{
	"id": "5d0958fc-59f2-4c40-8450-ae0c90a75e2b",
	"created_at": "2026-04-06T00:12:51.386188Z",
	"updated_at": "2026-04-10T13:11:55.992088Z",
	"deleted_at": null,
	"sha1_hash": "d33f408392109c22ca218362a1abecb2ad71c520",
	"title": "Unmasking Akira: the ransomware tactics you can’t afford to ignore - Zensec",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 918287,
	"plain_text": "Unmasking Akira: the ransomware tactics you can’t afford to ignore - Zensec\r\nBy Francesca Rondeau\r\nPublished: 2025-09-19 · Archived: 2026-04-05 21:36:20 UTC\r\nIf you are reading this because you have experienced a ransomware incident and need help with ransomware data recovery, contact Zensec immediately.\r\nSummary\r\nThe ransomware group Akira has been ravaging UK businesses since at least 2023. This brief covers what Zensec (formerly Solace Cyber) has seen over the past two years. Zensec has seen devastating impacts on UK businesses from this group across the retail, finance, manufacturing and medical sectors, and has encountered over 30 businesses impacted by Akira during digital forensics and incident response (DFIR) engagements.\r\nBackground\r\nAkira is known to have close links to the old Conti cybercrime organisation, including code similarities in the ransomware payload and templated attacks that follow a playbook of procedures. Akira is a double-extortion group whose primary goal is financial gain. Like Conti, Akira uses templated, playbook-driven attacks: they first steal data, then encrypt it, demanding payment to prevent public leaks and to restore systems.\r\nTheir primary method of entry is SSL VPN exploitation (Cisco ASA, SonicWall, WatchGuard), often taking advantage of missing MFA or unpatched vulnerabilities.\r\nKey Observations (2023–2025)\r\nThese key observations are based on over 16 cases handled by Zensec’s DFIR teams.\r\nAttack Stage: Key Findings\r\nInitial Access: Abuse of VPNs (Cisco ASA, SonicWall, WatchGuard); exploitation of CVEs such as CVE-2023-20269 and CVE-2024-40766.\r\nhttps://zensec.co.uk/blog/unmasking-akira-the-ransomware-tactics-you-cant-afford-to-ignore/\r\nPage 1 of 13\n\nDiscovery: Tools such as Netscan (31%), Advanced Port Scanner (25%), and PowerShell AD enumeration.\r\nPrivilege Escalation: Exploitation of Veeam vulnerabilities (CVE-2023-27532, CVE-2024-40711); credential dumping with Veeam-Get-Creds.ps1.\r\nLateral Movement: Heavy use of RDP; SSH for ESXi/NAS systems; sometimes deploying attacker-created VMs.\r\nCommand \u0026 Control: AnyDesk (43%), OpenSSH (18.75%) most common; occasional use of Ligolo-ng, Cobalt Strike.\r\nExfiltration: WinSCP (31.25%), FileZilla (18.75%), Rclone (18.75%) used to steal data, sometimes in under 3 hours.\r\nImpact: Backup destruction, ESXi/NAS encryption, and data leaks via a Tor-based data leak site.\r\n
Insights from cases\r\nInitial access\r\nIn all cases observed, the initial access methods identified by Zensec during our ransomware recovery operations involved the threat actor leveraging enterprise gateways to reach the wider estate.\r\nBetween 2023 and late 2024, the main method of entry seen by Zensec was the abuse of Cisco ASA firewalls to gain initial access. In the majority of cases, this was due either to the lack of MFA on accounts or to firewalls vulnerable to a remote “brute force” vulnerability (CVE-2023-20269) and CVE-2020-3259, a memory disclosure vulnerability which can be used to retrieve credentials without authentication.\r\nFrom late 2024 to the present day, the most common initial access method used by Akira is the abuse of SonicWall SSL VPNs, with largely the same methods applied to this line of firewall product: password-based attacks against local VPN accounts and against accounts linked to Active Directory. CVE-2024-40766 is a high contributing factor.\r\nDuring 2025, the first cases were observed originating from the SSL VPNs of WatchGuard appliances, indicating that WatchGuard appliances are now within Akira’s scope going forward.\r\n
Discovery\r\nThe most common discovery utilities seen in use by Akira:\r\n1. Netscan, seen in over 31% of cases.\r\n2. Advanced Port Scanner, 25% of intrusions.\r\n3. Advanced IP Scanner, 12.5%.\r\n4. PowerShell discovery methods.\r\nIn the incidents where PowerShell use was observed for discovery, commands were run to collect information on all AD users, computers, groups, subnets, organisational units, AD trusts and domain controllers. As a result, the following output files were created by the threat actor in these cases: AdSubnets.csv, AdGroups.txt, AdOUs.csv, AdComputers.txt, AdUsers.txt and AdTrusts.txt.\r\nFigure 1\r\nIn less than 6% of cases, the following utilities were observed in use by Akira:\r\n1. PowerView – Invoke-ShareFinder module.\r\n2. SharpShares for share discovery.\r\n3. Grixba, to collect information on remote systems, installed security products and software, browsing history, processes and network information. The creation of the file ExportData.db was seen in cases where the utility was run. Grixba was initially seen in use by the PLAY ransomware group, as reported by Symantec.\r\n4. AD enumeration tools that can be used to find weaknesses in Active Directory were also seen, in the form of PingCastle and SharpHound, with the creation of multiple JSON files such as DATE_gpos.json and DATE_users.json and the DATE_BloodHound.zip archive.\r\n5. Virtual machine enumeration was observed using a utility called RVTools to enumerate VMware virtual machines’ configuration, hostnames and network configuration.\r\n
