Ransomware gang Akira adds malware targeting Linux to its arsenal

The group has turned its attentions to Linux, joining a number of other cybercriminals with the open source operating system in their sights.

By Claudia Glover

Ransomware gang Akira has updated its operation to include an encryptor that targets VMware ESXi virtual machines running on Linux. Researchers suggest that Akira is the latest in a trend of cybercriminals targeting the Linux operating system, heralding an oncoming wave of ransomware attacks.

Linux OS targeted by Akira ransomware gang. (Photo by T Schneider/Shutterstock)

Akira has attacked 45 organisations since it emerged in April, and appears to be accelerating its activities. 

Akira adds malware targeting Linux to its arsenal

Victims listed on the gang’s blog include asset management company London Capital Group and the Development Bank of Southern Africa. The majority of companies posted to the gang’s dark web blog are situated in the US.

Akira uses double extortion techniques to pressure its victims into paying: it copies the data before encrypting it, so that it can threaten to release the information as well as sell a decryption key. The ransoms demanded range from $200,000 to millions of dollars.

Targets for the group so far are mainly the professional services, education and manufacturing industries.

Once hit by an attack, the victim organisation’s files will be encrypted and the file names appended with the name Akira. A ransom note will appear on the desktop, explaining in a condescending tone that the easiest path back to the company functioning normally is to pay the ransom. “Let’s keep all the tears and resentment to ourselves and try to build a constructive dialogue,” it says. “We’re fully aware of the damage we have caused by locking your internal sources.”

The trend of ransomware gangs targeting Linux

Many ransomware gangs are joining the trend of adding Linux encryptors to their operations. To date, those who have done so include LockBit, Hive, REvil, Black Basta, BlackMatter, HelloKitty, RansomEXX and AvosLocker. The use of Linux ransomware was exacerbated when sophisticated malware targeting Linux was leaked online by a malicious insider from within the Babuk ransomware gang.

A report by security company Cyble into Akira’s use of Linux malware notes this trend could herald an “upcoming surge in attacks targeting Linux environments”. 

The fact that a previously Windows-centric ransomware gang is turning its attention to Linux “underscores the increasing vulnerability of these systems to cyber threats,” the report says.

Security companies are more geared up to deal with threats targeting Windows, explains Bharat Mistry, researcher at security company Trend Micro. Because of this, hackers see the value of targeting Linux instead. “Less people have trained with Linux, less people are proficient with it, so it’s got less experts from a security standpoint,” he says. “The perceptions have always been that Windows has been the target and not Linux.”

But this has changed as Linux’s usage has grown. The open-source operating system is increasingly being used to host web services for free and to spin up cheap cloud environments using VMware and ESXi virtual machines. An estimated 14 million internet-facing devices are running on Linux on any given day, in addition to 46.5% of the top million websites by traffic and 71.8% of IoT devices.

In Mistry’s opinion, Linux is not secure enough for this recent boom in usage, and security vendors put more effort into finding vulnerabilities and faults in Microsoft products. “The attraction isn’t there for Linux,” explained Mistry, making it an “untapped opportunity for cybercriminals”. How much longer this opportunity will remain untapped remains to be seen.
