{
	"id": "75dcd3b9-f604-4a6d-a2d3-e73956ac95fd",
	"created_at": "2026-04-06T00:07:37.34333Z",
	"updated_at": "2026-04-10T13:12:14.931018Z",
	"deleted_at": null,
	"sha1_hash": "751428c5280460734c421378f46b9ad4edb5999d",
	"title": "Threat Assessment: Howling Scorpius (Akira Ransomware)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1806014,
	"plain_text": "Threat Assessment: Howling Scorpius (Akira Ransomware)\r\nBy Yoav Zemah\r\nPublished: 2024-12-02 · Archived: 2026-04-05 18:27:55 UTC\r\nExecutive Summary\r\nEmerging in early 2023, the Howling Scorpius ransomware group is the entity behind the Akira ransomware-as-a-service (RaaS), which has consistently ranked in recent months among the top five most active ransomware\r\ngroups. Its double extortion strategy significantly amplifies the threat it poses. Unit 42 researchers have been\r\nmonitoring the Howling Scorpius ransomware group over the past year.\r\nHowling Scorpius targets small to medium-sized businesses in North America, Europe and Australia, across\r\nvarious sectors. Affected industries include education, consulting, government, manufacturing,\r\ntelecommunications, technology and pharmaceuticals.\r\nOur research reveals that Howling Scorpius maintains and operates encryptors for Windows and Linux operating\r\nsystems. We identified variants specifically designed for ESXi hosts. In addition, our findings have shown that this\r\ngroup is actively upgrading and enhancing its tool set, thus posing a greater risk for organizations.\r\nPalo Alto Networks customers are better protected against Akira ransomware from the Howling Scorpius\r\nransomware group through the following products and services:\r\nCortex XDR and XSIAM\r\nCloud-Delivered Security Services for the Next-Generation Firewall, such as Advanced WildFire\r\nCortex Xpanse\r\nThe Unit 42 Incident Response team has responded to several Howling Scorpius ransomware incidents since the\r\ngroup first emerged in 2023. If you think you might have been compromised or have an urgent matter, contact the\r\nUnit 42 Incident Response team.\r\nHowling Scorpius Overview\r\nFirst observed in March 2023 [PDF], Akira is a RaaS group we track as Howling Scorpius. This group employs a\r\ndouble extortion strategy, exfiltrating critical data from a network before executing its encryption process. 
This double extortion tactic allows the group to leak stolen data even if victims recover their systems without paying, maximizing the pressure to comply.\r\nHowling Scorpius operates a Tor-based leak site for Akira ransomware. The group uses the site to list victims and to publish stolen data if they refuse to comply with ransom demands.\r\nThe Akira leak site has a retro-green look. Howling Scorpius also operates a separate Tor-based negotiation site, which victims can access using a dedicated password provided by the group. Figure 1 shows a screenshot of the Akira ransomware leak site.\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware/\r\nPage 1 of 22\r\nFigure 1. Screenshot of the Akira Ransomware leak site in a Tor browser, from November 2024.\r\nThe Akira ransomware leak site displays a text-based console with a list of commands. The leaks command returns a list of victims who did not pay and includes links to download .torrent files. Viewers can then use these .torrent files to download the released data for those victims who did not pay their ransom.\r\nThis console also includes a news command that lists all compromised companies, which it says date back as far as April 2023. The site describes the news command as “upcoming data releases,” and the results end with the most recent victims.\r\nThe group primarily targets small to medium-sized businesses across various regions and industries.\r\nTargeted Regions\r\nWhile Howling Scorpius has targeted organizations globally since 2023, the U.S. has emerged as the most affected country, according to Akira leak site data. Figure 2 highlights the top 10 affected countries based on this leak site data from March 2023 to October 2024.\r\nFigure 2. 
A column chart showing the countries impacted by Howling Scorpius from March 2023 to October 2024.\r\nTargeted Industries\r\nAkira leak site data shows the group has impacted several industries, including manufacturing, professional and legal services, wholesale, retail and construction. Figure 3 shows the top 10 industries affected by this ransomware from March 2023 to October 2024.\r\nFigure 3. The distribution of the top 10 sectors affected by Howling Scorpius from March 2023 to October 2024.\r\nTechnical Analysis of the Akira Ransomware Attack Lifecycle\r\nBelow is a technical analysis of Howling Scorpius operations mapped to the different stages of a cyberattack’s lifecycle.\r\nInitial Access\r\nHowling Scorpius affiliates employ various methods to gain initial access to organizations. These include logging in to virtual private network (VPN) services that lack multi-factor authentication (MFA) with valid accounts, often purchased from initial access brokers on the dark web.\r\nAffiliates also target external-facing services like Remote Desktop Protocol (RDP), and they conduct spear phishing campaigns.\r\nFigure 4 shows an alert raised by Cortex XDR for an example of remote service creation. This specific alert involves the service component of PsExec, PSEXESVC.exe, being used to run a process from a remote system.\r\nFigure 4. Cortex XDR alert for remote service creation from an uncommon source.\r\nThe security community has documented Howling Scorpius exploiting vulnerabilities in Cisco products, such as CVE-2020-3259 and CVE-2023-20269.\r\nCredential Access\r\nLocal Credential Access Techniques\r\nHowling Scorpius affiliates employ various credential access techniques to extract credentials for privilege escalation. Mimikatz and LaZagne are their primary tools.\r\nAffiliates also often create a MiniDump of the LSASS process memory by leveraging comsvcs.dll. Figure 5 shows an example of Cortex XDR detecting comsvcs.dll used for this type of memory dump.\r\nFigure 5. Cortex XDR detection alert of comsvcs.dll MiniDump of LSASS.\r\nKerberoasting\r\nHowling Scorpius affiliates employ the Kerberoasting attack to gain control over service accounts and to exploit credentials stored in memory.\r\nExtracting Credentials for Domain Control\r\nThe group’s affiliates focus on extracting credentials from the Active Directory database to pursue comprehensive domain control. They copy the SYSTEM registry hive and the NTDS.dit file from the domain controller (DC) to obtain a complete listing of user accounts and their corresponding domain password hashes.\r\nExploiting Compromised vCenter Instances\r\nIn cases where affiliates compromise a vCenter instance, they will perform the following activities:\r\nShutting down the DC's virtual machine (VM)\r\nCopying the DC's Virtual Machine Disk (VMDK) files to another VM they created beforehand\r\nExtracting the NTDS.dit and SYSTEM registry hive files (as reported by Rewterz)\r\nPersistence\r\nHowling Scorpius affiliates created new domain accounts to establish persistence. These accounts give these affiliates another form of access that does not require them to deploy tools or malware on the targeted systems. 
In addition, CISA reported [PDF] that the affiliates created new administrative domain accounts named itadm.\r\nDiscovery and Lateral Movement\r\nHowling Scorpius affiliates' lateral movement within compromised networks primarily involves exploiting remote services such as Remote Desktop Protocol (RDP) and Server Message Block (SMB). The group also employs remote service creation and Windows Management Instrumentation (WMI) to further its reach.\r\nThese affiliates use network scanning tools like NetScan and Advanced IP Scanner to map the network and identify potential critical assets in the targeted organization for lateral movement. They also execute PowerShell and Windows net commands to query Active Directory for information on additional users and administrators.\r\nDefense Evasion\r\nBring Your Own Driver\r\nHowling Scorpius affiliates use tools that abuse the Zemana antimalware driver to terminate antimalware-related processes. Figure 6 below shows information from an alert raised in Cortex XDR for an attempt to create the malicious Zemana driver.\r\nFigure 6. Cortex XDR alert for the attempt to use the Zemana antimalware driver.\r\nAntivirus Disablement\r\nAffiliates have also tried to disable Windows Defender Real-Time Protection using PowerShell, and they have tried to uninstall the EDR agents installed on infected systems.\r\nBring Your Own VM\r\nAffiliates sometimes create their own VMs. Within these VMs, they disable security tools. They then mount the hypervisor host's storage drives onto the VM, shutting down any processes using those files to unlock running VM files. After successfully mounting the drives and unlocking all targeted files, they execute the ransomware within the new VM (as reported by CyberCX), bypassing the host's security tools.\r\nExfiltration\r\nHowling Scorpius affiliates usually stage data for exfiltration with WinRAR and transfer it from compromised hosts with a combination of WinSCP, RClone and FileZilla, through the File Transfer Protocol (FTP). Below is an example of the archiving step of a data exfiltration attempt we observed (the a command adds the listed paths to an archive, and -r0 recurses into subdirectories):\r\n\"C:\\Program Files\\WinRAR\\WinRAR.exe\" a -ep1 -scul -r0 -iext -imon1 -- . \"[REDACTED]\\Company\\[REDACTED]\" [REDACTED]\\Company\\HR \"[REDACTED]\\Company\\Human Resources Management - HR\"\r\nAkira Ransomware Encryptors\r\nThis section details the different encryptors for Akira ransomware that Howling Scorpius uses for Windows and Linux operating systems.\r\nRansom Note\r\nUpon successful encryption, Akira ransomware encryptors create a ransom note named akira_readme.txt that provides victims instructions for how to interact with the group. This file includes links to both the leak site and the negotiation site.\r\nThe file also contains a unique code that victims must enter on the negotiation site to facilitate communication with the attackers and potential ransom discussions. Figure 7 shows an example of the akira_readme.txt file.\r\nFigure 7. 
An example of the akira_readme.txt file content.\r\nWindows Variant\r\nExecution\r\nUpon execution, the Windows variant of the Akira ransomware encryptor attempts to delete shadow copies using the following PowerShell command:\r\npowershell.exe -Command \"Get-WmiObject Win32_Shadowcopy | Remove-WmiObject\"\r\nCommand-Line Arguments\r\nThe Windows variant of the Akira ransomware encryptor uses the following command-line arguments:\r\n-p / --encryption_path – Root directory of the encryption process\r\n-s / --share_file – Targeted network drive path\r\n-n / --encryption_percent – Controls the amount of data to be encrypted within each file\r\n--fork – Creates a child process for the encryption process\r\n-l – Writes the list of drives into the log file\r\n-localonly – Prevents the encryption of remote drives\r\n-e / --exclude – Files to exclude from the encryption process\r\nFigure 8 below shows the Windows encryptor for the Akira ransomware detected and prevented by Cortex XDR.\r\nFigure 8. Windows encryptor for Akira ransomware detected by Cortex XDR.\r\nEncryption\r\nAkira ransomware’s Windows variant uses a hybrid approach to encrypt data. It encrypts the content of the files using the ChaCha20 algorithm.\r\nThe threat then encrypts the ChaCha20 key using a hard-coded RSA public key, so the symmetric key can only be recovered with the corresponding private key. The encryptor supports full and partial encryption, controlled through the aforementioned --encryption_percent command-line parameter.\r\nAvast published a decryptor in June 2023 exploiting a vulnerability in Akira's encryption scheme. However, CyberCX found a sample in VirusTotal that revealed that Howling Scorpius had patched this vulnerability within three days of its public disclosure.\r\nIn February 2024, we identified updates in the Howling Scorpius codebase. These updates included implementing support for the KCipher2 algorithm alongside ChaCha20. Encrypted files use the .akira extension.\r\nThe list of the targeted file extensions and excluded directories the Howling Scorpius Windows encryptor uses can be found in Appendix A.\r\nThe Megazord Variant\r\nIn August 2023, a new strain of ransomware called Megazord appeared. This strain, written in Rust, has a ransom note with content similar to that of Akira ransomware and points to the same negotiation site. This indicates that Howling Scorpius is also the group behind Megazord.\r\nBesides being written in Rust, Megazord variants differ from Akira encryptors by the following characteristics:\r\nUsing a different file extension for encrypted files – .powerranges\r\nUsing a different name for the ransom note – powerranges.txt\r\nIn addition, Megazord encryptors execute several commands to terminate and stop a list of services and processes that could affect the encryption process. For the complete list of commands executed by Megazord encryptors, see Appendix B.\r\nThe Megazord strain has a new layer of protection, requiring a password as an execution condition (supplied through the --id command-line argument). Figure 9 demonstrates how Cortex XDR detects and prevents Megazord.\r\nFigure 9. Megazord encryptor detected by Cortex XDR.\r\nUpdated Version\r\nWhile looking for additional Megazord encryptors, we came across two samples that were compiled in March 2024, which had two new command-line arguments affecting the execution flow of the encryptor. 
The --proc command-line argument allows the attackers to turn off the termination of processes and services, and the --dirs command-line argument allows the attackers to ignore blocklisted directories.\r\nFigure 10 shows the updated help menu from a Megazord sample.\r\nFigure 10. Megazord variant help menu.\r\nThe Possibility of Different Operators Sharing the Megazord Ransomware\r\nAnother unique sample we found differs primarily by its ransom note. This new ransom note raises the possibility that Megazord might not be exclusive to Howling Scorpius, although we cannot confirm this yet.\r\nThe new ransom note contains distinct language and a different means of communicating via Telegram, which hints at the involvement of a different threat actor. Figure 11 shows the new ransom note.\r\nFigure 11. The new Megazord ransom note.\r\nLinux/ESXi Variant\r\nBased on the internal strings and naming conventions we observed in the Linux/ESXi variants of Akira ransomware, we assess that these samples were initially designed to run on ESXi systems. Some samples we encountered executed ESXCLI commands, strengthening our assessment. Figure 12 shows an example of an internal string found in one of the Linux/ESXi variants.\r\nFigure 12. An example of an internal string of Linux/ESXi samples.\r\nExecution\r\nIn some of the Akira Linux variants we have encountered, attackers changed the syslog logs directory to /tmp. It’s likely they did this to hinder logging (on ESXi, /tmp is an in-memory location, so logs written there do not survive a reboot), and they also unconfigured the core dump file, using the following ESXCLI commands:\r\n/bin/sh -c 'esxcli system syslog config set --logdir=/tmp'\r\n/bin/sh -c 'esxcli system syslog reload'\r\n/bin/sh -c 'esxcli system coredump file set --unconfigure'\r\nCommand-Line Arguments\r\nThe Linux/ESXi variant of the Akira ransomware encryptor uses the following command-line arguments:\r\n-p / --encryption_path – Specifies the root directory of the encryption process\r\n-s / --share_file – Specifies the targeted network drive path\r\n-n / --encryption_percent – Controls the amount of data to be encrypted within each file\r\n--fork – Creates a child process for the encryption process\r\nFigure 13 demonstrates the detection and prevention of the Linux/ESXi variant by Cortex XDR.\r\nFigure 13. Howling Scorpius Linux/ESXi encryptor detected by Cortex XDR.\r\nEncryption\r\nAkira ransomware's Linux/ESXi variant uses a hybrid encryption approach to lock data, the same as its Windows variant. The Linux/ESXi variant encrypts the symmetric key used to encrypt the content of the targeted files with an embedded RSA public key.\r\nThis variant uses several symmetric encryption algorithms for the targeted file encryption, such as AES, CAMELLIA, DES and IDEA. Like the Windows version, this variant supports full and partial encryption controlled through the aforementioned command-line parameters.\r\nThe list of targeted file extensions and excluded directories used by Akira ransomware's Linux/ESXi encryptor can be found in Appendix C.\r\nAkira v2\r\nIn April 2024, CISA's #StopRansomware efforts [PDF] revealed a new variant of the Akira ransomware's Linux/ESXi encryptor called Akira_v2. 
This Rust-based variant introduces a new command-line argument set and expanded capabilities.\r\nLike Megazord, Akira_v2 also adds a new layer of protection by requiring a password, supplied through the --id argument, as a run condition. In addition, with the --vmonly argument, Akira_v2 adds the ability to encrypt VM files only. Figure 14 shows the help menu unique to this variant.\r\nFigure 14. Akira_v2 help menu.\r\nThis variant targets the following file extensions:\r\n.vmdk\r\n.vmem\r\n.vmx\r\n.log\r\n.vswp\r\n.vmsd\r\n.vmsn\r\nWith the --stopvm argument, the variant adds the ability to turn off running VMs. It does so by executing the following command, which lists every registered VM and powers each one off by its ID (a running VM holds locks on its disk files, so powering VMs off lets the encryptor write to them):\r\nvim-cmd vmsvc/getallvms | tail -n +2 | awk '{system(\"vim-cmd vmsvc/power.off \" $1)}'\r\nAlso, Akira_v2 uses yet another ransom note file, named akiranew.txt, which still points to the same negotiation site used for the original version of Akira ransomware. Akira_v2 also changes the extension added to encrypted files to .akiranew.\r\nFigure 15 demonstrates how Cortex XDR detects and prevents the Akira_v2 variant.\r\nFigure 15. Howling Scorpius’s Akira_v2 encryptor detected by Cortex XDR.\r\nConclusion\r\nThis threat assessment demonstrates how Akira ransomware operates, solidifying Howling Scorpius' position among the top five most active ransomware groups despite its relatively recent emergence. The group’s developers and affiliates appear to be actively developing new strains and capabilities, as well as making ongoing changes to the toolkit, which contributes to the persistence and prevalence of the ransomware.\r\nWe showed how the group used different ransomware variants in tandem, its infection vectors and its activity within an infected organization. This group's recent focus on virtualization hosts to affect more endpoints and circumvent security measures means organizations should take the threat seriously and prepare against it.\r\nPalo Alto Networks Protection and Mitigations\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this group:\r\nAdvanced WildFire cloud-delivered malware analysis service accurately identifies known samples as malicious.\r\nCortex XDR and XSIAM are designed to:\r\nPrevent the execution of known malware and also prevent the execution of unknown malware using Behavioral Threat Protection and machine learning based on the Local Analysis module.\r\nAnti-Ransomware Module: It can target encryption-based activities associated with ransomware. It can analyze and halt ransomware activity before data loss occurs, providing proactive protection against the threat discussed in this article.\r\nDetect post-exploit activity, including credential-based attacks, with behavioral analytics through Cortex XDR Pro and XSIAM.\r\nCortex Xpanse can detect internet-exposed RDP servers and VPN services that have been identified as common initial access targets for this group. XSIAM customers with the ASM module also have access to these detection capabilities.\r\nIf you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and disrupt malicious cyber actors systematically. 
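The following script is an added example for this assessment; it is not code from Unit 42 or from any Palo Alto Networks product. It shows how the behaviours described above can be expressed as detection logic run over process-creation events: the comsvcs.dll LSASS MiniDump under Credential Access, the itadm account creation under Persistence, the Defender real-time protection change under Antivirus Disablement, the Win32_Shadowcopy deletion under Windows Execution, the esxcli syslog and core dump changes under Linux/ESXi Execution, the vim-cmd power-off behind Akira_v2's --stopvm, and the burst of net stop and taskkill commands listed in Appendix B. The pipe-delimited record format, the field names, the host names and every event in the sample are constructed for the example and do not come from the report; the substrings the rules match are taken from the commands quoted in the report.

```python
# Added example (not Unit 42 code): rule-based triage of process-creation
# events for the Howling Scorpius / Akira behaviours described in this report.
# The record format, field names and sample events are constructed for the
# example and are not any product's schema.
from collections import defaultdict
from datetime import datetime

# Record layout (constructed): timestamp|host|user|parent_image|command_line
# The command line is the last field, so it may itself contain '|'.
CONSTRUCTED_EVENTS = '''
2024-11-04T02:11:05Z|dc01|corp/svc_backup|cmd.exe|rundll32.exe comsvcs.dll, MiniDump 712 lsass.dmp full
2024-11-04T02:12:40Z|dc01|corp/svc_backup|cmd.exe|net user itadm Passw0rd-2024 /add /domain
2024-11-04T02:12:41Z|dc01|corp/svc_backup|cmd.exe|net group Domain Admins itadm /add /domain
2024-11-04T02:20:13Z|fs02|corp/svc_backup|powershell.exe|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
2024-11-04T02:25:00Z|fs02|corp/svc_backup|unknown.exe|powershell.exe -Command Get-WmiObject Win32_Shadowcopy | Remove-WmiObject
2024-11-04T02:25:01Z|fs02|corp/svc_backup|unknown.exe|cmd.exe /c net stop MSExchangeIS
2024-11-04T02:25:01Z|fs02|corp/svc_backup|unknown.exe|cmd.exe /c net stop SQLWriter
2024-11-04T02:25:02Z|fs02|corp/svc_backup|unknown.exe|cmd.exe /c taskkill /f /im veeam*
2024-11-04T02:25:02Z|fs02|corp/svc_backup|unknown.exe|cmd.exe /c taskkill /f /im sql*
2024-11-04T02:25:03Z|fs02|corp/svc_backup|unknown.exe|cmd.exe /c net stop WinDefend
2024-11-04T02:30:44Z|esx01|root|sh|esxcli system syslog config set --logdir=/tmp
2024-11-04T02:30:45Z|esx01|root|sh|esxcli system coredump file set --unconfigure
2024-11-04T02:31:10Z|esx01|root|sh|vim-cmd vmsvc/power.off 12
2024-11-04T08:00:00Z|ws17|corp/jdoe|explorer.exe|outlook.exe
2024-11-04T08:05:00Z|ws17|corp/jdoe|cmd.exe|net stop Spooler
'''

# (rule_id, description, predicate over the lowercased command line)
SINGLE_EVENT_RULES = [
    ('lsass_minidump_comsvcs', 'Credential Access: LSASS MiniDump via comsvcs.dll',
     lambda c: 'comsvcs' in c and 'minidump' in c),
    ('new_domain_account', 'Persistence: domain account created with net user /add',
     lambda c: c.startswith('net user') and '/add' in c),
    ('defender_realtime_off', 'Defense Evasion: Defender real-time protection disabled',
     lambda c: 'set-mppreference' in c and 'disablerealtimemonitoring' in c),
    ('shadow_copy_wmi_delete', 'Execution: shadow copies deleted via Win32_Shadowcopy',
     lambda c: 'win32_shadowcopy' in c and 'remove-wmiobject' in c),
    ('esxi_syslog_to_tmp', 'Execution (ESXi): syslog directory moved to /tmp',
     lambda c: 'esxcli system syslog config set' in c and '--logdir=/tmp' in c),
    ('esxi_coredump_unconfigured', 'Execution (ESXi): core dump file unconfigured',
     lambda c: 'esxcli system coredump file set' in c and '--unconfigure' in c),
    ('esxi_vm_poweroff', 'Impact (ESXi): VM powered off with vim-cmd (Akira_v2 --stopvm)',
     lambda c: 'vim-cmd vmsvc/power.off' in c),
]


def parse_events(text):
    '''Parse the constructed pipe-delimited records into dicts with a UTC timestamp.'''
    events = []
    for line in text.strip().splitlines():
        ts, host, user, parent, cmd = line.split('|', 4)
        events.append({'ts': datetime.fromisoformat(ts.replace('Z', '+00:00')),
                       'host': host, 'user': user, 'parent': parent, 'cmd': cmd})
    return events


def match_single_event_rules(events):
    '''Return (host, rule_id, command_line) for every event a single-event rule fires on.'''
    findings = []
    for e in events:
        c = e['cmd'].lower()
        for rule_id, _desc, pred in SINGLE_EVENT_RULES:
            if pred(c):
                findings.append((e['host'], rule_id, e['cmd']))
    return findings


def match_service_kill_burst(events, window_seconds=60, threshold=4):
    '''Flag a host that issues at least threshold net stop / taskkill commands inside one window.

    One net stop is routine; Megazord issues dozens back to back (Appendix B),
    so the burst is the signal, not any single service name.'''
    per_host = defaultdict(list)
    for e in events:
        c = e['cmd'].lower()
        if 'net stop' in c or 'taskkill /f /im' in c:
            per_host[e['host']].append(e['ts'])
    findings = []
    for host, stamps in per_host.items():
        stamps.sort()
        start = 0  # left edge of the sliding window
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                findings.append((host, 'service_kill_burst',
                                 '%d stop/kill commands within %ds' % (end - start + 1, window_seconds)))
                break  # one finding per host is enough
    return findings


def triage(text):
    '''Run every rule over the records in text and return all findings.'''
    events = parse_events(text)
    return match_single_event_rules(events) + match_service_kill_burst(events)


if __name__ == '__main__':
    for host, rule_id, detail in triage(CONSTRUCTED_EVENTS):
        print(host, rule_id, detail)
```

Substring matching on lowercased command lines keeps the rules readable; in a real pipeline the same conditions map onto Sysmon Event ID 1 or Windows Security Event 4688 for the Windows rules, and onto ESXi shell logging (shell.log) for the esxcli and vim-cmd rules. The burst rule is separate from the single-event rules because a lone net stop is routine administration, whereas Appendix B shows the encryptor issuing dozens within seconds; the window and threshold are assumptions to tune against your own baseline.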
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSHA256 hashes for examples of Akira ransomware's Windows variant\r\n08207409e1d789aea68419b04354184490ce46339be071c6c185c75ab9d08cba\r\n2727c73f3069457e9ad2197b3cda25aec864a2ab8da3c2790264d06e13d45c3d\r\n2db4a15475f382e34875b37d7b27c3935c7567622141bc203fde7fe602bc8643\r\n56f1014eb2d145c957f9bc0843f4e506735d7821e16355bcfbb6150b1b5f39db\r\n58e9cd249d947f829a6021cf6ab16c2ca8e83317dbe07a294e2035bb904d0cf3\r\n678ec8734367c7547794a604cc65e74a0f42320d85a6dce20c214e3b4536bb33\r\n1ba1ccfacffbb6be9480380f5535a30d3eee1dd7787f3c649ebf8ea2a6a5de51\r\n9f873c29a38dd265decb6517a2a1f3b5d4f90ccd42eb61039086ea0b5e74827e\r\n1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc\r\ncc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8\r\nSHA256 hashes for examples of Megazord\r\n131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07\r\n28cea00267fa30fb63e80a3c3b193bd9cd2a3d46dd9ae6cede5f932ac15c7e2e\r\n2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83\r\n68d5944d0419bd123add4e628c985f9cbe5362ee19597773baea565bff1a6f1a\r\n7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be\r\n8816caf03438cd45d7559961bf36a26f26464bab7a6339ce655b7fbad68bb439\r\n95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a\r\n9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065\r\n9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c\r\na6b0847cf31ccc3f76538333498f8fef79d444a9d4ecfca0592861cf731ae6cb\r\nb55fbe9358dd4b5825ce459e84cd0823ecdf7b64550fe1af968306047b7de5c9\r\nc0c0b2306d31e8962973a22e50b18dfde852c6ddf99baf849e3384ed9f07a0d6\r\nc9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0\r\ndfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198\r\ne3fa93dad8fb8c3a6d9b35d02ce97c22035b409e0efc9f04372f4c1d6280a481\r\n0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d\r\nSHA256 hashes for examples of Akira ransomware's Linux/ESXi variant\r\n1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296\r\n300bc2769c6d62ba9d228cc45e126cd458e1a23fd23092da258053afd82f2755\r\n3805f299d33ef43d17a5a1040149f0e5e2d5db57ec6f03c5687ac23db1f77a30\r\n3999a25f8f0fd8252aa9250fa9bd70aae202f181812cc6c230c8ea2842340f18\r\n3dc7d4023c7380ed740ac5ac7d82a4ba6f587f430b2b7b66f1d34a44f89c39cb\r\n43c5a487329f5d6b4a6d02e2f8ef62744b850312c5cb87c0a414f3830767be72\r\n6005dcbe15d60293c556f05e98ed9a46d398a82e5ca4d00c91ebec68a209ea84\r\n74f497088b49b745e6377b32ed5d9dfaef3c84c7c0bb50fabf30363ad2e0bfb1\r\n7ca3e6b4dd4d98506faa92ab590108cacb2945b8c27dcf1ac75b0df4a206493a\r\n82e25f32e01f1898ccce2b6d5292245759733c22a104443a8a9c7db1ebf05c57\r\n8e9a33809b9062c5033928f82e8adacbef6cd7b40e73da9fcf13ec2493b4544c\r\nbcae978c17bcddc0bf6419ae978e3471197801c36f73cff2fc88cecbe3d88d1a\r\n5f72bdb14e138f10c1658248fdaf10db2fd1e812240966e009bbcf8d463e099c\r\n67f82a54ea49c6f286681d179cc7afc8b41b6b34284cc17bdd52916cc3656160\r\n6a5e547756ef1256f1eb9df0249245c35461affd009be8f046559bc007cafcf2\r\ne702a572b514984deacaa54408059c6eac28e46111cb6f0f4190a3a6a72dd41d\r\nSHA256 hashes for examples of Akira_v2\r\n0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c\r\n3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75\r\nAdditional Resources\r\nRansomware Spotlight: Akira – Trend Micro Research\r\n#StopRansomware: Akira Ransomware [PDF] – CISA\r\nAkira Ransomware is “bringin’ 1988 back” – Sophos\r\nAkira, again: The ransomware that keeps on taking – 
Sophos\r\nRansomware Roundup - Akira – Fortinet\r\nMegazord ransomware analysis – Cynet\r\nAppendices\r\nAppendix A: Akira Ransomware Windows Variant: Targeted File Extensions\r\nHowling Scorpius Windows encryptors will avoid encrypting files with the following extensions:\r\n.exe\r\n.dll\r\n.lnk\r\n.sys\r\n.msi\r\n.akira\r\nAdditionally, the Windows encryptor will avoid the following directories:\r\ntmp\r\nthumb\r\nwinnt\r\n$Recycle.Bin\r\ntemp\r\nBoot\r\nWindows\r\n$RECYCLE.BIN\r\nSystem Volume Information\r\nTrend Micro\r\nProgramData\r\nAkira ransomware's Windows encryptors target the following extensions, grouped by the first letter of the extension:\r\nA-L: .4dd, .4dl, .abcddb, .abs, .abx, .accdb, .accdc, .accde, .accdr, .accdt, .accdw, .accft, .adb, .ade, .adf, .adn, .adp, .alf, .arc, .ask, .avdx, .avhd, .bdf, .bin, .btr, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad, .dadiagrams, .daschema, .db, .db-shm, .db-wal, .db2, .db3, .dbc, .dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .ddl, .dlis, .dp1, .dqy, .dsk, .dsn, .dtsx, .dxl, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fm5, .fmp, .fmp12, .fmpsl, .fol, .fp3, .fp4, .fp5, .fp7, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .hjt, .ib, .icg, .icr, .idb, .ihx, .iso, .itdb, .itw, .jet, .jtx, .kdb, .kexi, .kexic, .kexis, .lgc, .lut, .lwx\r\nM-Z: .maf, .maq, .mar, .mas, .mav, .maw, .mdb, .mdf, .mdn, .mdt, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib, .ns2, .ns3, .ns4, .nsf, .nv, .nv2, .nvram, .nwdb, .nyf, .odb, .oqy, .ora, .orx, .owc, .p96, .p97, .pan, .pdb, .pdm, .pnz, .pvm, .qcow2, .qry, .qvd, .raw, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spq, .sql, .sqlite, .sqlite3, .sqlitedb, .subvol, .te, .temx, .tmd, .tps, .trc, .trm, .udb, .udl, .usr, .v12, .vdi, .vhd, .vhdx, .vis, .vmcx, .vmdk, .vmem, .vmrs, .vmsd, .vmsn, .vmx, .vpd, .vsv, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld, .xmlff\r\nAppendix B: Megazord Termination Commands\r\ncmd.exe /c net stop \"IBM Domino Diagnostics (CProgramFilesIBMDomino)\"\r\ncmd.exe /c net stop \"IBM Domino Server (CProgramFilesIBMDominodata)\"\r\ncmd.exe /c net stop \"Simply Accounting Database Connection Manager\"\r\ncmd.exe /c net stop IISADMIN\r\ncmd.exe /c net stop MSExchangeADTopology\r\ncmd.exe /c net stop MSExchangeFBA\r\ncmd.exe /c net stop MSExchangeIS\r\ncmd.exe /c net stop MSExchangeSA\r\ncmd.exe /c net stop MSSQL$ISARS\r\ncmd.exe /c net stop MSSQL$MSFW\r\ncmd.exe /c net stop MSSQLServerADHelper100\r\ncmd.exe /c net stop MSSQLServerADHelper100\r\ncmd.exe /c net stop QBCFMonitorService\r\ncmd.exe /c net stop QBPOSDBServiceV12\r\ncmd.exe /c net stop QBVSS\r\ncmd.exe /c net stop QuickBooksDB1\r\ncmd.exe /c net stop QuickBooksDB10\r\ncmd.exe /c net stop QuickBooksDB11\r\ncmd.exe /c net stop QuickBooksDB12\r\ncmd.exe /c net stop QuickBooksDB13\r\ncmd.exe /c net stop QuickBooksDB14\r\ncmd.exe /c net stop QuickBooksDB15\r\ncmd.exe /c net stop QuickBooksDB16\r\ncmd.exe /c net stop QuickBooksDB17\r\ncmd.exe /c net stop QuickBooksDB18\r\ncmd.exe /c net stop QuickBooksDB19\r\ncmd.exe /c net stop QuickBooksDB2\r\ncmd.exe /c net stop QuickBooksDB20\r\ncmd.exe /c net stop QuickBooksDB21\r\ncmd.exe /c net stop QuickBooksDB22\r\ncmd.exe /c net stop QuickBooksDB23\r\ncmd.exe /c net stop QuickBooksDB24\r\ncmd.exe /c net stop QuickBooksDB25\r\ncmd.exe /c net stop QuickBooksDB3\r\ncmd.exe /c net stop QuickBooksDB4\r\ncmd.exe /c net stop QuickBooksDB5\r\ncmd.exe /c net stop QuickBooksDB6\r\ncmd.exe /c net stop QuickBooksDB7\r\ncmd.exe /c net stop QuickBooksDB8\r\ncmd.exe /c net stop QuickBooksDB9\r\ncmd.exe /c net stop ReportServer$ISARS\r\ncmd.exe /c net stop SPAdminV4\r\ncmd.exe /c net stop SPSearch4\r\ncmd.exe /c net stop SPTimerV4\r\ncmd.exe /c net stop SPTraceV4\r\ncmd.exe /c net stop SPUserCodeV4\r\ncmd.exe /c net stop SPWriterV4\r\ncmd.exe /c net stop SQLAgent$ISARS\r\ncmd.exe /c net stop SQLAgent$MSFW\r\ncmd.exe /c net stop SQLBrowser\r\ncmd.exe /c net stop SQLWriter\r\ncmd.exe /c net stop ShadowProtectSvc\r\ncmd.exe /c net stop WinDefend\r\ncmd.exe /c net stop firebirdguardiandefaultinstance\r\ncmd.exe /c net stop ibmiasrw\r\ncmd.exe /c net stop mr2kserv\r\ncmd.exe /c powershell -command \"Get-VM | Stop-VM -Force\"\r\ncmd.exe /c taskkill /f /im CNTAoSMgr*\r\ncmd.exe /c taskkill /f /im IBM*\r\ncmd.exe /c taskkill /f /im Notifier*\r\ncmd.exe /c taskkill /f /im Ntrtscan*\r\ncmd.exe /c taskkill /f /im TmListen*\r\ncmd.exe /c taskkill /f /im bes10*\r\ncmd.exe /c taskkill /f /im black*\r\ncmd.exe /c taskkill /f /im chrome*\r\ncmd.exe /c taskkill /f /im copy*\r\ncmd.exe /c taskkill /f /im ds_monitor*\r\ncmd.exe /c taskkill /f /im dsa*\r\ncmd.exe /c taskkill /f /im excel*\r\ncmd.exe /c taskkill /f /im firefox*\r\ncmd.exe /c taskkill /f /im iVPAgent*\r\ncmd.exe /c taskkill /f /im iexplore*\r\ncmd.exe /c taskkill /f /im mysql*\r\ncmd.exe /c taskkill /f /im outlook*\r\ncmd.exe /c taskkill /f /im postg*\r\ncmd.exe /c taskkill /f /im putty*\r\ncmd.exe /c taskkill /f /im robo*\r\ncmd.exe /c taskkill /f /im sage*\r\ncmd.exe /c taskkill /f /im sql*\r\ncmd.exe /c taskkill /f /im ssh*\r\ncmd.exe /c taskkill /f /im store.exe\r\ncmd.exe /c taskkill /f /im tasklist*\r\ncmd.exe /c taskkill /f /im taskmgr*\r\ncmd.exe /c taskkill /f /im vee*\r\ncmd.exe /c taskkill /f /im veeam*\r\ncmd.exe /c taskkill /f /im wrsa*\r\ncmd.exe /c taskkill /f /im wrsa.exe\r\nAppendix C: Akira Ransomware Linux/ESXi Variant: Targeted File Extensions\r\nAkira ransomware's Linux/ESXi encryptors will avoid encrypting files with the following extensions, the same as the Windows encryptors:\r\n.exe\r\n.dll\r\n.lnk\r\n.sys\r\n.msi\r\n.akira\r\nAdditionally, the Linux/ESXi encryptor will avoid the following directories:\r\ntmp\r\nthumb\r\nwinnt\r\n$Recycle.Bin\r\ntemp\r\nBoot\r\nWindows\r\n$RECYCLE.BIN\r\nSystem Volume Information\r\nTrend Micro\r\nProgramData\r\nAkira ransomware's Linux/ESXi encryptors target the following extensions, grouped by the first letter of the extension:\r\nA-L: .4dd, .abcddb, .abs, .abx, .accdb, .accdc, .accde, .accdr, .accdt, .accdw, .accft, .adb, .ade, .adf, .adn, .adp, .alf, .arc, .ask, .avdx, .avhd, .bdf, .bin, .btr, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad, .dadiagrams, .daschema, .db-shm, .db-wa, .db2, .db3, .dbc, .dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .dlis, .dp1, .dqy, .dsk, .dsn, .dtsx, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fm5, .fmp, .fmp12, .fmps, .fp3, .fp4, .fp5, .fp7, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .hjt, .icg, .icr, .idb, .ihx, .iso, .itdb, .itw, .jet, .jtx, .kdb, .kexi, .kexic, .kexis, .lgc, .lut, .lwx\r\nM-Z: .maf, .maq, .mar, .mas, .mav, .maw, .mdb, .mdf, .mdn, .mdt, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib, .ns2, .ns3, .ns4, .nsf, .nv2, .nvram, .nwdb, .nyf, .odb, .oqy, .ora, .orx, .owc, .p96, .p97, .pan, .pdb, .pdm, .pnz, .pvm, .qcow2, .qry, .qvd, .raw, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spq, .sqlite, .sqlite3, .sqlitedb, .subvo, .temx, .tmd, .tps, .trc, .trm, .udb, .usr, .v12, .vdi, .vhd, .vhdx, .vis, .vmcx, .vmdk, .vmem, .vmrs, .vmsd, .vmsn, .vmx, .vpd, .vsv, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld, .xmlff\r\nSource: https://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware/"
	],
	"report_names": [
		"threat-assessment-howling-scorpius-akira-ransomware"
	],
	"threat_actors": [
		{
			"id": "921cea27-4410-42e4-8c11-7d40ba313225",
			"created_at": "2023-01-06T13:46:39.375789Z",
			"updated_at": "2026-04-10T02:00:03.307063Z",
			"deleted_at": null,
			"main_name": "RansomHouse",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHouse",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434057,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/751428c5280460734c421378f46b9ad4edb5999d.pdf",
		"text": "https://archive.orkl.eu/751428c5280460734c421378f46b9ad4edb5999d.txt",
		"img": "https://archive.orkl.eu/751428c5280460734c421378f46b9ad4edb5999d.jpg"
	}
}