Privilege Escalation / Credential Access\r\nOnce inside the environment through the VPN, the threat actor may already have Active Directory (AD) credentials, depending on whether access was gained using a local firewall account or an AD account. Where valid credentials are insufficient to progress, Akira have been observed to exploit Veeam vulnerabilities such as CVE-2023-27532 and CVE-2024-40711.\r\nIndicators of this activity often include the use of xp_cmdshell following the creation of local accounts on Veeam servers, with those accounts then added to the local Administrators and Remote Desktop Users groups. A common next step is execution of the script “Veeam-Get-Creds.ps1” (or a variant), which extracts all stored credentials from the Veeam SQL database in plain text. This activity may also be performed using VeeamHax.exe. The credentials within Veeam frequently include ESXi, Hyper-V and NAS backup repository credentials, as well as domain administrator credentials, providing a powerful escalation path. In some cases, this credential dumping from Veeam occurs later in the incident, after initial data exfiltration, once attackers have established sufficient access.\r\nWhere Veeam exploitation is not possible, such as when instances are patched or absent, attackers have also turned to password-based attacks. This often takes the form of password spraying, which can be identified early in incidents by a spike in failed logins and multiple account lockouts.\r\nAkira ransomware operators are sometimes observed using more advanced credential theft techniques, but these activities are relatively infrequent compared to their other behaviours. In a minority of cases, they have stolen the NTDS.dit file (Active Directory’s database of user accounts and password hashes) along with the SYSTEM hive, which allows them to decrypt and crack those hashes offline. Tools such as Mimikatz have been seen in more than 12.5% of cases, enabling attackers to dump credentials from memory or conduct a DCSync attack, a technique that impersonates a domain controller to replicate password data directly from Active Directory.\r\nThey have also been observed performing Kerberoasting attacks, often while connected over an SSL VPN, to target service accounts by extracting and attempting to crack their Kerberos tickets. While powerful, these tactics are not consistently used in every incident; rather, they show up only in select cases. When they do occur, they provide attackers with a path to escalate privileges, spread across the network, and facilitate widespread ransomware deployment.\r\n
Persistence and C2 (Command and Control)\r\nAkira are well known at Zensec for their use of command and control methods, the most common being the RMM tool AnyDesk, which was seen in more than 43% of Akira incident response cases. The second most common method is the use of OpenSSH for remote access, seen in at least 18.75% of cases.\r\nIn a minority (\u003c6%) of cases, the following tools were utilised:\r\n1. Chrome Remote Desktop, where the following PowerShell command was run to configure remote access.\r\nFigure 2\r\n2. Reverse shells on ESXi hosts for remote access.\r\nFigure 3\r\n3. In at least two cases, the protocol tunnelling utility “Ligolo-ng” was utilised by executing a base64-encoded command. The tool allows the threat actor group to access the network just as if they were connected over the VPN, giving their machines direct access to the organisation’s network, as well as potential tunnelling of FTP traffic to the threat actor’s server.\r\n4. In a small number of cases, the threat actor was observed using Cobalt Strike beacons to remain in the environment.\r\nWhere C2 methods were absent, the window of the incident was usually short; in these cases it is probable that the threat actor did not deem it necessary to deploy remote access into the environment and remained connected via the SSL VPN. Alternatively, the forensic evidence was damaged by encryption before it could be retrieved.\r\n
Lateral Movement / Execution\r\nThe most common method abused for lateral movement was Remote Desktop Protocol (RDP); Zensec observed its use in all cases, from the SSL VPN range to Windows hosts. As the saying goes, it is the ransomware deployment protocol after all.\r\nIn the majority of cases where ESXi hosts or NAS devices are present, the threat actor is seen to use SSH for lateral movement.\r\nPass-the-hash techniques were observed in the majority of cases prior to the encryption stage, usually from the SSL VPN range and from systems unknown to the victim. A common example is the hostname “kali”, the default hostname of the popular offensive security Linux distribution (https://www.kali.org/). In a minority of cases, the threat actor was observed deploying their own virtual machine within the victim organisation in order to bypass security measures such as EDR, with the machine created to perform the encryption over SMB.\r\nIn a minority (\u003c6%) of cases, the following tools were observed:\r\n1. NetExec (nxc.exe) – a post-exploitation and Active Directory enumeration tool, often used by attackers to automate credential spraying, discover network resources, and execute commands remotely across many machines.\r\n2. PsExec – a legitimate Microsoft Sysinternals utility that allows administrators to run processes on remote systems by creating a temporary service (PSEXESVC).\r\n3. Impacket atexec.py – a Python script from the Impacket toolkit that enables remote command execution by creating scheduled tasks on target machines.\r\n4. MobaXterm – used to interact with ESXi hosts via SSH. In most cases, the SSH connection is from the SSL VPN range.\r\n
