The Akira ransomware group emerged in early 2023 and has quickly become one of the more active and disruptive ransomware operations. Operating under a ransomware-as-a-service (RaaS) model, Akira targets small to medium-sized organizations as well as large enterprises, with a strong focus on sectors such as manufacturing, education, healthcare, and professional services. The group is known for its speed, often moving from initial access to data encryption within hours.
Akira employs double extortion techniques, exfiltrating sensitive data before encrypting systems and threatening to leak stolen information on its dark web site if ransom demands are not met. Initial access is commonly gained through compromised VPN credentials, unpatched vulnerabilities, and exposed remote access services, followed by the use of legitimate administrative tools to move laterally and evade detection.
Recently, a joint cybersecurity advisory issued by CISA, the FBI, and international partners highlighted Akira’s ongoing activity and tactics, techniques, and procedures (TTPs). The advisory warned organizations about Akira’s exploitation of weak authentication, lack of MFA on VPNs, and insufficient network segmentation, and urged defenders to improve credential hygiene, apply timely patching, and enhance monitoring for signs of lateral movement and data exfiltration. The alert underscores Akira’s continued relevance and the persistent risk it poses to organizations with inadequate security controls.
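The advisory's recommendations above (MFA on VPNs, monitoring for exfiltration) translate into concrete detection checks. The following is an added example, not code from the advisory or from any vendor, and it runs over constructed sample records whose field names (`user`, `src`, `result`, `mfa`, `host`, `dst`, `bytes_out`) are assumptions rather than any real product's log schema. It flags successful VPN logins that completed without MFA and host-to-destination pairs whose outbound volume exceeds a threshold, then joins the two so an analyst can see which non-MFA logins preceded a large transfer.

```python
"""Toy detection pass for two Akira-style indicators: VPN logins without MFA
and unusually large outbound transfers. Sample data is constructed for the
example; the log layout is an assumption, not a vendor schema."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed VPN authentication records (RFC 5737 documentation addresses).
VPN_AUTH_LOG = [
    {"ts": "2024-04-01T02:11:05Z", "user": "jsmith", "src": "203.0.113.10",
     "result": "success", "mfa": False},
    {"ts": "2024-04-01T02:14:40Z", "user": "jsmith", "src": "203.0.113.10",
     "result": "success", "mfa": True},
    {"ts": "2024-04-01T03:02:13Z", "user": "svc-backup", "src": "198.51.100.7",
     "result": "success", "mfa": False},
    {"ts": "2024-04-01T09:30:00Z", "user": "amiller", "src": "192.0.2.44",
     "result": "failure", "mfa": False},
]

# Constructed egress flow summaries: bytes sent from an internal host to an
# external destination within one logging interval.
EGRESS_LOG = [
    {"ts": "2024-04-01T03:20:00Z", "host": "fileserver01",
     "dst": "198.51.100.200", "bytes_out": 30_000_000_000},
    {"ts": "2024-04-01T03:50:00Z", "host": "fileserver01",
     "dst": "198.51.100.200", "bytes_out": 15_000_000_000},
    {"ts": "2024-04-01T10:05:00Z", "host": "ws-017",
     "dst": "203.0.113.55", "bytes_out": 120_000_000},
]


def _parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the constructed logs."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def vpn_logins_without_mfa(records):
    """Successful VPN authentications where no second factor was recorded.
    Failed attempts are excluded; they belong to a brute-force check instead."""
    return [r for r in records if r["result"] == "success" and not r["mfa"]]


def exfil_candidates(records, threshold_bytes=10 * 1024 ** 3):
    """Aggregate outbound bytes per (host, destination) pair and return the
    pairs at or above the threshold (default 10 GiB, an assumed tuning value)."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["host"], r["dst"])] += r["bytes_out"]
    return {pair: total for pair, total in totals.items() if total >= threshold_bytes}


def correlate(vpn_records, egress_records, window_hours=6):
    """For each flagged egress pair, list non-MFA VPN logins that occurred
    within window_hours before the first large transfer on that pair."""
    weak_logins = vpn_logins_without_mfa(vpn_records)
    flagged = exfil_candidates(egress_records)
    first_seen = {}
    for r in egress_records:
        key = (r["host"], r["dst"])
        if key in flagged:
            ts = _parse_ts(r["ts"])
            first_seen[key] = min(first_seen.get(key, ts), ts)
    findings = {}
    for key, transfer_ts in first_seen.items():
        preceding = [
            login["user"] for login in weak_logins
            if 0 <= (transfer_ts - _parse_ts(login["ts"])).total_seconds()
            <= window_hours * 3600
        ]
        findings[key] = sorted(set(preceding))
    return findings


if __name__ == "__main__":
    for login in vpn_logins_without_mfa(VPN_AUTH_LOG):
        print(f"VPN login without MFA: {login['user']} from {login['src']} at {login['ts']}")
    for (host, dst), total in exfil_candidates(EGRESS_LOG).items():
        print(f"Large egress: {host} -> {dst}, {total / 1024 ** 3:.1f} GiB")
    for key, users in correlate(VPN_AUTH_LOG, EGRESS_LOG).items():
        print(f"Non-MFA logins within 6h before egress on {key}: {users}")
```

The correlation step is deliberately coarse: in a real deployment the VPN session would be tied to the internal host by its assigned address, and the egress threshold would be set from a baseline of normal traffic rather than a fixed constant.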
