Akira
Akira is a ransomware-as-a-service (RaaS) operation active since March 2023. The reporting collected here describes Akira as a significant ransomware threat, particularly to small and medium-sized businesses, with victims observed in Europe, North America, and Australia across sectors including government, manufacturing, technology, education, consulting, pharmaceuticals, telecommunications, and business services. Akira has also been associated with attacks on VMware ESXi environments through a Linux encryptor released in June 2023.
Akira commonly gains initial access through exposed remote access infrastructure and valid credentials. High-confidence access vectors in the content include unauthorized VPN logins, especially to Cisco ASA SSL VPN and Cisco AnyConnect instances without MFA; brute-force or credential attacks against SSLVPN accounts; compromised RDP accounts; exploitation of Veeam CVE-2024-40711 in incidents tracked by Sophos STAC 5881; likely exploitation of Veeam CVE-2023-27532 for credential access; exploitation of Cisco ASA CVE-2023-20269 in at least one case; exploitation of SonicWall CVE-2024-40766; and abuse of compromised MSP RMM platforms such as Atera to reach downstream customer endpoints. Huntress also linked Akira intrusions to RDP without MFA and to environments with overlapping remote access tooling.
Post-compromise behavior described in the content includes credential theft and privilege escalation via LSASS dumping, including rundll32.exe with comsvcs.dll MiniDump; theft of NTDS.dit and SYSTEM hives; use of ntdsutil; harvesting of Veeam credentials with Veeam Credential Dumper and Veeam-Get-Creds; theft of browser and KeePass-stored credentials; Kerberoasting indicated by clustered Event ID 4769 RC4 service-ticket requests; and creation of new local or domain accounts, including accounts such as "point," "point2," "bck," and "adm1" in specific incidents. Akira operators were observed adding accounts to administrator groups, hiding accounts via the Winlogon SpecialAccounts Userlist registry key, and in one case creating an "ESX Admins" domain group.
Akira operators conduct discovery and lateral movement using built-in and dual-use tools. Reported tooling and techniques include RDP, SMB, administrative shares, PsExec-style service creation, Impacket wmiexec, WMI, VmConnect.exe, nltest, net, whoami, AdFind or renamed AdFind-like binaries, Get-ADComputer, Advanced IP Scanner, Netscan, and PowerShell including -EncodedCommand. Huntress and Sophos both reported repeated use of remote access tools such as AnyDesk, DWAgent, Chrome Remote Desktop Host, RustDesk, Radmin, Cloudflare tunnels, Ngrok, and Ligolo-ng. In some incidents, Akira activity included network share encryption using commands such as win_locker.exe -remote -n=3 -p=\<host>\C$.
Defense evasion and impact behavior are prominent. The content states that Akira actors frequently attempted to uninstall Sophos protections, disable Windows Defender real-time monitoring, stop endpoint protection services, clear logs, and delete Volume Shadow Copies. Reported commands and behaviors include PowerShell-based shadow copy deletion, vssadmin delete shadows /all /quiet, sc.exe and net stop against protection services, and use of EDR-killer tooling in DLL side-loading scenarios. Sophos also reported an EDR killer associated with Akira that side-loaded malicious DLLs via consent.exe and used vulnerable drivers such as ThrottleStop.sys or rwdrv.sys together with a malicious hlpdrv.sys kernel driver to terminate security products.
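The Kerberoasting, LSASS-dumping and shadow-copy-deletion behaviours described in the two paragraphs above lend themselves to simple log-based detection. The following is an added example (not code from the page or any vendor rule) that runs over constructed Windows Security events normalised to dicts; the event shape, the 0x17 (RC4) encryption-type field, the four-SPN threshold and the five-minute window are assumptions chosen for illustration.

```python
"""Detection logic for Akira post-compromise behaviours: clustered 4769 RC4
service-ticket requests (Kerberoasting) and credential-dumping /
shadow-copy-deletion command lines.  Sample events are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: 4769 (Kerberos service ticket) and 4688 (process
# creation) events, flattened the way a SIEM pipeline might emit them.
SAMPLE_EVENTS = [
    {"id": 4769, "time": "2025-03-28T02:10:01", "user": "jdoe", "enc": "0x17", "svc": "MSSQLSvc"},
    {"id": 4769, "time": "2025-03-28T02:10:02", "user": "jdoe", "enc": "0x17", "svc": "http"},
    {"id": 4769, "time": "2025-03-28T02:10:02", "user": "jdoe", "enc": "0x17", "svc": "cifs"},
    {"id": 4769, "time": "2025-03-28T02:10:03", "user": "jdoe", "enc": "0x17", "svc": "ldap"},
    {"id": 4769, "time": "2025-03-28T02:10:03", "user": "jdoe", "enc": "0x17", "svc": "exchange"},
    {"id": 4769, "time": "2025-03-28T09:00:00", "user": "svc_backup", "enc": "0x12", "svc": "cifs"},
    {"id": 4688, "time": "2025-03-28T02:15:00", "user": "jdoe",
     "cmd": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\temp\\l.dmp full"},
    {"id": 4688, "time": "2025-03-28T02:40:00", "user": "jdoe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"id": 4688, "time": "2025-03-28T02:41:00", "user": "jdoe",
     "cmd": "powershell.exe -Command Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"},
    {"id": 4688, "time": "2025-03-28T10:00:00", "user": "admin",
     "cmd": "C:\\Windows\\System32\\notepad.exe"},
]

# Command-line signatures for the behaviours named in the profile above.
CMDLINE_SIGNATURES = {
    "lsass_minidump_comsvcs": re.compile(r"comsvcs\.dll.*minidump", re.I),
    "shadow_copy_delete_vssadmin": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "shadow_copy_delete_wmi": re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I),
    "hidden_account_userlist": re.compile(r"SpecialAccounts\\UserList", re.I),
}


def detect_kerberoasting(events, threshold=4, window=timedelta(minutes=5)):
    """Flag accounts that request RC4 (0x17) tickets for >= threshold distinct
    SPNs inside a sliding window.  Returns {user: max_distinct_spns}."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e.get("enc", "").lower() == "0x17":
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["svc"]))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {s for t, s in reqs[i:] if t - t0 <= window}  # sorted: suffix only
            if len(spns) >= threshold:
                hits[user] = max(hits.get(user, 0), len(spns))
    return hits


def detect_commandlines(events):
    """Return (signature_name, user, command) for each matching 4688 event."""
    findings = []
    for e in events:
        if e["id"] != 4688:
            continue
        for name, rx in CMDLINE_SIGNATURES.items():
            if rx.search(e["cmd"]):
                findings.append((name, e["user"], e["cmd"]))
    return findings


def run(events=SAMPLE_EVENTS):
    return {"kerberoasting": detect_kerberoasting(events),
            "commandlines": detect_commandlines(events)}


if __name__ == "__main__":
    for section, result in run().items():
        print(section, result)
```

The 4769 clustering only fires on RC4 tickets, so the AES (0x12) request from svc_backup is ignored; in production the threshold should be tuned against a baseline of legitimate service-ticket volume.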
Akira supports both encryption and extortion-only operations. Sophos observed a shift beginning in October 2023 toward cases involving data exfiltration without ransomware deployment, while other incidents involved both theft and encryption. Exfiltration tooling explicitly mentioned includes WinRAR, WinSCP, rclone, MEGA, and Chrome-based transfers. Reported exfiltration destinations and indicators include 13.107.42[.]12, 185.82.216[.]56 over port 22, 104.200.72[.]33 over port 22, and MEGA-related IPs 99.35[.]22, 206.25[.]71, 203.127[.]13, and 99.35[.]202. A bespoke backdoor named crome.exe communicating with 170.130.165[.]171 was also observed in one Akira intrusion.
When encryption is deployed, Akira commonly appends the .akira extension and drops ransom notes such as akira_readme.txt; earlier reporting in the content also describes nearly identical ransom notes named fn.txt in April 2023 incidents. Huntress and EventSight examples additionally reference Akira-related files such as C:\ProgramData\akira.ex_, akira_readme.txt, and .arika encrypted files in one detection example. Sophos reported ransomware binaries named w.exe, Lck.exe, 1.exe, locker.exe, dllhost32.exe, hpupdate.exe, and win_locker.exe in different incidents. Akira has been observed deleting shadow copies before encryption and encrypting files locally and over SMB shares. In Linux/ESXi cases, Akira encrypted .vmdk files after shutting down virtual machines.
The Linux variant is specifically described as targeting VMware ESXi products and using chunk-based partial encryption logic similar to the Windows variant for large files. Reverse engineering cited in the content states that the Linux variant uses file extensions to decide between partial and full encryption, with virtual machine-related file types such as vhdx, vmdk, and vdi observed as partially encrypted, while database file types were fully encrypted in testing. One recovery case involved a file named SERVER_2-flat.vmdk.akira on an ESXi VMFS datastore.
The content associates Akira with multiple broader threat ecosystems and actor relationships. It is explicitly listed as a RaaS program and is referred to alongside the alias Howling Scorpius in one source. Unit 42 states that Muddled Libra / Scattered Spider / UNC3944 has partnered with multiple ransomware programs including Akira, ALPHV, DragonForce, Play, Qilin, and RansomHub. Other reporting notes infrastructure overlap or campaign adjacency with LockBit 3.0 affiliate activity, and one source describes Akira as a Conti spinoff or descendant. The content also notes continued Akira activity through 2025, including Akira remaining a top RaaS brand in Q2 2025.
High-confidence indicators and artifacts directly mentioned in the content include the .akira extension; ransom notes akira_readme.txt and fn.txt; binaries w.exe, Lck.exe, 1.exe, locker.exe, dllhost32.exe, hpupdate.exe, win_locker.exe, and C:\ProgramData\akira.ex_; the bespoke backdoor crome.exe communicating with 170.130.165[.]171; exfiltration-related IPs 13.107.42[.]12, 185.82.216[.]56, 104.200.72[.]33, 99.35[.]22, 206.25[.]71, 203.127[.]13, and 99.35[.]202; and ESXi/VMDK artifact SERVER_2-flat.vmdk.akira.
Vulnerabilities exploited
13 CVEs correlated with this family across public research and vendor advisories.
In August 2024 SonicWall published advisory SNWLID-2024-0015 for CVE-2024-40766. It is an improper access control vulnerability in SonicOS. CVSS 9.3. It affects the management interface and the SSLVPN service on Gen 5, Gen 6 and Gen 7 firewalls.
In at least one case, forensic evidence indicates the threat actors likely exploited CVE-2023-27532 in the organization’s Veeam Backup & Replication component to access all the encrypted credentials stored in the configuration database. | Since the ransomware group’s initial attacks in March, Akira has emerged as a formidable ransomware threat in the cybersecurity landscape for small to medium-sized businesses... Throughout all the Akira incidents Sophos has responded to, Sophos has observed only a single case leveraging the Megazord ransomware variant, in late August 2023.
In one case, the threat actors likely exploited CVE-2023-20269 in an organization’s Cisco ASA to establish an unauthorized remote access VPN session into the victim’s infrastructure. | Since the ransomware group’s initial attacks in March, Akira has emerged as a formidable ransomware threat in the cybersecurity landscape for small to medium-sized businesses... Throughout all the Akira incidents Sophos has responded to, Sophos has observed only a single case leveraging the Megazord ransomware variant, in late August 2023.
The vulnerability, CVE-2024-40711, was used as part of a threat activity cluster we named STAC 5881. Attacks leveraged compromised VPN appliances for access and used the VEEAM vulnerability to create a new local administrator account named “point”. Some cases in this cluster led to the deployment of Akira or Fog ransomware. | Some cases in this cluster led to the deployment of Akira or Fog ransomware. Akira was first seen in 2023; its leak site was offline briefly in October, but is back online and we continue to see Akira attacks.
Akira has been observed exploiting vulnerabilities in Cisco devices (CVE-2020-3259; CVE-2023-70766) and has recently been observed exploiting a vulnerability in SonicWall Firewall devices (CVE-2024-40766). | A joint cybersecurity advisory has been issued ... about the Akira ransomware group, which has accelerated its attacks on critical infrastructure in recent months.
ReliaQuest identified what we assess with medium confidence to be the first known exploitation of this vulnerability, spanning multiple environments between February and March 2026... CVE-2024-12802 is an authentication bypass vulnerability in SonicWall appliances that reduces VPN security to single-factor authentication... On Gen6 devices, the firmware patch alone doesn’t remediate the vulnerability. Six additional manual reconfiguration steps are required.
In Q4 2023, Kroll identified an uptick in engagements involving Akira ransomware, a trend that has continued into 2024... Shortly after privilege escalation, Akira ransomware was deployed to encrypt systems.
A particularly effective technique CVE-2024-37085 allows any member of a specially named AD group to receive full administrative rights on the hypervisor without additional authentication. Ransomware operators simply create the “ESX Admins” group via net group commands and add their controlled account, granting instant ESXi admin access. | Groups leveraging REDBIKE (Akira) and AGENDA (Qilin) ransomware were among the most prolific in exploiting the “Tier-0” privileges of hypervisors to bypass guest-level defenses entirely.
CVE-2023-48365: Qlik Sense Enterprise HTTP Tunneling RCE (CVSS 9.9)
CVE-2025-23006: SonicWall SMA 1000 Pre-Auth Deserialization RCE (CVSS 9.8)
CVE-2024-21762: Fortinet FortiOS SSL VPN Out-of-Bounds Write RCE (CVSS 9.8)
CVE-2023-27997: Fortinet FortiOS SSL VPN Heap Buffer Overflow RCE - XORtigate (CVSS 9.8)
"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."
Groups observed using it
8 distinct threat actors attributed by public researchers.
These RaaS programs include: Akira (Howling Scorpius), ALPHV (Ambitious Scorpius), DragonForce (Slippery Scorpius), Play (Fiddling Scorpius), Qilin (Spikey Scorpius), RansomHub (Spoiled Scorpius)
In July 2024, Microsoft also linked the Storm-1175 threat group, along with three other cybercrime gangs, to Black Basta and Akira ransomware attacks that exploited a VMware ESXi authentication-bypass flaw.
Rapid7 just days ago uncovered a campaign tied to Akira ransomware exploiting CVE-2024-40766, an authentication vulnerability impacting SonicWall SonicOS management access and VPN instances.
"...the use of this technique has led to Akira and Black Basta ransomware deployments."
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Initial Access
3 techniques
Incident # 1 A user account purposely configured to allow for Multi-Factor Authentication (MFA) bypass. [T1078 – Valid Accounts] [T1133 – External Remote Service] ... Incident # 2 VPN access using Single Factor authentication. [T1078 – Valid Accounts] [T1133 – External Remote Service]
Execution
4 techniques
Incident # 1 Conducting discovery indirectly via schedule tasks named “Windows Update” performing remote directory listings. [T1083 – File and Directory Discovery] [T1053.005 – Scheduled Task/Job: Scheduled Task]
the following PowerShell code was visible in Windows Event Logs, indicating the successful launch of the Akira ransomware executable: powershell.exe -Command Get-WmiObject Win32_Shadowcopy , Remove-WmiObject
"Akira examines files prior to encryption ... These checks are performed through native Windows functions such as GetFileAttributesW." Also, "Cyclops Blink can use the Linux API statvfs to enumerate the current working directory."
Incident # 1 Minidump of LSASS process memory leveraging comsvcs.dll with proxy execution by rundll32.exe. [T1003.001 – OS Credential Dumping: LSASS Memory] [T1569 – System Services] Service Name: TcwvBcuf ... Incident # 2 ... [T1003.001 – OS Credential Dumping: LSASS Memory] [T1569 – System Services]
Persistence
5 techniques
This was followed by a user account password being changed... Cloudflare was installed and then a user account password was changed... The password used when modifying user accounts
Privilege Escalation
3 techniques
Stealth
2 techniques
Credential Access
1 technique
Incident # 1 Minidump of LSASS process memory leveraging comsvcs.dll with proxy execution by rundll32.exe. [T1003.001 – OS Credential Dumping: LSASS Memory] [T1569 – System Services] ... Incident # 2 ... multiple systems had the file C:\Windows\MEMORY.DMP created prior to ransomware execution ... [T1003.001 – OS Credential Dumping: LSASS Memory]
Discovery
4 techniques
Incident # 2 Utilization of a dual-use tool, Advanced IP Scanner, to discover other systems and networks. [T1018 – Remote System Discovery] ... Employing an existing IT tool, LANSweeper, to access detailed network and system information. [T1018 - Remote System Discovery] [T1087 - Account Discovery: Domain Account]
a threat actor had accessed the endpoint via RDP that was not protected via MFA, and ran netscan to enumerate endpoints on the network.
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Lateral Movement
4 techniques
HIGH Lateral Movement via Network Logon - Ransomware Propagation ... T1021 | Lateral Movement ... Network logon (Type 3) from remote IP 172.22.86.78 followed by extensive file system access patterns typical of ransomware deployment.
During the final week of March 2025, Huntress Security Operations Center (SOC) analysts reported an endpoint on which Akira ransomware had been deployed. An investigation into the incident indicated that three days prior to the incident, a threat actor had accessed the endpoint via RDP that was not protected via MFA... The threat actor moved laterally between the endpoints via RDP.
Command and Control
4 techniques
the threat actors also targeted the MSP’s Atera RMM instance and deployed Cloudflare tunnels... Closer inspection of the Windows Event Logs showed a Cloudflare tunnel being created and run on June 23... C:\Windows\system32\cloudflared.exe tunnel run --token [REDACTED]
Leveraging a dual-use tool, PCHunter64, to acquire detailed process and system information. [T1082 – System Information Discovery] [T1105 – Ingress Tool Transfer]
the threat actor installed AteraAgent... successfully installing SplashTop Streamer... installed the Chrome Remote Desktop Host, RustDesk, and AnyDesk, all in rapid succession.
Incident #2 The threat actor almost immediately installed Cloudflare’s freely available tunnelling software here, C:\ProgramData\windows_update.exe, followed by the download and execution of another dual-use agent, Radmin [T1572 – Protocol Tunneling] [T1219 – Remote Access Software]
Impact
3 techniques
The tactic used by Akira in this ransomware attack was to first shut down the virtual machine, and then followed by partial encryption of the VM virtual disk. | Partial or intermittent encryption is a technique where only parts of a file are encrypted. The specific pattern varies heavily among ransomware strains.
Other
2 techniques
the threat actor launched the file C:\Users\<user>\AppData\Local\Temp\AVDefenderUninstall.bat, which appeared (based on subsequent EDR telemetry) to include attempts to remove various security tools. Based on several MsiInstaller messages observed in the investigative timeline, several of these attempts succeeded.
Windows Defender then detected and blocked an attempt to deploy Akira. At 08:24 UTC, a Microsoft-Windows-Windows Defender/5001 message indicated that Windows Defender Real-Time Protection (RTP) had been disabled... On one endpoint, Windows Defender was disabled after initially detecting and quarantining the Akira executable
IOCs tracked for this family
85 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains and DNS infrastructure; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news.
Ransomware used in an intrusion where operators brute-forced a forgotten local SSLVPN account, performed discovery, Kerberoasting, RDP-based lateral movement, cleared logs, deleted shadow copies, and then encrypted systems.
A ransomware family whose affiliates were tied to Fox Tempest infrastructure and services.
A ransomware family linked by Microsoft’s investigation to Fox Tempest’s code-signing service.