Akira Ransomware Surge: $244M in Damages and Rising

The Akira ransomware group has been actively operating since March 2023, targeting a broad range of organizations, particularly small- and medium-sized businesses, across various critical infrastructure sectors. The group employs a double extortion model, encrypting victims’ systems and stealing data, then threatening to publish the exfiltrated data on their Tor-based leak site to compel ransom payments. Akira initially focused on Windows systems but quickly expanded its capabilities by deploying a Linux variant to target VMware ESXi virtual machines, and later, Nutanix AHV VM disk files.

Severity: High

Targeted Sectors And Financial Impact

  • Targets: Manufacturing, educational institutions, information technology, healthcare and public health, financial services, and food and agriculture sectors are the most preferred targets.
  • Financial Impact: As of late September 2025, the Akira ransomware group has reportedly collected approximately $244.17 million (USD) in ransom proceeds.
  • Variants: Initially focused on Windows, the actors deployed a Linux variant targeting VMware ESXi virtual machines in April 2023, and have since expanded to encrypt Nutanix AHV VM disk files. They use the original C++ based Akira variant (with .akira extension) and a Rust-based “Megazord” encryptor (with .powerranges extension) interchangeably.

Attack Details

  1. Initial Access: The primary access vector is VPN services lacking MFA, reached by exploiting known vulnerabilities in Cisco products (multiple CVEs) or by using stolen login credentials (e.g., purchased from initial access brokers, or obtained by brute-forcing SonicWall VPNs). Other methods include spearphishing and exploiting unpatched Veeam backup servers.
  2. Persistence & Privilege Escalation: Actors create new domain accounts (e.g., itadm) and add them to the administrator group for persistence. They harvest credentials using techniques like Kerberoasting and tools such as Mimikatz and LaZagne.
  3. Defense Evasion: Security software is disabled, antivirus processes are terminated (using tools like PowerTool), and Endpoint Detection and Response (EDR) agents are uninstalled to evade detection.
  4. Lateral Movement: Movement across the network is executed using legitimate remote access software like AnyDesk, LogMeIn, as well as RDP, SSH, and MobaXterm.
  5. Exfiltration: Data is collected and compressed using tools like FileZilla and WinRAR, and then exfiltrated using utilities like WinSCP and RClone to cloud storage services (e.g., Mega).
  6. Impact: The ransomware encrypts files using a hybrid encryption scheme. It executes PowerShell commands to delete Volume Shadow Copy Service (VSS) copies to inhibit system recovery efforts. The actors apply pressure by threatening to publish stolen data and have been observed contacting victims directly.
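The persistence (step 2) and impact (step 6) behaviours above leave distinct traces in Windows Security and process-creation telemetry: a freshly created account being added to a privileged group, shadow-copy deletion commands, and known credential-theft tools on the command line. The following detection sketch is an added example written for this advisory, not code from the advisory's author; the event records are constructed samples, the event IDs 4720 (account created), 4728/4732 (member added to a group) and 4688 (process creation) are standard Windows Security log IDs, and the field names are assumed normalisations of those logs.

```python
import re

# Constructed sample events (not from the advisory). The field layout is an
# assumed normalisation of Windows Security / process-creation log records.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 4688, "user": "CORP\\jdoe",
     "command_line": "notepad.exe C:\\notes.txt"},
    {"host": "dc01", "event_id": 4720, "user": "CORP\\svc-backup",
     "target_account": "itadm"},
    {"host": "dc01", "event_id": 4728, "user": "CORP\\svc-backup",
     "target_account": "itadm", "group": "Domain Admins"},
    {"host": "fs02", "event_id": 4688, "user": "CORP\\itadm",
     "command_line": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"host": "fs02", "event_id": 4688, "user": "CORP\\itadm",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws07", "event_id": 4688, "user": "CORP\\itadm",
     "command_line": "C:\\temp\\lazagne.exe all"},
]

# Command-line shapes commonly used to remove Volume Shadow Copies, matched
# case-insensitively so renamed or re-cased binaries still trigger.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I),
]

# Credential-harvesting tools named in the advisory, matched on the image name.
CREDENTIAL_TOOLS = ("mimikatz", "lazagne", "powertool")

PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}


def detect(events):
    """Return a list of (rule, host, detail) alerts for the given events.

    Events are processed in order so that an account creation (4720) seen
    earlier can be correlated with a later privileged-group addition.
    """
    alerts = []
    newly_created = set()
    for ev in events:
        eid = ev.get("event_id")
        if eid == 4720:
            newly_created.add(ev["target_account"].lower())
        elif eid in (4728, 4732):
            account = ev["target_account"].lower()
            group = ev.get("group", "").lower()
            if group in PRIVILEGED_GROUPS and account in newly_created:
                alerts.append(("new_account_to_privileged_group", ev["host"],
                               f"{ev['target_account']} -> {ev['group']}"))
        elif eid == 4688:
            cmd = ev.get("command_line", "")
            if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
                alerts.append(("shadow_copy_deletion", ev["host"], cmd))
            image = cmd.split()[0].lower() if cmd else ""
            if any(tool in image for tool in CREDENTIAL_TOOLS):
                alerts.append(("credential_tool", ev["host"], image))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

The account-creation correlation is deliberately stateful: an addition of a long-standing account to Domain Admins is routine administration, whereas the same addition for an account created minutes earlier matches the itadm pattern described above. In production the `newly_created` set should expire entries after a chosen window rather than growing indefinitely.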

Recommendations

  1. Immediately patch and update operating systems, software, and firmware, focusing on known exploited vulnerabilities, especially those in VPN services and public-facing applications (like Cisco, SonicWall, and Veeam).
  2. Implement and strictly enforce MFA for all services, especially for remote access, VPNs, and administrative accounts. Use phishing-resistant forms of MFA where possible.
  3. Audit all user accounts regularly for suspicious additions (e.g., itadm) and privilege escalations.
  4. Harden endpoint defenses against common tools used by Akira (e.g., Impacket, PowerTool, LaZagne, RClone, AnyDesk).
  5. Monitor for large outbound data flows, especially via FTP, SFTP, RClone, WinSCP.
  6. Maintain offline, immutable backups of critical systems and test restoration procedures routinely.
  7. Ensure backups are segregated from primary systems and cannot be accessed with regular admin credentials.
  8. Employ DLP controls to prevent unauthorized transfers to cloud services like MEGA or Dropbox.
  9. Block the IOCs at their respective controls:
     https://www.virustotal.com/gui/collection/38672f2567f201a294b4fb420f7a653fe6380e27fdb4a089362929d6c7f00095/iocs
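Recommendations 5 and 8 call for monitoring outbound data volume and transfers over FTP/SFTP-style channels. The following flow-log triage is an added example written for this advisory, not the advisory author's code; the flow records are constructed samples using RFC 5737 documentation addresses, the 5 GB threshold and the set of "file transfer" ports are assumed tuning values, and what counts as internal is assumed to be RFC 1918 space.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the advisory); one record per
# outbound connection summary as a NetFlow/firewall export might produce.
SAMPLE_FLOWS = [
    {"src": "10.0.5.21", "dst": "10.0.1.10", "dst_port": 445, "bytes_out": 12_000_000},
    {"src": "10.0.5.21", "dst": "203.0.113.50", "dst_port": 22, "bytes_out": 9_500_000_000},
    {"src": "10.0.5.21", "dst": "203.0.113.50", "dst_port": 22, "bytes_out": 4_000_000_000},
    {"src": "10.0.7.4", "dst": "198.51.100.8", "dst_port": 443, "bytes_out": 150_000_000},
    {"src": "10.0.7.9", "dst": "198.51.100.9", "dst_port": 21, "bytes_out": 20_000_000},
]

# Assumed tuning values: ports typically used by FTP/SFTP/SCP-style tools
# (FTP control, SSH) and a per-host outbound volume threshold.
FILE_TRANSFER_PORTS = {21, 22}
VOLUME_THRESHOLD_BYTES = 5_000_000_000

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if the address falls in RFC 1918 private space (assumed = internal)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize_external(flows):
    """Aggregate bytes sent to external destinations and the ports used, per host."""
    totals = defaultdict(int)
    ports = defaultdict(set)
    for f in flows:
        if is_internal(f["dst"]):
            continue  # east-west traffic is out of scope for this check
        totals[f["src"]] += f["bytes_out"]
        ports[f["src"]].add(f["dst_port"])
    return totals, ports


def flag_exfiltration(flows, threshold=VOLUME_THRESHOLD_BYTES):
    """Return hosts whose external traffic exceeds the threshold or uses
    file-transfer ports, with the reasons, sorted by host for stable output."""
    totals, ports = summarize_external(flows)
    hits = []
    for host in sorted(totals):
        reasons = []
        if totals[host] > threshold:
            reasons.append("volume_exceeds_threshold")
        for port in sorted(ports[host] & FILE_TRANSFER_PORTS):
            reasons.append(f"file_transfer_port:{port}")
        if reasons:
            hits.append({"host": host, "external_bytes_out": totals[host],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in flag_exfiltration(SAMPLE_FLOWS):
        print(hit["host"], hit["external_bytes_out"], ", ".join(hit["reasons"]))
```

Volume alone is a noisy signal (backup jobs and software updates also move gigabytes), so the port reason is kept separate: a host that is both high-volume and talking SSH to an address outside the organisation is a much stronger candidate for review than either condition on its own. Baselining each host's normal daily egress and alerting on deviation from that baseline is the natural next refinement.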


Ampcus Cyber