Ransomware gang Akira has updated its operation to include a Linux encryptor that targets VMware ESXi virtual machines. Researchers suggest that Akira is the latest in a trend of cybercriminals targeting the Linux operating system, heralding an oncoming wave of ransomware attacks on the platform.
Akira has attacked 45 organisations since it emerged in April, and appears to be accelerating its activities.
Akira adds malware targeting Linux to its arsenal
Victims listed on the gang’s blog include asset management company London Capital Group and the Development Bank of Southern Africa. The majority of companies posted to the gang’s dark web blog are situated in the US.
Akira uses double extortion to pressure its victims into paying: it copies data before encrypting it, so that it can threaten to publish the stolen information as well as sell a decryption key. The ransoms demanded range from $200,000 to millions of dollars.
Targets for the group so far are mainly the professional services, education and manufacturing industries.
Once hit by an attack, the victim organisation’s files are encrypted and each file name has the Akira marker appended. A ransom note appears on the desktop, explaining in a condescending tone that the easiest path back to normal operation is to pay the ransom. “Let’s keep all the tears and resentment to ourselves and try to build a constructive dialogue,” it says. “We’re fully aware of the damage we have caused by locking your internal sources.”
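The two file-level indicators described above (the marker appended to encrypted file names and the ransom note with its quoted wording) are enough for a first triage sweep of a share or host. The script below is an added example, not code from the article or from any vendor report. It assumes the marker is appended as the suffix `.akira` (the article only says the name is appended) and recognises a note by the sentence quoted above; the sample directory tree it builds is constructed for the demonstration.

```python
"""Triage sweep for the Akira file-level indicators described in the article.

Added example, not from the article or any vendor tooling. Walks a directory
tree and reports files carrying the Akira marker and ransom notes.
"""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_SUFFIX = ".akira"   # assumption: the marker is appended as a suffix
NOTE_PHRASE = "keep all the tears and resentment to ourselves"  # wording quoted in the article


@dataclass
class SweepReport:
    encrypted: list[str] = field(default_factory=list)   # paths with the marker
    notes: list[str] = field(default_factory=list)       # paths that read like a ransom note
    per_dir: dict[str, int] = field(default_factory=dict)  # encrypted-file count per directory

    @property
    def hit(self) -> bool:
        return bool(self.encrypted or self.notes)


def looks_like_note(path: str, max_bytes: int = 64 * 1024) -> bool:
    """Cheap content check: a small file containing the quoted ransom-note sentence."""
    try:
        if os.path.getsize(path) > max_bytes:
            return False
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)
    except OSError:
        return False
    return NOTE_PHRASE.encode() in data.lower()


def sweep(root: str) -> SweepReport:
    """Walk `root` once; classify every regular file by name, then by content."""
    report = SweepReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                report.encrypted.append(path)
                report.per_dir[dirpath] = report.per_dir.get(dirpath, 0) + 1
            elif looks_like_note(path):
                report.notes.append(path)
    return report


def build_sample_tree(hit: bool = True) -> str:
    """Constructed sample data: a small tree that mimics a hit (or clean) file share."""
    root = tempfile.mkdtemp(prefix="akira_demo_")
    os.makedirs(os.path.join(root, "finance"))
    os.makedirs(os.path.join(root, "hr"))
    open(os.path.join(root, "hr", "handbook.pdf"), "wb").close()  # untouched file
    if hit:
        for name in ("q1.xlsx.akira", "q2.xlsx.akira", "budget.docx.akira"):
            open(os.path.join(root, "finance", name), "wb").close()
        with open(os.path.join(root, "finance", "readme.txt"), "w") as fh:  # note name is assumed
            fh.write("Let's keep all the tears and resentment to ourselves "
                     "and try to build a constructive dialogue.\n")
    return root


if __name__ == "__main__":
    r = sweep(build_sample_tree())
    print(f"encrypted files: {len(r.encrypted)}, notes: {len(r.notes)}, hit={r.hit}")
    for d, n in r.per_dir.items():
        print(f"  {n:4d}  {d}")
```

The per-directory counts are the useful output in a real incident: they show which shares the encryptor reached and where it stopped, which narrows the search for the account and host it ran from.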
The trend of ransomware gangs targeting Linux
Many ransomware gangs have added Linux encryptors to their operations. To date, those who have done so include LockBit, Hive, REvil, Black Basta, BlackMatter, HelloKitty, RansomEXX and AvosLocker. The trend accelerated when the source code of Babuk’s Linux encryptor was leaked online by a malicious insider within the Babuk ransomware gang.
A report by security company Cyble into Akira’s use of Linux malware notes this trend could herald an “upcoming surge in attacks targeting Linux environments”.
The fact that a previously Windows-centric ransomware gang is turning its attention to Linux “underscores the increasing vulnerability of these systems to cyber threats,” the report says.
Security companies are more geared up to deal with threats targeting Windows, explains Bharat Mistry, researcher at security company Trend Micro. Because of this, hackers see the value of targeting Linux instead. “Less people have trained with Linux, less people are proficient with it, so it’s got less experts from a security standpoint,” he says. “The perceptions have always been that Windows has been the target and not Linux.”
But this has changed as Linux usage has grown. The open-source operating system is increasingly used to host web services at no licensing cost and to run cheap cloud environments built on VMware ESXi virtual machines. An estimated 14 million internet-facing devices run Linux on any given day, and Linux powers 46.5% of the top million websites by traffic and 71.8% of IoT devices.
In Mistry’s opinion, Linux security has not kept pace with this boom in usage, and security vendors put more effort into finding vulnerabilities and faults in Microsoft products. “The attraction isn’t there for Linux,” explained Mistry, making it an “untapped opportunity for cybercriminals”. How much longer this opportunity will remain untapped remains to be seen.