Inside Akira Ransomware's Rust Experiment

Dec. 4, 2024, 9:21 a.m.

Description

Check Point Research analyzed the Rust version of Akira ransomware that targeted ESXi servers in early 2024. The malware's complex assembly is attributed to Rust idioms, boilerplate code, and compiler strategies. The analysis reveals the ransomware's use of the seahorse CLI framework, indicatif library for progress reporting, and a hybrid encryption approach using curve25519 and SOSEMANUK. The malware's default behavior targets ESXi VMs, but it can also function as general-purpose Linux ransomware. The study highlights the challenges in reverse-engineering Rust binaries due to aggressive inlining and optimization, emphasizing the need for advanced tooling to identify spliced inline code.

External References

https://research.checkpoint.com/2024/inside-akira-ransomwares-rust-experiment/
https://otx.alienvault.com/pulse/674f894aee490372b19356c7
Tags
ransomware
rust
akira
2024-12-03

Date

  • Created: Dec. 3, 2024, 10:42 p.m.
  • Published: Dec. 3, 2024, 10:42 p.m.
  • Modified: Dec. 4, 2024, 9:21 a.m.

Attack Patterns

  • Akira
  • Akira
  • T1490
  • T1012
  • T1573
  • T1489
  • T1486
  • T1070
  • T1129
  • T1106
  • T1082
  • T1057
  • T1083
  • T1569
  • T1140
  • T1027
  • T1553
  • T1562
  • T1059

Additional Informations

  • Technology