Newbie Akira Ransomware Builds Momentum With Linux Shift

Published: 23/11/2024   Category: security




A new version of the double-extortion group's malware reflects a growing trend among ransomware actors to expand cybercrime opportunities beyond Windows.



The fledgling Akira ransomware group is building momentum and expanding its target base, following other cybercriminal groups by adding capabilities to exploit Linux systems as part of a growing sophistication in its activity, researchers have found.
The gang, which emerged as a cybercriminal force to be reckoned with in April of this year, is primarily known for attacking Windows systems, and maintains a unique data-leak site designed as an interactive command prompt using jQuery.
However, the group — named for a 1988 Japanese anime cult classic featuring a psychopathic biker — is now shifting its tactics to target Linux, with a new version of its ransomware that can exploit systems running the open source OS, researchers from Cyble Research and Intelligence Labs (CRIL) revealed in a blog post published June 29.
This move reflects both Akira's evolution and a growing trend among ransomware groups, which now see an opportunity in exploiting the popularity of Linux across enterprise environments. Linux has become the de facto standard for running virtual container-based systems, which are typically the back end for Internet of Things (IoT) devices and mission-critical applications.
The fact that a previously Windows-centric ransomware group is now turning its attention to Linux underscores the increasing vulnerability of these systems to cyber threats, the researchers wrote in the post.
Indeed, the shift by Akira follows a move by other, more established ransomware — such as the Cl0p, Royal, and IceFire ransomware groups — to do the same.
Akira is also expanding rapidly, having in just a few months already compromised 46 publicly disclosed victims — the majority of which are located in the US, the researchers said.
Victims span various industries, but the bulk of them have come from the education sector, followed closely by manufacturing, professional services, BFSI (banking, financial services, and insurance), and construction. Other victims are scattered across assorted verticals, including agriculture and livestock, food and beverage, IT and ITES, real estate, consumer goods, automotive, chemical, and other industries, they said.
Akira is primarily focused on compromising and stealing data from its victims using double-extortion tactics, threatening to leak the data on the Dark Web if they don't pay the requested ransom.
The new Linux ransomware file infects systems in the form of a console-based 64-bit executable built with the Microsoft Visual C/C++ compiler, the researchers said. Upon execution, it uses the API function GetLogicalDriveStrings() to obtain a list of the logical drives currently available on the system.
The malware then drops a ransom note in multiple folders with the file name akira_readme.txt, and proceeds to search for files and directories to encrypt by iterating through them using the API functions FindFirstFileW() and FindNextFileW().
The ransomware uses the Microsoft Enhanced RSA and AES Cryptographic Provider libraries to encrypt the victim's machine using a fixed, hardcoded, base64-encoded public key, renaming encrypted files with the .akira extension. It also uses several functions from CryptoAPI in its encryption process, the researchers said.
Akira ransomware also includes an additional feature that prevents system restoration: it uses a PowerShell command to execute a WMI query that deletes the shadow copies, they added.
The dropped ransom note provides instructions for contacting Akira to negotiate terms for paying a ransom. The group often threatens victims with plans to leak the data on its ransomware site (aka double extortion), which indeed displays a list of victims that didn't pay and the associated leaks of their data, the researchers said.
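The behaviours described above (a PowerShell-driven WMI shadow-copy deletion, the akira_readme.txt note, and renaming encrypted files to .akira) are the kind of host telemetry a defender can alert on. The following is an added detection example, not code from the article or from CRIL; the log format, the sample events, and the rename-burst threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article): one event per line,
# "<type>|<host>|<details>", loosely modelled on process-creation,
# file-create and file-rename events from an endpoint sensor.
SAMPLE_EVENTS = """\
proc_create|ws01|powershell.exe -Command Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }
file_create|ws01|C:\\Users\\alice\\Documents\\akira_readme.txt
file_rename|ws01|C:\\Users\\alice\\Documents\\q3.xlsx -> C:\\Users\\alice\\Documents\\q3.xlsx.akira
file_rename|ws01|C:\\Users\\alice\\Documents\\notes.docx -> C:\\Users\\alice\\Documents\\notes.docx.akira
file_rename|ws01|C:\\Users\\alice\\Pictures\\cat.png -> C:\\Users\\alice\\Pictures\\cat.png.akira
proc_create|ws02|powershell.exe -Command Get-WmiObject Win32_LogicalDisk
file_rename|ws02|C:\\tmp\\draft.docx -> C:\\tmp\\final.docx
"""

# Shadow-copy removal via WMI as the article describes: the WMI class and a
# Delete call appearing in the same PowerShell command line.
SHADOW_DELETE = re.compile(r"Win32_ShadowCopy.*Delete", re.IGNORECASE)
RANSOM_NOTE = re.compile(r"(^|[\\/])akira_readme\.txt$", re.IGNORECASE)
AKIRA_EXT = re.compile(r"\.akira$", re.IGNORECASE)
RENAME_THRESHOLD = 3  # assumed burst size that counts as a mass rename

def parse_event(line):
    # The details field may itself contain "|" (PowerShell pipelines), so
    # split on the first two separators only.
    etype, host, details = line.split("|", 2)
    return etype, host, details

def detect(events_text, threshold=RENAME_THRESHOLD):
    """Return {host: [alert, ...]} for Akira-like behaviour in the telemetry."""
    alerts = defaultdict(list)
    renames = defaultdict(int)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        etype, host, details = parse_event(line)
        if etype == "proc_create" and "powershell" in details.lower() and SHADOW_DELETE.search(details):
            alerts[host].append("shadow_copy_deletion")
        elif etype == "file_create" and RANSOM_NOTE.search(details):
            alerts[host].append("ransom_note_dropped")
        elif etype == "file_rename":
            dst = details.split(" -> ", 1)[-1]
            if AKIRA_EXT.search(dst):
                renames[host] += 1
                if renames[host] == threshold:  # alert once per host
                    alerts[host].append("mass_rename_to_akira")
    return dict(alerts)

if __name__ == "__main__":
    for host, found in detect(SAMPLE_EVENTS).items():
        print(host, found)
```

On the sample data only ws01 trips all three rules; ws02's ordinary WMI query and single rename are ignored, which is the point of pairing the WMI class with a Delete call and requiring a rename burst rather than a single renamed file.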
Researchers made a number of recommendations for how organizations can prevent and mitigate ransomware attacks. They include conducting regular backups and keeping those backups offline or on a separate network so that systems can be restored in case of attack, they said.
Organizations also should turn on the automatic software update feature on computers as well as other mobile and connected devices wherever possible and pragmatic, and use a reliable and trusted antivirus and Internet security software package on all connected devices, the researchers advised.
As ransomware often hitches a ride on files spread through phishing attacks, corporate users also should refrain from opening untrusted links and email attachments without verifying their authenticity, they added.
The steps taken after a ransomware attack also affect how extensive the damage to a network is. If ransomware is detected on an enterprise system, organizations should immediately detach infected devices from the network, disconnect any connected external storage devices, and inspect system logs for suspicious events, the researchers added.
