| Category | Details |
|---|---|
| Threat Actors | Akira ransomware group and its affiliates, operating under a ransomware-as-a-service (RaaS) model and targeting ESXi servers. |
| Campaign Overview | Early 2024 campaign experimenting with Akira v2, a Rust-based ransomware variant aimed at ESXi servers. Analyzed for its control flow, design choices, and distinguishing characteristics. |
| Target Regions/Victims | Organizations running the ESXi bare-metal hypervisor; Linux environments are a secondary target. |
| Methodology | Multithreaded design written in Rust, a command-line interface for operator control, and heavy use of Rust crates such as indicatif (progress-bar feedback) and seahorse (command-line argument handling). |
| Product Targeted | ESXi servers and Linux systems (with /vmfs/volumes as the default target directory), plus general-purpose file encryption capabilities. |
| Malware Reference | Akira ransomware v2; SOSEMANUK stream cipher for symmetric encryption; curve25519 cryptographic library for asymmetric encryption. |
| Tools Used | Rust language features and third-party crates (indicatif, seahorse, cryptography and control-flow crates), compiled in Release mode. |
| Vulnerabilities Exploited | None reported. The sample does not exploit vulnerabilities; it focuses on file encryption and on targeting VMs through built-in ESXi tooling such as vim-cmd. |
| TTPs | Hybrid encryption combining asymmetric and symmetric ciphers; use of Rust's multithreading and CLI capabilities; hindering of in-depth analysis through aggressive inlining of library functions. |
| Attribution | Akira ransomware group and affiliates, using Rust for cross-platform and efficient ransomware deployment. |
| Recommendations | Update and secure ESXi environments; monitor for suspicious processes and CLI usage; employ strong encryption for backups; implement proactive defenses against RaaS attacks. |
| Source | Check Point Research analysis of Akira ransomware, 2024. |
Disclaimer: The above summary has been generated by an AI language model.