, .accft, .adb, .ade, .adf, .adp, .arc, .ora, .af, .ask, .btr, .bdf, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad, .diagrams, .daschema, .db shm, .db wa, .db3, .dbc, .dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .dlis, .dp1, .dqy, .dsk, .dsn, .dtsx, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fics, .fmp, .fmp12, .fmps, .fp3, .fp4, .fp5, .fp7, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .is, .idb, .ihx, .itdb, .itw, .net, .jtx, .kdb, .kexi, .kexi, .kexis, .lgc, .lwx, .maf, .maq, .mar, .mas, .mav, .mdb, .mdf, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib, .ns2, .ns3, .ns4, .nsf, .nv2, .nwdb, .nyf, .odb, .oqy, .orx, .owc, .p96, .p97, .pan, .pdb, .pdm, .pdm, .nz, .qry, .qvd, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spq, .sqlite, .sqlite3, .sqlitedb, .temx, .tmd, .tps, .trc, .trm, .udb, .usr, .v12, .vis, .vpd, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld, .xmlff, .abcddb, .abs, .abx, .accdw, .adn, .db2, .fm5, .hjt, .icg, .icr, .lut, .aw, .mdn, .mdt, .vdi, .vhd, .vmdk, .pvm, .vmem, .vmsn, .vmsd, .nvram, .vmx, .raw, .qcow2, .subvo, .bin, .vsv, .avhd, .vmrs, .vhdx, .avdx, .vmcx, .iso
Strangely, the Linux locker appears to skip the following folders and files, all of which relate to Windows folders and executables, indicating that Akira's Linux variant was ported from the Windows version.
Winnt, temp, thumb, $Recycle.Bin, $RECYCLE.BIN, System Volume Information, Boot, Windows, Trend Micro, .exe, .dll, .lnk, .sys, .msi
Cyber analysts have also released a report on the Akira Linux version, explaining that the encryptor includes a public RSA encryption key and utilizes multiple symmetric key algorithms for file encryption, including AES, CAMELLIA, IDEA-CB, and DES.
The symmetric key is used to encrypt the victim's file and is then itself encrypted with the RSA public key. This prevents access to the decryption key unless you have the RSA private decryption key, which is held only by the attacker.

RSA public key used by Akira (Cyber)
Encrypted files are renamed with the .akira extension, and a hard-coded ransom note named akira_readme.txt is created in each folder on the encrypted device.
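The two file-system artefacts named above are enough to scope an incident on a mounted datastore or backup copy. This triage sketch is an added example, not part of the original article: it assumes the .akira extension is appended to the original file name, and the directory layout it builds is constructed sample data.

```python
import os
import sys
import tempfile
from collections import Counter

NOTE_NAME = "akira_readme.txt"  # ransom note file name given in the article
LOCKED_EXT = ".akira"           # extension given in the article; assumed to be appended

def triage(root):
    """Walk root; return {relative_dir: {"note", "locked", "intact"}} for every
    directory that holds a ransom note or at least one .akira file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        locked = sorted(f for f in files if f.lower().endswith(LOCKED_EXT))
        note = any(f.lower() == NOTE_NAME for f in files)
        if locked or note:
            intact = [f for f in files if f not in locked and f.lower() != NOTE_NAME]
            report[os.path.relpath(dirpath, root)] = {
                "note": note, "locked": locked, "intact": len(intact)}
    return report

def original_types(report):
    """Count encrypted files by pre-rename extension (disk.vmdk.akira -> .vmdk)."""
    counts = Counter()
    for entry in report.values():
        for name in entry["locked"]:
            stem = name[: -len(LOCKED_EXT)]
            counts[os.path.splitext(stem)[1].lower() or "(none)"] += 1
    return dict(counts)

def build_sample(root):
    """Constructed datastore-like tree; every name below is made up for the demo."""
    layout = {
        "vm-db01": ["vm-db01.vmdk.akira", "vm-db01.vmx.akira",
                    "akira_readme.txt", "vmware.log"],
        "vm-web02": ["vm-web02.vmdk", "vm-web02.vmx"],
        "iso": ["installer.iso.akira", "akira_readme.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "wb").close()

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) <= 1:
        build_sample(root)
    report = triage(root)
    for folder, entry in sorted(report.items()):
        print(f"{folder}: note={entry['note']} locked={len(entry['locked'])} "
              f"intact={entry['intact']}")
    print(original_types(report))
```

A directory that holds a note but still has intact files of a targeted type suggests the run was interrupted or scoped to a path, which is worth recording before restoring.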

Ransom notifications for Akira on Linux servers
The number of victims Akira has recently announced reflects the expansion of its target range, which will only increase the threat faced by organizations worldwide.
Unfortunately, adding Linux support is a growing trend among ransomware operations, and many use ready-made tools to do so because it is a simple and almost foolproof way to increase profits.
Other ransomware operations that use Linux encryptors, most of them targeting VMware ESXi, include Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.
The Sexun Simulation Attack Library now includes attack methods for Akira ransomware. You can search for the keyword "Akira" in the Sexun Security Measurement Verification Platform to obtain relevant attack simulation experiments. You can also search for other ransomware keywords such as "LockBit", "BlackMatter", etc. to verify whether your security defense system can effectively respond to various attack techniques used by these organizations.
Official account: Saixun verification