Akira Develops Rust-Based Ransomware to Target ESXi Servers

Date: October 22, 2024


The Akira ransomware gang has developed a Rust variant of its encryptor to target VMware ESXi servers. The move from C++ to Rust for the new ESXi encryptor marks a significant change in the group's technical architecture; the new variant uses the rust-crypto 0.3.26 library.

Akira operators often exploit critical vulnerabilities in popular systems like SonicWall SonicOS, Cisco VPN services, and FortiClientEMS software to gain unauthorized access.

Once inside, they use advanced techniques such as PowerShell scripts for credential harvesting and WMI for deleting system shadow copies. The ransomware has expanded its attack scope, encrypting files with the “akiranew” extension and deploying the Megazord encryptor.  

As Cybersecurity News reports, their typical attack chain involves compromising VPN credentials, exploiting network appliances, and escalating privileges with tools like Veeam. While primarily targeting the manufacturing and technical services sectors, Akira has maintained persistence through evasion techniques such as binary padding.

Recently, the group appeared to be shifting back to their traditional C++ encryption approach for Windows and Linux environments. September 2024 samples suggest they have adopted the more efficient ChaCha8 stream cipher and streamlined their toolset.  

The group continues to focus on attacking ESXi and Linux environments, allowing simultaneous encryption of multiple virtual machines and critical workloads for maximum operational impact.

Takeaway: Ransomware groups have increasingly adopted Rust as a favored programming language, enabling the creation of cross-platform payloads capable of executing on both Windows and Linux systems.  

Rust’s advanced evasion capabilities allow ransomware to disable security tools and bypass sandbox analysis, making it particularly dangerous.  

Rust's superior memory management, performance in concurrent processing, and faster compilation times compared to C++ and Golang also make it harder to extract decryptor keys, further complicating defensive efforts.

According to the Halcyon Power Rankings: Ransomware Malicious Quartile report, Akira ransomware, which first appeared in March 2023, has rapidly become one of the most active ransomware groups in 2024.  

Though some believe Akira may be linked to the Conti gang—especially following the 2022 leak of Conti’s code—no definitive connection has been confirmed. Akira’s distinctive extortion model includes a chat feature for direct negotiation with victims, sometimes revealing infection vectors to those who pay the ransom—a departure from typical ransomware behavior.

Despite claims of a functional decryptor for earlier versions of Akira, it has proven largely ineffective for full data recovery. The group operates a sophisticated Ransomware-as-a-Service (RaaS) platform, written in C++, that targets both Windows and Linux systems.

Akira’s advanced techniques include exploiting VPN credentials for initial access, deleting Windows Shadow Volume Copies via PowerShell to prevent file recovery, and using legitimate Living-off-the-Land Binaries (LOLBins) and commercial tools like PCHunter64 to evade detection.
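Both the WMI-based shadow copy deletion mentioned earlier and the PowerShell-based deletion described in this paragraph are backup-inhibition steps that precede encryption, and they are among the most reliable pre-encryption signals a defender can alert on. The following detector is an added example for this article, not Akira tooling or Halcyon code. It runs a small set of rules over process-creation records and then flags hosts on which several distinct deletion techniques fire, since one `vssadmin` call may be an administrator but several methods in quick succession on the same host is the pattern the article describes. The log layout (`timestamp|host=..|user=..|image=..|cmd=..`), hostnames, users and command lines are constructed samples; the `parse_line` function is the only part that needs adapting to a real source such as Sysmon event 1, Windows 4688 or EDR telemetry.

```python
"""Detect shadow-copy deletion (backup inhibition) in process-creation logs.

Added example, not code from the article or from Akira tooling. The log
format and every value in SAMPLE_LOGS are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry in a simplified pipe-delimited layout.
# Three deletion techniques on FS01 in under ten seconds, plus two benign
# events on WS07 (a read-only 'list shadows' and an unrelated process).
SAMPLE_LOGS = [
    r"2024-10-22T03:14:05Z|host=FS01|user=CORP\svc_backup|image=C:\Windows\System32\vssadmin.exe|cmd=vssadmin.exe delete shadows /all /quiet",
    r"2024-10-22T03:14:09Z|host=FS01|user=CORP\svc_backup|image=C:\Windows\System32\wbem\WMIC.exe|cmd=wmic.exe shadowcopy delete",
    r'2024-10-22T03:14:12Z|host=FS01|user=CORP\svc_backup|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -nop -w hidden -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
    r"2024-10-22T03:15:00Z|host=WS07|user=CORP\alice|image=C:\Windows\System32\vssadmin.exe|cmd=vssadmin.exe list shadows",
    r"2024-10-22T03:16:30Z|host=WS07|user=CORP\alice|image=C:\Windows\System32\notepad.exe|cmd=notepad.exe notes.txt",
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    cmd: str


# Each rule names one backup-inhibition technique. Matching is done on the
# command line only, so a renamed binary still trips the rule if the
# arguments are intact; pair with image-path checks in production.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("powershell_wmi_shadowcopy_delete",
     re.compile(r"Win32_ShadowCopy.*?(Remove-WmiObject|Remove-CimInstance|\.Delete\(\))",
                re.I | re.S)),
    ("wbadmin_delete_catalog",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]


def parse_line(line: str) -> dict:
    """Split one record into fields. maxsplit=4 keeps any '|' that appears
    inside the command line (PowerShell pipelines) attached to 'cmd'."""
    ts, *fields = line.split("|", 4)
    rec = {"timestamp": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect(lines) -> list:
    """Return one Finding per (record, rule) match, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        cmd = rec.get("cmd", "")
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(rec["timestamp"], rec.get("host", "?"),
                                        rec.get("user", "?"), name, cmd))
    return findings


def hosts_with_multiple_techniques(findings, min_rules: int = 2) -> list:
    """Hosts on which at least `min_rules` distinct deletion techniques fired.
    Several methods on one host is far more ransomware-like than a single
    administrative vssadmin call."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for f in found:
        print(f"{f.timestamp} {f.host} {f.user} [{f.rule}] {f.cmd}")
    print("escalate:", hosts_with_multiple_techniques(found))
```

Against the constructed sample the three FS01 records each trigger a different rule and FS01 is the only host escalated; the `list shadows` call on WS07 is correctly ignored because the rule requires the `delete` verb. In a real deployment the time window between findings on one host is worth adding as a second condition, and the findings should be joined back to the parent process so that a backup agent legitimately rotating snapshots can be allow-listed by image path rather than by suppressing the rule.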

In July 2023, Akira expanded its operations with a Linux variant, and by August, the group was exploiting a zero-day vulnerability (CVE-2023-20269) in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to execute brute-force attacks.  

Akira has also leveraged VMware ESXi vulnerabilities for lateral movement within compromised networks. Their double extortion strategy involves not only encrypting data but also exfiltrating it, threatening to leak or sell the information if the ransom is not paid.

In the first half of 2024, Akira’s attacks intensified in Latin America, particularly targeting the healthcare sector, although their reach extended to industries like education, finance, and manufacturing.  

This broad approach indicates their desire to maximize impact across multiple sectors. With over 300 victims and more than $50 million in ransom collected, Akira has become a dominant player in the ransomware landscape.  

Ransom demands typically range from $200,000 to $4 million, with notable victims including Nissan, the Royal College of Physicians and Surgeons, and more.

Halcyon.ai eliminates the business impact of ransomware, drastically reduces downtime, prevents data exfiltration, and enables organizations to quickly and easily recover from attacks without paying ransoms or relying on backups – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.