Linux version of Akira ransomware targets VMware ESXi servers. (4th July, 2023)

Ref# AL2023_54 | Date: Jul 4th 2023

Description  

The ransomware group known as Akira has been carrying out double-extortion attacks against companies globally, utilizing a Linux encryptor to encrypt VMware ESXi virtual machines. Initially observed in March 2023, Akira focused on targeting Windows systems across various industries, including education, finance, real estate, manufacturing, and consulting.

Like other ransomware groups targeting enterprises, the threat actors behind Akira use double extortion. They not only encrypt files on compromised networks but also exfiltrate sensitive data, enabling them to extort victims with the stolen data while demanding substantial ransom payments, often reaching millions of dollars. Since its inception, the Akira ransomware operation has already victimized more than 30 organizations in the United States alone. Notably, there have been two distinct surges in ID Ransomware submissions, indicating heightened activity at the end of May and again at the present time.

Details 

The Linux variant of Akira ransomware was first discovered by malware analyst rivitna, who recently shared a sample of the new encryptor on VirusTotal. Upon analyzing the Linux encryptor, BleepingComputer found that it carries a project name of Esxi_Build_Esxi6, indicating that the threat actors specifically developed it to target VMware ESXi servers.

For instance, one of the source code files associated with the project is located at /mnt/d/vcprojects/Esxi_Build_Esxi6/argh.h. In recent years, ransomware groups have increasingly created customized Linux encryptors to target VMware ESXi servers. This is driven by enterprises' adoption of virtual machines for server infrastructure, which offers improved device management and resource efficiency.

By focusing on ESXi servers, threat actors can encrypt numerous servers that operate as virtual machines in a single run of the ransomware encryptor. However, unlike other VMware ESXi encryptors studied by BleepingComputer, Akira's encryptor lacks several advanced features, such as automatically shutting down virtual machines with the esxcli command before initiating file encryption.

Nonetheless, the binary does support a few command-line arguments that provide attackers with customization options for their attacks:

  • -p or --encryption_path: Specifies the targeted file or folder paths for encryption.
  • -s or --share_file: Defines the targeted network drive path for encryption.
  • -n or --encryption_percent: Determines the percentage of encryption applied to each file.
  • --fork: Enables the creation of a child process for encryption.

Of particular significance is the -n parameter, which allows attackers to define the encryption level for each file. Lower settings result in faster encryption but increase the likelihood of victims recovering their original files without paying the ransom.
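The trade-off behind the -n parameter also cuts the other way for defenders: a partially encrypted file is a mix of low-entropy original content and high-entropy ciphertext, and that mix is visible in a per-window entropy profile. The following script is an added example (not code from the advisory or from any analysis it cites) that computes a Shannon entropy profile over fixed-size windows and reports what fraction of a file looks encrypted. The sample file it builds is constructed, and the simulation assumes the encrypted portion is a contiguous prefix; the advisory does not describe how Akira lays out the encrypted portion, so treat that layout as an assumption.

```python
import math
import os
import tempfile
from collections import Counter

CHUNK = 4096          # bytes per entropy window
HIGH_ENTROPY = 7.5    # bits/byte; compressed or encrypted data sits near 8.0, text far below


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_profile(path: str, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size window, read sequentially from the start of the file."""
    profile = []
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            profile.append(shannon_entropy(block))
    return profile


def encrypted_fraction(path: str, chunk: int = CHUNK, threshold: float = HIGH_ENTROPY) -> float:
    """Fraction of windows whose entropy is at or above the ciphertext threshold."""
    profile = entropy_profile(path, chunk)
    if not profile:
        return 0.0
    return sum(1 for e in profile if e >= threshold) / len(profile)


def make_sample(percent: int, size: int = 64 * 1024) -> str:
    """Constructed sample: a repetitive, low-entropy 'database dump' whose first
    `percent` of bytes are replaced with random data to simulate partial encryption.
    (Prefix layout is an assumption made for the simulation, not a statement about Akira.)"""
    line = b"INSERT INTO orders VALUES (1, 'widget', 9.99);\n"
    plaintext = (line * (size // len(line) + 1))[:size]
    cut = size * percent // 100
    data = os.urandom(cut) + plaintext[cut:]
    fd, path = tempfile.mkstemp(suffix=".sql")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    for pct in (0, 25, 100):
        sample = make_sample(pct)
        print(f"simulated {pct:3d}% encrypted -> "
              f"{encrypted_fraction(sample):.2f} of windows look encrypted")
        os.remove(sample)
```

Run against a real datastore the profile is what matters, not the single number: a run of high-entropy windows at a fixed position followed by ordinary content is the signature of percentage-based encryption, whereas a uniformly high profile is expected for files that are compressed or encrypted by design (ISO images and VM disks with encrypted guests will trigger on entropy alone, so combine this with the rename and ransom-note indicators rather than using it in isolation).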

When encrypting files, the Linux Akira encryptor will target the following extensions:

.4dd, .accdb, .accdc, .accde, .accdr, .accdt, .accft, .adb, .ade, .adf, .adp, .arc, .ora, .alf, .ask, .btr, .bdf, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad, .dadiagrams, .daschema, .db-shm, .db-wa, .db3, .dbc, .dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .dlis, .dp1, .dqy, .dsk, .dsn, .dtsx, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fmp, .fmp12, .fmps, .fp3, .fp4, .fp5, .fp7, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .idb, .ihx, .itdb, .itw, .jet, .jtx, .kdb, .kexi, .kexic, .kexis, .lgc, .lwx, .maf, .maq, .mar, .mas, .mav, .mdb, .mdf, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib, .ns2, .ns3, .ns4, .nsf, .nv2, .nwdb, .nyf, .odb, .oqy, .orx, .owc, .p96, .p97, .pan, .pdb, .pdm, .pnz, .qry, .qvd, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spq, .sqlite, .sqlite3, .sqlitedb, .temx, .tmd, .tps, .trc, .trm, .udb, .usr, .v12, .vis, .vpd, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld, .xmlff, .abcddb, .abs, .abx, .accdw, .adn, .db2, .fm5, .hjt, .icg, .icr, .lut, .maw, .mdn, .mdt, .vdi, .vhd, .vmdk, .pvm, .vmem, .vmsn, .vmsd, .nvram, .vmx, .raw, .qcow2, .subvo, .bin, .vsv, .avhd, .vmrs, .vhdx, .avdx, .vmcx, .iso

According to Cyble's analysts, who recently released a report on the Linux version of Akira, the encryptor utilizes a public RSA encryption key and employs various symmetric key algorithms for file encryption. These symmetric key algorithms include AES, CAMELLIA, IDEA-CB, and DES.

In the encryption process, the symmetric key is used to encrypt the files of the victims. Subsequently, the symmetric key itself is encrypted using the RSA public key. This methodology ensures that the decryption key remains inaccessible and therefore files can only be unlocked by the threat actors who possess the RSA private decryption key. After encrypting the files, Akira renames them with the .akira extension, and in each folder of the compromised device, a ransom note named akira_readme.txt is created, serving as a hardcoded message from the attackers.
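The two on-disk artifacts described above (the .akira rename and the akira_readme.txt note dropped in every folder) are the quickest things to sweep for during triage, and the targeted-extension list bounds what is at risk on a datastore that has not yet been fully encrypted. The following is an added example, not code from the advisory or from any vendor it cites: it walks a directory tree and separates files already renamed to .akira, ransom notes, and still-intact files whose extension appears in the advisory's list. The extension set below is a subset of that list; the sample datastore layout it builds is constructed.

```python
import os
import tempfile
from typing import Dict, List

RANSOM_NOTE = "akira_readme.txt"   # note name reported in the advisory
ENCRYPTED_EXT = ".akira"           # extension appended to encrypted files

# Subset of the extensions the advisory lists as targeted (VM disk/config and database files).
TARGETED_EXTS = {
    ".vmdk", ".vmx", ".vmem", ".vmsn", ".vmsd", ".nvram", ".vhd", ".vhdx", ".vdi",
    ".qcow2", ".iso", ".mdf", ".ndf", ".sqlite", ".sqlite3", ".db3", ".accdb",
    ".dbf", ".frm", ".myd", ".edb",
}


def triage(root: str) -> Dict[str, List[str]]:
    """Classify every file under `root` into encrypted / ransom note / at-risk buckets."""
    findings = {"encrypted": [], "notes": [], "at_risk": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == RANSOM_NOTE:
                findings["notes"].append(path)
            elif lower.endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(path)
            else:
                _stem, ext = os.path.splitext(lower)
                if ext in TARGETED_EXTS:
                    findings["at_risk"].append(path)
    for bucket in findings.values():
        bucket.sort()
    return findings


def summarize(findings: Dict[str, List[str]]) -> Dict[str, int]:
    """Per-bucket counts, suitable for a ticket or an IR status line."""
    return {bucket: len(paths) for bucket, paths in findings.items()}


def build_sample_datastore() -> str:
    """Constructed directory tree imitating a datastore where one VM folder was hit
    and a second has not been touched yet. Contents are placeholder bytes."""
    root = tempfile.mkdtemp(prefix="datastore1_")
    layout = {
        "vm-web01/vm-web01.vmdk.akira": b"\x00" * 16,
        "vm-web01/vm-web01.vmx.akira": b"\x00" * 16,
        "vm-web01/akira_readme.txt": b"constructed ransom note text",
        "vm-db01/vm-db01.vmdk": b"\x00" * 16,
        "vm-db01/vm-db01.vmx": b"constructed vmx text",
        "iso/tools.iso": b"\x00" * 16,
        "notes/readme.md": b"unrelated documentation",
        "akira_readme.txt": b"constructed ransom note text",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_datastore()
    findings = triage(root)
    print(summarize(findings))
    for bucket, paths in findings.items():
        for p in paths:
            print(f"{bucket:10s} {os.path.relpath(p, root)}")
```

The at-risk bucket is the list to act on first: those are the VM disks and configuration files that can still be copied off or snapshotted before an encryptor that is still running, or a second run, reaches them. Note names and extensions are matched case-insensitively because the same indicators may be reported in different casing by different tools.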

The expanding number of victims announced by the Akira group reflects its widening scope of targets, intensifying the threat to organizations worldwide. Regrettably, the adoption of Linux support by ransomware groups is a growing trend, with many utilizing readily available tools to accomplish it. This approach provides an easy and foolproof method for these groups to maximize their profits. Other ransomware operations that employ Linux ransomware encryptors, primarily targeting VMware ESXi, include Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.

Remediation 

  1. Perform backups of virtual disks (vdisks) for cases where a ransomware attack is successful. Having backups available enables quick recovery and allows the affected device to be segmented and cut off from the network before the ransomware can spread.

  2. To enhance security and prevent ransomware attacks, it is recommended to segregate management applications such as VMware ESXi, Hyper-V, and other virtualization environments from other IT systems. This can be achieved by placing these management systems on a separate VLAN (Virtual Local Area Network) with restricted access. By utilizing VLANs, network traffic can be controlled, allowing administrators to determine the permitted entry and exit points. This control helps in limiting the reach of malware and prevents it from spreading across the network.

  3. To enhance the security of VMware ESXi management applications, it is advised not to attach them to Active Directory (AD). While AD offers convenience in terms of updates and security policies, it can also be leveraged by ransomware to locate virtualization environments on the network. By keeping VMware ESXi management applications separate from AD, ransomware faces a greater challenge in identifying these environments. This additional hurdle provides network operators and systems administrators with more time to detect and mitigate potential threats.

  4. Use strong, complex passwords and employ a password change policy.

  5. Update systems, products and devices to their latest stable versions.
