Threat Actor Spotlight: Akira Ransomware

JANUARY 2025

Originally formed in the spring of 2023, Akira quickly made its mark, launching an estimated 240 cyberattacks throughout that year and extorting over $40 million USD. With two encryption tools, Akira and Megazord, and a penchant for targeting firewalls with unpatched vulnerabilities and accounts lacking MFA protection, Akira grew significantly in 2024.

Based on our current cases and publicly available data, we believe Akira’s operations will continue to grow into 2025. Notably, last November alone, Akira publicized 35 attacks in a single day—either an alarming indication of their increasing activity and reach, or a switch in publication tactics to gain attention for larger victim counts.

Akira is notorious for employing a double-extortion model, where they first exfiltrate sensitive data before encrypting the victim’s systems. In recent months we have seen a shift towards smaller businesses. These attacks relied on a single-extortion method in which backups were located, targeted, and deleted. This tactical shift shortens Akira’s attack timeline and removes the back-end work of managing stolen data.


Key Highlights

Targeted Industries

Akira primarily targets small to mid-sized US-based businesses with the majority coming from these industries:

  • Business Services

  • Manufacturing

  • IT Services

  • Education

Initial Access

Akira typically uses similar tactics to gain initial access in each of their cases.

  • The FBI has observed that Akira obtains initial access to organizations via VPN service without MFA configured.

  • Current PNG Cyber case examples show that Akira still favors initial access via VPNs, exploiting known vulnerabilities such as CVE-2020-3259 and CVE-2023-20269, as well as the more recent CVE-2024-40766.

  • Additionally, we’ve observed Akira gaining access through external-facing services such as Remote Desktop Protocol, spear phishing, and the abuse of valid credentials.
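The initial-access pattern above (VPN logins that succeed without MFA, and one source address working through several accounts) is something a defender can hunt for directly in VPN authentication logs. The following is an added example, not PNG Cyber's code; the key=value log format, the field names and the sample lines are constructed for illustration, so the parser will need adapting to whatever your VPN appliance actually emits.

```python
"""Hunt VPN authentication logs for successful logins that lacked MFA.

Added example, not PNG Cyber code. The log format, field names and the
sample records below are constructed assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample of VPN authentication events (one key=value record per line).
SAMPLE_VPN_LOG = """\
2025-01-06T02:13:41Z vpn-auth user=jsmith result=success mfa=true src=203.0.113.10
2025-01-06T02:15:02Z vpn-auth user=svc_backup result=success mfa=false src=198.51.100.7
2025-01-06T02:15:09Z vpn-auth user=svc_backup result=success mfa=false src=198.51.100.7
2025-01-06T02:20:55Z vpn-auth user=aharris result=failure mfa=false src=198.51.100.7
2025-01-06T02:21:10Z vpn-auth user=aharris result=success mfa=false src=198.51.100.7
2025-01-06T03:02:17Z vpn-auth user=mlee result=success mfa=true src=192.0.2.44
"""

# Assumed record layout; change the pattern to match your appliance's syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) result=(?P<result>\S+) "
    r"mfa=(?P<mfa>true|false) src=(?P<src>\S+)$"
)


def parse_vpn_log(text):
    """Parse matching lines into dicts; non-matching record types are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["mfa"] = rec["mfa"] == "true"
            events.append(rec)
    return events


def find_non_mfa_logins(events):
    """Map each user with a successful non-MFA login to the sorted source IPs used."""
    hits = defaultdict(set)
    for e in events:
        if e["result"] == "success" and not e["mfa"]:
            hits[e["user"]].add(e["src"])
    return {u: sorted(srcs) for u, srcs in hits.items()}


def accounts_never_using_mfa(events):
    """Users that logged in successfully but never once with MFA: enrollment gaps to close."""
    used_mfa, logged_in = set(), set()
    for e in events:
        if e["result"] == "success":
            logged_in.add(e["user"])
            if e["mfa"]:
                used_mfa.add(e["user"])
    return sorted(logged_in - used_mfa)


def sources_touching_multiple_users(events, min_users=2):
    """Source IPs that attempted (success or failure) at least min_users distinct accounts."""
    users_by_src = defaultdict(set)
    for e in events:
        users_by_src[e["src"]].add(e["user"])
    return {s: sorted(u) for s, u in users_by_src.items() if len(u) >= min_users}


if __name__ == "__main__":
    evts = parse_vpn_log(SAMPLE_VPN_LOG)
    print("Successful logins without MFA:", find_non_mfa_logins(evts))
    print("Accounts never using MFA:", accounts_never_using_mfa(evts))
    print("Sources hitting multiple accounts:", sources_touching_multiple_users(evts))
```

Run against a real export, the first report is the list to act on immediately (force MFA enrollment or disable the account), the second is the standing enrollment gap, and the third is a quick way to spot one external address cycling through several accounts, which is what abuse of valid credentials looks like from the VPN side.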

Tactics & Patterns of Behavior

In addition to initial access methods, we have observed repetitive tactics and patterns of behavior.

  • Akira often extracts credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS).

  • Akira uses credential scraping tools like Mimikatz and LaZagne to escalate their privileges.

  • Tools like SoftPerfect and Advanced IP Scanner are used for network discovery and reconnaissance.

  • Akira has at least two distinct types of ransomware: Megazord and Akira_v2.

  • To evade detection, Akira sometimes leverages PowerTool to exploit Zemana AntiMalware drivers to terminate antivirus-related processes.

  • Akira commonly leverages FileZilla, WinRAR, WinSCP, and Rclone to exfiltrate data.

  • To establish persistence, Akira sets up C2 ("command & control") channels with tools like AnyDesk, PuTTY, MobaXterm, RustDesk, Ngrok, and Cloudflare Tunnel. These allow for remote access and the capability to exfiltrate data using FTP or SFTP protocols, as well as cloud storage services like MegaSync.

  • To apply pressure, Akira will contact some victims and threaten to publish stolen data on the Tor network.

  • Encrypted files are appended with “.akira” or “.powerranges” extensions depending on the encryption tool used.
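The tactics listed above map to a small set of endpoint signals: a non-system process reading LSASS, the named credential, discovery, evasion, exfiltration and remote-access tools appearing in process-creation telemetry, and files being written with the ".akira" or ".powerranges" extension. The following is an added example, not PNG Cyber's code, of triaging such telemetry and escalating hosts where several of these categories co-occur; the event schema, the executable names assumed for each tool, the LSASS allowlist and the sample events are all constructed assumptions, so tune them to what your EDR actually reports.

```python
"""Triage endpoint telemetry for the Akira tooling and traces described above.

Added example, not PNG Cyber code. The event schema, the executable names
mapped to each tool, the LSASS allowlist and the sample events are assumptions
constructed for illustration.
"""
from collections import defaultdict

# Lowercase name fragments for the tools named in the post, grouped by tactic.
# Mapping a tool to an executable name is an assumption; adjust for your fleet.
TOOL_INDICATORS = {
    "credential_access": ["mimikatz", "lazagne"],
    "discovery": ["netscan", "advanced_ip_scanner"],          # SoftPerfect, Advanced IP Scanner
    "defense_evasion": ["powertool"],
    "exfiltration": ["filezilla", "winrar", "rar.exe", "winscp", "rclone", "megasync"],
    "remote_access": ["anydesk", "putty", "mobaxterm", "rustdesk", "ngrok", "cloudflared"],
}
RANSOM_EXTENSIONS = (".akira", ".powerranges")
# Processes that legitimately open LSASS; anything else reading it is suspect (assumed list).
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

# Constructed sample events in an assumed, simplified EDR schema.
SAMPLE_EVENTS = [
    {"host": "WS-042", "type": "process_access",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "target": r"C:\Windows\System32\lsass.exe"},
    {"host": "WS-042", "type": "process_create",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"host": "WS-042", "type": "process_create",
     "image": r"C:\Program Files\Advanced IP Scanner\advanced_ip_scanner.exe", "cmdline": "advanced_ip_scanner.exe"},
    {"host": "SRV-FS01", "type": "process_create",
     "image": r"C:\ProgramData\rclone.exe", "cmdline": r"rclone.exe copy D:\Finance remote:backup"},
    {"host": "SRV-FS01", "type": "process_create",
     "image": r"C:\Users\Public\anydesk.exe", "cmdline": "anydesk.exe"},
    {"host": "SRV-FS01", "type": "file_create", "path": r"\\SRV-FS01\Share\Q4-report.xlsx.akira"},
    {"host": "WS-017", "type": "process_create",
     "image": r"C:\Program Files\PuTTY\putty.exe", "cmdline": "putty.exe"},
    {"host": "WS-017", "type": "process_access",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
]


def _basename(path):
    """Last path component, lowercased, tolerant of Windows backslashes on any OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage_events(events):
    """Return one finding per event that matches a rule: {host, category, detail}."""
    findings = []
    for e in events:
        host = e["host"]
        if e["type"] == "process_access":
            if _basename(e["target"]) == "lsass.exe" and _basename(e["image"]) not in LSASS_ALLOWLIST:
                findings.append({"host": host, "category": "lsass_access", "detail": e["image"]})
        elif e["type"] == "process_create":
            haystack = (e["image"] + " " + e.get("cmdline", "")).lower()
            for category, names in TOOL_INDICATORS.items():
                if any(n in haystack for n in names):
                    findings.append({"host": host, "category": category, "detail": _basename(e["image"])})
                    break  # one category per event is enough for triage
        elif e["type"] == "file_create":
            if e["path"].lower().endswith(RANSOM_EXTENSIONS):
                findings.append({"host": host, "category": "ransomware_extension", "detail": e["path"]})
    return findings


def categories_by_host(findings):
    """Distinct finding categories seen on each host, sorted."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["category"])
    return {h: sorted(c) for h, c in by_host.items()}


def hosts_to_escalate(findings, min_categories=2):
    """Hosts showing at least min_categories distinct tactics: a single PuTTY launch
    is normal admin work, but credential access plus discovery on one box is not."""
    return sorted(h for h, c in categories_by_host(findings).items() if len(c) >= min_categories)


if __name__ == "__main__":
    found = triage_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:<9} {f['category']:<21} {f['detail']}")
    print("Escalate:", hosts_to_escalate(found))
```

The per-event rules are deliberately loose (a substring match on a tool name will hit legitimate admin use of PuTTY or WinSCP), which is why the escalation step keys on how many distinct tactic categories appear on one host rather than on any single hit; a host with a ".akira" file write should of course be isolated regardless of its score.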

Recommendations

PNG Cyber emphasizes the importance of proactive mitigation steps recommended by CISA, including:

  • Prioritize remediating known exploited vulnerabilities, regularly patch and update software to the latest versions, and conduct regular vulnerability assessments.

  • Regularly back up critical data and ensure backups are encrypted, stored offline, and tested regularly.

  • Enable & enforce MFA for all services to the extent possible, including webmail, VPN and accounts that access critical systems.

  • Educate employees on a recurring basis, covering recent cybersecurity threats and best practices.

  • Implement an Endpoint Detection and Response (EDR) tool to monitor and protect endpoints.

  • Develop and maintain a comprehensive incident response plan.

References

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a


PNG Cyber offers 24/7 emergency assistance. If you need incident response support, please contact us at (888) 757-3776 or email us at incidentresponse@png-cyber.com.

Megan Coleman
