Widely attributed · Unknown · MITRE G1024

Akira

Akira is a ransomware variant and ransomware deployment entity active since at least March 2023. Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly available tools and techniques for lateral movement. Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMware ESXi hypervisors and multiple overlaps with Conti ransomware.

Attribution signal

Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score. Scale: ≥ 10 High, ≥ 3 Moderate, < 3 Low.
3.1
Moderate signal strength
Mentions: 7
Sources: 4
High conf.: 2
Last seen: Jun 2026
First observed: 2024-02-20
Last active:
Origin: Unknown — financially motivated cybercriminal group
Aliases: 5
Techniques: 17
Campaigns: 0

Attribution signals

7 mentions · 4 sources
#1 · had weaponized · high
Malware
bleepingcomputer
Jun 2026

"several ransomware operations, including the Akira, Fog, and Frag gangs, had weaponized another critical VBR RCE flaw (CVE-2024-40711)"

#2 · actively targeted · high
TTP match · Victimology
mandiant
May 2026

"ransomware operators, including prolific groups using REDBIKE (Akira) and AGENDA (Qilin), actively targeted backup infrastructure"

#3 · targeted · moderate
Victimology
bleepingcomputer
May 2026

"Last year, the Akira ransomware gang targeted SonicWall SSL VPN devices and logged in despite MFA being enabled on accounts, but the method was not confirmed"

#4 · led by · moderate
Unspecified
checkpoint
May 2026

"ransomware activity was led by Akira, Qilin, and Safepay"

#5 · unspecified · unspecified
Unspecified
socradar
Jun 2026

"Brazil named as top-tier concentration market; Moinho Globo Alimentos breached"

#6 · unspecified · unspecified
Unspecified
coveware
Jun 2026

"The Akira RaaS group leveraged a vulnerability that resulted in record-breaking attack volumes between July and August."

#7 · unspecified
Malware
cyberscoop
May 2026

Hedge terms observed

actively targeted · had weaponized · led by · targeted · unspecified