Akira
Akira is a ransomware-as-a-service operation active since March 2023. It is widely reported as a major and highly active ransomware brand, including being among the most prevalent families in 2024 and 2025. The group uses double extortion, stealing victim data before encrypting systems, and has targeted organizations worldwide across multiple sectors including manufacturing, education, information technology, healthcare, financial services, food and agriculture, government, technology, consulting, pharmaceuticals, telecommunications, finance, and real estate. Public reporting and joint advisories state that Akira operators have received at least $42 million from more than 250 victims worldwide since early 2023, with later reporting citing more than $244 million in ransom payments.
Akira initially targeted Windows systems and later developed Linux encryptors for VMware ESXi; reporting also notes recent encryption of Nutanix AHV virtual machine disk files. Earlier variants were written in C++, appended the .akira extension to encrypted files, and dropped akira_readme.txt ransom notes. Since August 2023, operators have also used the Rust-based Megazord variant, which encrypts files with the .powerranges extension; Akira, Akira_v2, and Megazord have been used interchangeably. Akira uses a hybrid ChaCha20 and RSA encryption scheme and can perform full or partial encryption depending on file type and size.
Observed initial access vectors include VPN services without MFA, valid account abuse, stolen credentials, spear phishing, brute-force attacks against weak passwords, exposed RDP, purchased access from initial access brokers, and exploitation of edge-device vulnerabilities. Multiple sources tie Akira intrusions to Cisco ASA/AnyConnect and SonicWall SSLVPN environments. Reported exploited vulnerabilities include Cisco CVE-2020-3259, Cisco CVE-2023-20269, and SonicWall CVE-2024-40766; a joint advisory also cites CVE-2023-70766. Incident reporting describes credential-based intrusions against exposed VPNs and remote services, including brute-forcing forgotten local SSLVPN accounts lacking MFA.
Post-compromise behavior includes creation of new domain accounts for persistence, use of legitimate remote access tools such as AnyDesk, RustDesk, LogMeIn, Ngrok, and Cloudflare Tunnel, and extensive credential theft and reconnaissance. Reported credential-access techniques include Kerberoasting, LSASS memory dumping, theft of NTDS.dit and SYSTEM hives, and use of Mimikatz, LaZagne, BypassCredGuard.exe, WebBrowserPassView.exe, netpass64.exe, and Veeam-Get-Creds. Reconnaissance and discovery tooling includes nltest, net, whoami, AdFind-like tooling, SoftPerfect, Advanced IP Scanner, Netscan, and Get-ADComputer. Lateral movement has been observed primarily over RDP, as well as via SMB, Impacket wmiexec, PsExec, remote service creation, and VmConnect.exe.
Defense evasion and impact behaviors include disabling or stopping security software, use of PowerTool with the Zemana AntiMalware driver to terminate antivirus processes, clearing logs, leveraging COM objects through WMI during execution to evade detection, deleting Volume Shadow Copies via PowerShell and vssadmin delete shadows /all /quiet, and stopping endpoint protection services. Akira has also been observed manipulating SQL databases, disabling firewalls, enabling RDP, disabling LSA Protection, and disabling Windows Defender.
Data exfiltration is a routine part of Akira operations. Reported tools include Rclone, FileZilla, WinSCP, WinRAR, and MEGA; one source specifically notes Akira exfiltrates victim data using applications such as Rclone. Public incident reporting links Akira to attacks against critical infrastructure and enterprises, including incidents involving Nissan Australia and Tietoevry in Sweden.
Akira is repeatedly described as a Conti spinoff or descendant, and DOJ reporting states a Russian-linked ransomware organization operated under multiple brands including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira. Microsoft also linked Akira-related affiliates to the Fox Tempest malware-signing service. High-confidence indicators and artifacts mentioned in the content include the .akira and .powerranges encrypted-file extensions, akira_readme.txt ransom notes, use of account name itadm in some intrusions, a bespoke backdoor crome.exe at C:\ProgramData\Microsoft\crome.exe communicating with 170.130.165[.]171, exfiltration-related IPs including 185.82.216[.]56 and 104.200.72[.]33 over port 22, Chrome connections to 13.107.42[.]12 during exfiltration, and MEGA-related IPs 99.35[.]22, 206.25[.]71, 203.127[.]13, and 99.35[.]202.
Vulnerabilities exploited
15 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has issued an urgent alert regarding active exploitation of a critical security flaw identified as CVE-2024-40766, impacting multiple generations of SonicWall SSL VPN devices. According to the advisory, threat actors, including those deploying Akira ransomware, are actively leveraging this vulnerability to gain unauthorized network access and, in some cases, crash firewalls.
Akira has been observed exploiting vulnerabilities in Cisco devices (CVE-2020-3259; CVE-2023-70766) and has recently been observed exploiting a vulnerability in SonicWall Firewall devices (CVE-2024-40766). | A joint cybersecurity advisory has been issued ... about the Akira ransomware group, which has accelerated its attacks on critical infrastructure in recent months.
First published on September 6, 2023, CVE-2023-20269 allows unauthenticated users to run a brute-force attack to identify valid credentials and establish a clientless SSL VPN session. At the time of publication, Cisco indicated that it was aware of the Akira ransomware group targeting the zero-day vulnerability in August 2023 by compromising organizations via Cisco VPNs that lacked multi-factor authentication. | In Q4 2023, Kroll identified an uptick in engagements involving Akira ransomware, a trend that has continued into 2024... Shortly after privilege escalation, Akira ransomware was deployed to encrypt systems.
Akira Ransomware (Storm-1567 / Howling Scorpius / GOLD SAHARA) Type: Ransomware-as-a-Service (RaaS) - Closed Affiliate Model ... First observed: March 2023 ... Double extortion Data exfil via Rclone/WinSCP/FileZilla → encryption via ChaCha20 + RSA-4096 hybrid.
ReliaQuest identified what we assess with medium confidence to be the first known exploitation of this vulnerability, spanning multiple environments between February and March 2026... CVE-2024-12802 is an authentication bypass vulnerability in SonicWall appliances that reduces VPN security to single-factor authentication... On Gen6 devices, the firmware patch alone doesn’t remediate the vulnerability. Six additional manual reconfiguration steps are required.
A particularly effective technique CVE-2024-37085 allows any member of a specially named AD group to receive full administrative rights on the hypervisor without additional authentication. Ransomware operators simply create the “ESX Admins” group via net group commands and add their controlled account, granting instant ESXi admin access. | Groups leveraging REDBIKE (Akira) and AGENDA (Qilin) ransomware were among the most prolific in exploiting the “Tier-0” privileges of hypervisors to bypass guest-level defenses entirely.
CVE-2023-48365: Qlik Sense Enterprise HTTP Tunneling RCE (CVSS 9.9)
CVE-2025-23006: SonicWall SMA 1000 Pre-Auth Deserialization RCE (CVSS 9.8)
CVE-2024-21762: Fortinet FortiOS SSL VPN Out-of-Bounds Write RCE (CVSS 9.8)
CVE-2023-27997: Fortinet FortiOS SSL VPN Heap Buffer Overflow RCE - XORtigate (CVSS 9.8)
"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."
Referenced via: https://labs.watchtowr.com/by-executive-order-we-are-banning-blacklists-domain-level-rce-in-veeam-backup-replication-cve-2025-23120/ and multiple linked articles about Veeam RCE flaws.
“ThrottleStop.sys is a legitimate, signed driver… The ThrottleStop vulnerability (CVE-2025-7771) comes from the way the driver handles memory access. Attackers can exploit this to gain control, ultimately leading to disabling security tools.”
Groups observed using it
8 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
In July 2024, Microsoft also linked the Storm-1175 threat group, along with three other cybercrime gangs, to Black Basta and Akira ransomware attacks that exploited a VMware ESXi authentication-bypass flaw.
Rapid7 just days ago uncovered a campaign tied to Akira ransomware exploiting CVE-2024-40766, an authentication vulnerability impacting SonicWall SonicOS management access and VPN instances.
"...the use of this technique has led to Akira and Black Basta ransomware deployments."
Acronis TRU analyzed recent samples of Akira and Lynx ransomware families... Akira ransomware emerged in 2022... used phishing attacks and vulnerabilities exploitation, including Cisco CVE-2023-20269... primarily targeted user VPNs... SonicWall Firewall CVE-2024-40766... Akira uses ChaCha20 to encrypt files.
In 2024, the top 3 ransomware threats to Canada were: Akira... emerged in April 2023... operates 2 ransomware variants... exfiltrates victim data before encrypting... double extortion.
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Further analysis revealed that Fox Tempest expanded its offerings earlier this year by providing customers with pre-configured virtual machines hosted through Cloudzy infrastructure. Users could upload malware to these systems and receive digitally signed binaries generated through certificates controlled by the group.
Initial Access
4 techniques
Akira typically uses stolen credentials for initial access, often obtained in spear phishing campaigns or through brute force attempts to guess weak passwords.
The group typically targets virtual private network (VPN) services that do not have multifactor authentication enabled, although vulnerabilities are also exploited.
In August, SonicWall dismissed reports that the Akira ransomware gang was breaching Gen 7 firewalls with SSLVPN enabled using a potential zero-day exploit, stating that it was actually linked to CVE-2024-40766, a critical SSLVPN access control flaw in SonicOS that was patched in November 2024.
Execution
3 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions. | APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution. Blue Mockingbird has used batch script files to automate execution and deployment of payloads. During HomeLand Justice, threat actors used Windows batch files for persistence and execution.
Persistence
4 techniques
escalated privileges into a domain admin level account within two days of network access.
Privilege Escalation
3 techniques
Stealth
3 techniques
The service enabled cybercriminals to disguise malware as trusted software, improving the likelihood that malicious files would bypass security controls and be executed by victims.
Akira verifies the deletion of volume shadow copies by checking for the existence of the process ID related to the process created to delete these items.
Defense Impairment
1 technique
Microsoft has announced the disruption of a large-scale malware-signing-as-a-service (MSaaS) operation that exploited its Azure Artifact Signing platform to generate fraudulent code-signing certificates... The group allegedly abused Microsoft's Artifact Signing service to create short-lived digital certificates that allowed malware to appear legitimate to both users and operating systems.
Credential Access
2 techniques
CVE-2020-3259... allows for an unauthenticated, remote attacker to retrieve memory contents of an affected device, thus disclosing confidential information such as credentials used to remotely log into the VPN.
Discovery
4 techniques
The other internal network discovery via tools such as Advanced IP Scanner and Netscan to obtain Active Directory information.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Lateral Movement
2 techniques
The actors leveraged Remote Desktop Protocol (RDP) ... to laterally move across systems
or remote services creation to laterally move across systems
Collection
1 technique
Command and Control
1 technique
Once access has been gained, the group maintains persistence by using legitimate remote access tools such as LogMeIn and AnyDesk.
Exfiltration
3 techniques
During this time, the actor used WinSCP for exfiltration
Like many other ransomware groups, Akira engages in double extortion tactics, stealing data and encrypting files, then demanding payment to prevent the publication of the stolen data on its leak site and to obtain the decryption keys.
When the ransom demand was not met, he allegedly encouraged co-conspirators to leak or sell the data.
Impact
4 techniques
Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers. | The Akira ransomware group announced it had breached Nissan Australia... The Akira ransomware has been active since March 2023...
As a result of the ransomware attack, Granngården announced its grocery stores across the country would be closed on Monday.
Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.
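The backup-tampering commands listed above (vssadmin delete shadows, wmic Shadowcopy Delete, bcdedit recoveryenabled No, and PowerShell-driven shadow copy removal) are a reliable pre-encryption signal. The following is an added detection example, not code from this page or any vendor: it runs a small rule set over constructed process-creation events (the event shape, hosts and user names are assumptions for illustration) and flags hosts where more than one tampering method fired.

```python
import re

# Each rule is (name, regex over the normalised command line). The patterns are
# deliberately narrow: "vssadmin list shadows" or "shadowstorage" do not match.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("bcdedit_recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s*no\b")),
    ("powershell_shadowcopy_delete", re.compile(r"win32_shadowcopy\b.*\b(remove-wmiobject|\.delete\(\))")),
]


def normalise(cmdline: str) -> str:
    """Lower-case and collapse whitespace so case/spacing variants still match."""
    return " ".join(cmdline.split()).lower()


def classify(cmdline: str) -> list:
    """Return the names of every rule that matches this command line."""
    norm = normalise(cmdline)
    return [name for name, rx in RULES if rx.search(norm)]


def scan(events) -> list:
    """events: iterable of dicts with 'host', 'user', 'cmdline'. Returns one alert per hit."""
    alerts = []
    for ev in events:
        hits = classify(ev.get("cmdline", ""))
        if hits:
            alerts.append({"host": ev["host"], "user": ev["user"], "rules": hits, "cmdline": ev["cmdline"]})
    return alerts


def hosts_flagged(alerts, min_rules: int = 2) -> list:
    """Hosts on which at least min_rules distinct tampering rules fired: several
    different methods on one host is a stronger signal than a single command."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).update(a["rules"])
    return sorted(h for h, r in seen.items() if len(r) >= min_rules)


# Constructed sample process-creation events (assumed shape; not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "corp\\opsadmin", "cmdline": "vssadmin  delete shadows /all /quiet"},
    {"host": "ws01", "user": "corp\\opsadmin", "cmdline": "WMIC.exe Shadowcopy Delete"},
    {"host": "srv02", "user": "corp\\opsadmin", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "srv02", "user": "corp\\svc_backup",
     "cmdline": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"host": "ws03", "user": "corp\\alice", "cmdline": "vssadmin list shadows"},  # benign, no hit
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
    print("hosts with multiple tampering methods:", hosts_flagged(scan(SAMPLE_EVENTS)))
```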
He analyzed stolen data and used sensitive information to intensify extortion tactics. When the ransom demand was not met, he allegedly encouraged co-conspirators to leak or sell the data. Court documents reveal he distributed a bulk set of sensitive records to hundreds of patients, aiming to amplify fear and force compliance.
IOCs tracked for this family
83 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware used in an intrusion where operators brute-forced a forgotten local SSLVPN account, performed discovery, Kerberoasting, RDP-based lateral movement, cleared logs, deleted shadow copies, and then encrypted systems.
A ransomware family whose affiliates were tied to Fox Tempest infrastructure and services.
A ransomware family linked by Microsoft’s investigation to Fox Tempest’s code-signing service.