akira

1,527 tracked victims

·first seen 2023-04-12·last activity 2026-06-23

Group profile

The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group. It's worth noting that with the end of CONTI's operation, several affiliates migrated to independent campaigns such as Royal, BlackBasta, and others. According to some reports, Akira affiliates also work with other ransomware operations, such as Snatch and BlackByte, as an open directory of tools used by an Akira operator was identified, which also had connections to the Snatch ransomware. The first version of the Akira ransomware was written in C++ and appended files with the '.akira' extension, creating a ransom note named 'akira_readme.txt,' partially based on the Conti V2 source code. However, on June 29, 2023, a decryptor for this version was reportedly released by Avast. Subsequently, a version was released that fixed the decryption flaw on July 2, 2023. Since then, the new version is said to be written in Rust, this time called 'megazord.exe,' and it changes the extension to '.powerranges' for encrypted files. Most of Akira's initial access vectors use brute-force attempts on Cisco VPN devices (which use single-factor authentication only). Additionally, exploitation of CVEs: CVE-2019-6693 and CVE-2022-40684 for initial access has been identified. Source: https://github.com/crocodyli/ThreatActors-TTPs

MITRE ATT&CK TTPs

TA0001

Initial Access

T1078Valid Accounts
Utilizes compromised VPN credentials.
T1078.002Valid Accounts: Domain Accounts
Operators use obtained domain accounts for access.
T1133External Remote Services
Actors exploit CVE-2023-20269 remote service vulnerabilities.
T1190Exploit Public-Facing Application
Targets vulnerable CISCO devices via CVE-2023-20269.

TA0002

Execution

T1047Windows Management Instrumentation
Actors may use WMI to continue the attack.
T1059Command and Scripting Interpreter
Accepts parameters for its routines such as "-n 10" (for encryption percentage) or "-s (filename)" (for shared folder encryption).
T1059.001Command and Scripting Interpreter: PowerShell
Operators use PowerShell to launch commands to continue operations.
T1059.002System Services: Service Execution
Akira ransomware uses service execution for persistence.
T1059.003Command and Scripting Interpreter: Windows Command Shell
Operators use CMD to launch commands to continue operations.

TA0003

Persistence

T1136.001Create Account: Local Account
Upon initial access, Akira operators create a local account on the compromised system.
T1136.002Create Account: Domain Account
Upon initial access, Akira operators create a domain account on the compromised system.

TA0004

Privilege Escalation

T1078.002Valid Accounts: Domain Accounts
Utilizes valid domain accounts for privilege escalation.
TA0004Privilege Escalation
Utilizes local domain accounts for privilege escalation.

TA0005

Defense Evasion

T1112Modify Registry
Uses commands in its operation to modify registries.
T1562.001Impair Defenses: Disable or Modify Tools
Usage of PowerTool or a KillAV tool abusing the Zemana AntiMalware driver to terminate AV-related processes was observed.

TA0006

Credential Access

T1003.001OS Credential Dumping: LSASS Memory
Uses Mimikatz, LaZagne, or a command line to dump LSASS from memory.

TA0007

Discovery

T1018Remote System Discovery
Uses Advanced IP Scanner and MASSCAN to discover remote systems.
T1082System Information Discovery
Uses PCHunter and SharpHound to collect system information.
TA0007Discovery
Uses AdFind, Windows net command, and nltest to collect domain information.

TA0008

Lateral Movement

T1021.001Remote Services: Remote Desktop Protocol
Utilizes remote services for accessing accounts and machines through remote services.
T1570Lateral Tool Transfer
Uses RDP to move laterally within the victim's network.

TA0009

Collection

T1560.001Archive Collected Data: Archive via Utility
Utilizes discovery to gather information for exfiltration.

TA0010

Exfiltration

T1048.003Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Utilizes FileZilla or WinSCP to exfiltrate stolen information via FTP.
T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage
Uses RClone to exfiltrate stolen information via a web service.

TA0011

Command and Control

T1229Remote Access Software
Utilizes AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, RustDesk, or Ngrok to gain remote access on targeted systems.

