Redbike

REDBIKE is a ransomware family publicly known as Akira. In 2025 reporting based on Mandiant incident response data and Google Threat Intelligence Group (GTIG) analysis, it was identified as the most frequently deployed, and therefore most prevalent, ransomware family, accounting for about 30% of the ransomware incidents analyzed. The reporting states that operators using REDBIKE/Akira were among the prolific ransomware actors that expanded as other major RaaS groups such as LockBit, ALPHV, Basta, and RansomHub were weakened or disrupted.

High-confidence reporting associates REDBIKE/Akira activity with post-compromise ransomware deployments that commonly also involve data theft extortion. Across the analyzed ransomware intrusions, suspected or confirmed data theft was present in 77% of cases, and the majority of incidents involved theft of sensitive business data before encryption. Reported staging and transfer tooling included Rclone, WinRAR, FileZilla, and WinSCP, with exfiltration destinations including MEGA, OneDrive, and Azure; targeted data types included legal documents, HR records, accounting data, and business development files.
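As an added defender-side example (not code from the page or from the Mandiant/GTIG reporting), the following correlation flags the staging pattern just described: an archiver run followed, on the same host within a short window, by a transfer tool whose command line names a cloud destination. The process image names, destination keywords, event format and sample events are assumptions constructed for this example.

```python
"""Correlate archive-then-transfer process events per host (constructed sample telemetry)."""
from datetime import datetime, timedelta

# Tools named in the reporting above. Image names, destination keywords and
# the event format are assumptions made for this example, not page values.
ARCHIVERS = {"winrar.exe", "rar.exe"}
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe", "filezilla.exe"}
CLOUD_KEYWORDS = ("mega", "onedrive", "blob.core.windows.net")


def parse_event(line):
    """Parse 'ISO timestamp|host|image path|command line' into a dict."""
    ts, host, image, cmdline = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "image": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline.lower()}


def find_staged_exfil(lines, window_minutes=30):
    """Return (host, archive_timestamp, transfer_image) for each transfer-tool run
    that names a cloud destination and follows an archiver run on the same host
    within window_minutes."""
    window = timedelta(minutes=window_minutes)
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    last_archive = {}  # host -> timestamp of the most recent archiver run
    hits = []
    for ev in events:
        if ev["image"] in ARCHIVERS:
            last_archive[ev["host"]] = ev["ts"]
        elif ev["image"] in TRANSFER_TOOLS and any(k in ev["cmdline"] for k in CLOUD_KEYWORDS):
            start = last_archive.get(ev["host"])
            if start is not None and ev["ts"] - start <= window:
                hits.append((ev["host"], start, ev["image"]))
    return hits


# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    r"2025-03-01T01:10:00|FS01|C:\Program Files\WinRAR\WinRAR.exe|WinRAR.exe a -r D:\out\hr.rar \\fs01\hr",
    r"2025-03-01T01:25:00|FS01|C:\Users\svc\rclone.exe|rclone.exe copy D:\out mega:stage --config c.conf",
    r"2025-03-01T02:00:00|WS07|C:\Program Files\WinRAR\WinRAR.exe|WinRAR.exe a docs.rar C:\docs",
    r"2025-03-01T03:00:00|WS07|C:\Program Files\WinSCP\WinSCP.exe|WinSCP.exe user@blob.core.windows.net",
    r"2025-03-01T04:00:00|DC01|C:\Temp\rclone.exe|rclone.exe sync C:\share\finance onedrive:stage",
]

if __name__ == "__main__":
    for host, started, tool in find_staged_exfil(SAMPLE_EVENTS):
        print(f"{host}: archive at {started.isoformat()} followed by {tool}")
```

Because Rclone resolves remote names through its config file, a remote with an innocuous name would not match these keywords; pair command-line matching with network telemetry for the destination.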

The same reporting also states that ransomware operators, including those using REDBIKE/Akira, increasingly targeted recovery-denial infrastructure in 2025, specifically backup infrastructure, identity services, and virtualization management planes. Reported behaviors in these incidents included deleting backup objects from cloud storage, compromising backup management servers, extracting credentials from configuration databases or enterprise credential vaults, forcing password changes on privileged accounts, exploiting misconfigured Active Directory Certificate Services templates to create administrator accounts, targeting hypervisors and virtualization storage layers, compressing and archiving virtual hard disks directly on hypervisors, and deploying ransomware at the hypervisor level by encrypting datastore files to render multiple virtual machines inoperable simultaneously.

For the broader ransomware incidents in which REDBIKE/Akira appeared, the most common initial access pattern reported was exploitation of vulnerabilities, especially in VPNs and firewalls, accounting for about one-third of incidents. The affected organizations spanned Asia Pacific, Europe, North America, and South America and covered nearly every industry sector.

MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 1)

In a third of incidents, the initial access vector was confirmed or suspected exploitation of vulnerabilities, most often in common VPNs and firewalls.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

GTIG observed confirmed or suspected data theft in approximately 77% of ransomware intrusions — a steep jump from 57% the year before. Attackers now frequently steal sensitive files before deploying encryption, threatening to post the stolen data publicly on leak sites even if victims manage to restore their systems from backup.

Impact

2 techniques
T1486 Data Encrypted for Impact (evidence: 6)

These incidents involved the post-compromise deployment of ransomware following network intrusion activity, with the majority of incidents also involving data theft extortion.

T1490 Inhibit System Recovery (evidence: 1)

In 2025, we observed a systemic shift where ransomware operators, including prolific groups using REDBIKE (Akira) and AGENDA (Qilin), actively targeted backup infrastructure, identity services, and virtualization management planes... are actively deleting backup objects from cloud storage.