Cybersecurity News & Analysis · github defconxt · © 2026 · blacktemple.net

Akira

Also known as: Akira Ransomware · Storm-1567

Tags: ransomware
Nation: Unknown
Active Since: 2023
Targets: Small and Medium Business, Manufacturing, Financial Services, Healthcare, Education, Critical Infrastructure, Technology
Known Tools: Akira Ransomware, Megazord, AnyDesk, WinRAR, RClone, PCHunter, Mimikatz, LaZagne, Advanced IP Scanner, Cobalt Strike
MITRE ATT&CK: T1133, T1078, T1190, T1059.001, T1059.003, T1486, T1490, T1562.001, T1021.001, T1048, T1219, T1003.001, T1070.004, T1036, T1110.003
References: CISA Advisory AA24-109A; MITRE ATT&CK; Cisco Talos - Akira Ransomware; Arctic Wolf - Akira Analysis

Background

Akira ransomware emerged in March 2023 and within its first year became one of the most active ransomware operations globally, compromising over 250 organizations and collecting over $42 million in ransom payments. The group likely has connections to the disbanded Conti ransomware ecosystem — sharing code similarities with Conti's codebase and exhibiting similar operational characteristics. Akira gained particular prominence in mid-2023 when Cisco disclosed that the group was systematically targeting Cisco ASA and FTD VPN appliances lacking multi-factor authentication, exploiting this access to compromise hundreds of organizations.

The group operates a dual-extortion model: encrypting victim data while also exfiltrating sensitive information to its dark web leak site, which features a retro 1980s-style terminal aesthetic. Unlike some ransomware groups, Akira has historically been willing to negotiate ransom amounts with victims, often accepting significantly less than the initial demand.

Akira has demonstrated technical versatility, developing Linux variants targeting VMware ESXi servers alongside Windows versions. The group also released a Rust-based variant called Megazord in 2024, demonstrating ongoing tooling development. By early 2025, Akira had maintained consistently high activity levels, targeting organizations of all sizes with particular emphasis on small and medium-sized businesses that may have less sophisticated security controls.

Notable Campaigns

Cisco VPN Exploitation Campaign (2023) — Cisco disclosed that Akira was systematically exploiting Cisco ASA and FTD VPN appliances without MFA enabled. The group used brute force or credential stuffing to authenticate to these devices, then used the VPN access to move laterally through corporate networks. This campaign affected hundreds of organizations and prompted Cisco to issue emergency guidance and IOC disclosures.

Stanford University Breach (2024) — Akira compromised Stanford University's Department of Public Safety network, stealing 430 gigabytes of data including sensitive law enforcement records and personal information. The incident highlighted the group's targeting of educational institutions with law enforcement or government adjacency.

Nissan Oceania Attack (2024) — Akira claimed responsibility for a cyberattack on Nissan Oceania affecting operations in Australia and New Zealand. The group exfiltrated data including personal information of current and former employees, dealers, and customers, affecting approximately 100,000 individuals.

Nordic Healthcare Targeting (2023-2024) — Akira conducted multiple attacks against Nordic healthcare organizations, including Swedish and Norwegian hospital networks. The attacks disrupted patient management systems and forced manual procedures for patient intake and record management.

Tactics, Techniques & Procedures

VPN Appliance Exploitation — Akira's defining initial access method is exploitation of VPN appliances lacking multi-factor authentication (T1133, T1078). The group targets Cisco ASA, Cisco FTD, and SonicWall VPN appliances with credential stuffing or brute force. Once authenticated to the VPN, the group gains network-level access equivalent to a legitimate remote user, enabling lateral movement without triggering perimeter alerts.

Post-Compromise Methodology — After VPN access, Akira uses RDP for lateral movement (T1021.001) and conducts extensive network reconnaissance with Advanced IP Scanner. Credential harvesting uses Mimikatz, LaZagne, and browser credential extraction. The group identifies and targets backups for deletion before ransomware deployment to maximize pressure on victims.

Ransomware Deployment — Windows Akira ransomware uses ChaCha20 encryption with RSA-4096 for key protection. Linux/ESXi variants use the same encryption but target VMware VMDK files. The ransomware deletes shadow copies and backup files, then appends .akira to encrypted files. Megazord (Rust-based variant) uses Chacha20Poly1305 encryption and appends .powerranges to encrypted files.

Double Extortion and Negotiation — Data exfiltration using RClone precedes encryption. Exfiltrated data is uploaded to Akira's Tor-hosted leak site. The group maintains active negotiation capabilities and has demonstrated willingness to reduce demands significantly in exchange for prompt payment, or when negotiators make the case that the victim is under-resourced.

Tools & Malware

  • Akira Ransomware — Custom C++ ransomware for Windows, using ChaCha20 symmetric encryption with RSA-4096 key wrapping. Encrypts all accessible files except system-critical components needed for the system to remain operable enough to display ransom notes. Appends .akira extension. ESXi Linux variant targets VMDK files.
  • Megazord — A Rust-based ransomware variant representing Akira's next-generation tooling. Uses Chacha20Poly1305 encryption and appends .powerranges extension to encrypted files.
  • PCHunter — A Windows system monitoring tool repurposed to identify and terminate security software processes that cannot be disabled through standard means.
  • RClone — Open-source cloud sync utility used for large-scale data exfiltration to attacker-controlled cloud storage before ransomware deployment.
  • LaZagne — An open-source credential recovery tool that extracts passwords from browsers, email clients, database tools, and other applications.
  • AnyDesk — Legitimate remote access tool used for persistent access during attacks, enabling interactive access without deploying additional malware.
  • Advanced IP Scanner — Network scanning tool used for internal network reconnaissance and identification of additional targets.
  • WinRAR — Used to compress stolen data before exfiltration via RClone.

Indicators & Detection

VPN and Remote Access Hardening — Implement multi-factor authentication on all VPN and remote access solutions immediately; this single control would have prevented the majority of documented Akira intrusions. Monitor VPN authentication logs for credential stuffing patterns (high volume of failures followed by a success). Patch Cisco ASA, FTD, and SonicWall appliances promptly. Disable legacy VPN authentication protocols that do not support MFA.
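The "many failures, then a success" pattern above as detection logic over VPN authentication logs. This is an added example, not code from the original page; the line format, the sample IPs and account names, and the thresholds are all constructed, and the parser is not written for Cisco ASA/FTD or SonicWall syslog syntax.

```python
"""Detect credential stuffing (many failures, then a success) in VPN auth logs.
Added example, not from the original page; the log format is constructed and is
not Cisco ASA/FTD or SonicWall syslog syntax."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
                     r"result=(?P<result>SUCCESS|FAILURE)$")

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip malformed lines instead of crashing the detector
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "user": m["user"], "ok": m["result"] == "SUCCESS"}

def detect_stuffing(lines, window=timedelta(minutes=10), min_failures=5, min_users=3):
    """Alert when one source IP accumulates >= min_failures failures across
    >= min_users distinct accounts inside `window` and then logs a success.
    The distinct-account condition separates stuffing from one user's typos."""
    recent = defaultdict(list)  # src -> [(ts, user)] failures still inside window
    alerts = []
    for ev in filter(None, map(parse, lines)):
        fails = [f for f in recent[ev["src"]] if ev["ts"] - f[0] <= window]
        recent[ev["src"]] = fails
        if ev["ok"]:
            users = {u for _, u in fails}
            if len(fails) >= min_failures and len(users) >= min_users:
                alerts.append({"src": ev["src"], "user": ev["user"],
                               "failures": len(fails), "accounts_tried": len(users),
                               "ts": ev["ts"].isoformat()})
            recent[ev["src"]] = []  # start fresh after a successful login
        else:
            fails.append((ev["ts"], ev["user"]))
    return alerts

# Constructed sample: 203.0.113.5 sprays accounts and gets in on the sixth try;
# 198.51.100.9 is a single user mistyping a password once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAILURE
2024-05-01T10:00:03Z src=203.0.113.5 user=bob result=FAILURE
2024-05-01T10:00:05Z src=203.0.113.5 user=carol result=FAILURE
2024-05-01T10:00:07Z src=203.0.113.5 user=dave result=FAILURE
2024-05-01T10:00:09Z src=203.0.113.5 user=erin result=FAILURE
2024-05-01T10:00:11Z src=203.0.113.5 user=frank result=SUCCESS
2024-05-01T10:01:00Z src=198.51.100.9 user=grace result=FAILURE
2024-05-01T10:01:05Z src=198.51.100.9 user=grace result=SUCCESS
""".splitlines()
```

In production the same logic runs over a streaming log source, and the window and thresholds should be tuned against the appliance's normal failure rate.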

Shadow Copy and Backup Monitoring — Monitor for shadow copy deletion commands (vssadmin, wbadmin, bcdedit) and immediately alert on their execution by non-backup processes. Implement offline backup solutions that cannot be accessed from the compromised network. Alert on backup software being terminated or backup job failures.

RClone and Exfiltration Detection — Monitor for RClone process execution and configuration file creation. Alert on large volumes of data being compressed and transferred to external cloud storage. Implement data loss prevention (DLP) solutions that detect and block bulk data exfiltration. Monitor upload traffic volume for anomalous spikes.
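The shadow-copy tampering rule from the previous paragraph and the RClone execution rule from this one, run over process-creation events. This is an added example, not code from the original page; the events are constructed, the event field names are not any vendor's schema, and the backup-process allowlist is an assumption that has to be tuned per environment.

```python
"""Flag shadow-copy/boot-config tampering (T1490) and RClone execution in
process-creation events. Added example, not from the original page; events are
constructed dicts in the rough shape of a Sysmon Event ID 1 export, not a vendor
schema, and the backup-process allowlist is an assumption to tune per environment."""
import re
import shlex

# Command-line shapes behind the vssadmin / wbadmin / bcdedit abuse the page lists
SHADOW_TAMPER = [
    ("vssadmin", re.compile(r"delete\s+shadows", re.I)),
    ("vssadmin", re.compile(r"resize\s+shadowstorage", re.I)),
    ("wbadmin", re.compile(r"delete\s+(catalog|systemstatebackup)", re.I)),
    ("bcdedit", re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.I)),
]
BACKUP_PARENTS = {"veeam.backup.service.exe", "backupexec.exe"}  # assumed allowlist

def exe_name(cmdline):
    """Lower-cased base name of the first token, e.g. 'rclone.exe'."""
    try:
        first = shlex.split(cmdline, posix=False)[0]
    except (ValueError, IndexError):
        return ""
    return first.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    image = exe_name(event["cmdline"])
    if image.startswith("rclone"):
        return "rclone_execution"
    tool = image[:-4] if image.endswith(".exe") else image
    for name, pattern in SHADOW_TAMPER:
        if tool == name and pattern.search(event["cmdline"]):
            # allowlisted backup products may manage shadow storage themselves
            if event.get("parent", "").lower() in BACKUP_PARENTS:
                return None
            return f"shadow_copy_tamper:{name}"
    return None

def scan(events):
    verdicts = ((ev["host"], classify(ev)) for ev in events)
    return [(host, v) for host, v in verdicts if v]

SAMPLE_EVENTS = [  # constructed
    {"host": "ws01", "parent": "cmd.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "srv02", "parent": "veeam.backup.service.exe",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=UNBOUNDED"},
    {"host": "ws01", "parent": "powershell.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "ws03", "parent": "explorer.exe",
     "cmdline": "C:\\Temp\\rclone.exe copy D:\\Finance remote:dump --transfers 32"},
    {"host": "ws04", "parent": "explorer.exe", "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"},
]
```

Matching on the image name alone misses a renamed rclone binary, so pair this rule with the upload-volume and configuration-file monitoring the paragraph describes.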

Akira File Extension Detection — Implement file system monitoring that alerts on the creation of files with .akira or .powerranges extensions. At scale across multiple directories, this indicates active ransomware execution and should trigger immediate incident response. Isolate affected systems from the network immediately upon detection.
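The "at scale across multiple directories" condition above, expressed as a burst detector over file-creation events. This is an added example, not code from the original page; the event tuples, host names, share paths and thresholds are constructed, and `sample_events` is a hypothetical feed built for the demonstration.

```python
"""Alert on bursts of .akira / .powerranges file creation spanning several
directories on one host. Added example, not from the original page; events are
constructed (iso_timestamp, host, path) tuples, not a vendor schema."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

AKIRA_EXTENSIONS = {".akira", ".powerranges"}

def is_akira_artifact(path):
    return PureWindowsPath(path).suffix.lower() in AKIRA_EXTENSIONS

def detect_encryption_burst(events, window=timedelta(seconds=60), min_files=10, min_dirs=3):
    """Fire once per host when, inside `window`, both the number of matching files
    and the number of distinct parent directories cross their thresholds.  One
    stray file in one directory (a user renaming something) stays silent."""
    hits = defaultdict(list)  # host -> [(ts, directory)] inside the window
    fired, alerts = set(), []
    for ts_str, host, path in events:
        if host in fired or not is_akira_artifact(path):
            continue
        ts = datetime.fromisoformat(ts_str)
        hits[host] = [h for h in hits[host] if ts - h[0] <= window]
        hits[host].append((ts, str(PureWindowsPath(path).parent).lower()))
        dirs = {d for _, d in hits[host]}
        if len(hits[host]) >= min_files and len(dirs) >= min_dirs:
            fired.add(host)  # one alert per host; the response is isolation, not re-alerting
            alerts.append({"host": host, "files": len(hits[host]),
                           "directories": sorted(dirs),
                           "first_seen": hits[host][0][0].isoformat()})
    return alerts

def sample_events():
    """Constructed feed: ws07 encrypts across three share directories within
    seconds; ws08 shows a single hit in one directory that must not alert."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    dirs = ["D:\\Shares\\finance", "D:\\Shares\\hr", "D:\\Shares\\legal"]
    events = [((base + timedelta(seconds=i)).isoformat(), "ws07",
               f"{dirs[i % 3]}\\doc{i}.docx.akira") for i in range(12)]
    events.append((base.isoformat(), "ws08", "C:\\Users\\bob\\test.akira"))
    return events
```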
