A newly updated cybersecurity advisory from federal agencies reveals that the Akira ransomware operation has significantly escalated its campaign, compromising organizations worldwide and accumulating massive ransom proceeds through sophisticated attack methods.
According to the joint advisory released on November 13, 2025, by the FBI, CISA, Department of Defense Cyber Crime Center (DC3), Department of Health and Human Services (HHS), and international law enforcement partners from Europe, Akira ransomware threat actors have impacted businesses and critical infrastructure entities across North America, Europe, and Australia since March 2023.
As of late September 2025, the ransomware operation has claimed approximately $244.17 million in total ransomware proceeds.
The threat actors associated with groups known as Storm-1567, Howling Scorpius, Punk Spider, and Gold Sahara may have ties to the defunct Conti ransomware group.
They primarily target small- and medium-sized businesses but have also successfully compromised larger organizations across multiple sectors, showing particular preference for manufacturing, educational institutions, information technology, healthcare and public health, financial services, and food and agriculture organizations.
Evolving Attack Methods
Akira operators have demonstrated remarkable adaptability in their attack techniques. Initially focusing on Windows systems with a C++ coded variant that encrypted files with an .akira extension, the group deployed a Linux variant in April 2023 targeting VMware ESXi virtual machines.
By August 2023, some attacks began deploying a Rust-based Megazord encryptor that appends a .powerranges extension to encrypted files.
In a significant development, Akira threat actors encrypted Nutanix AHV VM disk files for the first time in June 2025, expanding their capabilities beyond VMware ESXi and Hyper-V by exploiting CVE-2024-40766, a SonicWall vulnerability.
The threat actors have also deployed a sophisticated Akira_v2 variant that provides enhanced encryption capabilities and evasion techniques.
The advisory highlights that Akira operators primarily gain initial access through virtual private networks without multifactor authentication configured, exploiting numerous known Cisco product vulnerabilities including CVE-2020-3259, CVE-2023-20269, CVE-2020-3580, CVE-2023-28252, and CVE-2024-37085.
Additional exploitation targets include CVE-2023-27532, CVE-2024-40711, and CVE-2024-40766.
Beyond vulnerability exploitation, the threat actors employ spearphishing campaigns, abuse stolen credentials potentially obtained from initial access brokers, deploy password spraying techniques using tools like SharpDomainSpray, and leverage brute-force attacks against VPN and SSH endpoints.
In some incidents, Akira operators exploited publicly available vulnerabilities in unpatched Veeam backup servers for initial access.
Rapid Attack Execution
Once inside a network, Akira threat actors move with alarming speed. In some documented incidents, the operators exfiltrated data in just over two hours from initial access.
They establish persistence by creating new domain and local accounts, often creating an administrative account named “itadm”.
The threat actors leverage post-exploitation techniques like Kerberoasting to extract credentials and utilize tools including Mimikatz and LaZagne for credential scraping.
For lateral movement and maintaining access, the operators abuse legitimate remote access tools such as AnyDesk, LogMeIn, RDP, SSH, and MobaXterm.
They commonly turn off security software using PowerTool to exploit the Zemana AntiMalware driver and terminate antivirus-related processes, and have been observed uninstalling endpoint detection and response systems entirely.
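The persistence and credential-access behaviours above (a newly created "itadm" account, its elevation to an admin group, and Kerberoasting) are concrete enough to hunt for in Windows Security logs. The following is an added example written for this article, not code from the advisory or its authors: it runs a simple rule set over constructed sample events. The event IDs (4720, 4728, 4732, 4769) and the 0x17 RC4 encryption-type value are standard Windows Security log semantics; the simplified event format, the admin group names, and the ticket threshold are assumptions.

```python
# Added example: review simplified Windows Security events for the Akira
# post-exploitation indicators described in the advisory summary above.
from collections import defaultdict

# Constructed sample events in a simplified dict format, not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 4720, "host": "DC01", "subject_user": "jsmith", "target_user": "itadm"},
    {"event_id": 4728, "host": "DC01", "subject_user": "jsmith", "target_user": "itadm",
     "group": "Domain Admins"},
    {"event_id": 4720, "host": "DC01", "subject_user": "hr_admin", "target_user": "newhire01"},
] + [
    {"event_id": 4769, "host": "DC01", "subject_user": "jsmith",
     "service_name": f"svc_{n}", "ticket_encryption": "0x17"}
    for n in range(6)
] + [
    {"event_id": 4769, "host": "DC01", "subject_user": "backup_op",
     "service_name": "svc_backup", "ticket_encryption": "0x12"},
]

SUSPICIOUS_ACCOUNT_NAMES = {"itadm"}                 # account name cited in the advisory
ADMIN_GROUPS = {"Administrators", "Domain Admins"}    # assumed group names
RC4_TGS_THRESHOLD = 5                                 # assumed tuning value


def detect_akira_indicators(events):
    """Return a list of (indicator, principal, detail) tuples."""
    findings = []
    rc4_services_by_user = defaultdict(set)
    for ev in events:
        eid = ev["event_id"]
        if eid == 4720 and ev["target_user"].lower() in SUSPICIOUS_ACCOUNT_NAMES:
            findings.append(("suspicious_account_created", ev["target_user"],
                             f"created by {ev['subject_user']} on {ev['host']}"))
        elif eid in (4728, 4732) and ev.get("group") in ADMIN_GROUPS:
            findings.append(("admin_group_addition", ev["target_user"],
                             f"added to {ev['group']} by {ev['subject_user']}"))
        elif eid == 4769 and ev.get("ticket_encryption") == "0x17":
            # RC4 (0x17) service tickets are the ones offline cracking targets; many
            # distinct services requested by one principal is the classic signal
            # (a production rule would also bound the time window).
            rc4_services_by_user[ev["subject_user"]].add(ev["service_name"])
    for user, services in rc4_services_by_user.items():
        if len(services) >= RC4_TGS_THRESHOLD:
            findings.append(("possible_kerberoasting", user,
                             f"{len(services)} RC4 service tickets requested"))
    return findings


if __name__ == "__main__":
    for finding in detect_akira_indicators(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```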
Akira employs a sophisticated double-extortion model, combining data encryption with threats to leak sensitive information.
The ransomware uses a hybrid encryption scheme involving a ChaCha20 stream cipher with an RSA public-key cryptosystem for fast and secure key exchange. To further inhibit system recovery, the encryptor deletes Volume Shadow Copy Service copies on Windows systems.
For data exfiltration, threat actors leverage tools including FileZilla and WinRAR for collection, and WinSCP and RClone for exfiltration to cloud storage services like Mega.
They establish command and control channels using readily available tools and create secure tunnels with Ngrok for data exfiltration.
Victims are provided with a unique code and instructions to contact the threat actors via a .onion URL accessible through the Tor network.
Recommended Protections
The authoring organizations emphasize several critical mitigations for organizations to implement.
Priority actions include remediating known exploited vulnerabilities, enabling and enforcing phishing-resistant multifactor authentication for all services, and maintaining regular offline backups of critical data with regular restoration testing.
Additional recommendations include implementing network segmentation to prevent ransomware spread, deploying network monitoring tools to identify abnormal activity, implementing time-based access for administrative accounts, and ensuring all backup data is encrypted and immutable.
Organizations should also disable unused ports, require long passwords of at least 15 characters, implement multiple failed login attempt lockouts, and audit user accounts with administrative privileges according to the principle of least privilege.
The advisory notes explicitly that federal authorities do not encourage paying ransom, as payment does not guarantee file recovery and may embolden adversaries to target additional organizations.
Organizations are urged to promptly report ransomware incidents to the FBI’s Internet Crime Complaint Center, local FBI field offices, or CISA’s 24/7 Operations Center.