TA0040

Impact

T1486Data Encrypted for Impact
Akira ransomware is used to encrypt files.
T1490Inhibit System Recovery
Deletes shadow copies to inhibit recovery.

Recent victims

showing 50 of 1,529

Date	Website / victim	Sector	Country
2026-06-24	J Jit Ex	Not Found
2026-06-24	M Miami Machine	Manufacturing	US
2026-06-23	L Leo International	Not Found
2026-06-23	I IH Engineers	Manufacturing
2026-06-22	N Ntd Apparel	Consumer Services
2026-06-18	B Berg Lilly	Not Found
2026-06-18	A Apptricity	Business Services	US
2026-06-17	S Smith Filter	Manufacturing
2026-06-16	I Insite Architects	Business Services
2026-06-12	D DDC Domus Design Collection	Consumer Services
2026-06-10	Port Air Expressportairexpress.com	Transportation/Logistics
2026-06-10	T The Midland Theatre	Hospitality and Tourism	GB
2026-06-10	A Associated Investor Services	Financial Services
2026-06-09	S Spray Equipment & Service Center	Business Services
2026-06-09	R Rockaway River Country Club	Hospitality and Tourism	NJ
2026-06-09	S SMPC Architects	Construction
2026-06-09	C Centre Ellipse	Not Found
2026-06-08	H HRC Sicherheitsdienste	Business Services	DE
2026-06-05	Kennon Worldwidekennon.com	Business Services
2026-06-05	Oaks Parkoakspark.com	Consumer Services	US
2026-06-05	T T/CCI Manufacturing	Manufacturing
2026-06-04	N National Standard Parts Associates	Manufacturing
2026-06-04	N Northern Ohio Regional Multiple Listing Service	Business Services	US
2026-06-03	S Sunrise, Toscana Country Club, AndalusiaCountry Club.	Hospitality and Tourism	ES
2026-06-03	C Cherokee Distributing Co	Transportation/Logistics	US
2026-06-03	F Factors Western	Business Services
2026-06-03	H Hal Otey Financial	Financial Services
2026-04-17	Schacht Law Officeschachtlaw.com	Business Services
2026-05-29	I Interstate Roofing	Construction	US
2026-03-13	Healthtrax Fitness &Wellnesshealthtrax.com	Consumer Services	US
2026-05-19	GS Yuasa Lithium Powergsyuasa-lp.com	Manufacturing	JP
2026-05-12	General Doorsgeneral-doors.com	Manufacturing	US
2026-04-24	Alpine Aerotechalpineaerotech.com	Manufacturing
2026-05-20	Maschinen-Stockertmaschinen-stockert.de	Manufacturing	DE
2026-05-27	N Northwest Woodworks	Manufacturing
2026-05-27	G Gone Fishin' Marine	Hospitality and Tourism
2026-05-26	S Sunrise, Toscana Country Club,Andalusia Country Club.	Hospitality and Tourism
2026-05-14	Gitisgitis.it	Not Found	IT
2026-05-07	Karlin Foodskarlinfoods.com	Agriculture and Food Production	US
2026-05-22	Buffalo Niagara Convention Centerbuffaloconvention.com	Hospitality and Tourism	US
2026-05-22	F Function Enterprises	Not Found
2026-05-20	Sid Harvey'ssidharvey.com	Consumer Services	US
2026-05-19	A Acton Electrical	Business Services	GB
2026-05-19	TSG Enterprisestsg-solutions.com	Not Found
2026-03-13	Healthtrax Fitness & Wellnesshealthtrax.com	Consumer Services	US
2026-05-18	Vacu - Lugvaculug.com	Manufacturing	GB
2026-05-06	Fox Valley Tax Solutionsfoxvalleytaxsolutions.com	Business Services	US
2026-04-24	Institute of PrivateEnterprise Developmentipedgy.com	Business Services
2026-05-06	Allele Diagnosticsallelediagnostics.com	Healthcare	FR
2026-04-24	Institute of Private Enterprise Developmentipedgy.com	Business Services	US