Overview
Akira is a ransomware-as-a-service operation that emerged in March 2023 and rapidly became one of the most active operators in the threat landscape. In its first eighteen months of operation, the group claimed over 300 victims on its leak site — a pace that placed it consistently in the top five most prolific groups by victim volume. The group targets primarily SMBs and mid-market enterprises across English-speaking markets, with healthcare, education, manufacturing, and financial services accounting for the largest share of confirmed victims.
Akira’s defining tactical characteristic is systematic exploitation of VPN infrastructure — particularly Cisco ASA and Anyconnect appliances — to obtain initial access without phishing. Combined with an aggressive Linux/ESXi encryptor that targets virtualisation infrastructure, Akira intrusions can encrypt an organisation’s entire VM estate in hours from a single compromised VPN appliance.
Background and Attribution
Akira is widely assessed to be operated by individuals with prior affiliation to the Conti ransomware operation, based on code-level overlaps in early versions of the encryptor and shared operational patterns. The group is Russia-based or Russia-linked, consistent with its targeting patterns (no confirmed attacks against Russian-language organisations) and operational security tradecraft.
The group operates a professional affiliate programme with documented onboarding, support infrastructure, and a negotiation team. Affiliates receive 80% of ransom proceeds; the core team retains 20%. The affiliate model has enabled rapid scaling while maintaining operational security — most law enforcement actions against RaaS operations have targeted affiliates rather than core operators.
Initial Access: VPN Credential Abuse
Akira’s most consistent initial access vector is exploitation of VPN vulnerabilities, particularly in Cisco infrastructure:
CVE-2023-20269 (Cisco ASA/FTD VPN brute force) — A zero-day vulnerability in Cisco ASA and FTD software that allowed unauthenticated brute-force attacks against SSL VPN and clientless SSL VPN interfaces. CISA issued an advisory in September 2023 noting active exploitation by Akira, among others. Unpatched instances continued to be exploited through 2025.
CVE-2024-3400 (Palo Alto GlobalProtect) — Akira affiliates were among the first documented exploiters of this CVSS 10.0 command injection vulnerability in Palo Alto Networks GlobalProtect within days of its April 2024 disclosure.
Where credential-based initial access is used rather than vulnerability exploitation, Akira affiliates target organisations lacking MFA on VPN infrastructure — obtaining credentials through credential stealer logs, dark web purchases, or targeted phishing.
Toolkit and Post-Exploitation
Akira affiliates use primarily legitimate tools and living-off-the-land techniques in post-exploitation, consistent with the RaaS ecosystem norm of minimising custom malware exposure:
- Reconnaissance:
net.exe,nltest.exe,AdFind,SharpHound(BloodHound collector) - Credential access: Mimikatz,
secretsdump.py, LSASS memory dumping via Task Manager, VSS shadow copy theft - Lateral movement: RDP, WinRM, PsExec, legitimate remote administration tools (AnyDesk, Splashtop)
- Exfiltration: WinSCP, rclone (to Mega.nz), FileZilla — consistent with the double extortion model
- Data staging: 7-Zip archives prior to exfiltration
- Defence evasion: Termination of security products via Process Hacker, batch scripts to disable Windows Defender
Dwell time — the gap between initial access and ransomware deployment — varies significantly. Reported ranges in incident response engagements suggest 2 days to 3 weeks, with the shorter end observed in targeted ESXi attacks where the objective is mass encryption of virtualised infrastructure.
The Linux/ESXi Encryptor
Akira’s Linux encryptor, targeting VMware ESXi hypervisors, is among the group’s most operationally significant capabilities. ESXi hypervisors host large numbers of VMs — encrypting the hypervisor itself makes all hosted VMs simultaneously unrecoverable, maximising impact per encrypted system.
The ESXi encryptor:
- Targets
.vmdk,.vmx,.vmsn, and.vmemfiles — VM disk images, configuration files, snapshots, and memory files - Stops running VMs before encryption to ensure file handles are released
- Uses ChaCha20 for file encryption, with the key encrypted using RSA-4096
- Operates via the ESXi command line, executed after the attacker achieves SSH access to the hypervisor
ESXi environments are often under-monitored compared to Windows infrastructure — they may run older ESXi versions, have SSH enabled permanently, and lack EDR coverage. Akira affiliates consistently prioritise ESXi access once they have established a foothold in the network.
