{
	"id": "169f24e2-4f92-47bf-9cef-18e3fb9e1097",
	"created_at": "2026-04-06T00:18:49.241771Z",
	"updated_at": "2026-04-10T03:37:04.552121Z",
	"deleted_at": null,
	"sha1_hash": "f43669d8fe0f3ac7d03765aba94169c837961a0a",
	"title": "Akira Ransomware: The Evolution of a Major Threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 455236,
	"plain_text": "Akira Ransomware: The Evolution of a Major Threat\r\nBy Loginsoft\r\nPublished: 2026-03-05 · Archived: 2026-04-05 19:14:29 UTC\r\nIntroduction\r\nAkira is a rapidly emerging ransomware group, first identified in early 2023, and is operated by the threat actors known as GOLD SAHARA, PUNK SPIDER, and Storm-1567. Utilizing a ransomware-as-a-service (RaaS) model, Akira employs a double extortion strategy by exfiltrating data before encrypting victims' devices. However, unlike some other ransomware groups, Akira offers victims a degree of flexibility by allowing them to choose whether to pay for decryption assistance, data deletion, or both.\r\nThis ransomware has demonstrated a global reach, with attacks impacting North America, Europe, Asia, Australia, and Africa. A wide range of industries has been targeted, including financial services, insurance, construction, education, healthcare, manufacturing, agriculture, legal, government, logistics, retail, information technology, and telecommunications.\r\nRecent threat activity has revealed that Akira ransomware affiliates are exploiting a vulnerability in SonicWall devices, CVE-2024-40766, to gain initial access. They specifically target SSLVPN user accounts that are local to the devices and not integrated with centralized authentication such as Active Directory. These compromised accounts also lack multi-factor authentication (MFA) and sit on devices running vulnerable SonicOS firmware versions, making them prime targets for exploitation.\r\nKey Takeaways\r\nAkira ransomware has evolved rapidly to become a major threat to organizations.\r\nAttack techniques are refined over time to improve stealth and effectiveness.\r\nTargeted intrusions increase impact compared to opportunistic ransomware attacks.\r\nUnderstanding attacker evolution improves detection and mitigation strategies.\r\nKey characteristics of Akira ransomware:\r\nIt is designed to encrypt files and appends a unique \".akira\" extension to the encrypted filenames.\r\nIt is a cross-platform threat that targets both Windows and Linux devices.\r\nIt can delete Windows Shadow Volume Copies and shut down Windows services during encryption.\r\nIt is often spread through malicious files, such as phishing attachments or compromised software.\r\nIt can also exploit VPN services to mask its network activity and evade detection.\r\nhttps://www.loginsoft.com/post/akira-ransomware-the-evolution-of-a-major-threat\r\nPage 1 of 8\r\nImage representing Akira Tor leak site\r\nTechnical Analysis\r\nInitial access\r\nAkira threat actors often exploit vulnerabilities in Virtual Private Network (VPN) services, particularly those lacking multifactor authentication (MFA), to gain initial access to target organizations. They have been known to exploit vulnerabilities in SonicWall SonicOS firmware, VMware ESXi hypervisor, Fortinet FortiOS, and Cisco software to compromise VPN infrastructure and gain unauthorized access to target networks.\r\nPersistence and Discovery\r\nOnce initial access is obtained, Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts to establish persistence. In some instances, the Akira threat actors were observed creating an administrative account named “itadm”.\r\nTools like SoftPerfect and Advanced IP Scanner are often used for network device discovery (reconnaissance) purposes, and Windows net commands are used to identify domain controllers and gather information on domain trust relationships.\r\nDefense Evasion\r\nAs these threat actors prepare for lateral movement, they often disable security software to evade detection. Researchers have noted that Akira actors use tools like PowerTool to exploit the Zemana AntiMalware driver and terminate antivirus-related processes.\r\nCredential Access\r\nReports indicate that Akira threat actors leverage post-exploitation attack techniques such as Kerberoasting to extract credentials from the process memory of the Local Security Authority Subsystem Service (LSASS). Akira threat actors also use credential scraping tools like Mimikatz and LaZagne to aid in privilege escalation.