Inside Akira Ransomware's Rust Experiment
Dec. 4, 2024, 9:21 a.m.
Description
Check Point Research analyzed the Rust version of Akira ransomware that targeted ESXi servers in early 2024. The complexity of the malware's assembly is attributed to Rust idioms, boilerplate code, and compiler strategies rather than to deliberate obfuscation. The analysis reveals the ransomware's use of the seahorse CLI framework, the indicatif library for progress reporting, and a hybrid encryption approach combining Curve25519 key exchange with the SOSEMANUK stream cipher. The malware's default behavior targets ESXi VMs, but it can also function as general-purpose Linux ransomware. The study highlights the challenges of reverse-engineering Rust binaries caused by aggressive inlining and optimization, emphasizing the need for advanced tooling to identify spliced inline code.
Tags
Date
- Created: Dec. 3, 2024, 10:42 p.m.
- Published: Dec. 3, 2024, 10:42 p.m.
- Modified: Dec. 4, 2024, 9:21 a.m.
Attack Patterns
- Akira
- T1490
- T1012
- T1573
- T1489
- T1486
- T1070
- T1129
- T1106
- T1082
- T1057
- T1083
- T1569
- T1140
- T1027
- T1553
- T1562
- T1059
Additional Information
- Technology