Akira is a double-extortion ransomware operation active since March 2023 and one of the most profitable groups in the current RaaS ecosystem. The group has focused its operations on mid-sized and large organizations across sectors such as manufacturing, healthcare, education, financial services, and MSPs.
Unlike other groups that rely on a single access vector, Akira combines multiple methods: stolen credentials, password spraying, exploitation of exposed VPNs, RDP access, and abuse of remote administration tools. The group also stands out for its rapid adaptation to new virtualized environments, including VMware ESXi, Hyper-V, and more recently Nutanix AHV.
It operates under a RaaS (Ransomware-as-a-Service) model, allowing different affiliates to use the locker and leak infrastructure in exchange for a revenue share. Since its emergence, authorities estimate that Akira has obtained more than $244 million in ransom payments.
Chronology and Evolution
- March 2023: Akira publicly emerged targeting Windows and Linux environments.
- Late 2023: dedicated lockers for VMware ESXi environments began to appear.
- 2024: the group adopted Rust-based variants and the family commonly referred to as Megazord, designed for virtualized infrastructures.
- 2025: campaigns increasingly focused on Nutanix AHV and enterprise hypervisors.
This evolution shows that Akira is no longer focused only on traditional endpoints and is increasingly attempting to maximize impact by encrypting complete virtualization and backup infrastructures.
Attack Summary
| Phase | Description |
|---|---|
| Initial Access | VPN without MFA, SonicWall SSL VPN, exposed RDP, stolen credentials, password spraying |
| Reconnaissance | Enumeration of SMB shares, hypervisor discovery, domain controllers, and backup servers |
| Credential Access | Credential theft, valid account abuse, credential extraction from LSASS |
| Lateral Movement | PsExec, SMB, RDP, AnyDesk, Atera, ScreenConnect |
| Exfiltration | Pre-encryption exfiltration through Rclone, WinSCP, MEGA, or cloud tools |
| Persistence | RMM installation, creation of administrative accounts, persistent VPN access |
| Anti-recovery | Deletion of Shadow Copies, Defender disabling, and backup destruction |
| Impact | ChaCha8 / ChaCha20 + RSA encryption across Windows, Linux, ESXi, Hyper-V, and Nutanix AHV |
Initial Access
The most frequent vector in Akira remains access through compromised valid credentials. The group particularly exploits internet-exposed VPN services without MFA, SonicWall SSL VPN, RDP access, and reused credentials obtained from previous leaks.
In recent campaigns, Akira has been linked to exploitation of vulnerable SonicWall SSL VPN devices and CVE-2024-40766, as well as attacks against infrastructures with poorly segmented or unprotected remote access.
Recent investigations have also linked Akira to:
- CVE-2023-20269 affecting Cisco ASA and Cisco FTD devices
- CVE-2024-37085 associated with VMware ESXi environments
- Password spraying against VPN portals, authentication services, and exposed domain controllers
Credential Access
Once inside, Akira attempts to consolidate access through credential extraction from LSASS, use of existing administrative accounts, and theft of credentials stored in browsers, VPN clients, or RMM tools.
Across multiple incidents, researchers have observed the use of tools such as Mimikatz, LaZagne, ProcDump, PowerShell, and legitimate RMM tools such as AnyDesk, Atera, and ScreenConnect.
Researchers have also documented the use of SharpHound to map privileged relationships inside Active Directory and identify fast paths toward Domain Admin privileges.
With Domain Admin credentials, the group quickly pivots toward domain controllers, SMB shares, NAS devices, backup systems, and virtualization platforms.
Persistence and Evasion
Akira often installs legitimate remote access tools to maintain persistence even if the main malware is removed. The most common ones include AnyDesk, Atera, ScreenConnect, TeamViewer, and Remote Utilities.
Creation of new administrative accounts, GPO modification, and tampering with Windows Defender settings have also been documented as ways to reduce detection capability. In several incidents, operators used PowerShell to disable Microsoft Defender and manipulate exclusion policies.
Akira also commonly creates scheduled tasks, services, and legitimate-looking process names to evade detection and remain active after system reboots.
Lateral Movement
Lateral movement is mainly carried out through SMB, PsExec, PaExec, RDP, PowerShell Remoting, Windows administrative tools, and reused Domain Admin credentials.
Akira gives special priority to virtualized environments because they allow maximum impact. Once ESXi, Hyper-V, or Nutanix AHV hosts are located, attackers deploy dedicated lockers to encrypt multiple virtual machines at once.
Recent campaigns show a growing interest in vulnerable VMware infrastructures, especially where reused credentials or weaknesses such as CVE-2024-37085 facilitate access to ESXi hosts.
Exfiltration
Akira exfiltrates data before encryption to apply double extortion. Stolen data includes databases, contracts, financial information, customer data, healthcare records, internal documents, and email copies.
The most observed tools for exfiltration are Rclone, WinSCP, FileZilla, MEGA, and attacker-controlled cloud services. If the victim does not pay, Akira publishes the stolen information on its leak portal hosted on Tor.
Impact and Destruction
Before encryption, Akira removes recovery mechanisms to make restoration significantly more difficult. Operators commonly use commands such as vssadmin delete shadows, wmic shadowcopy delete, and bcdedit /set {default} recoveryenabled no to delete Shadow Copies and disable recovery options. In many cases, they also disable Microsoft Defender, remove Veeam backups, destroy backup shares accessible through SMB, and delete virtualization snapshots and checkpoints.
The ransomware mainly uses ChaCha8 or ChaCha20 together with RSA to protect the encryption key.
Windows variants usually append the .akira extension and create the ransom note akira_readme.txt. ESXi, Hyper-V, and Nutanix AHV variants directly encrypt virtual disks and associated storage, maximizing operational impact with a single execution.
Common visual indicators in Akira incidents include files renamed with the .akira extension, the presence of the akira_readme.txt ransom note, inaccessible SMB shares, virtual machines that are shut down or unavailable, deleted snapshots and backups, and suspicious services installed to maintain persistence.
Sources
- CISA Advisory — Akira Ransomware
- FBI Flash Alert — Akira Ransomware Group
- Cisco Talos — Akira Operations
- Arctic Wolf — Akira Ransomware Intrusion Analysis
- SentinelOne Anthology — Akira
- Sophos — Akira Again: The Ransomware That Keeps on Taking
Target Sectors
Sectors in which the Akira group has concentrated its attacks.
- Manufacturing and industry: Akira frequently targets industrial companies due to their high dependency on operational continuity, the coexistence of legacy systems, and the immediate economic impact when production servers or ERPs are encrypted.
- Healthcare: Hospitals, labs, and healthcare providers are priority targets due to the sensitivity of data, regulatory pressure, and low tolerance for downtime.
- Education: Educational institutions typically have a high number of users, limited resources, and a heavy reliance on remote access, making them vulnerable to credential-based attacks and password spraying.
- Financial services: Akira targets financial organizations for the value of their data, regulatory pressure, and the need to recover operations quickly after an incident.
- MSPs and technology: Managed service providers, consultants, and technology companies are especially attractive because a single compromise can provide access to multiple clients.
- Legal and professional services: Law firms, consultancies, and audit companies handle sensitive data from many clients, increasing the value of extortion and reputational risk.
Detection & Response Rules
Rules ready to import into SentinelOne XDR. Contact us for full access to the updated repository.
Detects multiple failed VPN authentication attempts from the same IP address in a short time window.
event.login.loginIsSuccessful = false
AND src.endpoint.ip.address != null
| group Attempts = count() by src.endpoint.ip.address, event.login.userName
| filter Attempts >= 10
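The rule above counts failures per source IP and account, and leaves the "short time window" to the query's time range. The following added example (not from the original page or the rule repository) applies the same threshold over raw log lines with an explicit sliding window, and additionally separates a single-account brute force from password spraying (many distinct accounts from one IP), which is the pattern described for Akira's initial access. The log line format (`<timestamp> vpn-auth src=<ip> user=<name> result=<FAIL|SUCCESS>`) and all IPs, accounts and timestamps are constructed for the example.

```python
"""Sliding-window detection of failed VPN authentications per source IP.

Added example: same idea as the rule (>= 10 failures from one IP), with an
explicit time window and a brute-force vs. password-spraying classification.
The log format and every value in the sample log are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Hypothetical log format for the example; real VPN appliances differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, success) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m["ts"], TS_FMT), m["ip"], m["user"], m["result"] == "SUCCESS")


def detect_failed_logins(log_text, threshold=10, window=timedelta(minutes=5)):
    """Alert once per IP when `threshold` failures fall inside `window`.

    Each alert records how many distinct accounts were tried: one account is a
    brute force, many accounts from one IP is password spraying.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) inside the window
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, success = parsed
        if success:
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            users = {u for _, u in q}
            alerts[ip] = {
                "ip": ip,
                "failures": len(q),
                "distinct_users": len(users),
                # half or more of the failures hit different accounts -> spraying
                "pattern": "password_spraying" if 2 * len(users) >= len(q) else "brute_force",
                "first_seen": q[0][0].strftime(TS_FMT),
                "last_seen": ts.strftime(TS_FMT),
            }
    return list(alerts.values())


def _fmt(ts, ip, user, result):
    return f"{ts.strftime(TS_FMT)} vpn-auth src={ip} user={user} result={result}"


def build_sample_log():
    """Constructed sample: one spraying IP, one brute-force IP, one benign IP, one slow IP."""
    base = datetime(2025, 1, 10, 8, 0, 0)
    lines = []
    # 203.0.113.7: 12 failures against 12 different accounts in two minutes -> spraying
    for i in range(12):
        lines.append(_fmt(base + timedelta(seconds=10 * i), "203.0.113.7", f"user{i:02d}", "FAIL"))
    # 192.0.2.9: 10 failures against one account in one minute -> brute force
    for i in range(10):
        lines.append(_fmt(base + timedelta(seconds=6 * i), "192.0.2.9", "admin", "FAIL"))
    # 198.51.100.4: three typos, then success -> below threshold
    for i in range(3):
        lines.append(_fmt(base + timedelta(seconds=20 * i), "198.51.100.4", "jdoe", "FAIL"))
    lines.append(_fmt(base + timedelta(seconds=70), "198.51.100.4", "jdoe", "SUCCESS"))
    # 198.51.100.77: 10 failures four minutes apart -> never 10 inside a 5-minute window
    for i in range(10):
        lines.append(_fmt(base + timedelta(minutes=4 * i), "198.51.100.77", "svc_backup", "FAIL"))
    lines.sort()  # ISO timestamps sort lexically, so this is chronological order
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_failed_logins(build_sample_log()):
        print(alert)
```

The slow-failure source shows why the window matters: the same account fails ten times, but never ten times within five minutes, so it is not alerted, while the two fast sources are, with the distinct-account count telling the two techniques apart.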
Detects execution of AnyDesk, a tool frequently used by Akira for persistence and remote access.
event.type = "Process Creation"
AND (
tgt.process.name in ("AnyDesk.exe", "AnyDeskMSI.exe")
OR tgt.process.publisher contains:anycase "AnyDesk Software GmbH"
)
Detects installation or execution of AteraAgent as a persistence mechanism.
event.type = "Process Creation"
AND (
tgt.process.publisher contains:anycase "Atera Networks Ltd"
OR tgt.process.name = "AteraAgent.exe"
OR (
tgt.process.name = "msiexec.exe"
AND tgt.process.cmdline contains:anycase "AteraAgent"
)
)
Detects the use of PsExec and PaExec for lateral propagation.
event.type = "Process Creation"
AND tgt.process.name in ("psexec.exe", "paexec.exe", "psexesvc.exe")
Detects PowerShell commands used to disable Microsoft Defender.
event.type = "Process Creation"
AND tgt.process.name in ("powershell.exe", "pwsh.exe")
AND (
tgt.process.cmdline contains:anycase "Set-MpPreference"
OR tgt.process.cmdline contains:anycase "DisableRealtimeMonitoring"
)
Detects deletion of Shadow Copies using vssadmin, wmic, or bcdedit.
event.type = "Process Creation"
AND (
tgt.process.cmdline contains:anycase "vssadmin delete shadows"
OR tgt.process.cmdline contains:anycase "wmic shadowcopy delete"
OR tgt.process.cmdline contains:anycase "bcdedit /set {default} recoveryenabled no"
)
Detects creation of the ransom note akira_readme.txt.
event.type = "File Creation"
AND tgt.file.path contains:anycase "akira_readme.txt"
Detects encrypted files with the .akira extension.
event.type = "File Creation"
AND tgt.file.path endswith ".akira"
Detects SSH connections to ESXi hypervisors.
event.type = "Network Connection"
AND dst.port.number = 22
AND (
dst.endpoint.name contains:anycase "esxi"
OR dst.process.name contains:anycase "esxi"
)
Detects suspicious access to Veeam-related services and processes.
event.type = "Process Creation"
AND (
tgt.process.name contains:anycase "veeam"
OR tgt.process.cmdline contains:anycase "Veeam"
)