A new advisory from the Cybersecurity and Infrastructure Security Agency (CISA) highlights Akira ransomware as a rapidly escalating threat, impacting over 250 organizations globally since March 2023. The group, believed to have ties to the defunct Conti ransomware operation, has reportedly extorted approximately $244.17 million in ransom payments by late September 2025. Akira ransomware primarily targets small and medium-sized businesses (SMBs) across critical sectors including manufacturing, education, information technology, healthcare, and financial services.
The advisory details that initial access is frequently gained through unpatched virtual private network (VPN) services lacking multi-factor authentication, and exploitation of known vulnerabilities in Cisco products. CISA security analysts have observed consistent evolution in Akira’s attack methodologies throughout 2024 and 2025, adapting its toolkit and techniques to maximize impact and evade detection. The sustained activity and significant financial gains underscore the growing menace posed by this ransomware group.
Akira Ransomware: Evolving Tactics and Technical Sophistication
Akira ransomware has demonstrated a concerning adaptability since its emergence. Initially identified as a Windows-specific variant written in C++, it encrypted files, appending the .akira extension. However, by April 2023, the threat actors expanded their reach by deploying a Linux variant specifically targeting VMware ESXi virtual machines. This expansion into virtualized environments significantly broadens their attack surface.
Further enhancing their capabilities, the group introduced the Megazord encryptor in August 2023. This tool, developed in Rust, appends a distinct .powerranges extension to encrypted files, signaling a shift in their operational toolkit. More recently, in June 2025, Akira threat actors leveraged a critical vulnerability, CVE-2024-40766, in SonicWall products. This exploitation allowed them to encrypt Nutanix AHV virtual machine disk files, a further sign of their willingness to exploit both zero-day and known vulnerabilities.
The encryption mechanism employed by Akira ransomware is technically robust. It uses a hybrid scheme: the ChaCha20 stream cipher encrypts file contents quickly, while an RSA public key protects the ChaCha20 keys, so that only the holder of the matching RSA private key can recover them. This combination gives the operators both speed and resilience: bulk encryption is fast, and the encrypted files cannot be decrypted without the attacker-held private key.
Double Extortion and Persistence Tactics Employed by Akira
Akira ransomware operates under a dual-extortion strategy, a prevalent tactic among modern ransomware groups. This involves not only encrypting victim data but also threatening to leak sensitive information if the ransom is not paid. This pressure tactic significantly increases the likelihood of victims complying with demands.
Upon gaining initial access, threat actors establish persistence within the compromised network. They achieve this by creating new domain accounts and employing credential-scraping tools such as Mimikatz and LaZagne to harvest user credentials. This allows them to maintain access and elevate their privileges within the victim’s environment.
To blend in with legitimate network traffic and evade detection, Akira threat actors frequently utilize authorized remote access tools like AnyDesk and LogMeIn. These tools, commonly used by IT administrators, help mask their malicious activities. For data exfiltration, the group relies on tools such as FileZilla, WinSCP, and RClone to transfer stolen data to external cloud storage services before initiating the encryption process.
To further hinder recovery efforts, the Akira encryptor uses PowerShell commands to delete Volume Shadow Copy Service (VSS) snapshots on Windows systems. Organizations often rely on VSS snapshots to restore files to a previous state, so deleting them is a critical step in preventing a quick recovery.
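The tradecraft described above (credential harvesting with Mimikatz and LaZagne, abuse of AnyDesk and LogMeIn, staging with RClone, WinSCP and FileZilla, and shadow-copy deletion) can be turned into simple process-creation detection rules. The following is an added example, not code from the CISA advisory or from this article; the event layout, the sample events and the specific shadow-copy command patterns (vssadmin, wmic and Win32_ShadowCopy via PowerShell) are assumptions about how such activity commonly appears in endpoint telemetry, not quotes from the advisory.

```python
"""Detection rules over Windows process-creation events for the Akira
tradecraft named in the article. Added example; event format and sample
events are constructed, and the command patterns are assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    event_id: int
    host: str
    user: str
    image: str          # full path of the started executable
    command_line: str


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    severity: str


def _shadow_copy_deletion(image: str, cmd: str) -> bool:
    """Match the common ways VSS snapshots get deleted (assumed patterns).
    'vssadmin list shadows' is deliberately NOT matched."""
    return (
        ("vssadmin" in image and "delete" in cmd and "shadows" in cmd)
        or ("wmic" in image and "shadowcopy" in cmd and "delete" in cmd)
        or ("powershell" in image and "win32_shadowcopy" in cmd
            and re.search(r"\b(remove|delete)\b", cmd) is not None)
    )


# (rule name, severity, predicate over lower-cased image and command line)
RULES = [
    ("vss_shadow_copy_deletion", "high", _shadow_copy_deletion),
    ("credential_dumping_tool", "high",
     lambda image, cmd: any(t in image or t in cmd for t in ("mimikatz", "lazagne"))),
    # Legitimate admin use is common, so these are lower severity; correlate
    # with the high-severity rules before escalating.
    ("exfil_transfer_tool", "medium",
     lambda image, cmd: any(t in image for t in ("rclone", "winscp", "filezilla"))),
    ("remote_access_tool", "low",
     lambda image, cmd: any(t in image for t in ("anydesk", "logmein"))),
]


def evaluate(events):
    """Return one Finding per (event, matching rule), in event order."""
    findings = []
    for ev in events:
        image = ev.image.lower()
        cmd = ev.command_line.lower()
        for name, severity, pred in RULES:
            if pred(image, cmd):
                findings.append(Finding(ev.event_id, name, severity))
    return findings


def highest_severity(findings):
    order = {"low": 1, "medium": 2, "high": 3}
    return max((f.severity for f in findings), key=order.get, default=None)


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    ProcEvent(1, "ws01", "CORP\\svc", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(2, "ws01", "CORP\\admin", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe list shadows"),                      # benign
    ProcEvent(3, "ws01", "CORP\\svc",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | '
              'ForEach-Object { $_.Delete() }"'),
    ProcEvent(4, "ws02", "CORP\\svc", r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic shadowcopy delete"),
    ProcEvent(5, "ws02", "CORP\\svc", r"C:\Temp\mimikatz.exe",
              'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"'),
    ProcEvent(6, "fs01", "CORP\\svc", r"C:\Program Files\rclone\rclone.exe",
              "rclone.exe copy C:\\Finance remote:bucket"),
    ProcEvent(7, "ws03", "CORP\\it", r"C:\Program Files\AnyDesk\AnyDesk.exe",
              "AnyDesk.exe"),
    ProcEvent(8, "ws03", "CORP\\user", r"C:\Windows\System32\notepad.exe",
              "notepad.exe report.txt"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.rule} [{f.severity}]")
```

The benign `vssadmin list shadows` event and the plain Notepad launch produce no findings, which is the point of matching on the delete verb rather than on the tool name alone. In practice the rules would be fed from Sysmon Event ID 1 or Security Event ID 4688 records rather than from the constructed list.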
The ransom notes disseminated by Akira are typically named either fn.txt or akira_readme.txt. These notes contain instructions for victims on how to contact the threat actors via a `.onion` URL accessible through the Tor network. Payments are demanded in Bitcoin.
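The file-level indicators named in this article (the .akira and .powerranges extensions and the fn.txt and akira_readme.txt note names) lend themselves to a quick triage scan of a share or host. The scanner below is an added example, not code from the advisory or the article; the directory layout it builds is constructed in a temporary folder purely to exercise the scan.

```python
"""Triage scan for the Akira file artifacts named in the article. Added
example; the sample directory tree is constructed, not real victim data."""
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXTENSIONS = {".akira", ".powerranges"}   # Windows/Linux and Megazord
RANSOM_NOTE_NAMES = {"fn.txt", "akira_readme.txt"}


def scan_tree(root):
    """Walk root and report encrypted-extension counts and ransom-note paths.
    'likely_impacted' requires both artifact types, which cuts down false
    positives from a stray file that merely happens to carry the extension."""
    root = Path(root)
    encrypted = Counter()          # extension -> number of files
    notes = []                     # ransom notes, as POSIX-style relative paths
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower() in RANSOM_NOTE_NAMES:
                notes.append(path.relative_to(root).as_posix())
            if path.suffix.lower() in ENCRYPTED_EXTENSIONS:
                encrypted[path.suffix.lower()] += 1
    return {
        "encrypted_files": dict(encrypted),
        "ransom_notes": sorted(notes),
        "likely_impacted": bool(encrypted) and bool(notes),
    }


def build_sample_tree(base):
    """Create a constructed layout mimicking a partially encrypted share."""
    base = Path(base)
    files = {
        "finance/report.xlsx.akira": b"\x00" * 16,
        "finance/budget.docx.akira": b"\x00" * 16,
        "finance/akira_readme.txt": b"constructed ransom note text",
        "esx/vm01.vmdk.powerranges": b"\x00" * 16,
        "esx/fn.txt": b"constructed ransom note text",
        "hr/policy.pdf": b"%PDF-1.4 constructed clean file",
    }
    for rel, data in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return base


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


def demo_clean():
    """Scan a tree with no artifacts to show the negative case."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "clean.txt").write_bytes(b"nothing to see")
        return scan_tree(tmp)


if __name__ == "__main__":
    print(demo())
    print(demo_clean())
```

Run against a real path with `scan_tree("/mnt/share")` (or a drive letter on Windows); the note paths it returns are the first places an incident responder will want to preserve before any cleanup, since the note carries the contact details the article describes.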
The continuous evolution of Akira’s tactics, coupled with its broad targeting and significant financial success, indicates that the ransomware threat will likely persist. Organizations are advised to review their cybersecurity posture, particularly concerning VPN security, multi-factor authentication, and vulnerability management, to mitigate the risks associated with Akira and similar ransomware attacks. Ongoing vigilance and adherence to security best practices remain paramount in defending against sophisticated threats like Akira ransomware.