Full Report
Executive Summary

Introduction

Earlier this year, Talos published an update on the ongoing evolution of Akira ransomware-as-a-service (RaaS) that has become one of the more prominent players in the current ransomware landscape. According to this update, for a while in early 2024, Akira affiliates experimented with promoting a new cross-platform variant of the ransomware called […]

The post Inside Akira Ransomware’s Rust Experiment appeared first on Check Point Research.
Analysis Summary
# Tool/Technique: Akira Ransomware (Rust Version / v2)
## Overview
This entry covers Akira ransomware, specifically a newer cross-platform variant written in the Rust programming language (referred to as "Akira v2") that affiliates were observed experimenting with in early 2024. This variant is engineered to target and encrypt data on ESXi bare metal hypervisor servers. The analysis focuses heavily on the challenges of reverse-engineering Rust binaries compiled in Release mode.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: ESXi servers (implied cross-platform capability due to Rust)
- Capabilities: File encryption, targeting hypervisors/VMs, command-line interface (CLI) for operation control.
- First Seen: Early 2024 (experimentation phase noted).
## MITRE ATT&CK Mapping
Since the article focuses on the internal structure and compilation of the malware rather than its operational steps, direct, specific technique mappings are limited based solely on the provided text. However, standard ransomware capabilities map to:
- **TA0011 - Impact**
- T1486 - Data Encrypted for Impact
- T1490 - Inhibit System Recovery (Implied, but not detailed)
## Functionality
### Core Capabilities
- **Argument Parsing:** Utilizes a full-fledged Command Line Interface (CLI) where command-line arguments control program behavior.
- **File Collection:** The `default_action` function is responsible for collecting targeted files.
- **Encryption Workflow:** The control flow proceeds from `Main` $\rightarrow$ `default_action` $\rightarrow$ `lock` $\rightarrow$ `lock_closure`, where `lock` wraps the execution threads that carry out the encryption logic within `lock_closure`.
- **Default Behavior:** The default action, absent specific arguments, is file destruction and encryption.
### Advanced Features
- **Rust Implementation:** Written in Rust, using Rust idioms and compiler strategies that make reverse engineering harder than for typical binaries, both because of Release-mode optimizations and because of how Rust language constructs translate to assembly.
- **ESXi Targeting:** Specifically designed to target bare metal ESXi hypervisor servers.
- **Compiler Optimization Analysis:** The analysis delves into how Release mode compilation (indicated by lack of source lines in debug info and specific observable optimizations) affects the binary's analysis footprint.
## Indicators of Compromise
Based on the summary, specific IOCs (Hashes, IPs) were not extracted, but the analysis provides guidance on where to look:
- File Hashes: N/A (Requires further analysis of the specific binary being reported on)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Execution path sequence: `Main` $\rightarrow$ `default_action` $\rightarrow$ `lock` $\rightarrow$ `lock_closure`. Observation of Rust standard library and third-party crate usage in memory/process space.
## Associated Threat Actors
- Akira Ransomware-as-a-Service (RaaS) affiliates.
## Detection Methods
The article focuses on overcoming static analysis challenges, suggesting detections should focus on:
- **Static/Binary Analysis:** Identifying unusual compiler artifacts consistent with Rust binaries compiled in Release mode (e.g., lack of source lines in debug information when using tools like `objdump --source`).
- **Behavioral Detection:** Monitoring for processes that execute the specific function call chain related to file locking/encryption, especially on ESXi hosts.
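One way to turn the static-analysis note above into a repeatable triage check, as an added example that is not Check Point's code: parse an ELF64 section table, look for strings that usually survive in Rust binaries, and flag samples that carry those strings but no `.debug_line` table (the DWARF line table that `objdump --source` needs). The marker strings, the `build_sample_elf` fixture builder and the function names are assumptions of this example.

```python
import struct

# Strings that commonly survive in Rust binaries after Release-mode optimisation.
# Assumed markers for this example; tune them against your own sample set.
RUST_MARKERS = (b"/rustc/", b".cargo/registry", b"core::panicking", b"rust_begin_unwind")


def elf64_section_names(data):
    """Return the section names of a little-endian ELF64 image (ValueError otherwise)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    headers = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
               for i in range(e_shnum)]
    strtab_off = headers[e_shstrndx][4]  # sh_offset of .shstrtab
    names = []
    for sh_name, *_ in headers:
        start = strtab_off + sh_name
        names.append(data[start:data.index(b"\x00", start)].decode())
    return names


def triage(data):
    """Report Rust markers and whether DWARF line tables (.debug_line) exist.
    Caveat: a stripped binary from any compiler also lacks .debug_line, so
    'release_like' is a triage signal to prioritise samples, not proof."""
    names = elf64_section_names(data)
    markers = [m.decode() for m in RUST_MARKERS if m in data]
    has_lines = ".debug_line" in names
    return {"rust_markers": markers, "has_source_lines": has_lines,
            "release_like": bool(markers) and not has_lines}


def build_sample_elf(section_names, payload=b""):
    """Build a minimal ELF64 fixture (constructed data, not a real sample):
    64-byte header, payload bytes, .shstrtab, then the section header table."""
    all_names = [""] + list(section_names) + [".shstrtab"]
    shstrtab, name_offs = b"", []
    for n in all_names:
        name_offs.append(len(shstrtab))
        shstrtab += n.encode() + b"\x00"
    str_off = 64 + len(payload)
    shoff, shnum = str_off + len(shstrtab), len(all_names)
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, shnum, shnum - 1)
    shdrs = b"".join(struct.pack("<IIQQQQIIQQ", off, 0, 0, 0, str_off if i == shnum - 1 else 0, 0, 0, 0, 0, 0)
                     for i, off in enumerate(name_offs))
    return hdr + payload + shstrtab + shdrs
```

Run `triage(open(path, "rb").read())` over a directory of ESXi-side ELF samples to rank which ones deserve a full Rust-aware disassembly pass first.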
## Mitigation Strategies
- **Targeted Hardening:** Particular focus on hardening ESXi hypervisor servers against exploitation.
- **Binary Analysis Preparedness:** Understanding the assembly output generated by Rust compilers to better reverse-engineer and detect this family.
## Related Tools/Techniques
- Previous iterations of Akira Ransomware.
- General challenges associated with analyzing Rust binaries compiled in Release mode (as discussed in Check Point's prior work, "Rust Binary Analysis Feature by Feature").