Akira Linux Blog

Akira Ransomware Extends Reach to Linux Platform

Threat Actors Target Multiple Sectors in Wide-Ranging Attacks

Ransomware poses a significant risk to cybersecurity and remains a highly successful form of cybercrime that presents serious challenges for organizations. It has emerged as a lucrative enterprise for cybercriminals, leading to profound implications, including financial and data losses, as well as detrimental effects on the reputation of the organizations targeted.

Cyble Research and Intelligence Labs (CRIL) have recently shared crucial details about the activities of a newly identified ransomware group known as “Akira.” This group is actively targeting numerous organizations, compromising their sensitive data. It is worth noting that Akira ransomware has expanded its operations to include the Linux platform. CRIL came across a sophisticated Linux variant of the Akira ransomware.

Since its emergence in April 2023, Akira ransomware has already compromised 46 publicly disclosed victims, with an additional 30 victims identified since our previous blog post. The majority of these victims are located in the United States. Here is a breakdown of the countries where the victims have been identified.

Figure 1 – Geographical Distribution of Victims

The Akira ransomware specifically targeted a wide range of industries during its attacks, encompassing sectors including Education, Banking, Financial Services and Insurance (BFSI), Manufacturing, Professional Services, and more.

The figure below shows industries targeted by the Akira ransomware.

Figure 2 – Industries Targeted by Akira Ransomware

Technical Details

The malicious Linux executable is a 64-bit Linux Executable and Linkable Format (ELF) file with SHA256 as 1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296.

Figure 3 – File Details of the Akira Ransomware Linux Executable

In order to execute the Akira executable, specific parameters need to be provided. The required parameters for running the Akira executable are as follows:

  • “-p” / “–encryption_path” – Path of files/folder to be encrypted.
  • “-s” / “–share_file” – Path of the shared network drive to be encrypted
  • “-n” / “–encryption_percent” – Percentage of the files to be encrypted.
  • “-fork” – Creating a child process for encryption.
Figure 4 – Ransomware Command Line Parameters

Upon execution, the Akira ransomware loads a pre-determined RSA public key to encrypt files in the system.

The figure below presents the hardcoded public key utilized by the Akira ransomware.

Figure 5 – Akira Ransomware Hardcoded RSA Public Key

Following the initialization of the public key, the Akira ransomware loads a list of predetermined file extensions that it intends to target and encrypt.

The figure below illustrates the file extensions that are specifically targeted by the Akira ransomware.

Figure 6 – File Extensions Targeted by the Akira Ransomware

The table provided below encompasses a comprehensive list of the file extensions targeted by Akira ransomware.


The ransomware incorporates routines associated with multiple symmetric key algorithms, including AES, CAMELLIA, IDEA-CB, and DES. When encountering a file with an extension listed in the previously mentioned extensions, the ransomware proceeds to encrypt the file.

The image below illustrates the routine specifically implemented for AES encryption within the ransomware.

Figure 7 – Akira Ransomware Routine Related to AES Encryption

Next, to successfully encrypt the files, the ransomware adds the “.akira” file extension to each compromised file and deposits a pre-defined ransom note onto the victim’s system.

The figure below displays the exact contents of the ransom note, which have been hardcoded into the ransomware.

Figure 8 – Ransom note Hardcoded into The Akira Ransomware Executable


Akira Ransomware, which was initially focused on Windows systems, has now expanded its target range to include Linux platforms. This shift in tactics reflects a growing trend among ransomware groups, indicating an upcoming surge in attacks targeting Linux environments. The fact that a previously Windows-centric ransomware group is now turning its attention to Linux underscores the increasing vulnerability of these systems to cyber threats.

CRIL maintains vigilant monitoring of emerging ransomware campaigns to ensure our readers are well-informed, providing regular updates on our latest discoveries.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

  • Detach infected devices on the same network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impact of Akira Ransomware

  • Loss of valuable data.
  • Loss of the organization’s reputation and integrity.
  • Loss of the organization’s sensitive business information.
  • Disruption in organization operation.
  • Financial loss.

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name 
Execution T1204 User Execution
Discovery  T1082
System Information Discovery
File and Directory Discovery
Impact T1486
Data Encrypted for Impact
Inhibit System Recovery

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
Akira Ransomware

Comments are closed.

Scroll to Top