Eagle Eye Security Blog
Published at Apr 20, 2024 07:57 am last update at Apr 20, 2024 07:57 am

Akira Ransomware Gang Extorts $42 Million

The Akira ransomware group has reportedly extorted an estimated $42 million from more than 250 victims as of January 1, 2024. The group, which initially targeted Windows systems, has since expanded to Linux servers and now poses a significant threat to businesses and critical infrastructure entities across North America, Europe, and Australia.

According to a joint advisory from cybersecurity agencies in the Netherlands and the U.S., together with Europol's European Cybercrime Centre (EC3), the Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines in April 2023. The group uses a variety of methods to gain initial access to target networks, including exploiting known vulnerabilities in Cisco appliances, spear-phishing, and the use of external-facing Remote Desktop Protocol (RDP) services.

The Akira ransomware encrypts targeted systems with a hybrid scheme: file contents are encrypted with the ChaCha20 stream cipher, and the symmetric keys are in turn encrypted with an RSA public key, so only the holder of the operators' private key can recover them. The ransomware binary also inhibits system recovery by deleting volume shadow copies from the affected system. Blockchain transaction analysis and source code overlaps suggest that the Akira group is likely affiliated with the now-defunct Conti ransomware gang.
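The shadow copy deletion mentioned above is one of the few ransomware behaviours that is cheap to detect before encryption finishes, because it shows up as a process-creation event on the victim host. The following is an added detection example written for this post; it is not code from the advisory or from any Akira sample. The log lines are constructed, and the three command patterns it flags (vssadmin, WMIC, and PowerShell WMI removal of Win32_ShadowCopy objects) are common shadow copy deletion methods rather than a claim about which one a given Akira build uses.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events (not real logs).
# WS-04 is a benign enumeration and should not alert; WS-05 shrinks
# shadow storage, which silently evicts existing copies and should alert.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS-01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "WS-03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"host": "WS-04", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "WS-05", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
]

# Each rule is (name, regex). Matching is case-insensitive and searches the
# whole command line, so wrappers like "cmd.exe /c vssadmin ..." still hit.
RULES = [
    ("vssadmin_delete",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_remove_shadowcopy",
     re.compile(r"win32_shadowcopy.*\b(remove-wmiobject|remove-ciminstance)\b", re.I)),
]


def classify(cmdline: str) -> List[str]:
    """Return the names of all rules that match a single command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every rule over a batch of process-creation events.

    Returns one alert per event that matched at least one rule, tagged with
    the MITRE ATT&CK technique for inhibiting system recovery (T1490).
    """
    alerts: List[Dict[str, object]] = []
    for ev in events:
        hits = classify(ev["cmdline"])
        if hits:
            alerts.append({
                "host": ev["host"],
                "rules": hits,
                "cmdline": ev["cmdline"],
                "technique": "T1490",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["host"]}: {", ".join(alert["rules"])} -> {alert["cmdline"]}')
```

Two design points are worth noting. The rules key on the command line rather than the image path, because `vssadmin list shadows` is routine administrative activity while `vssadmin delete shadows` almost never is outside a maintenance window; matching on the verb keeps the false-positive rate tolerable. The `resize shadowstorage` rule is there because shrinking the storage quota evicts existing copies without any explicit delete, a quieter variant of the same technique that a delete-only rule misses.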

Akira's shift toward Linux enterprise environments follows similar moves by other established ransomware families such as LockBit, Cl0p, Royal, Monti, and RTM Locker. The disclosure comes as Trend Micro reported that the sweeping law enforcement takedown of the prolific LockBit gang in February has had a significant operational and reputational impact, hampering the group's ability to bounce back.

The development also follows the Agenda ransomware group's use of an updated Rust variant to infect VMware vCenter and ESXi servers through Remote Monitoring and Management (RMM) tools and Cobalt Strike. Trend Micro stated that Agenda's ability to spread to virtual machine infrastructure shows that its operators are also expanding to new targets and systems.

As a fresh crop of ransomware actors continues to crowd the threat landscape, it is also becoming clearer that "crude, cheap ransomware" sold on the cybercrime underground is being put to use in real-world attacks. This allows lower-tier individual threat actors to generate significant profit without being part of a well-organized group.