Skip to content
Ransomware group EsxiLinuxWindows

Akira

Akira is a ransomware-as-a-service operation and ransomware family that emerged in 2023 and became a prominent financially motivated threat through double-extortion attacks.

Profile source: Mallory opens in a new tab

Akira

Family profile

Akira is a ransomware-as-a-service operation and ransomware family that emerged in 2023 and became a prominent financially motivated threat through double-extortion attacks. The group steals data before encryption and pressures victims with both operational disruption and threatened public release of stolen information. Akira has been associated by multiple vendors with former Conti-linked tradecraft and is also tracked under aliases including Howling Scorpius, Storm-1567, PUNK SPIDER, GOLD SAHARA, and MITRE group identifier G1024.

Akira initially deployed a Windows encryptor written in C++, later introduced a Rust-based variant known as Megazord, and expanded to Linux and ESXi environments. Reporting also describes encryption of virtualized infrastructure including VMware ESXi and, in later activity, Nutanix AHV. The malware supports multithreaded encryption, drive and process enumeration, process termination, shadow copy deletion, ransom note creation, and file encryption using hybrid cryptography. Operators commonly target backup, database, and security-related services before encryption to inhibit recovery and maximize impact.

Observed Akira intrusions span the full ransomware lifecycle. Initial access has been repeatedly linked to compromised VPN credentials, especially where MFA is absent, exploitation of edge-device and VPN vulnerabilities, spearphishing, brute-force activity against remote access services, access purchased from initial access brokers, and at least one documented SEO-poisoning chain that delivered a trojanized enterprise software installer. Post-compromise activity includes creation of privileged accounts, deployment of remote access tools for persistence, credential theft from LSASS, Active Directory, backup systems, browsers, and other stores, broad internal reconnaissance, lateral movement via RDP, SMB, SSH, PsExec, WMI, and related administrative mechanisms, and exfiltration of archived data to external services before encryption.

Akira operators have also demonstrated strong defense-evasion tradecraft. Reported behavior includes disabling endpoint protections, clearing event logs, deleting shadow copies and backup catalogs, using covert tunneling services, and employing bring-your-own-vulnerable-driver techniques to neutralize security controls. Commonly observed tooling in Akira intrusions includes credential-dumping utilities, remote administration software, network scanners, Active Directory discovery tools, archivers, and file-transfer clients.

Victimology is broad, with repeated targeting across manufacturing, industrial services, healthcare, education, finance, IT, retail, and other enterprise sectors, with especially heavy activity reported in North America and Europe. Akira has been repeatedly described as one of the most active ransomware groups of the mid-2020s and a significant threat to organizations with exposed remote access infrastructure, weak identity protections, and recoverable but insufficiently isolated backup environments.

Capabilities

  • Brute Force
  • Byovd
  • Credential Theft
  • Defense Evasion
  • Dll Sideloading
  • Exfiltration
  • Extortion
  • Initial Access
  • Lateral Movement
  • Persistence
  • Post Exploitation
  • Privilege Escalation
  • Process Injection
  • Reconnaissance

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • DonPAPI
  • LaZagne
  • Mimikatz

Defense Evasion

  • PowerTool
  • ThrottleStop driver
  • Zemana Anti-Rootkit driver
  • churchill_driver.sys / fidget.sys
  • consent.exe (msimg32.dll / wmsgapi.dll)
  • icardagt.exe (version.dll DLL sideload)
  • mfpmp.exe (rtworkq.dll DLL sideload)

Discovery Enum

  • Advanced IP Scanner
  • Advanced Port Scanner
  • Bloodhound
  • Masscan
  • ReconFTW
  • ShareFinder
  • SharpHound
  • SharpShares
  • SoftPerfect NetScan
  • ldapdomaindump

Exfiltration

  • FileZilla
  • MEGA
  • RClone
  • Temp[.]sh
  • WinRAR
  • WinSCP

LOLBAS

  • net
  • netsh
  • nltest
  • vssadmin

Networking

  • Cloudflared
  • Ngrok
  • OpenSSH

Offsec

  • CrackMapExec
  • Impacket
  • NetExec

RMM Tools

  • AnyDesk
  • MeshAgent
  • MobaXterm
  • Radmin
  • RustDesk
  • TeamViewer

Ransomware.live

Published indicators

Full source record ↗

Md5

320 total
  • 083740c55d0a459674457b8551ed9c6a
  • 1a7df536c3bb676a6f90af5b3bea5302
  • 4d43e35962c8c7fdca5f64da8f561f5a
  • f17b6cdcbac9462f01da65bd4f8636db
  • 27182f9017d8e4212fbc32e954e19d37
  • ab359be0ab33876eb32325706e43f0c1
  • 1d895cf4391b817e54fb9ec9d8e65f7e
  • 03b9887dee2c3c825b6a6c0df1d104ad
  • 4d79fb750955ec8702cb79cfdb36e66b
  • c387b2eb96bb137cdd54220d920edce9

