Akira _v2

Akira _v2 is a Rust-based variant of Akira ransomware that has been in use since at least 2024. Akira _v2 is designed to target VMware ESXi servers and includes a new command-line argument set and other expanded capabilities.^[1]^[2]^[3]

ID: S1194

ⓘ

Type: MALWARE

Contributors: Jiraput Thamsongkrah

Version: 1.0

Created: 09 January 2025

Last Modified: 11 March 2025

Version Permalink

Live Version

Techniques Used

Domain	ID	Name	Use
Enterprise	T1543	Create or Modify System Process	Akira _v2 can create a child process for encryption.^[1]
Enterprise	T1486	Data Encrypted for Impact	The Akira _v2 encryptor targets the `/vmfs/volumes/` path by default and can use the rust-crypto 0.2.36 library crate for the encryption processes.^[2]^[3]
Enterprise	T1480	Execution Guardrails	Akira _v2 will fail to execute if the targeted `/vmfs/volumes/` path does not exist or is not defined.^[2]
Enterprise	T1083	File and Directory Discovery	Akira _v2 can target specific files and folders for encryption.^[1]^[2]^[3]
Enterprise	T1654	Log Enumeration	Akira _v2 can enumerate the trace, debug, error, info, and warning logs on targeted systems.^[2]^[3]
Enterprise	T1489	Service Stop	Akira _v2 can stop running virtual machines.^[1]^[2]^[3]

Groups That Use This Software

ID	Name	References
G1024	Akira	^[1]^[2]^[3]

References

CISA et al. (2024, April 18). #StopRansomware: Akira Ransomware. Retrieved December 10, 2024.
Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024.

Zemah, Y. (2024, December 2). Threat Assessment: Howling Scorpius (Akira Ransomware). Retrieved January 8, 2025.

Akira _v2

Enterprise Layer

Techniques Used

Groups That Use This Software

References