Akira’s Attack on VMware ESXi Servers: Ransomware Enters a New Phase

The Akira ransomware group, which has been actively operating in the Ransomware-as-a-Service (RaaS) space since March 2023, recently introduced a new Linux variant targeting VMware ESXi servers. This development poses a significant cybersecurity threat.

Initially focused on Windows systems, Akira began targeting VMware ESXi servers in April 2023 with a specially developed Linux encryptor. This strategic pivot reflects a growing trend among ransomware groups to target virtualized environments, which are a critical component of enterprise infrastructure.

By compromising the ESXi hypervisor, attackers can encrypt multiple virtual machines (VMs) simultaneously, greatly amplifying the impact of the attack.

The Akira v2 program for Linux is written in the Rust programming language, which is known for its high efficiency and security features. The use of Rust complicates ransomware analysis and detection. Akira v2 appends the “.akiranew” extension to encrypted files and employs a custom encryption process targeting specific file types.

The program is capable of encrypting critical system files, including those with .edb (Exchange database) and .vhd (virtual hard disk) extensions. This can lead to severe consequences for organizations, disrupting email services and virtualized environments.

The Akira ransomware uses a sophisticated hybrid encryption scheme that combines the ChaCha20 stream cipher with RSA public-key cryptosystem encryption. This approach ensures the efficient encryption of large data volumes while maintaining secure key exchange.

Akira is equipped with functionalities specifically designed to exploit vulnerabilities in VMware environments. For instance:

  • It exploits the CVE-2024-37085 vulnerability, which allows attackers to bypass authentication in VMware ESXi hypervisors and gain administrative privileges through misconfigurations in Active Directory.
  • It uses commands such as esxcli system syslog config set --logdir=/tmp to disable logging and esxcli system coredump file set --unconfigure to restrict forensic analysis.
  • Unlike some other ransomware, Akira does not automatically shut down virtual machines. However, it allows attackers to manually stop active VMs using commands like stopvm for maximum disruption.
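The two esxcli commands listed above are useful detection anchors on the defender's side, because legitimate administration rarely redirects syslog to a volatile path and removes the coredump target in the same shell session. The following is an added illustration, not code from the article or from any Akira sample: it parses a few constructed lines modelled on the layout of the ESXi shell history log (/var/log/shell.log; the timestamp, PID and user fields are assumed, not copied from a real host), flags the anti-forensics commands, and escalates when both fire within one session and a short time window.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample, modelled on the ESXi shell.log layout. The host,
# timestamps and PID are invented; only the two esxcli commands come
# from the reporting on Akira. The last line is a benign syslog change
# (forwarding to a collector) that must NOT raise a finding.
SAMPLE_SHELL_LOG = """\
2024-05-01T10:02:11Z shell[2101234]: [root]: esxcli system version get
2024-05-01T10:03:40Z shell[2101234]: [root]: esxcli system syslog config set --logdir=/tmp
2024-05-01T10:03:52Z shell[2101234]: [root]: esxcli system coredump file set --unconfigure
2024-05-01T10:04:05Z shell[2101234]: [root]: vim-cmd vmsvc/getallvms
2024-05-01T10:05:19Z shell[2101234]: [root]: esxcli system syslog config set --loghost=udp://siem.example.internal:514
"""

# Assumed line layout: "<ISO timestamp> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)

# Detection rules: (name, pattern over the command text, severity).
# The logdir rule fires only when logs are pointed at a non-persistent
# location, so routine changes such as --loghost forwarding stay quiet.
RULES = [
    ("syslog_redirected_to_volatile_path",
     re.compile(r"esxcli\s+system\s+syslog\s+config\s+set\b.*--logdir=(/tmp|/var/tmp|/dev/null)\b"),
     "high"),
    ("coredump_unconfigured",
     re.compile(r"esxcli\s+system\s+coredump\s+file\s+set\b.*--unconfigure\b"),
     "high"),
]
PAIRED_RULES = {"syslog_redirected_to_volatile_path", "coredump_unconfigured"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    timestamp: datetime
    pid: str          # shell session identifier in the assumed log layout
    user: str
    command: str


def parse_shell_log(text: str) -> List[Dict[str, str]]:
    """Split the log into field dicts; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            entries.append(match.groupdict())
    return entries


def detect_anti_forensics(text: str) -> List[Finding]:
    """Apply every rule to every parsed command and collect the hits in log order."""
    findings = []
    for entry in parse_shell_log(text):
        ts = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for name, pattern, severity in RULES:
            if pattern.search(entry["cmd"]):
                findings.append(Finding(name, severity, ts, entry["pid"], entry["user"], entry["cmd"]))
    return findings


def paired_in_session(findings: List[Finding], window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Return the shell sessions (PIDs) where both anti-forensics rules fired within `window`.

    Either command alone can have a benign explanation; both together, seconds
    apart, in one session is the pattern worth paging on.
    """
    by_pid: Dict[str, List[Finding]] = {}
    for finding in findings:
        by_pid.setdefault(finding.pid, []).append(finding)
    flagged = []
    for pid, session in by_pid.items():
        if PAIRED_RULES <= {f.rule for f in session}:
            span = max(f.timestamp for f in session) - min(f.timestamp for f in session)
            if span <= window:
                flagged.append(pid)
    return flagged


if __name__ == "__main__":
    hits = detect_anti_forensics(SAMPLE_SHELL_LOG)
    for hit in hits:
        print(f"{hit.timestamp.isoformat()} [{hit.severity}] {hit.rule}: {hit.command}")
    print("sessions with paired anti-forensics commands:", paired_in_session(hits))
```

Run against a real host, the same logic would read /var/log/shell.log, or better the copy already forwarded to a central collector, since the whole point of the first command is that the local copy may be gone by the time anyone looks. Forwarding ESXi syslog off-host before an incident is what makes this detection survive the attack it is meant to catch.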

According to reports, Akira’s victims include organizations in the manufacturing, education, finance, and critical infrastructure sectors. The United States was the worst-hit country, followed by Canada, the United Kingdom, and Germany.

The group has targeted over 350 victims globally and, as of April 2024, has extorted approximately $42 million in ransom payments.

Akira employs a double extortion strategy: it exfiltrates sensitive data before encryption. Victims are forced to pay large ransoms under the threat of having their data publicly exposed on Akira’s dedicated site on the Tor network.

Organizations can protect themselves from Akira ransomware attacks by implementing the following measures:

  • Patch Management: Promptly apply security updates, particularly for vulnerabilities like CVE-2024-37085.
  • Network Segmentation: Isolate critical systems from the general network.
  • Endpoint Detection and Response (EDR): Deploy solutions capable of detecting ransomware-related behaviors.
  • Backup Strategies: Maintain offline or cloud backups and regularly test their integrity and recovery speed.
  • Multi-Factor Authentication (MFA): Implement MFA for all remote access points.

The new Linux variant of Akira highlights the increasing sophistication of cybersecurity threats targeting virtualized environments, particularly VMware ESXi servers. With its ability to exploit vulnerabilities and execute tailored attacks, Akira poses a major threat to organizations worldwide.