\r\nExfiltration\r\nAkira threat actors leverage a range of tools, including FileZilla, WinRAR, WinSCP, and RClone, along with cloud storage services like Mega, to exfiltrate data. For establishing command and control channels, they employ widely available tools like AnyDesk, MobaXterm, RustDesk, Ngrok, and Cloudflare Tunnel. These tools facilitate data exfiltration through protocols such as File Transfer Protocol (FTP) and Secure File Transfer Protocol (SFTP).\r\nEncryption\r\nAkira ransomware employs a sophisticated hybrid encryption scheme to compromise data. Combining ChaCha20 and RSA encryption, Akira tailors its encryption methods based on file type and size, allowing for both full and partial encryption. Encrypted files are typically identified by the \".akira\" or \".powerranges\" extension.\r\nAkira threat actors enhance their encryption process by inserting additional threads, allowing more precise control over CPU core usage, which boosts both speed and efficiency. The latest version also incorporates a protective layer by using a Build ID as a runtime condition, preventing successful execution without this unique identifier, which complicates dynamic analysis.\r\nThe updated Akira_v2 variant introduces functionalities such as deploying exclusively against virtual machines using the \"vmonly\" parameter and stopping running virtual machines with the \"stopvm\" command. After encryption, the Linux ESXi variant may use the file extension \".akiranew\" and place a ransom note named \"akiranew.txt\" in directories where files have been encrypted under this new designation.\r\nDuring the encryption process, the Akira encryptor avoids encrypting files located in the Recycle Bin, System Volume Information, Boot, ProgramData, and Windows folders. It also excludes Windows system files with extensions such as .exe, .lnk, .dll, .msi, and .sys from encryption. After encryption, a ransom note named \"fn.txt\" is placed in both the root directory (C:) and each user's home directory (C:\\Users). This note provides instructions and demands a ransom payment for decryption.\r\nImage representing Akira Ransom note\r\nImpact\r\nIn addition to data encryption, Akira exfiltrates sensitive information prior to encryption, exacerbating the risk of data breaches. To prevent system recovery, Akira's encryptor (w.exe) leverages PowerShell commands to delete volume shadow copies (VSS) on Windows systems. This strategy significantly impairs the ability to restore data from previous snapshots, complicating recovery efforts and prolonging downtime.\r\nAkira ransomware employs a double-extortion model, encrypting systems after exfiltrating data. Ransom demands are provided upon victim contact, and payments are demanded in Bitcoin. Akira threatens data leaks and direct calls to increase pressure on victims.\r\nLeveraged tools, exploits and malware\r\nProcedure | Tool/Malware/Exploit leveraged\r\nInitial access | VPN via compromised accounts and CVE-2024-40766, CVE-2024-37085, CVE-2024-3259 and CVE-2023-20269\r\nDefense Evasion | PowerTool and KillAV (Terminator from GitHub)\r\nDiscovery | AdFind, PCHunter, Advanced IP Scanner, SharpHound and MASSCAN\r\nCredential Access | Mimikatz, LaZagne and LSASS dump\r\nCommand and Control | AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, RustDesk and ngrok\r\nLateral Movement | RDP\r\nExfiltration | WinSCP, Rclone and FileZilla\r\nRecent activities\r\nRecent investigations revealed that Akira ransomware was exploiting CVE-2024-40766, a critical access control vulnerability in SonicWall devices. The attacks focused on local accounts without multi-factor authentication (MFA) and exploited vulnerabilities in outdated SonicOS firmware versions.\r\nHistorically, this ransomware was observed exploiting:\r\nCVE-2024-37085 - An authentication bypass vulnerability in VMware ESXi\r\nCVE-2022-40684 - An authentication bypass vulnerability in Fortinet FortiOS\r\nCVE-2020-3259 - An information disclosure vulnerability in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software\r\nCVE-2023-20269 - An unauthorized access vulnerability in the VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software\r\nMITRE ATT\u0026CK TACTICS AND TECHNIQUES\r\nTable representing the techniques and tactics employed by Akira ransomware:\r\nID | Technique | Comments\r\nT1078 | Valid Accounts | Akira threat actors gain initial access by acquiring and abusing credentials from existing accounts.