CISA Alert: Akira Ransomware – A Rising Threat to Critical Infrastructure

In a joint cybersecurity advisory first issued in April 2024 (AA24-109A) and updated since, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and international partners including the Canadian Centre for Cyber Security (CCCS), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the Netherlands’ National Cyber Security Centre (NCSC-NL) detailed the growing threat the Akira ransomware group poses to critical infrastructure. The advisory underscores the urgency for organizations across sectors to understand Akira’s tactics and implement defenses that mitigate the risk of compromise.

Who Is Akira?

Akira ransomware actors have been active since March 2023, targeting manufacturing, critical infrastructure, education, healthcare, financial services, and IT organizations. Initially focused on Windows systems, Akira later added a Linux variant targeting VMware ESXi virtual machines, which lets a single encryptor run take down every VM on a hypervisor at once. By late 2025, the group had reportedly extorted over $244 million in ransom payments.
Critical CVEs Linked to Akira Attacks

Akira ransomware has been linked to several publicly known vulnerabilities (CVEs) that the actors exploit to gain initial access and escalate privileges within target networks, chiefly in internet-facing VPN appliances and backup software. Organizations should prioritize patching the CVEs named in the advisory.
How Akira Operates

Akira’s operations are marked by technical sophistication and adaptability. Here are some key tactics:

  • Initial Access: Exploiting known vulnerabilities in internet-facing VPN appliances (notably Cisco and SonicWall products, especially where MFA is not enforced), and logging in with stolen or brute-forced credentials.
  • Execution: Running payloads through Visual Basic scripts and PowerShell commands.
  • Persistence: Creating new domain or local administrator accounts (one observed name is “itadm”) so access survives a password reset of the originally compromised account.
  • Privilege Escalation and Credential Access: Exploiting vulnerabilities in backup software such as Veeam, and dumping credentials with Mimikatz and LaZagne.
  • Lateral Movement: Using remote access tools such as AnyDesk and LogMeIn, plus SSH, to move across the network.
  • Data Exfiltration: Staging data and moving it out with RClone, WinSCP, and Ngrok tunnels before encryption begins.
  • Encryption: Encrypting files with ChaCha20 and protecting the symmetric keys with an RSA public key (a hybrid scheme that makes recovery impossible without the actors’ private key), appending extensions such as .akira, .powerranges, or .akiranew.

Akira also runs a double-extortion model: data is stolen before it is encrypted, and the actors threaten to leak it unless a ransom is paid. Negotiation takes place through a Tor (.onion) site referenced in the ransom note, and in some cases victims have also been contacted by phone.
What Can Organizations Do?

CISA and its partners recommend several critical actions:

  • Patch Known Vulnerabilities: Prioritize remediation of exploited CVEs, especially in internet-facing systems.
  • Implement MFA: Use phishing-resistant multi-factor authentication across all critical services.
  • Backup Data: Maintain offline, encrypted backups and regularly test restoration procedures.
  • Segment Networks: Limit lateral movement by isolating critical systems.
  • Monitor and Detect: Deploy endpoint detection and response (EDR) and alert on the account, tool, and file-extension indicators above rather than waiting for the ransom note.
  • Limit Admin Access: Apply the principle of least privilege and audit admin accounts regularly.
Tools of the Trade

Akira actors use a mix of legitimate and malicious tools, including:

  • Reconnaissance: AdFind, Advanced IP Scanner
  • Credential Dumping: Mimikatz, LaZagne
  • Remote Access: AnyDesk, LogMeIn
  • Data Exfiltration: RClone, FileZilla, WinRAR
  • Defense Evasion and Staging: PowerTool (used to terminate security processes), 7-Zip (used to compress data before exfiltration)
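
The tactics listed under “How Akira Operates” and the tool names above amount to a hunting checklist, and the following is an added example written for this page, not code from CISA or from the advisory. It is a small Python hunt that runs the page’s indicators (the “itadm” account, the named tool binaries, the ransom file extensions) over a constructed sample of Sysmon and Windows Security events exported as JSON lines, groups hits per host, and ranks hosts by how many distinct attack stages were seen. The field names (host, ts, EventID, Image, CommandLine, TargetFilename, TargetUserName, GroupName, MemberName), the tool binary names, and the three-file encryption threshold are assumptions made for the example; adjust them to your own telemetry.

```python
"""Hunt Akira-style tradecraft in Windows event logs (added example, not CISA code).

Input is JSON lines, one event per line, in the shape common Sysmon/Security
EVTX-to-JSON exporters produce. The field names used here (host, ts, EventID,
Image, CommandLine, TargetFilename, TargetUserName, GroupName, MemberName),
the tool binary names and the encryption threshold are assumptions made for
this example; adjust them to your own telemetry.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Tool names from the advisory's "tools of the trade", keyed by the stage they serve.
# Matching on the image basename alone is a weak signal (renamed binaries evade
# it), so hits are scored per host across stages rather than alerted one by one.
TOOL_SIGNATURES = {
    "reconnaissance": {"adfind.exe", "advanced_ip_scanner.exe"},
    "credential_dumping": {"mimikatz.exe", "lazagne.exe"},
    "remote_access": {"anydesk.exe", "logmein.exe", "ngrok.exe"},
    "exfiltration": {"rclone.exe", "winscp.exe", "filezilla.exe"},
    "staging": {"7z.exe", "winrar.exe", "powertool.exe"},
}
RANSOM_EXTENSIONS = (".akira", ".powerranges", ".akiranew")
KNOWN_BAD_ACCOUNTS = {"itadm"}                      # account name cited in the advisory
ADMIN_GROUPS = {"administrators", "domain admins"}
ENCRYPTION_THRESHOLD = 3   # assumed: ransom-extension files before a host is called "encrypting"


@dataclass(frozen=True)
class Finding:
    host: str
    ts: str
    tactic: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased final path component; handles both backslash and slash separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> Optional[Finding]:
    """Map one event to a Finding for the stage it indicates, or None."""
    host, ts, eid = event.get("host", "?"), event.get("ts", ""), event.get("EventID")
    if eid == 4720:                                   # Security: user account created
        name = event.get("TargetUserName", "")
        if name.lower() in KNOWN_BAD_ACCOUNTS:
            return Finding(host, ts, "persistence", f"account created: {name}")
    elif eid in (4728, 4732):                         # member added to a global / local group
        group = event.get("GroupName", "")
        if group.lower() in ADMIN_GROUPS:
            return Finding(host, ts, "persistence", f"{event.get('MemberName')} added to {group}")
    elif eid == 1:                                    # Sysmon: process creation
        image = _basename(event.get("Image", ""))
        for tactic, names in TOOL_SIGNATURES.items():
            if image in names:
                return Finding(host, ts, tactic, f"{image} {event.get('CommandLine', '')}".strip())
    elif eid == 11:                                   # Sysmon: file created
        target = event.get("TargetFilename", "")
        if target.lower().endswith(RANSOM_EXTENSIONS):
            return Finding(host, ts, "encryption", target)
    return None


def hunt(jsonl_text: str) -> Dict[str, List[Finding]]:
    """Return {host: findings sorted by time} for every host with a finding.

    Individual ransom-extension file events are collapsed into one finding per
    host, and only once ENCRYPTION_THRESHOLD is reached, so a stray renamed
    file does not page anyone while a burst does.
    """
    per_host: Dict[str, List[Finding]] = defaultdict(list)
    for line in jsonl_text.splitlines():
        if line.strip():
            finding = classify(json.loads(line))
            if finding:
                per_host[finding.host].append(finding)

    results: Dict[str, List[Finding]] = {}
    for host, findings in per_host.items():
        encrypted = [f for f in findings if f.tactic == "encryption"]
        kept = [f for f in findings if f.tactic != "encryption"]
        if len(encrypted) >= ENCRYPTION_THRESHOLD:
            kept.append(Finding(host, encrypted[0].ts, "encryption",
                                f"{len(encrypted)} files with ransom extension, first: {encrypted[0].detail}"))
        if kept:
            results[host] = sorted(kept, key=lambda f: f.ts)
    return results


def triage(results: Dict[str, List[Finding]]) -> List[str]:
    """Hosts ordered by how many distinct stages were seen, most first."""
    return sorted(results, key=lambda h: (-len({f.tactic for f in results[h]}), h))


# Constructed sample telemetry for the example (not real victim data).
SAMPLE_EVENTS = r"""
{"ts":"2024-04-18T02:10:05Z","host":"DC01","EventID":4720,"TargetUserName":"itadm","SubjectUserName":"backupsvc"}
{"ts":"2024-04-18T02:10:09Z","host":"DC01","EventID":4728,"GroupName":"Domain Admins","MemberName":"CORP\\itadm"}
{"ts":"2024-04-18T02:31:44Z","host":"FS01","EventID":1,"Image":"C:\\Users\\Public\\mimikatz.exe","CommandLine":"mimikatz.exe privilege::debug sekurlsa::logonpasswords exit"}
{"ts":"2024-04-18T03:02:17Z","host":"FS01","EventID":1,"Image":"C:\\ProgramData\\AnyDesk\\AnyDesk.exe","CommandLine":"AnyDesk.exe --silent"}
{"ts":"2024-04-18T03:40:00Z","host":"FS01","EventID":1,"Image":"C:\\Windows\\Temp\\rclone.exe","CommandLine":"rclone.exe copy D:\\Shares\\Finance remote:stage -q"}
{"ts":"2024-04-18T04:15:01Z","host":"FS01","EventID":11,"TargetFilename":"D:\\Shares\\Finance\\Q1.xlsx.akira"}
{"ts":"2024-04-18T04:15:01Z","host":"FS01","EventID":11,"TargetFilename":"D:\\Shares\\Finance\\Q2.xlsx.akira"}
{"ts":"2024-04-18T04:15:02Z","host":"FS01","EventID":11,"TargetFilename":"D:\\Shares\\HR\\payroll.docx.akira"}
{"ts":"2024-04-18T08:00:00Z","host":"WS07","EventID":1,"Image":"C:\\Program Files\\7-Zip\\7z.exe","CommandLine":"7z.exe a logs.7z C:\\logs"}
{"ts":"2024-04-18T08:05:00Z","host":"WS07","EventID":11,"TargetFilename":"C:\\Users\\bob\\notes.txt"}
"""

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host in triage(found):
        print(host)
        for f in found[host]:
            print(f"  {f.ts}  {f.tactic:<18} {f.detail}")
```

Run stand-alone it prints FS01 first (credential dumping, remote access tool, RClone, then the encryption burst, in order), DC01 next for the itadm account creation and Domain Admins addition, and WS07 last with a single low-confidence 7-Zip hit. That ordering is the point of the design: an archiver on one workstation is noise, while several stages on one file server within a couple of hours is the Akira sequence the page describes and should be escalated before the extension count climbs further.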

Final Thoughts

The Akira ransomware campaign is a stark reminder that cybercriminals are constantly innovating. Organizations must remain vigilant, proactive, and collaborative in their defense strategies. For a comprehensive list of indicators of compromise (IOCs), tools, and mitigation strategies, visit: StopRansomware.gov.

Source advisory: #StopRansomware: Akira Ransomware | CISA

Cybersecurity is not just an IT issue, it’s a business imperative. Stay alert, stay updated, and stay secure.