Reportseverity: High2023-04-01
Akira deploys Linux variant targeting VMware ESXi
published by CISA
Actor
Ransomware-as-a-service operation active since March 2023, characterized by an unusually retro 1980s-terminal-styled leak site. CISA estimated $42M+ in extracted ransoms across 250+ organizations wit…
Summary
Within a month of emergence, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines, allowing the operation to encrypt entire virtualisation estates from a single foothold. The pivot to ESXi is documented in the joint FBI/CISA #StopRansomware advisory AA24-109A.
Tags
ransomwareesxilinux
Primary source
cisa.govOther Akira events
- 2025-11-13Updated joint advisory: Akira tied to ~$244M in proceeds, now hitting Nutanix AHV
- 2024-04-18FBI, CISA, Europol, NCSC-NL issue joint #StopRansomware advisory on Akira
- 2023-08-01Akira begins deploying Rust-based 'Megazord' encryptor
- 2023-03-01Akira ransomware operation emerges, targeting Windows environments