Akira ransomware has moved from a “new name on the leak sites” to one of the dominant extortion operations in just a few years. Since its appearance in early 2023, the group has compromised more than 250 organizations across North America, Europe, and Australia. At the same time, law-enforcement reporting and independent analysis now estimate Akira’s cumulative haul at roughly $240–$250 million in ransom payments, a figure that keeps climbing as new victims surface.
Because Akira runs as a ransomware-as-a-service (RaaS) program, core operators develop the tooling and infrastructure while affiliates handle intrusion work. Consequently, intrusion quality varies, yet the end state remains consistent: multi-stage extortion that blends encryption, data theft, and pressure via a public leak site.
Who Akira goes after and why it matters
Akira ransomware operators primarily pursue small and medium-sized businesses, although they routinely hit large enterprises when an opportunity appears. Manufacturing, education, managed service providers, IT services, healthcare, and financial services all sit high on their target list.
Attackers focus on organizations that expose edge infrastructure or remote-access services, that lag on patching, or that still run legacy platforms. Because those environments often support critical operations but lack mature detection coverage, Akira affiliates enjoy broad lateral movement once they establish a foothold. As a result, a single compromise can cascade into weeks of downtime, lost revenue, contractual penalties, and long-term brand damage.
Moreover, Akira’s leak site strategy makes the group especially dangerous for organizations that store regulated or highly sensitive data. Even when a victim restores from backups, the extortion demand continues because the stolen records (customer files, intellectual property, legal documents) fuel the pressure campaign.
How Akira ransomware gains initial access
Akira affiliates rarely rely on a single entry technique. Instead, they chain together remote-access weaknesses, credential theft, and vulnerable edge appliances:
First, they often hunt for VPN gateways without multi-factor authentication or with weak policy enforcement. When they discover exposed portals, they test credential pairs obtained from stealer logs, dark-web dumps, or previous compromises. If the organization reuses passwords or lacks MFA on privileged accounts, a single hit delivers immediate entry.
Next, they actively probe Cisco, SonicWall, and other edge devices for known exploited vulnerabilities. Public reporting links Akira campaigns to issues such as CVE-2023-20269 in Cisco ASA/FTD software and later flaws in SonicWall SSL VPN appliances. Even when vendors ship patches, unmaintained devices and end-of-life hardware create a durable attack surface.
Additionally, Akira actors lean on social-engineering and exposed remote-management tools. When they identify internet-facing RMM agents or misconfigured remote-desktop services, they attempt credential stuffing or exploit misconfigurations to land on high-value servers quickly.
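The two VPN-side patterns described above, credential testing against many accounts from one source and a successful login by a privileged account that never presented MFA, can be triaged straight from gateway authentication logs. The Python below is an added example, not code from the original post or from any VPN vendor: the JSON log schema, the sample lines, the privileged-account list and the thresholds are all constructed for illustration, and the field names are assumptions rather than any product's real format.

```python
"""Triage of VPN gateway authentication logs for two initial-access patterns:
credential testing against many accounts from one source IP, and successful
logins by privileged accounts without MFA. Log format and all sample lines
are constructed for this example (not a real vendor schema)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: JSON lines as a hypothetical VPN gateway might emit them.
SAMPLE_LOG = """
{"ts": "2024-05-01T02:00:01Z", "user": "jsmith", "src_ip": "203.0.113.10", "result": "fail", "mfa": false}
{"ts": "2024-05-01T02:00:04Z", "user": "mlee", "src_ip": "203.0.113.10", "result": "fail", "mfa": false}
{"ts": "2024-05-01T02:00:07Z", "user": "admin-svc", "src_ip": "203.0.113.10", "result": "fail", "mfa": false}
{"ts": "2024-05-01T02:00:11Z", "user": "rpatel", "src_ip": "203.0.113.10", "result": "fail", "mfa": false}
{"ts": "2024-05-01T02:00:15Z", "user": "backup-admin", "src_ip": "203.0.113.10", "result": "success", "mfa": false}
{"ts": "2024-05-01T08:15:00Z", "user": "jsmith", "src_ip": "198.51.100.7", "result": "success", "mfa": true}
{"ts": "2024-05-01T09:02:00Z", "user": "mlee", "src_ip": "198.51.100.9", "result": "fail", "mfa": false}
{"ts": "2024-05-01T09:02:30Z", "user": "mlee", "src_ip": "198.51.100.9", "result": "success", "mfa": true}
"""

# Accounts whose VPN access should always require MFA (constructed list).
PRIVILEGED_ACCOUNTS = {"admin-svc", "backup-admin", "domain-admin"}


def parse_log(text):
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_credential_stuffing(events, min_users=4, window=timedelta(minutes=10)):
    """Source IPs that failed against >= min_users distinct accounts inside
    any sliding window of `window` length. Returns {ip: [users]}."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "fail":
            failures[ev["src_ip"]].append(ev)
    flagged = {}
    for ip, evs in failures.items():
        for i, start in enumerate(evs):  # evs are already time-ordered
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def find_privileged_logins_without_mfa(events):
    """Successful logins by privileged accounts that never presented MFA."""
    return [(ev["user"], ev["src_ip"]) for ev in events
            if ev["result"] == "success" and not ev["mfa"]
            and ev["user"] in PRIVILEGED_ACCOUNTS]


def find_success_after_stuffing(events, stuffing):
    """Highest-priority finding: a success from a source that was just testing
    credentials, i.e. one of the tested pairs worked."""
    return [(ev["user"], ev["src_ip"]) for ev in events
            if ev["result"] == "success" and ev["src_ip"] in stuffing]


def triage(text):
    events = parse_log(text)
    stuffing = find_credential_stuffing(events)
    return {
        "stuffing_sources": stuffing,
        "no_mfa_privileged": find_privileged_logins_without_mfa(events),
        "success_after_stuffing": find_success_after_stuffing(events, stuffing),
    }


if __name__ == "__main__":
    for finding, value in triage(SAMPLE_LOG).items():
        print(finding, value)
```

The sliding window matters more than the raw failure count: four failures spread over a week from one office IP is normal, four distinct users from one address in ten seconds is not. On the constructed sample the same source that tested four accounts then logs in as `backup-admin` without MFA, which is exactly the sequence the text describes and the finding a responder should open first.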
Evolution of the Akira encryptor and cross-platform capability
The first Akira ransomware samples appeared as a Windows-only C++ payload that appended the “.akira” extension to encrypted files. Soon after, the operators released a Linux variant capable of targeting VMware ESXi infrastructures, which allowed them to disrupt virtualized workloads at scale.
As the campaign matured, the group introduced the so-called “Megazord” Rust-based encryptor, which marks files with a “.powerranges” extension. This variant improves portability and complicates static analysis, while still integrating with Akira’s broader tooling. Moreover, more recent incidents show Akira actors encrypting Nutanix AHV virtual disks after they exploit SonicWall vulnerabilities such as CVE-2024-40766 on perimeter devices.
Under the hood, Akira uses a hybrid encryption model that combines fast symmetric ciphers like ChaCha20 with asymmetric RSA keys for session-key protection. Consequently, defenders cannot rely on simple key reuse mistakes or trivial cryptographic weaknesses to recover data; mitigation depends on backups, segmentation, and incident-response discipline rather than decryption shortcuts.
Double extortion, credential theft, and lateral movement
Once inside a network, Akira operators behave like any mature ransomware crew. They enumerate the environment, escalate privileges, exfiltrate data, and only then trigger encryption.
They frequently create new domain accounts and abuse built-in tools such as PowerShell, WMIC, and PsExec to pivot laterally. At the same time, they deploy credential-theft utilities like Mimikatz and LaZagne to harvest cached credentials and tokens from memory. When they need persistence that blends into normal activity, they install remote-access tools such as AnyDesk or LogMeIn on servers and administrator workstations.
For data theft, Akira affiliates commonly use FileZilla, WinSCP, or Rclone to stage and push archives to external cloud storage. Before they drop the encryptor, they run PowerShell commands that remove Volume Shadow Copies and interfere with built-in recovery mechanisms.
Finally, the ransomware binary writes a ransom note such as “fn.txt” or “akira_readme.txt” into impacted directories. Each note includes a TOR-based negotiation URL and a unique identifier so the victim can prove control of the compromised environment. Payment demands usually arrive in Bitcoin, and the group threatens to publish stolen data publicly if negotiations fail.
Operational lessons from the Akira campaigns
Security teams can treat Akira ransomware as a stress test for their edge security and identity posture. If attackers repeatedly succeed through the same classes of weaknesses, the environment probably carries systemic risk, not just a single-device misconfiguration.
Organizations that rely heavily on VPN access for administrators or contractors should enforce strong MFA, strict device hygiene, and conditional-access controls. At the same time, they should harden Cisco, SonicWall, and similar perimeter devices with current firmware, restricted management exposure, and logging that forwards into SIEM or XDR platforms for correlation.
Because Akira operators live off the land, defenders gain value from behavioral analytics rather than signature hunting alone. Sudden surges in remote-desktop activity, abnormal use of tools like AnyDesk on servers, unplanned account creation, or large volumes of outbound data from unexpected systems all provide opportunities to spot an Akira intrusion before encryption fires.
Practical defense pointers for teams facing Akira ransomware
Teams that want to reduce the likelihood and impact of an Akira ransomware event should start with fundamentals and then layer on threat-specific controls.
First, they should maintain offline, tested backups of critical workloads and ensure that backup infrastructure sits behind separate credentials and network paths. Additionally, they should review their remote-access surface, retire end-of-life VPN appliances, and close portals that no longer serve a business need.
Next, they should enforce least privilege across domain admins, service accounts, and privileged groups, because Akira affiliates actively search for over-provisioned identities and unmonitored administrative tools. Moreover, they should instrument high-value assets (domain controllers, hypervisors, core application servers) with robust logging and telemetry that feeds into centralized monitoring.
FAQs
Q: What makes Akira ransomware different from older families?
A: Akira combines a mature RaaS business model, multi-platform encryptors, and aggressive double-extortion tactics. Because affiliates focus on VPNs, edge devices, and identity weaknesses, they often bypass traditional email-centric defenses.
Q: Which organizations sit at highest risk from Akira?
A: Small and mid-sized organizations with exposed VPNs, legacy firewalls, inconsistent MFA, and flat internal networks face the most risk. However, large enterprises with unmanaged subsidiaries or legacy environments also present attractive targets.
Q: Does paying the ransom guarantee that data stays private?
A: No. Even if a victim pays and receives a decryption key, nothing prevents the threat actors from reselling or leaking the stolen data later. From a risk perspective, payment buys time and decryption assistance, not a binding guarantee of confidentiality.
Q: Where should defenders focus first if resources are limited?
A: They should prioritize closing remote-access gaps, enforcing MFA on administrative accounts, patching exposed edge devices, and validating backups. These steps reduce the likelihood of a catastrophic Akira intrusion more than any single “silver bullet” product.
Q: How should SOC teams adapt their detection content for Akira?
A: SOC teams should enrich detections around VPN logins, new domain accounts, suspicious use of remote-access tools, and bulk data transfers from servers that usually stay quiet. Additionally, they should monitor for tools such as Mimikatz, Rclone, and unexpected PowerShell-based shadow-copy deletions.
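Both the behavioural signals listed under the operational lessons above (AnyDesk on servers, unplanned account creation, bulk transfers from quiet systems) and the detection content this answer names (Rclone, credential-theft tools, PowerShell shadow-copy deletion, new domain accounts) come down to scoring host telemetry so that a responder works the noisiest host first. The Python below is an added example, not code from the original post or from any EDR or SIEM product: the event schema, the sample events, the rule weights and the threshold are constructed assumptions, and the command-line patterns are the generic shadow-copy deletion forms found in public detection rules.

```python
"""Host-telemetry triage for post-compromise behaviour: shadow-copy deletion,
remote-access and exfiltration tools on servers, credential-theft utilities,
and unplanned account creation. The event schema, sample events and weights
are constructed for this example, not any vendor's format."""
import re
from collections import defaultdict

# Constructed sample events: process creations plus one account-creation event.
SAMPLE_EVENTS = [
    {"host": "DC01", "role": "server", "type": "process", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "DC01", "role": "server", "type": "process", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"},
    {"host": "FS02", "role": "server", "type": "process", "user": "CORP\\svc-backup",
     "image": "C:\\Users\\Public\\rclone.exe", "cmdline": "rclone copy D:\\Shares remote:bucket"},
    {"host": "FS02", "role": "server", "type": "process", "user": "CORP\\svc-backup",
     "image": "C:\\ProgramData\\AnyDesk\\AnyDesk.exe", "cmdline": "AnyDesk.exe --service"},
    {"host": "DC01", "role": "server", "type": "account_created", "user": "CORP\\svc-backup",
     "target": "CORP\\helpdesk2", "image": "", "cmdline": ""},
    {"host": "WS117", "role": "workstation", "type": "process", "user": "CORP\\jsmith",
     "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"host": "WS117", "role": "workstation", "type": "process", "user": "CORP\\jsmith",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# Generic shadow-copy deletion forms (as in public detection rules), case-insensitive.
SHADOW_COPY_PATTERNS = [r"vssadmin.*delete\s+shadows", r"wmic.*shadowcopy.*delete",
                        r"win32_shadowcopy.*delete"]
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "logmein.exe"}
EXFIL_TOOLS = {"rclone.exe", "winscp.exe", "filezilla.exe"}
CRED_TOOLS = ("mimikatz", "lazagne")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Each rule returns a weight (0 = no hit). Weights are a constructed scoring scheme.
def rule_shadow_copy(ev):
    hit = ev["type"] == "process" and any(
        re.search(p, ev["cmdline"], re.I) for p in SHADOW_COPY_PATTERNS)
    return 5 if hit else 0


def rule_remote_access_tool(ev):
    if ev["type"] != "process" or basename(ev["image"]) not in REMOTE_ACCESS_TOOLS:
        return 0
    return 3 if ev["role"] == "server" else 1  # routine on workstations, abnormal on servers


def rule_exfil_tool_on_server(ev):
    hit = ev["type"] == "process" and ev["role"] == "server" and basename(ev["image"]) in EXFIL_TOOLS
    return 4 if hit else 0


def rule_cred_tool(ev):
    blob = (ev["image"] + " " + ev["cmdline"]).lower()
    return 5 if ev["type"] == "process" and any(t in blob for t in CRED_TOOLS) else 0


def rule_new_account(ev):
    return 2 if ev["type"] == "account_created" else 0


RULES = [("shadow_copy_tampering", rule_shadow_copy),
         ("remote_access_tool", rule_remote_access_tool),
         ("exfil_tool_on_server", rule_exfil_tool_on_server),
         ("credential_theft_tool", rule_cred_tool),
         ("account_created", rule_new_account)]


def evaluate(events):
    """{host: {"score": int, "hits": [rule names]}} for every host with at least one hit."""
    result = defaultdict(lambda: {"score": 0, "hits": []})
    for ev in events:
        for name, rule in RULES:
            weight = rule(ev)
            if weight:
                result[ev["host"]]["score"] += weight
                result[ev["host"]]["hits"].append(name)
    return dict(result)


def ranked_hosts(events, threshold=5):
    """Hosts at or above the threshold, highest score first: the order to work them in.
    A lone weak signal (AnyDesk on a workstation, weight 1) stays below the line."""
    scored = evaluate(events)
    ordered = sorted(scored.items(), key=lambda kv: -kv[1]["score"])
    return [(host, r["score"]) for host, r in ordered if r["score"] >= threshold]


def pivoting_accounts(events):
    """Accounts tied to flagged activity on more than one host: the identity being used to pivot."""
    seen = defaultdict(set)
    for ev in events:
        if any(rule(ev) for _, rule in RULES):
            seen[ev["user"]].add(ev["host"])
    return {u: sorted(h) for u, h in seen.items() if len(h) > 1}


if __name__ == "__main__":
    print(ranked_hosts(SAMPLE_EVENTS))
    print(pivoting_accounts(SAMPLE_EVENTS))
```

Scoring rather than alerting on each rule separately is what turns the text's list of tools into a usable queue: on the constructed sample the domain controller scores highest because shadow-copy deletion and account creation stack, the file server follows on exfiltration tooling plus a remote-access tool, and the workstation running AnyDesk never crosses the threshold. The `pivoting_accounts` view then names the one account tied to flagged activity on both servers, which is the credential to disable before anything else.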