Defence Evasion\r\nWhere the threat actor is targeting the Windows operating system for later encryption, the majority of cases involve manual removal or disablement of security tooling, where the threat actor has obtained sufficient administrator privileges and where no password protection measures preventing the removal of antivirus or EDR products were in place. Sadly, in a large portion of cases, simply using the Control Panel and pressing uninstall is enough. Additionally, in 48.57% of cases, Windows Defender was inhibited manually or via automated methods. In multiple cases, the following PowerShell commands to disable Defender protection measures were observed:\r\nFigure 4\r\nIn less than 6% of cases:\r\n1. Manual Defender exclusions were found, where the threat actor excluded the ransomware payload from detection by adding exclusions for the ransomware payload and the whole C:\\ drive.\r\n2. Where EDR / AV protection measures hindered the threat actor, the creation of virtual machines to encrypt via SMB was seen in a small number of Hyper-V environments. In these cases, the ransomware payload was executed within the newly created virtual machine to impact systems protected by EDR / AV.\r\n3. In cases where NAS devices were used as file systems rather than primarily for backups, the threat actor disabled malware protection features via the web portal on the NAS devices.\r\nIn the remaining cases, where no hindrance to the threat actor was observed, defence evasion techniques were not observed and were likely considered unnecessary, as the ransomware was executed directly and exclusively on the hypervisors’ datastores containing the virtual machine disks. This limited the need for traditional evasion, with encryption occurring directly on the ESXi or Hyper-V hosts.\r\n
Collection\r\nBefore exfiltration, the threat actors were observed to use the following compression utilities:\r\nWinRAR – \u003e62.5%\r\n7-Zip – \u003e18.75%\r\nUsually, these compression utilities would be run on file servers to selectively archive documents by type and age. Akira’s use of these tools usually creates identifiable artefacts which indicate which data has been compressed. For example, finance.part1.rar, finance.part2.rar, sales.part1.rar and sales.part2.rar would usually indicate top-level folders on the file server. Recovered RAR files have previously provided insight into their contents, as a single RAR part file can facilitate the identification of which folders were included in the collection within a multi-part RAR set.\r\n
Exfiltration\r\nUsually, the length of time that Akira spends within the environment depends on how fast the business’s upload speed is. The shortest case Zensec has observed was less than three hours, and the predominant factor for speed appeared to be the gigabit upload speed of the victim.\r\nIn more than 81.25% of cases, Akira were identified to exfiltrate data using the following utilities:\r\nWinSCP – \u003e31.25% of incidents\r\nFileZilla – \u003e18.75% of incidents\r\nRclone – \u003e18.75% of incidents\r\nBitvise SSH Client – \u003e6%\r\nWeb browser (Easyupload[.]io) – \u003e6%\r\n
Encryption / Impact\r\nEncryption was observed in 100% of the Akira cases handled by incident responders at Zensec.\r\nDuring incidents, it has been observed that Akira targets backup devices and systems relating to backups, including QNAP devices or other generic NAS devices that were linked to backup servers. It is common to see the group format/wipe the disks and perform a factory reset of these devices. Usually, the source of the credentials is either the Veeam credential dumping or the devices being AD-joined, where a compromised account is leveraged to perform the format. In cases where NAS devices are used as a file store, the network share can be encrypted remotely, or the device encrypted directly with the Akira payload via SSH.\r\nBecause Akira predominantly targets hypervisors, it is not always necessary for the group to disable security products on hosts. Once on ESXi hosts with SSH enabled, there are few measures that will stop Akira from running the Linux variant.\r\nThe method of encryption can vary, where scenarios include:\r\nVirtual disk-level encryption (endpoints unaffected): core virtual machines are encrypted at the virtual disk level (VMDKs and VHDXs); endpoints (laptops/desktops) are typically left unencrypted.\r\nFull environment encryption: both servers/endpoints at the OS layer (applications and data) and virtual disks within Hyper-V or ESXi (VMDKs and VHDXs) are encrypted.