Last Updated: August 19th, 2025 | 8 min read | Categories: Data Exfiltration, Ransomware, Variants

When Stanford University and a large automotive company fell victim to an Akira ransomware attack, it became clear that the Akira ransomware group was no ordinary threat. In just over a year since its emergence, this group has evolved into a global ransomware threat operating at considerable scale. Unlike the old, monolithic ransomware cartels, Akira combines retro branding with lean, startup-like operations to maximize impact. Security teams worldwide are now scrambling to understand this new face of ransomware and how to stop it.

Who is the Akira Ransomware Group?

The Akira ransomware group first appeared at the start of 2023. Operating as a ransomware-as-a-service (RaaS) operation, Akira's affiliates launched a wave of attacks (over 250 in its first year), netting approximately $42 million in ransom payments. The gang employs a double-extortion methodology: malware to encrypt files, coupled with a Tor leak site to publish stolen data if victims don't pay.

Akira's leak portal is styled like a bare-bones command-line interface from the 1980s, complete with a news section to threaten victims and a leaks section for dumped data. Initially targeting Windows systems, Akira soon expanded to Linux and even VMware ESXi servers. The result is a cross-platform, modular ransomware design that lets it hit different IT environments.

The Retro Aesthetic: Branding as Psychological Weaponry

The name "Akira" comes from a 1988 cyberpunk anime film, representing an unstoppable and disruptive force. Their leak site reflects this theme with a retro ransomware design, featuring a text-only command-line interface that looks like something straight out of the 1980s. This old-school style is a deliberate part of their branding, giving them a cool yet intimidating image. The vintage hacker look may feel nostalgic, but it also clearly signals that they are serious.

Akira's Attack Chain: A Lean, Modern Cyber Weapon

Akira's ransomware targets both Windows and Linux/VMware environments.

Affiliates typically breach a network through phishing or by exploiting an unpatched VPN/server vulnerability. Once inside, they work to gain higher privileges and map out the network with built-in tools, while simultaneously disabling defenses (killing antivirus, shutting off Microsoft Defender, and deleting shadow copies) to evade detection.

Akira's malware payload is ransomware with a range of configurable features. It uses strong encryption, and affiliates can configure which data to encrypt or omit via built-in options. Meanwhile, they steal large amounts of data to use as leverage for extortion.
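As an added defender-side example (not code from the article or from BlackFog), the script below runs simple detection rules for the two defense-evasion steps described above, Defender tampering and shadow-copy deletion, over constructed process-creation events; the hosts, users and command lines are invented for the example, and the patterns are the ones documented under ATT&CK T1490 and T1562.001.

```python
import re

# Constructed sample events (not real telemetry): host, user and the process
# command line, as a Sysmon/EDR process-creation feed would record them.
SAMPLE_EVENTS = [
    {"host": "ws-0413", "user": "jdoe",
     "cmd": "C:\\Windows\\System32\\notepad.exe report.txt"},
    {"host": "srv-file01", "user": "svc_backup",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv-file01", "user": "svc_backup",
     "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "srv-db02", "user": "admin",
     "cmd": "wmic.exe shadowcopy delete"},
    {"host": "ws-0209", "user": "asmith",
     "cmd": "vssadmin.exe list shadows"},   # benign: listing, not deleting
]

# Each rule: (rule name, ATT&CK technique, regex over the command line).
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", "T1490",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("defender_tamper", "T1562.001",
     re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)),
]


def detect(events):
    """Return one hit per event whose command line matches a rule."""
    hits = []
    for ev in events:
        for name, technique, pattern in RULES:
            if pattern.search(ev["cmd"]):
                hits.append({"host": ev["host"], "user": ev["user"],
                             "rule": name, "technique": technique})
                break  # one hit per event is enough for triage
    return hits


def hosts_with_multiple_evasion_steps(hits):
    """A host that both tampers with Defender and wipes shadow copies is a far
    stronger ransomware-staging signal than either event alone."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["rule"])
    return sorted(host for host, rules in by_host.items() if len(rules) > 1)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(h)
    print("escalate:", hosts_with_multiple_evasion_steps(found))
```

In production the same rules would sit in a SIEM or EDR policy; the point here is the correlation step, which turns two medium-severity events on one host into a single high-severity alert.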

Targeting the Vulnerable Middle

Unlike big-game ransomware crews that chase Fortune 500 companies, Akira often goes after the vulnerable middle: mid-market firms, schools, local governments, and other SMBs. Small and mid-size businesses are attractive targets because they have valuable data but often lack strong security. For example, Akira has extorted a city government and a university. These are not random victims; the group appears to single out organizations likely to pay but unable to mount a solid defense.

Ransomware-as-a-Startup: The New Criminal Model

Akira's operation generally runs like a lean startup. It's a decentralized outfit with a tiny core team and many affiliates (contractors) doing tasks like malware development, intrusion, and victim negotiations.

This RaaS model lowers the barrier to entry. Even less skilled cybercriminals can participate in big-league attacks, and it makes it harder for law enforcement to shut down the operation.

Akira also shows a startup-like mentality. When a vulnerability in their code became public (enabling a free decryptor to be created), Akira's developers patched the malware to close the loophole.

The group isn't shy about self-promotion either. It publicizes new victims on its leak site to intimidate other targets. This common but harsh approach shows how decentralized hacking groups like Akira now operate more like businesses, evolving quickly and branding themselves to stand out within cybercrime networks.

Ideologically Blank, Yet Globally Disruptive

Akira isn't driven by any political or ideological cause; its sole focus is profit.

The group has made no statements of alignment with nation states or hacktivist movements. This lack of declared ideology makes Akira an interesting threat, willing to attack any target in any country if the payday is big enough. And that, ironically, makes them even more dangerous on a global scale.

With no political rules of engagement or target restrictions, unpredictability is their calling card. In the past two years, Akira has hit entities from North America to Europe to Asia, including critical infrastructure and educational systems, causing wide disruptions.

An attack on a school district can halt classes; an attack on a regional hospital can put lives at risk, all without the group caring about any cause beyond ransom. This apolitical stance hasn't spared Akira from international scrutiny, however.

Global law enforcement and cybersecurity agencies have taken notice.

The FBI, CISA, Europol, and others released a joint advisory regarding Akira's strategies in April 2024. Governments recognize that organizations like Akira can pose a cross-border threat to public safety and the economy even in the absence of nation-state support.

What the Akira Model Means for Cybersecurity in 2025

The future of ransomware is likely to be lean, branded, and globally mobile. We will see more groups like Akira: agile RaaS franchises that pop up, rebrand, and pivot quickly, more akin to tech startups than traditional crime syndicates. For cybersecurity professionals, this means traditional defense postures need updating.

In practical terms, security teams should emphasize behavior-based detection (catching anomalies like large data exfiltration or unusual admin tool usage) and zero-trust principles that limit how far an intruder can get.
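As an added example of the behavior-based exfiltration detection recommended above (not code from the article or from BlackFog), the script below compares each host's daily outbound volume with its own baseline week and reports which external destinations are new; the hosts, addresses and byte counts are constructed for the example, and the thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from statistics import median

EVAL_DAY = 7  # days 0-6 are the baseline week, day 7 is the day under review

# Constructed flow summaries: (source host, external destination, bytes out, day).
FLOWS = (
    [("srv-file01", "203.0.113.10", 400_000_000, d) for d in range(EVAL_DAY)]
    + [("ws-0413", "198.51.100.7", 100_000_000, d) for d in range(EVAL_DAY)]
    + [
        ("srv-file01", "203.0.113.10", 410_000_000, EVAL_DAY),  # normal day
        ("ws-0413", "198.51.100.7", 90_000_000, EVAL_DAY),
        ("ws-0413", "192.0.2.55", 9_500_000_000, EVAL_DAY),     # 9.5 GB, new peer
    ]
)


def summarize(flows, eval_day):
    """Per-host daily totals plus the destination sets seen before and on eval_day."""
    totals = defaultdict(lambda: defaultdict(int))
    baseline_dsts, eval_dsts = defaultdict(set), defaultdict(set)
    for host, dst, nbytes, day in flows:
        totals[host][day] += nbytes
        (eval_dsts if day == eval_day else baseline_dsts)[host].add(dst)
    return totals, baseline_dsts, eval_dsts


def exfil_candidates(flows, eval_day=EVAL_DAY, ratio=8.0, min_bytes=1_000_000_000):
    """Flag hosts whose outbound volume is both many times their own median and
    above an absolute floor, so busy-but-normal servers do not page anyone."""
    totals, baseline_dsts, eval_dsts = summarize(flows, eval_day)
    alerts = []
    for host, by_day in totals.items():
        baseline = [b for d, b in by_day.items() if d < eval_day]
        today = by_day.get(eval_day, 0)
        if not baseline or today < min_bytes:
            continue
        base = median(baseline)
        if today >= ratio * base:
            alerts.append({
                "host": host,
                "today_bytes": today,
                "baseline_median": base,
                "new_destinations": sorted(eval_dsts[host] - baseline_dsts[host]),
            })
    return alerts


if __name__ == "__main__":
    for alert in exfil_candidates(FLOWS):
        print(alert)
```

A never-seen destination receiving most of the day's bytes is the detail that distinguishes staged data theft from a legitimate backup job, so the alert carries it for the responder.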

The global ransomware ecosystem has become incredibly interconnected, with initial access brokers, RaaS kits, and affiliate recruiters, meaning that any one organization could be targeted through vectors it doesn't even directly control. Threat intelligence and collaboration across industries will be needed to keep pace with these groups.

Action Plan: How to Protect Against Akira

[Figure: Akira Ransomware Group diagram]

No organization is completely helpless; there are concrete steps to strengthen your Akira ransomware mitigation posture.

• Harden Access Points. Activate multi-factor authentication (MFA) on all VPNs, email, and remote access services, and quickly address vulnerabilities. Akira frequently exploits VPN systems without MFA and other unpatched gateways to gain entry.

• Segment and Back Up Data. Use segmentation to contain the spread of malware and maintain offline backups of systems. Akira's encryption and deletion of shadow copies cannot defeat you if your data is safely backed up elsewhere.

• Security Awareness Training. Teach staff to recognize phishing and other social-engineering tactics. Many Akira ransomware incidents start with a well-made phishing email or a stolen password.

• Third-Party Risk Management. Vet the security of your vendors and partners. Akira and other gangs have leveraged breaches of IT service providers to attack dozens of client organizations at once.

• Incident Response. Simulate ransomware scenarios so your team is ready to react if an attack occurs. Create incident response playbooks and practice isolating infected systems, communicating with stakeholders, and even negotiating if it comes to that.

Stay ahead of ransomware threats like Akira. Find out how BlackFog's anti data exfiltration technology can protect your organization against cyberthreats today.
