Linux version of Akira ransomware targets VMware ESXi servers

Cyber Security Threat Summary:
Operators behind the Akira ransomware have released a new Linux variant that is capable of encrypting VMware ESXi virtual machines. The Linux variant was discovered by malware analyst rivitna, who shared a sample of the new encryptor on VirusTotal last week. According to analysts, the Linux encryptor carries the project name 'Esxi_Build_Esxi6', indicating that it was specifically designed to target VMware ESXi servers. Compared with other VMware ESXi encryptors, Akira's encryptor lacks many advanced features, such as automatically shutting down virtual machines with the esxcli command before encrypting files. On closer examination, the sample accepts a few command line arguments that let an attacker customize their attacks:

  • -p --encryption_path (targeted file/folder paths)
  • -s --share_file (targeted network drive path)
  • -n --encryption_percent (percentage of encryption)
  • --fork (create a child process for encryption)

“The -n parameter is particularly notable as it allows attackers to define how much data is encrypted on each file. The lower that setting, the speedier the encryption, but the more likely that victims will be able to recover their original files without paying a ransom” (Bleeping Computer, 2023).
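As an added illustration of the trade-off the quote describes (example code written for this summary, not taken from the report or from any analysis of the Akira sample): a chunk-entropy triage that estimates what fraction of a file was actually overwritten with ciphertext, which is what determines how much of a partially encrypted file remains salvageable. The partially encrypted input is constructed in the code; encrypting a leading contiguous portion is a simplification for the demo, not a claim about how Akira's -n option lays out encrypted regions.

```python
import math
import os

CHUNK = 4096          # bytes per analysis window
THRESHOLD = 7.5       # bits/byte; random ciphertext sits near 8.0, real data well below

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for a uniform byte spread)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def encrypted_fraction(blob: bytes, threshold: float = THRESHOLD, chunk: int = CHUNK) -> float:
    """Fraction of fixed-size chunks whose entropy exceeds `threshold`.

    A fully encrypted file reports ~1.0; a file hit with a low encryption percentage
    reports roughly that percentage as a fraction, regardless of where in the file the
    encrypted chunks sit. Mixed chunks (part ciphertext, part plaintext) usually fall
    below the threshold, so the estimate errs slightly low.
    """
    chunks = [blob[i:i + chunk] for i in range(0, len(blob), chunk)]
    if not chunks:
        return 0.0
    high = sum(1 for c in chunks if shannon_entropy(c) >= threshold)
    return high / len(chunks)

def make_sample(total: int, percent: int) -> bytes:
    """Constructed stand-in for a partially encrypted file: the first `percent` of the
    bytes are replaced with random data, the remainder is low-entropy filler
    (a simplification; not Akira's actual layout)."""
    enc_len = total * percent // 100
    filler = (b"VMDK-PLACEHOLDER-DATA-" * (total // 22 + 1))[: total - enc_len]
    return os.urandom(enc_len) + filler

def triage_report(blob: bytes) -> str:
    """One-line verdict a responder can log per file during datastore triage."""
    frac = encrypted_fraction(blob)
    verdict = "fully encrypted" if frac > 0.95 else "partially encrypted" if frac > 0.0 else "no ciphertext detected"
    return f"{len(blob)} bytes, ~{frac:.0%} high-entropy chunks: {verdict}"

if __name__ == "__main__":
    for pct in (0, 20, 100):
        print(f"-n {pct:>3}: {triage_report(make_sample(1 << 20, pct))}")
```

Because the estimate is per chunk, it also flags ransomware that skips ahead through a file rather than encrypting a leading block, as long as the encrypted regions are at least a chunk wide.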

Security Officer Comments:
Akira is a ransomware operation that first came into the spotlight in March 2023, targeting several organizations in the education, finance, real estate, manufacturing, and consulting sectors. Since March, the group has claimed over 30 victims in the United States alone. Like any other ransomware group, Akira engages in double extortion attacks where it will threaten to publish victims’ data on its public data leak site if a ransom is not paid.

The targeting of Linux systems is not new. Prior to Akira, several ransomware gangs had already released their own Linux variants, including Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.

“Over the past few years, ransomware gangs have increasingly created custom Linux encryptors to encrypt VMware ESXi servers as the enterprise moved to use virtual machines for servers for improved device management and efficient use of resources. By targeting ESXi servers, a threat actor can encrypt many servers running as virtual machines in a single run of the ransomware encryptor” (Bleeping Computer, 2023).

Suggested Correction(s):
Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current offline backups is critical because it allows your organization to restore systems if your network data is encrypted by ransomware.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.

Train employees: Email remains the attack vector most often exploited against organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Link(s):
https://www.bleepingcomputer.com/