Akira ESXi attack path (observed pattern):
- VPN appliance compromise → credential harvest
- Pivot to management VLAN or jump host
- SSH brute force or credential reuse against ESXi host
- ESXi access → enumerate and stop VMs
- Execute Linux encryptor against VM datastore
Double Extortion and Negotiation
Akira operates a data leak site on Tor where victim data is published if negotiations fail or are not initiated. Exfiltrated data is staged before encryption and serves as the primary leverage point in negotiations — victims who restore from backup are still subject to data publication.
Ransom demands range from approximately $200,000 for smaller organisations to several million dollars for larger enterprises. Akira’s negotiation team is assessed as professional and responsive — initial demands are typically reduced 30-50% through negotiation for organisations that engage promptly. The group has published data for victims who did not pay and for those who publicly disputed the breach, consistent with standard double extortion practice.
Payment is in Bitcoin or Monero (Monero increasingly preferred for its traceability limitations).
Victim Profile
Akira disproportionately targets organisations with:
- Legacy or unpatched VPN infrastructure
- No MFA on remote access systems
- Limited SOC coverage or no 24/7 monitoring
- VMware ESXi hypervisors in the environment
- Backup infrastructure accessible from the main network (enabling backup destruction)
Sectors with the highest confirmed victim counts include healthcare (including hospitals and healthcare groups — Akira does not consistently exclude healthcare as some operators nominally do), manufacturing, education, legal, and financial services.
Geographically, the US accounts for approximately 60% of confirmed victims, with the UK, Canada, Australia, and Germany each representing 5-10%.
Indicators of Compromise
Akira’s encryptor appends .akira to encrypted files and drops a ransom note named akira_readme.txt. The Linux ESXi encryptor uses .akira extension on encrypted VM files.
Known Akira-linked infrastructure has used VPN exit nodes and bulletproof hosting providers to route exfiltration traffic. Rclone traffic to Mega.nz is a consistent exfiltration indicator; WinSCP and FileZilla sessions to attacker-controlled SFTP servers have also been observed.
YARA rule (Akira Windows encryptor characteristic):
rule Akira_Ransomware_Windows {
meta:
description = "Akira ransomware Windows encryptor"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a"
strings:
$ransom_note = "akira_readme.txt" ascii nocase
$extension = ".akira" ascii
$mutex = "Global\\AkiraRansomware" ascii wide
$pdb = "akira" ascii nocase
condition:
uint16(0) == 0x5A4D and 2 of ($ransom_note, $extension, $mutex, $pdb)
}
Defensive Priorities
Given Akira’s consistent TTPs, the highest-return defensive measures are:
Patch VPN appliances immediately. Akira’s initial access overwhelmingly comes through known VPN vulnerabilities. Maintaining a sub-48-hour patch SLA for internet-facing network appliances closes the primary entry point.
Enforce MFA on all remote access. Credential-based VPN access without MFA is the fallback initial access method. MFA eliminates purchased or stolen credential packages as a viable vector.
Segment and monitor ESXi management access. ESXi hosts should not be SSH-accessible from workstations or general corporate networks. SSH access should require a dedicated jump host, and all SSH sessions to ESXi should be logged and alerted on.
Back up to immutable, offline, or separate-credentials storage. Akira affiliates actively seek and encrypt or delete backup infrastructure. Backups that share network access or credentials with production systems will be targeted.
Deploy EDR on Windows servers. The post-exploitation toolkit is largely living-off-the-land — detectable by behavioural EDR. LSASS credential dumping, bulk archive creation, and large-volume network transfers to cloud storage are all detectable signatures.
CISA published a joint advisory on Akira (AA24-109A) in April 2024. The TTPs documented in that advisory remain consistent with current affiliate activity — the advisory is worth reviewing for the full IOC and detection guidance set.