active threat profile
type ransomware
threat_level critical
status active
origin Russia (assessed)
last_updated 2026-03-26

Akira

also known as: Storm-1567 (Microsoft); Howling Scorpius (Palo Alto Unit 42); Punk Spider (CrowdStrike); Gold Sahara (Secureworks); Akira_v2 (ESXi variant)

Akira is the highest-grossing ransomware group of 2025, collecting over $244 million USD in confirmed victim payments from more than 250 organizations since its emergence in March 2023. A closed Ransomware-as-a-Service operation with strong ties to the defunct Conti ecosystem, Akira stands apart for its rapid operational tempo — documented exfiltrating data within two hours of initial access — and its willingness to find genuinely novel attack paths, including using a network-connected webcam's Linux OS to mount Windows SMB shares and encrypt files after its Windows encryptor was blocked by EDR.

attributed origin Russia (assessed — Russian language observed on dark web forums; non-VPN infrastructure geolocated to Russia)
suspected sponsor Financially motivated criminal enterprise; Conti lineage suspected; no state nexus confirmed
first observed March 2023 (unrelated to a 2017 ransomware strain of the same name)
primary motivation Financial — closed RaaS / double extortion
primary targets Manufacturing, Education, Healthcare, IT, Financial Services, Food & Agriculture
known victims ~980 leak site postings Jan–Dec 2025; $244M+ in payments
mitre att&ck group G1024
target regions United States (primary), Canada, Brazil, Australia, United Kingdom, Europe
threat level CRITICAL

Overview

Akira first appeared in March 2023 — distinct from a short-lived 2017 ransomware strain that shared the name. It is described as a closed or semi-closed RaaS: the core team manages development, infrastructure, and tooling, though some reporting (including ransomware.live analysis) indicates operational overlaps with Snatch and BlackByte affiliates. This tighter structure — relative to fully open affiliate models like LockBit — produces more consistent tradecraft across incidents and better operational security than programs with broad affiliate recruitment.

Analysts working from the Conti Leaks and researchers at Secureworks have identified meaningful code and operational overlaps between Akira and the Conti ransomware ecosystem, including similarities in ransom negotiation site design, tooling choices, and on-chain laundering patterns. TRM Labs assesses with moderate-to-high confidence that Akira operators are based in Russia or the broader post-Soviet region, supported by Russian-language communications observed on closed cybercrime forums and by infrastructure geolocation data captured before VPN obfuscation was applied.

Akira's toolchain has evolved across multiple distinct versions. The original C++ encryptor — appending the .akira extension — was joined in August 2023 by Megazord, a Rust-based Windows encryptor appending .powerranges. The two were deployed interchangeably until the November 2025 CISA advisory noted that Megazord has likely fallen out of active use. The current primary payload is Akira_v2, a Rust-based ESXi-targeting encryptor that also supports Linux environments and appends .akiranew or .aki extensions alongside the original .akira. The hybrid encryption scheme combines ChaCha20 with RSA public-key cryptography, supporting full or partial file encryption based on file type and size.

A June 2025 incident documented in the CISA advisory marked the first confirmed case of Akira encrypting virtual machine disk files on Nutanix Acropolis Hypervisor (AHV) — expanding beyond VMware ESXi and Microsoft Hyper-V. Nutanix AHV is widely deployed in healthcare, finance, and government environments, and is not typically treated as a ransomware target by defenders, making this expansion significant for organizations relying on Nutanix as an assumed safe enclave.

On-chain analysis by TRM Labs identified financial infrastructure links between Akira and two other ransomware clusters. The Fog ransomware group shared the same Defiway laundering service during a specific operational phase. The Frag ransomware group shares a two-address wallet cluster and the same bridge and payment service Akira used exclusively between late 2024 and June 2025 — leading TRM to assess that Frag may be an operational extension or spin-off of the Akira core team. Both Fog and Frag also show on-chain overlaps with each other, suggesting a loosely affiliated network of Russian-speaking groups sharing backend financial infrastructure.

Akira does not leave a ransom demand on compromised networks. Victims discover they have been hit when files are encrypted and a ransom note is placed in each directory. Payment instructions and ransom amounts are only disclosed after the victim contacts the group via a Tor-based negotiation portal. Akira accepts Bitcoin exclusively. In some incidents, operators have directly called victim organizations to apply additional pressure alongside the standard data leak threat.

Target Profile

CISA describes Akira as primarily targeting small and medium-sized businesses, though the group has demonstrated willingness to attack large organizations including universities, global IT service providers, and critical infrastructure operators. The preference for SMBs reflects a deliberate strategy: these organizations are more likely to lack mature incident response capabilities, have weaker network segmentation, and face greater relative pressure to pay quickly to restore operations.

  • Manufacturing: Consistently the top targeted sector by volume. Manufacturing organizations face immediate operational disruption when systems go offline, with cascading supply chain consequences that amplify payment pressure. Akira's speed — documented completing data exfiltration within two hours of initial access in some incidents — is especially effective against manufacturers who may not detect intrusion before data is already gone.
  • Education: Universities and K-12 school districts are disproportionately targeted. The CISA advisory specifically calls out educational institutions and includes K-12-specific mitigations. These organizations hold large volumes of sensitive PII, student health records, and research data while typically operating with constrained IT security budgets and complex, distributed networks.
  • Healthcare and Public Health: Hospitals, clinics, and health systems face life-safety pressure to restore access to patient records and clinical systems. Akira's targeting of Nutanix AHV — common in healthcare virtualization — directly expands its reach into this sector. Notable incidents include attacks on BHI Energy (US energy firm) and healthcare-adjacent organizations in Europe.
  • Information Technology: IT service providers and managed service providers are targeted both for direct extortion and for supply chain access to downstream clients. Finnish IT provider Tietoevry was a high-profile 2024 victim, with the attack disrupting services across multiple Tietoevry clients in Sweden and Finland.
  • Financial Services and Food & Agriculture: Both sectors appear in the CISA advisory target profile and on Akira's leak site with consistent frequency. Agriculture organizations, particularly food processing and distribution, face significant disruption risk when systems adjacent to operational technology are encrypted.

Tactics, Techniques & Procedures

TTPs sourced primarily from the CISA/FBI/Europol joint advisory AA24-109A (updated November 13, 2025), S-RM incident response reporting, TRM Labs financial analysis, and Field Effect MDR tracking. MITRE ATT&CK Group G1024.

MITRE ID | Technique | Description
T1078 | Valid Accounts | Primary initial access vector. Credentials obtained via brute force, password spraying (SharpDomainSpray), initial access brokers, or credential dumps are used to authenticate directly to VPN portals — particularly SonicWall and Cisco ASA devices — without triggering alert-worthy authentication failures.
T1190 | Exploit Public-Facing Application | Known CVEs exploited include CVE-2024-40766 (SonicWall improper access control, used in the June 2025 Nutanix AHV incident), CVE-2024-40711 (Veeam deserialization of untrusted data), and earlier CVE-2023-20269 (Cisco ASA). MFA bypass against SonicWall has been documented by compromising one-time password seeds or token generation mechanisms.
T1110.003 | Password Spraying | SharpDomainSpray deployed to enumerate and spray domain credentials at scale. Combined with credential dumps to build a list of valid accounts for targeted spray attempts.
T1136.001 | Create Account: Local Account | After gaining initial access, Akira actors create a local account named itadm to establish a persistent foothold independent of the initially compromised credentials.
T1219 | Remote Access Software | AnyDesk and LogMeIn deployed immediately after access to establish persistent C2 that blends with legitimate administrator activity. Remote management tools are used to bypass perimeter controls and avoid deploying obvious backdoors.
T1572 | Protocol Tunneling | Ngrok used to establish encrypted C2 tunnels that bypass perimeter monitoring. FileZilla, WinSCP, and RClone used for data staging and exfiltration — all legitimate tools that avoid triggering malware signatures.
T1021.001 | Remote Services: RDP | RDP used for lateral movement throughout victim environments. Akira operators deliberately use RDP to blend with legitimate administrator behavior. The webcam incident specifically involved RDP lateral movement prior to the IoT pivot.
T1047 | Windows Management Instrumentation | Impacket's wmiexec.py used for remote command execution. WMI also used for shadow copy deletion — querying Win32_Shadowcopy and deleting returned objects — which avoids the high-visibility vssadmin.exe utility while achieving the same result.
T1003.003 | OS Credential Dumping: NTDS | In a documented incident, Akira bypassed VMDK file protection by temporarily powering down the domain controller's VM, copying the VMDK file, and attaching it to a newly created VM. This enabled extraction of NTDS.dit and the SYSTEM hive, yielding a highly privileged domain administrator credential hash.
T1562.001 | Impair Defenses: Disable or Modify Tools | EDR and antivirus software uninstalled or disabled using legitimate administrative privileges before encryption. In the documented webcam incident, after the Windows encryptor was blocked by EDR, the actor pivoted to a network-connected Linux-based webcam — mounting Windows SMB shares from the webcam's OS and running the Linux encryptor to encrypt network files outside EDR visibility entirely.
T1486 | Data Encrypted for Impact | Hybrid ChaCha20 + RSA encryption scheme. File-type-aware: encryption mode (full vs. partial) selected based on file size and type to maximize encryption speed. Targets Windows (Akira/Megazord), Linux, VMware ESXi (Akira_v2), Microsoft Hyper-V, and Nutanix AHV. Extensions: .akira, .powerranges, .akiranew, .aki. Thread-controlled for parallel encryption speed.
T1490 | Inhibit System Recovery | Shadow copies deleted via WMI Win32_Shadowcopy class (avoiding vssadmin.exe). Veeam backup infrastructure actively targeted for credential extraction before encryption — disabling backup recovery paths before locking down production systems.
T1041 | Exfiltration Over C2 Channel | Data exfiltrated before encryption as part of double extortion. In some documented incidents, exfiltration completed within approximately two hours of initial access — before many organizations have time to detect the intrusion and begin containment. FileZilla, WinSCP, RClone, and Ngrok used as exfiltration tools.
T1657 | Financial Theft | Bitcoin ransom payments routed through a documented series of laundering phases. TRM Labs identified at least four distinct post-payment laundering infrastructure evolutions since 2023, including use of Defiway bridge service shared with the Fog ransomware cluster during one phase, and a separate wallet cluster shared with Frag ransomware.

two-hour exfiltration window

CISA's November 2025 advisory confirmed documented Akira incidents where data exfiltration was completed in just over two hours from initial access. This means organizations that detect an intrusion even moderately late — or that rely on next-business-day security review of alerts — may already have lost their data before containment begins. This compresses the effective IR response window to near-zero for organizations without real-time 24/7 SOC coverage.

Known Campaigns

Selected confirmed and highly attributed incidents. Akira's closed structure means many victims never appear on the leak site due to paying or settling without public disclosure.

IoT Webcam EDR Bypass 2024 (reported March 2025)

Documented by S-RM during incident response at a client organization. After gaining initial access via an exposed remote access solution and deploying AnyDesk for persistence, Akira moved laterally via RDP and attempted to deploy a Windows ransomware encryptor as a password-protected zip file (win.zip containing win.exe). The victim's EDR identified and quarantined the file. Rather than abandoning the attack, the actor conducted an internal network scan and identified a Linux-based webcam with unpatched critical vulnerabilities, including unauthenticated remote shell access. The actor used the webcam's Linux OS to mount Windows SMB network shares and ran the Linux Akira encryptor from the webcam — completely outside the EDR's visibility. Files across the organization's Windows network were encrypted successfully via SMB traffic originating from the camera, which had no EDR agent. Patches were available for the webcam vulnerabilities at the time of the attack.
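A segmentation check for the SMB pivot described in this incident (and for the IoT isolation mitigation listed later in this profile), added here as an example that is not part of the S-RM report or of this profile: it reads firewall/flow records and flags any SMB session from an IoT segment into a server or workstation segment, which is exactly the traffic the camera generated. The VLAN ranges, the log line format and the sample records are constructed assumptions.

```python
"""Flag SMB sessions that originate in the IoT segment and land on server or
workstation segments. Added example; the VLAN ranges, the flow-log format and
the sample records below are constructed assumptions, not real incident data."""
import ipaddress
from collections import defaultdict

# Assumed segmentation policy (constructed): IoT devices live in 10.50.0.0/24,
# servers in 10.10.0.0/24, workstations in 10.20.0.0/24.
IOT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/24")]
PROTECTED_SEGMENTS = [ipaddress.ip_network("10.10.0.0/24"),
                      ipaddress.ip_network("10.20.0.0/24")]
SMB_PORTS = {445, 139}

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port proto bytes".
# Lines 1, 2 and 5 are an IoT host talking SMB to file servers; line 3 is a
# workstation doing the same (allowed); line 4 is the camera's own NTP traffic.
SAMPLE_FLOWS = """\
2025-03-05T02:11:04Z 10.50.0.23 49152 10.10.0.5 445 tcp 20971520
2025-03-05T02:11:09Z 10.50.0.23 49153 10.10.0.6 445 tcp 18350080
2025-03-05T02:12:30Z 10.20.0.41 50233 10.10.0.5 445 tcp 4096
2025-03-05T02:13:00Z 10.50.0.23 49154 10.50.0.1 123 udp 76
2025-03-05T02:14:11Z 10.50.0.77 33012 10.10.0.9 139 tcp 1048576
"""


def in_any(ip, nets):
    return any(ip in n for n in nets)


def parse_flow(line):
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def iot_smb_violations(log_text):
    """Return SMB flows from an IoT segment into a protected segment, keyed by source IP."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["dport"] not in SMB_PORTS:
            continue
        if in_any(f["src"], IOT_SEGMENTS) and in_any(f["dst"], PROTECTED_SEGMENTS):
            hits[str(f["src"])].append(f)
    return dict(hits)


def summarize(violations):
    """Per IoT source: the SMB targets reached and the bytes sent toward them.
    One camera pushing megabytes over SMB to several file servers is the
    share-mount-and-encrypt pattern, not normal device behaviour."""
    return {src: {"targets": sorted({str(f["dst"]) for f in flows}),
                  "bytes": sum(f["bytes"] for f in flows)}
            for src, flows in violations.items()}


if __name__ == "__main__":
    for src, s in summarize(iot_smb_violations(SAMPLE_FLOWS)).items():
        print(f"ALERT IoT host {src} spoke SMB to {s['targets']} ({s['bytes']} bytes)")
```

In production the same logic belongs in the firewall policy itself (deny 445/139 from the IoT VLAN); the script is the audit that proves the policy holds.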

Tietoevry Attack January 2024

Akira hit Finnish IT services provider Tietoevry, causing service disruptions for multiple Tietoevry clients across Sweden and Finland. The attack encrypted infrastructure used to host customer applications and services, creating cascading outages across industries including retail, cinema chains, and public sector clients — demonstrating Akira's ability to generate downstream supply chain impact through a single MSP compromise.

Stanford University 2023–2024

Akira claimed a ransomware attack on Stanford University. Subsequent investigation revealed that attackers had been present inside Stanford's network for approximately four months before detection — one of the longest documented Akira dwell periods and a direct illustration of the group's patience during the reconnaissance and data-collection phase before triggering encryption.

Nutanix AHV First Compromise June 2025

Documented in the November 2025 CISA advisory update, a June 2025 incident marked the first confirmed case of Akira encrypting virtual machine disk files on Nutanix Acropolis Hypervisor (AHV). Initial access was gained via CVE-2024-40766, a SonicWall improper access control vulnerability. The affected organization was not publicly named. This incident expanded Akira's hypervisor targeting beyond VMware ESXi and Microsoft Hyper-V for the first time and prompted CISA to elevate its advisory language to "imminent threat to critical infrastructure."

Lush Cosmetics 2024

British bath and beauty retailer Lush confirmed a cyberattack that Akira subsequently claimed. The attack disrupted internal IT systems. Lush activated manual processes and engaged external forensic specialists. The incident highlighted Akira's willingness to target consumer brands in the retail sector, not only industrial and government targets.

Nissan Australia Late 2023

Akira claimed a ransomware attack against Nissan Australia, adding the automotive manufacturer to its leak site. The incident is one of several high-profile Akira claims against recognizable global brands alongside Tietoevry and Stanford, demonstrating that while CISA characterizes the group's primary target set as SMBs, Akira affiliates will pursue large-enterprise targets when access is available. Nissan subsequently confirmed the cyber incident and data exposure affecting customers and dealers.

SonicWall SSL VPN Surge Late July 2025 — ongoing

Arctic Wolf documented a marked increase in Akira activity specifically targeting SonicWall SSL VPN accounts beginning in late July 2025, a campaign that remained active through at least November 2025. Sophos analysis linked approximately 149 victims to Akira attacks in the three months to November 2025, with manufacturing, legal and professional services, and construction sectors most affected. In October 2025 alone, Akira compromised over 70 victims via publicly accessible SonicWall devices exploiting CVE-2024-40766. CISA's November 13, 2025 advisory update — characterizing Akira as an imminent threat to critical infrastructure — was issued directly in response to this escalation.

Toronto Zoo January 2024

Akira claimed a ransomware attack on the Toronto Zoo, exfiltrating data on employees and visitors across multiple decades of records. The Zoo confirmed the breach and the theft of personal information including names, contact details, and employment records. Akira's willingness to target public-facing cultural institutions with no critical infrastructure status underscores the opportunistic nature of the group's victim selection alongside its more deliberate high-value targeting.

Tools & Malware

  • Akira (C++ variant): Original Windows encryptor, active from March 2023. Appends .akira extension. Hybrid ChaCha20 + RSA encryption. In June 2023, Avast released a free decryptor for this variant — exploiting a flaw in Akira's partial-file encryption implementation that allowed key recovery without paying ransom. Akira patched the vulnerability in July 2023 with an updated build. The original C++ variant is no longer the primary payload but still observed in some incidents as of late 2025.
  • Megazord (Rust variant): Windows-targeting Rust encryptor, introduced August 2023. Appends .powerranges extension. CISA's November 2025 advisory notes Megazord has likely fallen out of active use since 2024, replaced by Akira_v2.
  • Akira_v2 (ESXi/Linux Rust variant): Current primary ESXi and Linux encryptor. Targets VMware ESXi, Microsoft Hyper-V, and (as of June 2025) Nutanix AHV. Appends .akiranew or .aki extensions in some builds. Thread-controlled for parallel encryption. Build ID validation prevents execution in sandbox environments. Written in Rust for improved performance and cross-platform compatibility.
  • SharpDomainSpray: Open-source password spraying tool used for domain credential harvesting at scale during the initial access phase.
  • AnyDesk / LogMeIn: Legitimate RMM tools deployed immediately after access for persistent C2 that mimics administrator behavior. Used to disable security tools including firewalls, antivirus, and EDR before encryption.
  • Impacket (wmiexec.py): Open-source network protocol manipulation toolkit. wmiexec.py used for remote command execution across domain systems without dropping additional binaries.
  • Ngrok: Legitimate tunneling utility used to establish encrypted C2 sessions that bypass perimeter monitoring by routing traffic through Ngrok's legitimate infrastructure.
  • FileZilla / WinSCP / RClone: Legitimate file transfer tools used for data staging and exfiltration. Selection of legitimate tools avoids malware signature detection during the exfiltration phase.
  • Akira Tor Negotiation Site: Custom dark web portal through which victims initiate contact. Ransom demands and payment details are disclosed only after victim contact — no demand is left on the compromised network. The site also serves as a data leak platform for non-paying victims.

Indicators of Compromise

IOCs sourced from CISA advisory AA24-109A (updated November 2025) and field reporting. The CISA advisory PDF contains the full set of confirmed SHA-256 hashes and network indicators observed between June 2023 and August 2025. IOCs should be treated as time-sensitive and cross-referenced against live intel feeds before use as blocks.

warning

Network IOCs (IPs, domains) rotate between campaigns and expire quickly after public disclosure. The full CISA advisory AA24-109A at ic3.gov contains the most comprehensive and recently updated IOC tables, covering observed activity from June 2023 through August 2025. Cross-reference with MITRE ATT&CK G1024 and vendor threat intel feeds before blocking.

indicators of compromise — Akira (public record)
file ext .akira (original C++ variant); .powerranges (Megazord); .akiranew / .aki (Akira_v2 ESXi/Linux)
ransom note akira_readme.txt — dropped in encrypted directories; no ransom amount included; instructs victim to contact via Tor URL
local account itadm — local account created post-access for persistent foothold
behavior WMI Win32_Shadowcopy deletion (avoids vssadmin.exe) — pre-encryption VSS removal
behavior VMDK power-off + copy + attach to new VM for NTDS.dit extraction from domain controller
behavior Network scan identifying IoT/Linux devices post-EDR block; SMB mount from Linux device for encryption bypass
tool SharpDomainSpray.exe — password spraying; AnyDesk.exe / LogMeIn — RMM persistence; Ngrok — C2 tunneling; rclone.exe / winscp.exe / filezilla.exe — exfiltration
vuln (exploited) CVE-2024-40766 (SonicWall improper access control); CVE-2024-40711 (Veeam deserialization); CVE-2023-20269 (Cisco ASA)
hash (sha256) Full hash tables in CISA advisory AA24-109A PDF (Tables 2–9) — covers encryptors, tools, and utilities observed June 2023–August 2025

Mitigation & Defense

Mitigations derived from CISA advisory AA24-109A, S-RM incident reporting, and field observations. Credential security and edge device patching address the primary initial access paths. IoT hygiene addresses the documented EDR bypass technique.

  • Enforce phishing-resistant MFA on all VPN and remote access: Akira's dominant initial access path is VPN credential compromise against devices lacking MFA. Phishing-resistant MFA — hardware tokens, FIDO2/passkeys — closes the primary attack vector. Standard TOTP-based MFA provides some protection but is bypassed by SonicWall OTP seed compromise as documented in the CISA advisory.
  • Patch SonicWall, Veeam, and Cisco edge devices immediately: CVE-2024-40766 (SonicWall), CVE-2024-40711 (Veeam), and CVE-2023-20269 (Cisco ASA) are all documented Akira initial access vectors. Treat critical CVEs on internet-facing appliances as P0 patches with a 48-hour remediation target, not standard patch cycle windows.
  • Isolate IoT and OT devices on segmented networks: The webcam EDR bypass was only possible because the webcam had SMB-level network access to production Windows servers. IoT devices — cameras, fingerprint scanners, building management systems — must be on a dedicated VLAN with no lateral access to server or workstation segments. Firmware on all IoT devices should be updated regularly and default credentials changed.
  • Monitor and alert on RMM tool installations: AnyDesk and LogMeIn installed outside normal change management procedures are strong indicators of active compromise. Alert immediately on any new RMM installation on domain-joined systems. Maintain an approved RMM allowlist and block unapproved tools at the endpoint.
  • Protect Veeam and backup infrastructure as tier-0 assets: Akira specifically targets backup credential extraction before triggering encryption. Backup servers should be network-isolated, requiring separate privileged credentials not stored or accessible from production domain infrastructure. Offline or immutable backup copies must exist outside any network segment reachable from production.
  • Detect WMI-based shadow copy deletion: Akira uses WMI Win32_Shadowcopy deletion instead of vssadmin.exe specifically because many SIEM rules detect the latter. Create detection rules for WMI queries targeting Win32_Shadowcopy with delete operations. Alert on this behavior immediately as a pre-encryption signal.
  • Implement 24/7 SOC coverage or MDR with sub-two-hour response SLA: Documented Akira incidents include data exfiltration completion within approximately two hours of initial access. An organization with next-business-day security review of alerts cannot respond before data is already staged for exfiltration. If in-house 24/7 monitoring is not feasible, an MDR provider with a contractual response SLA of two hours or less is the minimum viable alternative.
  • Monitor for itadm local account creation: The creation of a local account named itadm is a specific documented Akira persistence mechanism. Alert on any new local account creation on domain-joined systems, particularly outside authorized change windows. Treat itadm creation as a confirmed compromise indicator requiring immediate IR activation.
  • Harden Nutanix AHV environments: Following the June 2025 first Nutanix AHV compromise, organizations running Nutanix should ensure AHV management interfaces are not internet-facing, require MFA for Prism access, and apply all pending Nutanix security patches. Treat AHV as equivalent to ESXi in terms of ransomware exposure — the assumption that it is safe simply because it is less frequently targeted is no longer valid.
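The host-side detections called for in the TTP table above and in the RMM, shadow copy and itadm bullets here, combined into one added example that is not CISA's or any vendor's code: it runs over constructed Sysmon process-creation and Security 4720 events, fires the Akira-specific rules, and escalates hosts where more than one link of the chain appears. Event field names, the RMM allowlist and the sample events are assumptions.

```python
"""Akira host-side detections over constructed telemetry. Added example; the
event shapes, the RMM allowlist and the sample events are assumptions."""
import re
from collections import defaultdict

# Constructed sample events: a subset of Sysmon EID 1 (process creation) and
# Security 4720 (local account created) fields. Not real incident data.
SAMPLE_EVENTS = [
    {"host": "FS01", "id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1741139464.12 2>&1"},
    {"host": "FS01", "id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"},
    {"host": "WS22", "id": 4720, "target_user": "itadm"},
    {"host": "WS22", "id": 1, "image": r"C:\Users\jsmith\Downloads\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Users\jsmith\Downloads\AnyDesk.exe --install"},
    {"host": "WS09", "id": 1, "image": r"C:\Program Files\ApprovedRMM\agent.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "agent.exe --service"},
    {"host": "WS09", "id": 4720, "target_user": "helpdesk2"},
]

# Assumed RMM policy: RMM_NAMES are the tools named in this profile; only
# binaries in RMM_ALLOWLIST went through change management (constructed).
RMM_NAMES = {"anydesk.exe", "logmein.exe"}
RMM_ALLOWLIST = {"agent.exe"}

# Impacket wmiexec.py redirects command output to \\127.0.0.1\ADMIN$\__<timestamp>
# and the cmd.exe it launches has WmiPrvSE.exe as parent.
WMIEXEC_OUTPUT_RE = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_shadow_copy_deletion(cmdline):
    """Catch the WMI Win32_Shadowcopy route Akira prefers, plus the vssadmin
    route most SIEM rules already cover, so neither slips past."""
    cl = cmdline.lower()
    return "delete" in cl and ("shadowcopy" in cl or ("vssadmin" in cl and "shadows" in cl))


def is_wmiexec_pattern(ev):
    return (basename(ev["image"]) == "cmd.exe"
            and basename(ev["parent"]) == "wmiprvse.exe"
            and WMIEXEC_OUTPUT_RE.search(ev["cmdline"]) is not None)


def detect(events):
    """Return (host, severity, rule, evidence) tuples for every rule that fires."""
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["id"] == 4720:
            if ev["target_user"].lower() == "itadm":
                findings.append((host, "critical", "akira_itadm_account", ev["target_user"]))
            else:
                findings.append((host, "medium", "local_account_created", ev["target_user"]))
        elif ev["id"] == 1:
            if is_shadow_copy_deletion(ev["cmdline"]):
                findings.append((host, "high", "shadow_copy_deletion", ev["cmdline"]))
            if is_wmiexec_pattern(ev):
                findings.append((host, "high", "wmiexec_remote_exec", ev["cmdline"]))
            name = basename(ev["image"])
            if name in RMM_NAMES and name not in RMM_ALLOWLIST:
                findings.append((host, "high", "unapproved_rmm", name))
    return findings


def ir_triggers(findings):
    """Hosts needing immediate IR: any critical finding, or two or more distinct
    Akira rules on one host (the chain, not a single tool, is the signal)."""
    rules, critical = defaultdict(set), set()
    for host, sev, rule, _ in findings:
        rules[host].add(rule)
        if sev == "critical":
            critical.add(host)
    return sorted(h for h, r in rules.items() if h in critical or len(r) >= 2)


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print("%-5s %-8s %-22s %s" % f)
    print("IR triggers:", ir_triggers(detect(SAMPLE_EVENTS)))
```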

law enforcement status

As of March 2026, Akira has not been subject to OFAC sanctions, criminal indictments, or a law enforcement disruption operation. No members have been publicly identified or charged. The group continues to operate at full capacity with no indication of imminent law enforcement action. This distinguishes Akira from LockBit (FBI disrupted February 2024) and RansomHub (infrastructure dark April 2025) and means its affiliate network remains intact and active.

— end of profile — last updated 2026-03-26