A new advisory from the Cybersecurity and Infrastructure Security Agency reveals that Akira ransomware has become one of the most active threats targeting businesses worldwide.
Since March 2023, this ransomware group has impacted more than 250 organizations across North America, Europe, and Australia, amassing approximately $244.17 million in ransom proceeds as of late September 2025.
The threat actors behind Akira have connections to the defunct Conti ransomware group. Akira ransomware primarily targets small and medium-sized businesses across multiple sectors.
The group shows a strong preference for manufacturing, educational institutions, information technology, healthcare, and financial services sectors.
The threat actors gain initial access through virtual private network (VPN) services on which multi-factor authentication is not configured, and by exploiting known vulnerabilities in Cisco products.
CISA security analysts identified that Akira threat actors have continuously evolved their attack methods throughout 2024 and 2025.
The ransomware initially appeared as a Windows-specific C++ variant that encrypted files with the .akira extension.
By April 2023, the group deployed a Linux variant targeting VMware ESXi virtual machines. In August 2023, they introduced the Megazord encryptor, a Rust-based tool that appends a .powerranges extension to encrypted files.
In June 2025, Akira threat actors successfully encrypted Nutanix AHV virtual machine disk files by exploiting CVE-2024-40766, a SonicWall vulnerability.
The ransomware employs a sophisticated hybrid encryption scheme that combines a ChaCha20 stream cipher with an RSA public-key cryptosystem for fast, secure key exchange.
Double Extortion and Persistence Tactics
Akira operates using a double-extortion model that combines data encryption with threats to leak sensitive information.
After gaining initial access, the threat actors establish persistence by creating new domain accounts and using credential-scraping tools such as Mimikatz and LaZagne to harvest passwords.
They leverage legitimate remote access tools such as AnyDesk and LogMeIn to maintain access while blending in with regular administrator activity.
For data exfiltration, the group uses tools such as FileZilla, WinSCP, and RClone to transfer stolen data to cloud storage services before encryption begins.
To inhibit system recovery, the Akira encryptor uses PowerShell commands to delete Volume Shadow Copy Service copies on Windows systems.
The ransom note appears as fn.txt or akira_readme.txt and provides victims with instructions to contact the threat actors through a .onion URL accessible via the Tor network, with payments demanded in Bitcoin.
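The indicators summarized above (PowerShell deletion of shadow copies, the .akira and .powerranges extensions, and the fn.txt / akira_readme.txt ransom notes) can be turned into a simple triage check over host telemetry. The following is an added example, not code from CISA or from the article; the log records are constructed, and the exact shadow-copy deletion command it matches is an assumption, since the advisory summary only says PowerShell is used to delete VSS copies.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from any real incident): Windows
# PowerShell script-block records (Event ID 4104) and file-access
# records (Event ID 4663), flattened to one string each.
SAMPLE_LOGS = [
    "4104 ScriptBlockText=Get-WmiObject Win32_Shadowcopy | Remove-WmiObject",
    "4104 ScriptBlockText=Get-ChildItem C:\\Users -Recurse",
    "4663 ObjectName=C:\\Shares\\finance\\budget.xlsx.akira",
    "4663 ObjectName=C:\\Shares\\hr\\akira_readme.txt",
    "4663 ObjectName=C:\\Shares\\vm\\disk1.vmdk.powerranges",
    "4663 ObjectName=C:\\Shares\\docs\\report.docx",
    "4663 ObjectName=C:\\Shares\\docs\\fn.txt",
]

# Indicator patterns taken from the advisory summary. The shadow-copy
# deletion pattern is an assumption: the summary only says PowerShell is
# used, so this matches the common WMI form and the vssadmin equivalent.
INDICATORS = {
    "vss_deletion": re.compile(
        r"Win32_Shadowcopy.*Remove-WmiObject|vssadmin(?:\.exe)?\s+delete\s+shadows",
        re.IGNORECASE),
    "encrypted_extension": re.compile(r"\.(?:akira|powerranges)$", re.IGNORECASE),
    "ransom_note": re.compile(r"[\\/](?:fn|akira_readme)\.txt$", re.IGNORECASE),
}


def classify_line(line):
    """Return the names of every indicator that the record matches."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(line)]


def triage(lines):
    """Group matching records by indicator name; unmatched records are dropped."""
    hits = defaultdict(list)
    for line in lines:
        for name in classify_line(line):
            hits[name].append(line)
    return dict(hits)


def severity(hits):
    """Shadow-copy deletion alone is suspicious; together with encrypted
    extensions or a ransom note it indicates an active encryption phase."""
    if "vss_deletion" in hits and ({"encrypted_extension", "ransom_note"} & set(hits)):
        return "critical"
    return "suspicious" if hits else "none"


if __name__ == "__main__":
    found = triage(SAMPLE_LOGS)
    for name, records in found.items():
        print(f"{name}: {len(records)} record(s)")
    print("severity:", severity(found))
```

Real deployments would read these fields from the event log or an EDR export rather than flat strings, but the matching and escalation logic is the same.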
