{
	"id": "3bb5bfbd-f8f6-4eab-ada9-cdfb618292bc",
	"created_at": "2026-04-06T01:30:25.285874Z",
	"updated_at": "2026-04-10T13:11:46.531669Z",
	"deleted_at": null,
	"sha1_hash": "3dec84547c75d9515d1377873c5199aef732be27",
	"title": "the attacking abilities and strategies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 604957,
	"plain_text": "the attacking abilities and strategies\r\nArchived: 2026-04-06 00:08:01 UTC\r\nSummary\r\nThis is the head part of the Akira ransom note, and it claims:\r\nWhatever who you are and what your title is if you're reading this it means the internal infrastructure of your\r\ncompany is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are\r\ncompletely removed. Moreover, we have taken a great amount of your corporate data prior to encryption.\r\nWell, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're\r\nfully aware of what damage we caused by locking your internal sources.\r\nAs you know, recently ransomware has become so popular, and threat actors further expanded the attack surface to\r\nLinux. In 2023, I had collected many ransomwares that run on Linux and posted them to X (formerly Twitter), and\r\nlast week I noted Akira ransom gang. I am very curious about what happened one year later.\r\nTechnical analysis\r\nBasic info\r\nThe sample hashs:\r\nmd5 6B03B31C8CBD4A0A5829B63D16936ED3\r\nSha1 a90790c35bea365befd3af55cbedfffd2cc4481b\r\nOperation system: Linux(ABI: 3.2.0)[AMD64, 64-bit, EXEC]\r\nPacker: no\r\nMessages on the screen and imply\r\nThe Akira uses /proc/stat to get system-wide statistics about CPU usage, system activity, and process counts. It\r\nalso checks the number of CPUs with /proc/cpuinfo, and it will print out the tip messages on the screen which\r\nhttps://malwareanalysisspace.blogspot.com/2025/03/akira-ransomware-expands-to-linux.html\r\nPage 1 of 7\n\nincluding detected number of CPU, “no path to encrypt” if without any path parameter and the time It took, such\r\nas:\r\nFig.1-message without running\r\nFrom the message, it seems that it is helpful for the ransomware group to debug and expand new abilities. 
Of course, it also implies that the tool is under active development.\r\nStatic analysis\r\nSupported parameters and capabilities\r\nA static pass in IDA over the binary's strings shows that Akira accepts several command-line parameters, although it has no help switch (-h, /? or --help) to list them. They are:\r\n1. -p (--encryption_path): the directory or file to encrypt, e.g. -p=/root/abc.\r\n2. -s (--share_file): encrypt shared files over a network drive path.\r\n3. -n (--encryption_percent): encrypt only a percentage of each file, e.g. -n=5 or -n=10 (a value in percent).\r\n4. -e (--exclude): a regular expression for files to skip, e.g. -e=“pwn*.*”.\r\n5. --fork: fork a child process that encrypts in the background with no console output.\r\nFig.2-Supporting parameters\r\nBy design, -p makes it convenient to encrypt a chosen directory or set of files; -s extends the reach to network drive paths; and -n speeds up encryption, particularly of very large files, by encrypting only part of each one. Combined with the lock strategy and the multi-threaded (LWP) technique described below, the result is a convenient, fast and powerful design.\r\nRansom note and contact strategy\r\nThe extension appended to encrypted files takes its name from the ransomware, Akira, and the malware drops a text file “akira_readme.txt”, the ransom note, which carries the usual threat details and victim-facing information such as an anonymous e-mail address, onion address, Bitcoin address and so on. In this sample:\r\n1. Victim publication (leak site) address: hxxp[:]//akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad[.]onion\r\n2. 
Onion address for contact: hxxps[:]//akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id[.]onion\r\n3. Unique code for logging in to the chat: xxxx-xx-xxx-xxxx\r\n4. Bitcoin address and wallet: the ransom note does not state how many bitcoins to pay, and without exposing any wallet address provided by the Akira gang, the threat actors\r\nBoth onion addresses we found contain the group name string “akira”.\r\nThe ransom note looks as follows.\r\nFig.3-ransom note\r\nLock strategy for new extensions\r\nThe targeted extensions cover several important file types, including database files, virtual machine files, disk images and binary data formats, listed below:\r\nDatabase files\r\nMicrosoft Access: .accdb, .accdc, .accde, .mdb\r\nSQL-based databases: .db, .db3, .sqlite, .sqlite3, .sdf, .mdf, .ndf\r\ndBase \u0026 FoxPro: .dbf, .dbx, .fpt\r\nOracle databases: .ora, .dbs, .dbc\r\nFirebird \u0026 InterBase: .fdb, .gdb\r\nIBM DB2: .db2\r\nMySQL/MariaDB: .myd, .frm\r\nLotus Notes database: .nsf, .ns2, .ns3, .ns4\r\nVirtual machine \u0026 disk image files\r\nVirtual machine files:\r\nVMware: .vmdk, .vmem, .vmsn, .vmsd, .nvram, .vmx\r\nVirtualBox: .vdi\r\nMicrosoft Hyper-V: .vhd, .vhdx, .avhd, .vmrs, .avdx, .vmcx\r\nParallels: .pvm\r\nDisk image files:\r\nISO image: .iso\r\nQEMU: .qcow2, .raw\r\nVirtual server files: .vsv\r\nBackup \u0026 log files\r\nBackup files: .bak, .ndf, .sdf, .trc, .log\r\nCheckpoints \u0026 snapshots: .ckp, .snap\r\nError \u0026 transaction logs: .trm, .rpd, .sbf\r\nMiscellaneous data files\r\nMetadata \u0026 configurations: .dad, .daschema, .dadiagrams, .pdm\r\nEncryption \u0026 key storage: .kdb, .lgc\r\nUser \u0026 profile data: .usr, .hdb, 
.epim\r\nBinary \u0026 raw data files\r\n.bin, .raw, .subvo, .gcow2\r\nDynamic analysis\r\nLWP technique and debugging\r\nAkira creates multiple lightweight processes (LWPs), which are most likely threads. When the number of files is small they exit quickly, which makes debugging difficult.\r\nFig.4-LWPs\r\nTo work around this, point the encryption at a large tree, e.g. -p=/root, which encrypts the whole root directory and keeps the threads alive long enough to inspect. Press Ctrl+C to interrupt, then run info threads in gdb to see how many threads were created, select one by number with thread <n>, and use backtrace to inspect it.\r\nFig.5-get threads and choose one thread to debug\r\nEncryption algorithm strategy\r\nIn this variant Akira combines symmetric AES with the RSA public-key cryptosystem. Each encrypted file has 512 bytes of random-looking data appended to its end; this trailer is the part that the RSA private key is needed to decrypt. The encryption itself is done with the Nettle library. 
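The two on-disk traits described above, the family-named extension and the 512-byte trailer, are enough to build a first-pass triage scan. The Python script below is an added example written for this page; it is not code from the original post or from the Akira operators' tooling. The 512-byte trailer length and the akira_readme.txt note name are taken from the analysis; the .akira extension string, the entropy cut-off and the constructed sample tree are assumptions for illustration. It also recovers each hit's original extension so it can be compared against the targeted file types listed in the lock-strategy section.

```python
import math
import os
import tempfile

# Values taken from the analysis above: the trailer length and the ransom note name.
FOOTER_LEN = 512
RANSOM_NOTE = 'akira_readme.txt'
# Assumed for illustration: the appended extension string and the entropy cut-off.
AKIRA_EXT = '.akira'
# A 512-byte sample of uniformly random bytes measures about 7.6 bits/byte (not 8.0),
# because 512 draws over 256 symbols leave many bins nearly empty; 7.0 keeps a margin.
ENTROPY_THRESHOLD = 7.0
# Subset of the targeted extensions listed in the lock-strategy section, used to
# prioritise hits whose original type is one the locker goes after.
TARGETED = {'.vmdk', '.vhdx', '.qcow2', '.mdf', '.sqlite', '.bak', '.iso', '.vdi'}


def shannon_entropy(data):
    # Bits per byte of the given bytes object; 0.0 for empty or single-symbol input.
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def read_footer(path, length=FOOTER_LEN):
    # Return the last length bytes, or b'' if the file is too small to carry a trailer.
    size = os.path.getsize(path)
    if size < length:
        return b''
    with open(path, 'rb') as fh:
        fh.seek(size - length)
        return fh.read(length)


def original_extension(name):
    # Strip the appended extension to recover the pre-encryption file type.
    lowered = name.lower()
    base = lowered[:-len(AKIRA_EXT)] if lowered.endswith(AKIRA_EXT) else lowered
    return os.path.splitext(base)[1]


def classify_file(path):
    # Collect the indicators for one file; a hit needs both the extension and the trailer.
    name = os.path.basename(path)
    footer = read_footer(path)
    ent = shannon_entropy(footer)
    orig_ext = original_extension(name)
    return {
        'path': path,
        'has_akira_ext': name.lower().endswith(AKIRA_EXT),
        'footer_entropy': round(ent, 3),
        'high_entropy_footer': len(footer) == FOOTER_LEN and ent >= ENTROPY_THRESHOLD,
        'original_ext': orig_ext,
        'targeted_type': orig_ext in TARGETED,
        'is_ransom_note': name.lower() == RANSOM_NOTE,
    }


def scan_tree(root):
    # Walk a directory tree and separate probable encrypted files from ransom notes.
    encrypted, notes = [], []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            info = classify_file(os.path.join(dirpath, f))
            if info['is_ransom_note']:
                notes.append(info['path'])
            elif info['has_akira_ext'] and info['high_entropy_footer']:
                encrypted.append(info)
    return {'encrypted_files': encrypted, 'ransom_notes': notes}


def build_sample_tree():
    # Constructed sample data, not real victim files: one file that looks encrypted,
    # one decoy with the extension but a low-entropy trailer, one note, one normal file.
    root = tempfile.mkdtemp(prefix='akira_triage_')
    with open(os.path.join(root, 'finance.vmdk' + AKIRA_EXT), 'wb') as fh:
        fh.write(os.urandom(4096) + os.urandom(FOOTER_LEN))
    with open(os.path.join(root, 'notes.txt' + AKIRA_EXT), 'wb') as fh:
        fh.write(b'A' * 2048)
    with open(os.path.join(root, RANSOM_NOTE), 'wb') as fh:
        fh.write(b'Whatever who you are and what your title is ...')
    with open(os.path.join(root, 'report.txt'), 'wb') as fh:
        fh.write(b'quarterly numbers ' * 100)
    return root


if __name__ == '__main__':
    result = scan_tree(build_sample_tree())
    for hit in result['encrypted_files']:
        print(hit['path'], hit['original_ext'], hit['footer_entropy'])
    print('ransom notes:', result['ransom_notes'])
```

Run it directly to scan the constructed tree, or call scan_tree on a real mount point. The decoy in the sample tree shows why the extension alone is not enough: a genuine 512-byte random trailer should measure roughly 7.6 bits per byte, so a renamed file whose tail sits far below that is worth a second look rather than an automatic hit.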
Let’s look at one example.\r\nFig.6- AES+RSA (Nettle cryptographic library)\r\nFig.7-512 bytes of random data at the end of the encrypted file\r\nConclusion\r\nFrom the above analysis, Akira appears to rely on a simple, convenient, fast and powerful design to expand its campaigns, and its operators consciously avoid exposing identifying information such as wallet addresses, which marks them as an experienced ransomware gang and a well-hidden threat in the digital world; it deserves close attention.\r\nIoCs\r\nFiles:\r\nMD5: 6B03B31C8CBD4A0A5829B63D16936ED3\r\nSHA1: a90790c35bea365befd3af55cbedfffd2cc4481b\r\nURLs:\r\nhxxps[:]//akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id[.]onion\r\nhxxps[:]//akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad[.]onion\r\nAkira Analysis Briefing\r\nEnd.\r\n──────────────────────\r\nSeeker(李标明) · @clibm079\r\nChina · Independent Malware Analyst \u0026 Researcher\r\nLabels: #LinuxSecurity, #MalwareAnalysis, #ransomware, #ThreatIntel\r\nSource: https://malwareanalysisspace.blogspot.com/2025/03/akira-ransomware-expands-to-linux.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malwareanalysisspace.blogspot.com/2025/03/akira-ransomware-expands-to-linux.html"
	],
	"report_names": [
		"akira-ransomware-expands-to-linux.html"
	],
	"threat_actors": [
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439025,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3dec84547c75d9515d1377873c5199aef732be27.pdf",
		"text": "https://archive.orkl.eu/3dec84547c75d9515d1377873c5199aef732be27.txt",
		"img": "https://archive.orkl.eu/3dec84547c75d9515d1377873c5199aef732be27.jpg"
	}
}