The Linux version of Akira was first discovered by malware analyst rivitna, who shared a sample of the new encryptor on VirusTotal last week.
BleepingComputer’s analysis of the Linux encryptor shows it has a project name of ‘Esxi_Build_Esxi6,’ indicating the threat actors designed it specifically to target VMware ESXi servers.
For example, one of the project’s source code files is /mnt/d/vcprojects/Esxi_Build_Esxi6/argh.h.
Over the past few years, ransomware gangs have increasingly created custom Linux encryptors to encrypt VMware ESXi servers as the enterprise moved to use virtual machines for servers for improved device management and efficient use of resources.
By targeting ESXi servers, a threat actor can encrypt many servers running as virtual machines in a single run of the ransomware encryptor.
However, unlike other VMware ESXi encryptors analyzed by BleepingComputer, Akira’s encryptors do not contain many advanced features, such as the automatic shutting down of virtual machines before encrypting files using the esxcli command.
Read the full article here: https://www.bleepingcomputer.com/news/security/linux-version-of-akira-ransomware-targets-vmware-esxi-servers/
Read Cyble Analysis here: https://blog.cyble.com/2023/06/28/akira-ransomware-extends-reach-to-linux-platform/
