Credential Theft
- DonPAPI
- LaZagne
- Mimikatz
Akira is a ransomware-as-a-service operation and ransomware family that emerged in 2023 and became a prominent financially motivated threat through double-extortion attacks.
Profile source: Mallory opens in a new tabAkira
Akira is a ransomware-as-a-service operation and ransomware family that emerged in 2023 and became a prominent financially motivated threat through double-extortion attacks. The group steals data before encryption and pressures victims with both operational disruption and threatened public release of stolen information. Akira has been associated by multiple vendors with former Conti-linked tradecraft and is also tracked under aliases including Howling Scorpius, Storm-1567, PUNK SPIDER, GOLD SAHARA, and MITRE group identifier G1024.
Akira initially deployed a Windows encryptor written in C++, later introduced a Rust-based variant known as Megazord, and expanded to Linux and ESXi environments. Reporting also describes encryption of virtualized infrastructure including VMware ESXi and, in later activity, Nutanix AHV. The malware supports multithreaded encryption, drive and process enumeration, process termination, shadow copy deletion, ransom note creation, and file encryption using hybrid cryptography. Operators commonly target backup, database, and security-related services before encryption to inhibit recovery and maximize impact.
Observed Akira intrusions span the full ransomware lifecycle. Initial access has been repeatedly linked to compromised VPN credentials, especially where MFA is absent, exploitation of edge-device and VPN vulnerabilities, spearphishing, brute-force activity against remote access services, access purchased from initial access brokers, and at least one documented SEO-poisoning chain that delivered a trojanized enterprise software installer. Post-compromise activity includes creation of privileged accounts, deployment of remote access tools for persistence, credential theft from LSASS, Active Directory, backup systems, browsers, and other stores, broad internal reconnaissance, lateral movement via RDP, SMB, SSH, PsExec, WMI, and related administrative mechanisms, and exfiltration of archived data to external services before encryption.
Akira operators have also demonstrated strong defense-evasion tradecraft. Reported behavior includes disabling endpoint protections, clearing event logs, deleting shadow copies and backup catalogs, using covert tunneling services, and employing bring-your-own-vulnerable-driver techniques to neutralize security controls. Commonly observed tooling in Akira intrusions includes credential-dumping utilities, remote administration software, network scanners, Active Directory discovery tools, archivers, and file-transfer clients.
Victimology is broad, with repeated targeting across manufacturing, industrial services, healthcare, education, finance, IT, retail, and other enterprise sectors, with especially heavy activity reported in North America and Europe. Akira has been repeatedly described as one of the most active ransomware groups of the mid-2020s and a significant threat to organizations with exposed remote access infrastructure, weak identity protections, and recoverable but insufficiently isolated backup environments.
Ransomware.live
Ransomware.live
083740c55d0a459674457b8551ed9c6a1a7df536c3bb676a6f90af5b3bea53024d43e35962c8c7fdca5f64da8f561f5af17b6cdcbac9462f01da65bd4f8636db27182f9017d8e4212fbc32e954e19d37ab359be0ab33876eb32325706e43f0c11d895cf4391b817e54fb9ec9d8e65f7e03b9887dee2c3c825b6a6c0df1d104ad4d79fb750955ec8702cb79cfdb36e66bc387b2eb96bb137cdd54220d920edce978d75669390e4177597faf9271ce3ad3a16a3652e145913dbfa9a5951972fcb02c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd7788da2b1cee373d5f11949c1ade22af0badf16591a871978a9e02f70480e547b2566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d587b4020bcd3fad1f5711e6801ca269ef5852256eeaf350f4dde2dc46c576262d988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb423805f299d33ef43d17a5a1040149f0e5e2d5db57ec6f03c5687ac23db1f77a30abba655df92e99a15ddcde1d196ff4393a13dbff293e45f5375a2f61c84a2c7ba546ef13e8a71a8b5f0803075382eb0311d0d8dbae3f08bac0b2f4250af8add0bc1qr0txunr259we37wer7w6et33qyq0n6hv83pw24bc1q6dqe4esmqejmxhpj95qadv0j4clsqcxxp4cd94bc1qandfxc4knaf943njca77edl9mmegzs83tv8lpxbc1qr0pqfghr9cksfc5arr2rak3lt2y50v03pc76nhbc1qpwwtck0zhzrj56fxeayz6wz5546nlp607qzpvhbc1qghj85gz0dkr9jeucana3z4xu50ujtllj50rvj0bc1qcnw5v94y40ast06eatgalnjpluu2p067qewh46Ransomware.live
Reported operators
Figure 3 below represents the total number of victims claimed by The Gentlemen in 2025 compared to both Qilin and Akira, tracked by Unit 42 as Howling Scorpius.
The crown jewel of their operations is the use of the ransomware that gives them their name: Akira ... It retains various capabilities such as controlling disk drives, managing running processes, multi-threaded operation, and, of course, encrypting files and writing ransom notes on the victim’s devices.
These RaaS programs include: Akira (Howling Scorpius) ALPHV (Ambitious Scorpius) DragonForce (Slippery Scorpius) Play (Fiddling Scorpius) Qilin (Spikey Scorpius) RansomHub (Spoiled Scorpius)
In July 2024, Microsoft also linked the Storm-1175 threat group, along with three other cybercrime gangs, to Black Basta and Akira ransomware attacks that exploited a VMware ESXi authentication-bypass flaw.
"...the use of this technique has led to Akira and Black Basta ransomware deployments."
"...the use of this technique has led to Akira and Black Basta ransomware deployments."
In 2024, the top 3 ransomware threats to Canada were: Akira... emerged in April 2023... operates 2 ransomware variants... exfiltrates victim data before encrypting... double extortion.
Exploited software
MITRE ATT&CK
Reporting
Ten of those defects are known to be used in ransomware campaigns, according to CISA, including a wave of about 40 Akira ransomware attacks between mid-July and early August.
Akira4
Figure 3 below represents the total number of victims claimed by The Gentlemen in 2025 compared to both Qilin and Akira, tracked by Unit 42 as Howling Scorpius.
The consistent use of PsExec for lateral movement and NirSoft utilities for credential theft across multiple ransomware families — including GodDamn, Qilin, RansomHub, Royal, Akira, LockBit, and Makop — represents a predictable attack pattern.
Группы вроде Qilin, Akira, Play и DragonForce - все среди наиболее активных по данным ransomware.live - осознанно выбирают цели с оборотом, достаточным для выплаты выкупа, но недостаточным для нормальной эшелонированной защиты.
44 heures après l’accès initial , déploiement du ransomware Akira ( locker.exe )
In the Huntress 2026 Cyber Threat Report, four groups—Akira, Medusa, Qilin, and Ransomhub—accounted for over half of observed ransomware incidents...
What followed was a carefully executed multi-day intrusion that ended with Akira ransomware deployed across the victim’s entire network.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.