Akira takes in $42 million in ransom payments, now targets Linux servers

The Akira ransomware group netted itself $42 million in payments in the last year from over 250 organizations, according to a joint advisory released April 18 by four leading cybersecurity agencies across Europe and the United States.

The advisory, which said Akira was now attacking Linux machines as well as Windows, was posted by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, Europol’s European Cybercrime Center, and the National Cyber Security Centre in the Netherlands.

CISA said the advisory’s main goal was to help organizations mitigate these attacks by disseminating known Akira ransomware tactics, techniques and procedures, as well as indicators of compromise identified through FBI investigations as recent as February 2024.

Evolving from an initial focus on Windows systems to a Linux variant targeting VMware ESXi virtual machines, CISA said in August 2023 the double-extortion group started deploying the Rust-based code Megazord and Akira, written in C++, as well as Akira_v2, also Rust-based.

On Jan. 22, SC Media reported that the Akira ransomware group has proven to be a significant threat to small- and medium-sized businesses — especially SMBs in Europe, North America and Australia. The group has notably attacked the government sector.

Why attackers now target Linux

Targeting Linux systems for ransomware attacks has become popular because Linux has become the operating system of choice for many server functions and now that it's ubiquitous, attackers can maximize their chances of getting paid a ransom, explained Jason Soroko, senior vice president of product at Sectigo. 

“Credential harvesting seems to be playing a key role for the attackers — therefore, system administrators need to focus their attention on this type of social engineering attack,” said Soroko.

Patrick Tiquet, vice president of security and architecture at Keeper Security, said that ransomware attacks historically targeted Windows systems because of their widespread use in corporate networks. However, Tiquet added that organizations have increasingly been adopting Linux infrastructure — particularly in critical sectors like finance, healthcare and government — and we’re seeing threat actors adapt their tactics to capitalize on this trend.

“Linux servers often host critical applications and data, making them attractive targets for extortion,” said Tiquet. “Additionally, the open-source nature of Linux lets threat actors analyze and exploit vulnerabilities more easily, potentially leading to larger-scale attacks with greater impact. It’s critical for organizations to implement robust cybersecurity measures, including timely patching, network segmentation and comprehensive backup strategies, to mitigate the risk posed by ransomware threats like Akira.”