Sha256

37 total
  • 78d75669390e4177597faf9271ce3ad3a16a3652e145913dbfa9a5951972fcb0
  • 2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77
  • 88da2b1cee373d5f11949c1ade22af0badf16591a871978a9e02f70480e547b2
  • 566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739
  • ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5
  • 87b4020bcd3fad1f5711e6801ca269ef5852256eeaf350f4dde2dc46c576262d
  • 988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42
  • 3805f299d33ef43d17a5a1040149f0e5e2d5db57ec6f03c5687ac23db1f77a30
  • abba655df92e99a15ddcde1d196ff4393a13dbff293e45f5375a2f61c84a2c7b
  • a546ef13e8a71a8b5f0803075382eb0311d0d8dbae3f08bac0b2f4250af8add0

Btc

7 total
  • bc1qr0txunr259we37wer7w6et33qyq0n6hv83pw24
  • bc1q6dqe4esmqejmxhpj95qadv0j4clsqcxxp4cd94
  • bc1qandfxc4knaf943njca77edl9mmegzs83tv8lpx
  • bc1qr0pqfghr9cksfc5arr2rak3lt2y50v03pc76nh
  • bc1qpwwtck0zhzrj56fxeayz6wz5546nlp607qzpvh
  • bc1qghj85gz0dkr9jeucana3z4xu50ujtllj50rvj0
  • bc1qcnw5v94y40ast06eatgalnjpluu2p067qewh46

Ransomware.live

Recent claims

All published claims ↗

Reported operators

Threat actors

7 named in public reporting
Akira

Figure 3 below represents the total number of victims claimed by The Gentlemen in 2025 compared to both Qilin and Akira, tracked by Unit 42 as Howling Scorpius.

WIZARD SPIDER

The crown jewel of their operations is the use of the ransomware that gives them their name: Akira ... It retains various capabilities such as controlling disk drives, managing running processes, multi-threaded operation, and, of course, encrypting files and writing ransom notes on the victim’s devices.

Scattered Spider

These RaaS programs include: Akira (Howling Scorpius) ALPHV (Ambitious Scorpius) DragonForce (Slippery Scorpius) Play (Fiddling Scorpius) Qilin (Spikey Scorpius) RansomHub (Spoiled Scorpius)

Storm-1175

In July 2024, Microsoft also linked the Storm-1175 threat group, along with three other cybercrime gangs, to Black Basta and Akira ransomware attacks that exploited a VMware ESXi authentication-bypass flaw.

Storm-0506

"...the use of this technique has led to Akira and Black Basta ransomware deployments."

Indrik Spider

"...the use of this technique has led to Akira and Black Basta ransomware deployments."

Conti

In 2024, the top 3 ransomware threats to Canada were: Akira... emerged in April 2023... operates 2 ransomware variants... exfiltrates victim data before encrypting... double extortion.

Exploited software

Vulnerabilities linked to Akira

25 CVEs
CVE-2023-48788 SQL Injection Leading to RCE in Fortinet FortiClient EMS CVE-2020-3259 Cisco ASA/FTD Web Services Interface Memory Disclosure CVE-2023-20269 Unauthorized Access and VPN Credential Brute Force in Cisco ASA/FTD Remote Access VPN CVE-2023-27532 Missing Authentication in Veeam Backup & Replication Cloud Connect Credential Retrieval CVE-2024-40711 Unauthenticated RCE in Veeam Backup & Replication CVE-2024-40766 Improper Access Control in SonicWall SonicOS Management and SSL VPN CVE-2024-37085 VMware ESXi Active Directory Integration Authentication Bypass CVE-2024-12802 MFA Bypass in SonicWall SSL-VPN Active Directory Authentication CVE-2023-20263 Open Redirect in Cisco HyperFlex HX Data Platform Web Management Interface CVE-2023-48365 DoubleQlik / HTTP Tunneling RCE in Qlik Sense Enterprise for Windows CVE-2025-23006 SonicWall SMA 1000 Pre-Authentication Deserialization of Untrusted Data RCE CVE-2024-21762 FortiOS and FortiProxy SSL-VPN Out-of-Bounds Write RCE CVE-2023-27997 XORtigate: FortiOS/FortiProxy SSL-VPN Heap-Based Buffer Overflow RCE CVE-2025-55182 React2Shell CVE-2025-23120 Remote Code Execution in Veeam Backup & Replication CVE-2025-7771 Arbitrary Physical Memory Read/Write in TechPowerUp ThrottleStop.sys CVE-2024-53704 Authentication Bypass in SonicWall SonicOS SSLVPN CVE-2023-28252 Windows CLFS Driver Elevation of Privilege CVE-2020-3580 XSS in Cisco ASA/FTD Web Services Interface (AnyConnect/WebVPN) CVE-2025-59287 Unauthenticated RCE in Windows Server Update Services via insecure deserialization CVE-2021-20028 SQL Injection in SonicWall Secure Remote Access (SRA) CVE-2019-7481 SQL Injection in SonicWall SMA100 CVE-2022-40684 Fortinet FortiOS - CRITICAL - CVSS 9.8 CVE-2019-6693 Fortinet FortiOS - MEDIUM - CVSS 6.5 CVE-2021-21972 VMware vSphere Client - CRITICAL - CVSS 9.8

