{
	"id": "f78309a6-aca1-4868-964c-9e9249d82f64",
	"created_at": "2026-04-06T00:10:47.968255Z",
	"updated_at": "2026-04-10T03:30:32.886034Z",
	"deleted_at": null,
	"sha1_hash": "598394e7ec14e94b32a77428d85abfd9926cf8f0",
	"title": "Akira’s Play with Linux",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 526441,
	"plain_text": "Akira’s Play with Linux\r\nPublished: 2023-07-25 · Archived: 2026-04-05 18:29:16 UTC\r\nThe proliferation of Ransomware-as-a-Service (RaaS) and the widespread availability of leaked source code from prominent ransomware strains have made ransomware attacks a significant concern for individuals and organizations alike. As more threat actors adopt this modus operandi, it becomes imperative to acquire a comprehensive understanding of the Tactics, Techniques, and Procedures (TTPs) employed by these ransomware affiliates.\r\nRecently we noticed that threat actors have been working on cross-platform malware to widen their attack surface. One such malware is a new ransomware variant named Akira, which emerged in late March 2023 and has been making waves in the cybersecurity landscape. Notably, the ransomware group operates a Tor website with a retro-themed aesthetic, where they publicly disclose stolen data when victims do not comply with their ransom demands. The website also offers a chat feature through which victims can communicate with the perpetrators using the unique ID provided in the ransom note. In this blog post, we will delve into the recent Akira ransomware Linux variant and examine its connections with the Windows variant of Akira ransomware and the Conti ransomware strain.\r\nThe Tor site of Akira ransomware is shown below.\r\nFigure 1: Tor site of Akira ransomware\r\nBinary analysis\r\nLet’s start with the header of the file. This file is a 64-bit binary.\r\nhttps://labs.k7computing.com/index.php/akiras-play-with-linux/\r\nPage 1 of 6\r\nFigure 2: Binary Header\r\nOn analyzing the binary, we can see that this ransomware accepts the following command line arguments.\r\nFigure 3: Command line arguments\r\nArgument | Description\r\n-p | Encryption path; only files under the given path are encrypted\r\n-s | Path to a file containing the list of shares to include in the encryption\r\n-n | Encryption percentage; how much of each file's content is encrypted\r\n-fork | Create a new (child) process\r\nThe ransomware integrates functionality related to several symmetric key algorithms, such as AES, CAMELLIA, IDEA, and DES. Upon encountering a file whose extension is on its target list (Figure 9), the ransomware proceeds to encrypt that file.\r\nFigure 4: Algorithms referenced in the binary\r\nWe found that this ransomware also uses the ChaCha20 encryption algorithm.\r\nFigure 5: CHACHA_20\r\nIf the directories and files shown in Figure 6 are present on the system, they are excluded from encryption.\r\nFigure 6: Exclusion list\r\nIt then encrypts the remaining files and appends the extension .akira to each.\r\nDuring our analysis, we observed that the examined samples exhibited distinctive characteristics, specifically a distinct public RSA key and a Unique ID embedded in their load section. These components were deliberately incorporated by the attacker to enable communication between the victim and the ransomware group.\r\nFigure 7: Comparison of public key\r\nIt appears that the ransomware operator dynamically builds the ransomware with a fresh public RSA key for each target, along with a corresponding Unique ID placed in the ransom note. The purpose of this Unique ID is to let the attacker determine which ransomware build infected the victim, and thereby identify the private key required to decrypt the affected files.\r\nFigure 8: Unique ID for communication\r\nFigure 9 lists around 190 file extensions that this binary encrypts.\r\nFigure 9: File extensions to be encrypted\r\nFigure 10: Ransom note\r\nWe at K7 Labs provide detection for Akira ransomware and all the latest threats. Users are advised to use a reliable security product such as “K7 On-Premises Enterprise Endpoint Security” and keep it up-to-date to safeguard their devices.\r\nIndicators of Compromise (IOCs)\r\nHash | Detection Name\r\n177ACD248FC715A8B5E443BE38D3B204 | Trojan ( 035562be1 )\r\n302f76897e4e5c8c98a52a38c4c98443 | Trojan ( 035562be1 )\r\nSource: https://labs.k7computing.com/index.php/akiras-play-with-linux/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/akiras-play-with-linux/"
	],
	"report_names": [
		"akiras-play-with-linux"
	],
	"threat_actors": [
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434247,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/598394e7ec14e94b32a77428d85abfd9926cf8f0.pdf",
		"text": "https://archive.orkl.eu/598394e7ec14e94b32a77428d85abfd9926cf8f0.txt",
		"img": "https://archive.orkl.eu/598394e7ec14e94b32a77428d85abfd9926cf8f0.jpg"
	}
}