Since June 2023, Akira ransomware samples targeting Linux systems have been identified, and the group's wider activity traces back to April. Initial access typically comes from exploiting vulnerabilities in publicly exposed services and applications. The group also tends to abuse weak multi-factor authentication or the absence of it altogether. Target selection is indiscriminate: Akira attacks have hit education, finance, manufacturing, real estate, and healthcare organizations alike.
The Akira ransomware, and its Linux variants in particular, borrows techniques from the Conti ransomware. Encryption on compromised hosts uses the Crypto++ library. The Linux build accepts only a concise set of command-line options and has no option for shutting down virtual machines before encryption. Attackers can nevertheless influence the encryption pace and the victim's chances of recovery through the "-n" parameter: raising its value encrypts a larger portion of each file, which slows processing but reduces the likelihood of recovery without the decryption tools.
Recognizable for their retro-themed branding, Akira's operators show connections to the Conti ransomware group, evident in shared interactions and traces of Conti's source code within Akira's tooling. It will be worth watching how their non-Windows payloads evolve over time and how far they diverge from the Conti foundation.
Akira Ransomware Signatures
Family: Ransom:Linux/Akira.A!MTB
MD5: 302f76897e4e5c8c98a52a38c4c98443
SHA256: 1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296
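A defender-side use of the indicators above, added here as an example and not part of the original page: a small Python sweep that hashes every regular file under a directory in a single pass and reports any file whose MD5 or SHA256 matches the listed values. The function names and the one-pass hashing layout are this example's own; the indicator values are the ones listed above.

```python
import hashlib
import io
import os

# Indicators as listed on this page for Ransom:Linux/Akira.A!MTB
AKIRA_IOCS = {
    "md5": {"302f76897e4e5c8c98a52a38c4c98443"},
    "sha256": {"1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296"},
}

CHUNK = 1 << 20  # 1 MiB reads, so large files never need to fit in memory


def _digest_stream(fh):
    """Compute MD5 and SHA256 of a binary stream in one pass over the data."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for block in iter(lambda: fh.read(CHUNK), b""):
        md5.update(block)
        sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def hash_bytes(data):
    """Return (md5, sha256) hex digests of an in-memory byte string."""
    return _digest_stream(io.BytesIO(data))


def hash_file(path):
    """Return (md5, sha256) hex digests of a file on disk."""
    with open(path, "rb") as fh:
        return _digest_stream(fh)


def match_iocs(md5_hex, sha256_hex, iocs=AKIRA_IOCS):
    """Return the indicator types ('md5', 'sha256') that matched, in that order."""
    hits = []
    if md5_hex.lower() in iocs["md5"]:
        hits.append("md5")
    if sha256_hex.lower() in iocs["sha256"]:
        hits.append("sha256")
    return hits


def scan_tree(root, iocs=AKIRA_IOCS):
    """Walk a directory and return {path: [matched indicator types]} for hits only."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            # Skip symlinks and special files (sockets, devices); hash regular files only
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                md5_hex, sha256_hex = hash_file(path)
            except OSError:
                continue  # unreadable file is not fatal for a sweep
            hits = match_iocs(md5_hex, sha256_hex, iocs)
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root).items():
        print(f"MATCH {path}: {', '.join(hits)}")
```

Run it as `python scan.py /path/to/check`; only matching files are printed. Hash matching of this kind catches only the exact sample the indicators describe, so treat a match as confirmation and a miss as no evidence either way: recompiled or repacked builds will carry different hashes.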