The Akira ransomware group has compromised hundreds of victims over the past year with a well-honed attack lifecycle that has whittled down the time from initial access to encryption of data in less than four hours, according to cybersecurity firm Halcyon.
Akira has been active since 2023, racking up at least $245 million in ransom payments from victims through September 2025. The cybercriminal outfit likely includes former members and affiliates of the now-defunct Conti ransomware group, and is known for its polished approach to digital extortion.
A primary example can be found in the efficiency of Akira’s infection cycle, which has reduced incident response times to hours. According to Halcyon, Akira is known for using zero-day vulnerabilities, buying exploits from initial access brokers and exploiting VPNs lacking multifactor authentication to infect their victims. Akira also uses a process known as “intermittent encryption,” whereby large files can be encrypted faster in smaller blocks.
“Akira is more stealthy and less aggressive allowing the ransomware to move swiftly through the entire ransomware attack kill chain from initial access to exfiltration, and encryption in as little as 1 hour without detection,” Halcyon wrote in a blog published Thursday. “In most cases, the time from initial access to encryption was less than four hours.”
Additionally, while most ransomware operators tend to spend “about 90-95%” of their time developing their encryption malware and 5-10% on crafting decryptors, Halcyon said Akira has made “extensive efforts to ensure the recovery of large files, like server images,” going so far as to temporarily auto-save files with custom .akira extensions to ensure they can be recovered if the encryption process is interrupted.
Halcyon’s blog notes that these efforts are likely less due to ethical principles than because the group believes offering functional decryptors increases the chance that a business will pay the ransom. Akira’s combination of rapid infection while offering firms a more reliable way to recover their data is something that “sets it apart from many ransomware operators.”
“The group’s ability to move from initial access to full encryption in under an hour, while maintaining recovery guarantees that incentivize victim payment, reflects a mature, business-driven criminal enterprise,” Halcyon said.
The group has been observed exploiting vulnerabilities in Veeam backup and replication servers, Cisco VPNs and SonicWall appliances. Like other ransomware groups, Akira uses a double-extortion model against victims, stealing their data before encrypting it, then threatening to publish the stolen data online if businesses don’t pay.
Last year, the FBI and the Cybersecurity and Infrastructure Security Agency flagged Akira as one of the top ransomware criminal groups in the world, primarily targeting small- and medium-sized businesses in the manufacturing, education, IT, health care, financial and agricultural sectors.