\r\nT1190 | Exploit Public-Facing Application | Akira threat actors leverage vulnerabilities in internet-facing systems to infiltrate target networks.\r\nT1133 | External Remote Services | Akira threat actors have utilized remote access services, such as RDP and VPN connections, to achieve initial access.\r\nT1566 | Phishing: Spear phishing Attachment | Akira threat actors use phishing emails carrying malicious attachments with Word (.docx), Excel (.xlsx), or PDF (.pdf) extensions.\r\nT1566.002 | Phishing: Spear phishing Link | Akira threat actors utilize phishing emails with malicious links.\r\nT1003 | OS Credential Dumping | Akira threat actors leverage tools such as Mimikatz and LaZagne to extract credentials.\r\nT1003.001 | OS Credential Dumping: LSASS Memory | Akira threat actors attempt to retrieve credential data from the process memory of LSASS.\r\nT1558.003 | Steal or Forge Kerberos Tickets | Akira threat actors leverage Kerberoasting techniques to extract credentials.\r\nT1016 | System Network Configuration Discovery | Akira threat actors utilize tools to scan systems and detect services running on remote hosts and local network infrastructure.\r\nT1082 | System Information Discovery | Akira threat actors employ tools such as PCHunter64 to gather detailed process and system information.\r\nT1482 | Domain Trust Discovery | Akira threat actors utilize the Windows \"net\" command to gather domain information.\r\nT1057 | Process Discovery | Akira threat actors use the Tasklist utility through PowerShell to retrieve information about running processes.\r\nT1069.001 | Permission Groups Discovery: Local Groups | Akira threat actors use the net localgroup /dom command to identify local system groups and their permission settings.\r\nT1069.002 | Permission Groups Discovery: Domain Groups | Akira threat actors use the net group /domain command to seek out domain-level groups and their associated permission settings.\r\nT1018 | Remote System Discovery | Akira threat actors use the nltest /dclist command to compile a list of other systems on a network based on IP address, hostname, or other logical identifiers.\r\nT1136.002 | Create Account: Domain Account | Akira threat actors try to exploit domain controllers by creating new domain accounts to maintain persistence.\r\nT1562.001 | Impair Defenses: Disable or Modify Tools | Akira threat actors employ BYOVD (Bring Your Own Vulnerable Driver) attacks to disable antivirus software.\r\nT1219 | Remote Access Software | Akira threat actors utilize legitimate desktop support software, such as AnyDesk, to gain remote access to victim systems.\r\nT1090 | Proxy | Akira threat actors used Ngrok to establish a secure tunnel to servers, facilitating the exfiltration of data.\r\nT1560.001 | Archive Collected Data: Archive via Utility | Akira threat actors use tools such as WinRAR to compress files.\r\nT1048 | Exfiltration Over Alternative Protocol | Akira threat actors utilize file transfer tools like WinSCP to transfer data.\r\nT1537 | Transfer Data to Cloud Account | Akira threat actors use tools such as CloudZilla and Mega to exfiltrate data to a cloud account and establish connections with exfiltration servers they control.\r\nT1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Akira threat actors utilized RClone to synchronize files with cloud storage services for data exfiltration.\r\nT1486 | Data Encrypted for Impact | Akira threat actors encrypt data on target systems to disrupt access to system and network resources.\r\nT1490 | Inhibit System Recovery | Akira threat actors remove volume shadow copies from Windows systems.\r\nT1657 | Financial Theft | Akira threat actors employ a double-extortion model to achieve financial gain.\r\nDefending against Akira Ransomware\r\nTraining programs: Akira employs phishing emails and stolen credentials to spread its malware. By providing cybersecurity awareness training, organizations can mitigate their risk by educating employees on security best practices and how to identify common attack methods.