Akira Ransomware Now Cross-Platform, Threatening Windows and Linux

The Akira group, known for its ransomware of the same name, has expanded its activities to target Linux platforms. The ransomware appends the extension “.Akira” to each file it encrypts.

Operating since March 2023, the Akira ransomware targets various industries, including education, banking, financial services and insurance (BFSI), manufacturing, and professional services. According to data from Cyble, the group has already compromised 46 victims, most of them located in the USA.

In the most recently discovered attack, the group used a malicious 64-bit ELF executable for Linux. The file only runs when specific command-line parameters are supplied.

Once running, Akira loads an embedded public RSA key that it uses in encrypting files on the system. It then loads a list of predetermined file extensions that will be encrypted.

Akira uses the AES, Camellia, IDEA-CB, and DES algorithms for file encryption. When it finds a file with one of the listed extensions, it encrypts the file and drops a ransom note on the infected machine.

Akira combines AES and RSA encryption to make victim files inaccessible. It also deletes shadow copies to prevent files from being restored by other means.
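The two host-level artefacts the article describes, a burst of files gaining the “.Akira” extension and a ransom note dropped next to them, are what a defender can alert on. The following detection logic is an added example written for this article; it is not Akira's code and not taken from any vendor report. It runs over a constructed list of file-creation events of the form (ISO timestamp, host, path) and flags hosts where many files receive the encrypted extension within a short window. The ransom-note file name `akira_readme.txt`, the host names, and the paths are assumptions made for the sample data; the article names none of them.

```python
"""Flag ransomware-style mass-rename activity from file events.

Added example (not Akira's code, not from the original report). Signals
taken from the article: many files gaining the ".akira" extension on one
host in a short window, plus a ransom note appearing alongside them.
The ransom-note name below is an assumption used only for the sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".akira"                   # extension named in the article
RANSOM_NOTE_NAMES = {"akira_readme.txt"}   # assumption: placeholder note name
BURST_THRESHOLD = 5                        # renames per window that trigger an alert
WINDOW = timedelta(seconds=60)

# Constructed sample telemetry (not real data): (timestamp, host, path).
# fs-lin01 shows six encrypted files in 15 seconds plus a note; ws-042 shows
# two isolated ".akira" files more than an hour apart and no note.
SAMPLE_EVENTS = [
    ("2023-06-28T10:00:00", "fs-lin01", "/srv/share/finance/q1.xlsx.akira"),
    ("2023-06-28T10:00:02", "fs-lin01", "/srv/share/finance/q2.xlsx.akira"),
    ("2023-06-28T10:00:03", "fs-lin01", "/srv/share/hr/contracts.docx.akira"),
    ("2023-06-28T10:00:05", "fs-lin01", "/srv/share/hr/payroll.csv.akira"),
    ("2023-06-28T10:00:09", "fs-lin01", "/srv/share/eng/design.pdf.akira"),
    ("2023-06-28T10:00:12", "fs-lin01", "/srv/share/eng/spec.pdf.akira"),
    ("2023-06-28T10:00:15", "fs-lin01", "/srv/share/akira_readme.txt"),
    ("2023-06-28T10:03:00", "ws-042", "/home/alice/report.docx"),
    ("2023-06-28T10:04:00", "ws-042", "/home/alice/backup.tar.akira"),
    ("2023-06-28T11:30:00", "ws-042", "/home/alice/old.tar.akira"),
]


def detect_encryption_bursts(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return {host: {"encrypted_in_window": n, "ransom_note": bool}} for every
    host on which at least `threshold` files gained ENCRYPTED_EXT inside any
    sliding `window`. Hosts below the threshold are not reported."""
    rename_times = defaultdict(list)   # host -> timestamps of ".akira" files
    note_hosts = set()                 # hosts where a ransom note appeared

    for ts, host, path in events:
        when = datetime.fromisoformat(ts)
        name = path.rsplit("/", 1)[-1]
        if name.lower() in RANSOM_NOTE_NAMES:
            note_hosts.add(host)
        elif path.lower().endswith(ENCRYPTED_EXT):
            rename_times[host].append(when)

    alerts = {}
    for host, times in rename_times.items():
        times.sort()
        start = 0
        peak = 0
        # Sliding window: for each event, drop older events outside the window
        # and record the largest number of renames seen inside one window.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[host] = {
                "encrypted_in_window": peak,
                "ransom_note": host in note_hosts,
            }
    return alerts


if __name__ == "__main__":
    for host, info in detect_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {info['encrypted_in_window']} files encrypted "
              f"within {WINDOW.seconds}s, ransom note present={info['ransom_note']}")
```

The threshold and window are tuned to the sample; on real file-server telemetry they should be set from the normal rename rate of each share, and the ransom-note check treated as corroborating evidence rather than a requirement, since the note is written only after files have already been encrypted.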

The Akira group emerged earlier this year and is known for tailoring ransom demands to each victim: it assesses the size and profitability of the targeted company and may even offer discounts depending on the circumstances.

Attackers infect targeted computers through phishing emails, malicious advertisements, and software vulnerabilities. Once a device is infected, the ransomware encrypts its files, appends the “.Akira” extension, and displays a ransom note on the desktop with payment instructions.

The Development Bank of Southern Africa (DBSA), which finances infrastructure and education projects in South Africa, recently fell victim to an Akira attack. However, the Akira operators denied any involvement in this particular attack, claiming that the bank’s systems were infected by an unknown attacker who used the Akira ransomware without their permission. The group offered to help the bank restore its systems and data and assured that the stolen data would not be made public.
