Linux version of Akira ransomware targets VMware ESXi servers
2023-06-28 18:51

The Akira ransomware operation uses a Linux encryptor to encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide.

BleepingComputer's analysis of the Linux encryptor shows it has a project name of 'Esxi Build Esxi6,' indicating the threat actors designed it specifically to target VMware ESXi servers.

Over the past few years, ransomware gangs have increasingly created custom Linux encryptors to encrypt VMware ESXi servers as enterprises moved their servers to virtual machines for improved device management and efficient use of resources.

Strangely, the Linux locker appears to skip the following folders and files, all related to Windows folders and executables, indicating that the Linux variant of Akira was ported from the Windows version.

Cyble's analysts, who also published a report about the Linux version of Akira today, explain that the encryptor includes a public RSA encryption key and leverages multiple symmetric key algorithms for the file encryption, including AES, CAMELLIA, IDEA-CB, and DES. The symmetric key is used to encrypt the victims' files and is then encrypted with the RSA public key.


News URL

https://www.bleepingcomputer.com/news/security/linux-version-of-akira-ransomware-targets-vmware-esxi-servers/
