CyberSecurity updates
Updated: 2024-11-22 07:14:03 Pacific

bleepingcomputer.com
Akira Ransomware: Hypervisor Encryption and Recovery - 18d

Akira ransomware has targeted a victim by encrypting the virtual disks (.vmdk files) of an ESXi hypervisor. This attack demonstrates the growing threat of ransomware targeting critical infrastructure elements. To recover the victim’s data, the incident response team used a patched version of vmfs-tools to mount the ESXi datastore, which was partially encrypted. This approach highlights the need for organizations to have comprehensive security measures in place, including regular backups and the ability to recover from attacks targeting critical systems.

do son @ Cybersecurity News
Akira Ransomware Continuously Evolving and Targeting Vulnerable Systems - 11h

Akira ransomware, a prominent threat actor, is continuously evolving its tactics and targeting vulnerable systems, particularly network appliances. Their latest ransomware encryptor targets both Windows and Linux hosts. Akira affiliates have been exploiting vulnerabilities in SonicWall SonicOS, Cisco ASA/FTD, and FortiClientEMS for initial access, followed by credential harvesting, privilege escalation, and lateral movement. The group’s recent shift back to encryption methods, coupled with data theft extortion, emphasizes their focus on stability and efficiency in affiliate operations.


This site is an experimental news aggregator using feeds I personally follow. You can reach me at Bluesky if you have feedback or comments.