\r\nIn-guest encryption only / physical devices: virtual disks remain untouched; instead, the ransomware operates within the VMs, physical servers and endpoints, encrypting their contents (applications and data).\r\nThe following names for the ransomware payload have been identified, usually short names that are generic across multiple incidents: w.exe, akira.exe, lck.exe, lock.exe, locker.exe, pr.exe, n.exe, s.exe, aki.exe, win.exe, esx, winlocker.exe and hello.exe.\r\nThe ransomware payload has been seen to run directly on hosts in one or more of the following categories within incidents:\r\nHyper-V disks and Hyper-V OS – \u003e43.75%\r\nPhysical servers, laptops and desktops running Windows – \u003e43.75%\r\nVMware ESXi datastores – \u003e31.25%\r\nNAS – \u003e6.25%\r\n
ESXi\r\nCommon execution of the ransomware payload on ESXi involves the threat actor using “chmod +x” to make the file executable before running the encryptor with multiple command line switches.\r\nFigure 5\r\nThe redacted entry is the payload name.\r\nSwitch: Usage\r\n-n: Percentage of encryption\r\n-p: Path to encrypt (VMFS volumes)\r\n-fork: Creates a separate child process for encryption\r\nThroughout cases, the percentage of encryption instructed can vary.\r\n
Windows\r\nThe method of execution can vary; the threat actor predominantly runs the encryptor using PowerShell or Command Prompt as an administrator account. The execution of the Akira payload on Windows devices provides a forensic artefact: the encryptor leaves multiple log files, usually within the same directory from which it was run, with the naming convention “Log-DD-MM-YYYY-HH-MM-SS.txt”.\r\nThe Akira ransomware payload for Windows uses many of the same switches, where “-p” denotes the path for the encryptor to target. Here you can see the ransomware payload running from “C:\\PerfLogs”, targeting the virtual machine disks of a Hyper-V host and the whole D and E drives. In this scenario, the threat actor left the command prompt window open, leaving the evidence on the active RDP session window.\r\nFigure 6\r\nIn the same intrusion, in another Command Prompt window, the threat actor instructed the ransomware payload to encrypt endpoint devices, laptops and desktops remotely with the command line switch “-remote” followed by the network path of the system to target.\r\nFigure 7\r\nIn more than 6.25% of cases, Akira have been observed to run the ransomware payload via GPOs (Group Policy Objects) to attempt to achieve a wider impact if and when new systems come online, for example on Monday morning when employees first get to the office.\r\nUpon encryption, the ransomware payload appends “.akira” to file names and, within each folder where the encryptor has run, drops a TXT file called “akira_readme.txt”. This applies in both ESXi and Windows environments.\r\nFigure 8\r\n
Post Encryption\r\nAfter the encryption has run its course, the victim organisation is occasionally contacted. In most cases, this is a mass email to all employees or to the senior leadership team. Interestingly, in every case observed by Zensec where Akira sent emails, Gmail accounts were used (e.g., REDACTED@gmail.com). Zensec has observed this email-contact scenario in about 18.75% of intrusions. These emails usually repeat the same information found in the ransom note left on infected systems.\r\nOccasionally, the attackers will follow up with a link to a “proof of life” package, a set of stolen sample data intended to prove they really have the victim’s files.\r\nFigure 9\r\nHow do Akira publish the data?\r\nAkira publish victims to an onion (Tor) based website referred to as a data leak site (DLS), usually linked in the ransom note.\r\nFigure 10\r\nIn most cases where exfiltrated data is acquired, Akira will list the organisation first within the news section of the DLS. After a varied amount of time, usually 2 weeks to up to 8 weeks after the company is listed in the news section, but sometimes longer, the victim will be listed within the leak section of the site. Some do not appear under a company name at all and are bundled with multiple organisations in a single leak post.\r\nInstead of hosting the files directly, Akira shares magnet or torrent links. This makes it very difficult to take down the leaked data, since torrents are hosted by many “seeders” on public trackers, making them widely and persistently available.\r\nFigure 11\r\nMITRE Attack Flow Map\r\nDownload the full Akira attack flow map (PDF) to visualise how this group typically moves through environments.\r\nSource: https://zensec.co.uk/blog/unmasking-akira-the-ransomware-tactics-you-cant-afford-to-ignore/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://zensec.co.uk/blog/unmasking-akira-the-ransomware-tactics-you-cant-afford-to-ignore/"
	],
	"report_names": [
		"unmasking-akira-the-ransomware-tactics-you-cant-afford-to-ignore"
	],
	"threat_actors": [
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434371,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d33f408392109c22ca218362a1abecb2ad71c520.pdf",
		"text": "https://archive.orkl.eu/d33f408392109c22ca218362a1abecb2ad71c520.txt",
		"img": "https://archive.orkl.eu/d33f408392109c22ca218362a1abecb2ad71c520.jpg"
	}
}