\r\nAnti-Ransomware Solutions: The data encryption and exfiltration activities associated with ransomware attacks are distinctive and serve as clear indicators of such threats. Anti-ransomware solutions can leverage these behavioral patterns, among other factors, to detect, block, and remediate infections caused by Akira and other ransomware variants.\r\nData Backups: Ransomware like Akira aims to coerce companies into paying a ransom by encrypting critical data and holding it hostage. Maintaining regular data backups allows organizations to restore their encrypted files without needing to comply with ransom demands.\r\nPatch Management: Akira frequently takes advantage of vulnerabilities in VPN software to gain access to target systems. Regularly applying patches and updates helps organizations close these security gaps, preventing the ransomware group from exploiting them.\r\nImplementing strong user authentication policies: Akira ransomware often targets VPNs without multi-factor authentication (MFA), making it easier to exploit compromised credentials. Enforcing MFA on corporate systems significantly raises the barrier for attackers, reducing the likelihood of a successful malware infection.\r\nNetwork Segmentation: Ransomware typically spreads laterally within a corporate network from its initial entry point to systems containing valuable data. Implementing network segmentation helps detect and block this movement, limiting the ransomware's ability to encrypt or steal sensitive information.\r\nConclusion\r\nThe blog highlights that Akira ransomware represents a new generation of ransomware threats that continuously adapt to defensive controls. Its evolution demonstrates how attackers refine techniques, tools, and execution to increase success rates and damage. Staying ahead of threats like Akira requires continuous monitoring, behavior-based detection, and an understanding of how ransomware tactics change over time.\r\nFAQs\r\nQ1. What is Akira ransomware?\r\nAkira ransomware is a Ransomware-as-a-Service (RaaS) operation that surfaced in March 2023. It uses double extortion tactics, stealing sensitive data before encrypting systems and threatening to leak the stolen information if the ransom is not paid, maximizing pressure on victims.\r\nQ2. Why is Akira considered a major threat?\r\nBecause it adapts its techniques, evades detection, and targets environments where it can cause maximum disruption.\r\nQ3. How has Akira ransomware evolved?\r\nAkira ransomware has quickly evolved from a Windows-only threat in early 2023 into a cross-platform ransomware operation, now targeting Linux systems, VMware ESXi, and Nutanix AHV environments. Operating as a Ransomware-as-a-Service (RaaS), the group continuously updates its tools and tactics to increase the speed, reach, and impact of its double-extortion attacks across enterprise infrastructure.\r\nQ4. What makes evolving ransomware difficult to defend against?\r\nConstant changes in tactics make signature-based detection less effective.\r\nQ5. What is the key defensive takeaway from this blog?\r\nUnderstanding ransomware evolution and monitoring attacker behavior are essential to limiting impact.\r\nSource: https://www.loginsoft.com/post/akira-ransomware-the-evolution-of-a-major-threat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.loginsoft.com/post/akira-ransomware-the-evolution-of-a-major-threat"
	],
	"report_names": [
		"akira-ransomware-the-evolution-of-a-major-threat"
	],
	"threat_actors": [
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b9df610a-2b02-460a-90be-62b982c38ce2",
			"created_at": "2024-06-19T02:03:08.111044Z",
			"updated_at": "2026-04-10T02:00:03.836764Z",
			"deleted_at": null,
			"main_name": "GOLD SAHARA",
			"aliases": [
				""
			],
			"source_name": "Secureworks:GOLD SAHARA",
			"tools": [
				"ADFind",
				"Advanced IP Scanner",
				"Akira",
				"AnyDesk",
				"LaZagne",
				"Level.io",
				"Logmein",
				"Mega",
				"Megazord",
				"Mimikatz",
				"PCHunter64",
				"PuTTy",
				"Rclone",
				"SoftPerfect Network Scanner",
				"WinRAR"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434729,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f43669d8fe0f3ac7d03765aba94169c837961a0a.pdf",
		"text": "https://archive.orkl.eu/f43669d8fe0f3ac7d03765aba94169c837961a0a.txt",
		"img": "https://archive.orkl.eu/f43669d8fe0f3ac7d03765aba94169c837961a0a.jpg"
	}
}