MITRE ATT&CK

Akira in ATT&CK

88 distinct techniques

Techniques

88 techniques
T1567 Exfiltration Over Web Service T1657 Financial Theft T1486 Data Encrypted for Impact T1041 Exfiltration Over C2 Channel T1074 Data Staged T1020 Automated Exfiltration T1082 System Information Discovery T1484.001 Group Policy Modification T1133 External Remote Services T1190 Exploit Public-Facing Application T1078 Valid Accounts T1490 Inhibit System Recovery T1569.002 Service Execution T1036 Masquerading T1047 Windows Management Instrumentation T1059.001 PowerShell T1136 Create Account T1562.001 Disable or Modify Tools T1083 File and Directory Discovery T1070.004 File Deletion T1057 Process Discovery T1027 Obfuscated Files or Information T1021 Remote Services T1570 Lateral Tool Transfer T1608.006 SEO Poisoning T1583 Acquire Infrastructure T1021.002 SMB/Windows Admin Shares T1584.006 Web Services T1529 System Shutdown/Reboot T1106 Native API T1219 Remote Access Tools T1021.001 Remote Desktop Protocol T1562 Impair Defenses T1003.001 LSASS Memory T1053.005 Scheduled Task T1090 Proxy T1098 Account Manipulation T1018 Remote System Discovery T1572 Protocol Tunneling T1105 Ingress Tool Transfer T1087 Account Discovery T1569 System Services T1560.001 Archive via Utility T1046 Network Service Discovery T1587.001 Malware T1553.002 Code Signing T1059.003 Windows Command Shell T1110 Brute Force T1566 Phishing T1537 Transfer Data to Cloud Account T1048 Exfiltration Over Alternative Protocol T1482 Domain Trust Discovery T1543.003 Windows Service T1560 Archive Collected Data T1016 System Network Configuration Discovery T1552 Unsecured Credentials T1489 Service Stop T1565 Data Manipulation T1068 Exploitation for Privilege Escalation T1485 Data Destruction T1003 OS Credential Dumping T1071 Application Layer Protocol T1213 Data from Information Repositories T1203 Exploitation for Client Execution T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol T1070.001 Clear Windows Event Logs T1210 Exploitation of Remote Services T1135 Network Share Discovery T1134 Access Token Manipulation T1564.002 Hidden Users T1621 Multi-Factor Authentication Request Generation T1199 Trusted Relationship T1003.003 NTDS T1136.001 Local Account T1021.006 Windows Remote Management T1021.004 SSH T1562.004 Disable or Modify System Firewall T1555.003 Credentials from Web Browsers T1112 Modify Registry T1111 Multi-Factor Authentication Interception T1078.002 Valid Accounts: Domain Accounts T1059 Command and Scripting Interpreter T1059.002 System Services: Service Execution T1136.002 Create Account: Domain Account TA0004 Privilege Escalation TA0007 Discovery T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage T1229 Remote Access Software

Reporting

Research mentioning Akira

Jul 15
Cyberscoop

SonicWall customers under threat as attackers exploit 2 zero-days | CyberScoop

Ten of those defects are known to be used in ransomware campaigns, according to CISA, including a wave of about 40 Akira ransomware attacks between mid-July and early August.

Jul 14
Gurucul Threat Research

ClickFix: Exploiting Compromised WordPress Sites with a Polygon-Based C2 Infrastructure | Community Portal | Gurucul

Akira4

Jul 10
Palo Alto Networks Unit 42

No Manners Here: The Ruthless Rise of The Gentlemen Ransomware

Figure 3 below represents the total number of victims claimed by The Gentlemen in 2025 compared to both Qilin and Akira, tracked by Unit 42 as Howling Scorpius.

Jul 10
Threataft

Ransomware Gangs Use PsExec + NirSoft to Own Your Network Before You Notice | ThreatAft

The consistent use of PsExec for lateral movement and NirSoft utilities for credential theft across multiple ransomware families — including GodDamn, Qilin, RansomHub, Royal, Akira, LockBit, and Makop — represents a predictable attack pattern.

Jul 2
Codeby

Защита от ransomware для малого бизнеса: IR и detection

Группы вроде Qilin, Akira, Play и DragonForce - все среди наиболее активных по данным ransomware.live - осознанно выбирают цели с оборотом, достаточным для выплаты выкупа, но недостаточным для нормальной эшелонированной защиты.

Jul 1
Cyberveille

BumbleBee et AdaptixC2 utilisés pour déployer le ransomware Akira via SEO poisoning | CyberVeille

44 heures après l’accès initial , déploiement du ransomware Akira ( locker.exe )

Jul 1
Huntress

How the RaaS Business Model Actually Works | Huntress

In the Huntress 2026 Cyber Threat Report, four groups—Akira, Medusa, Qilin, and Ransomhub—accounted for over half of observed ransomware incidents...

Jun 30
Cyber Security News

Bing Search for 'ManageEngine OpManager' Delivers Akira Ransomware - Cyber Security News

What followed was a carefully executed multi-day intrusion that ended with Akira ransomware deployed across the victim’s entire network.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.