>samit_hota
Back to adversary profiles
G1024HighActive

Akira Ransomware: A Persistent and Evolving Global Threat

Samit Hota·
Suspected Origin
Russia (Suspected)
Motivation
Financial Gain
Aliases
GOLD SAHARA, PUNK SPIDER, Howling Scorpius
Target Sectors
Education, Financial Services, Healthcare and Public Health, Information Technology, Critical Manufacturing, Food and Agriculture, Manufacturing, Professional Services, Technology, Government, Legal, Real Estate
Associated Malware
Akira, Megazord, Akira_v2, SystemBC, AnyDesk, LogMeIn, MobaXterm, RustDesk, Cloudflare Tunnel, Ngrok, FileZilla, WinRAR, WinSCP, RClone, 7-Zip, SharpDomainSpray, PowerTool, PsExec, SoftPerfect, Adfind, Impacket, Cobalt Strike, Mimikatz, LaZagne, PCHunter64, PowerShell, WMIC
#threat-actor#g1024

Overview

Akira (MITRE ATT&CK ID: G1024), also known by aliases such as GOLD SAHARA, PUNK SPIDER, and Howling Scorpius, is a formidable ransomware-as-a-service (RaaS) operation that emerged in March 2023. This group swiftly established itself as a significant threat actor, demonstrating a high level of technical sophistication and operational adaptability. Their primary motivation is financial gain, achieved through a “double extortion” model where they not only encrypt victim data but also exfiltrate it, threatening public release if a ransom is not paid. Ransoms typically range from hundreds of thousands to millions of dollars, demanded in Bitcoin. As of late September 2025, Akira has collectively extorted approximately $244.17 million USD from its victims.

While the precise country of origin for Akira remains unconfirmed, evidence strongly suggests a Russian nexus. Observations by security researchers indicate Akira communicating in Russian on darkweb cybercrime forums, and the ransomware binary notably lacks a function to terminate if a Russian keyboard layout is detected, a common trait among Russian-speaking threat groups aiming to avoid domestic targeting. Furthermore, technical analysis has revealed overlaps in tools and techniques with the defunct Conti ransomware group, implying potential affiliations or shared origins.

Akira casts a wide net globally, with a pronounced focus on entities in North America, Europe, and Australia. Within these regions, they have shown a particular preference for educational institutions and organizations across Critical Manufacturing, Information Technology, Healthcare and Public Health, Financial Services, and Food and Agriculture sectors. While many ransomware groups target large enterprises, Akira frequently targets small and medium-sized businesses (SMBs), with approximately 80% of their victims falling into the 1 to 200 employee range. However, their operations have also impacted larger organizations, underscoring their opportunistic yet capable approach.

Tactics & Techniques

Akira’s attack lifecycle is characterized by speed and a reliance on exploiting common vulnerabilities and misconfigurations. Initial access is predominantly gained through compromised Virtual Private Network (VPN) credentials, often targeting services lacking multi-factor authentication (MFA). They actively exploit known vulnerabilities in public-facing applications, including those in SonicWall firewall devices (CVE-2024-40766) and Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) platforms (CVE-2023-20269, CVE-2020-3259). Other initial vectors include brute-forcing VPN endpoints and Remote Desktop Protocol (RDP), password spraying techniques (e.g., using SharpDomainSpray), and exploiting vulnerabilities in backup solutions like Veeam Backup & Replication (CVE-2023-27532, CVE-2024-40711). Phishing and spear-phishing campaigns are also employed to harvest credentials.

Once inside, Akira threat actors quickly establish persistence and escalate privileges. They often create new domain accounts, sometimes using generic names like “itadm,” and leverage legitimate remote access tools such as AnyDesk and LogMeIn to maintain access and blend with legitimate administrator activity. For privilege escalation, they frequently employ techniques like Kerberoasting and dump credentials from Local Security Authority Subsystem Service (LSASS) memory, sometimes using tools like Mimikatz or LaZagne. They also exploit local vulnerabilities, such as PrintNightmare (CVE-2021-34527), to gain SYSTEM privileges.

Defense evasion is a critical phase, with Akira threat actors actively disabling security software using tools like PowerTool to exploit drivers like Zemana AntiMalware and terminate antivirus processes. They uninstall Endpoint Detection and Response (EDR) systems and utilize legitimate system tools and commands (PowerShell, WMIC, Visual Basic scripts) to execute malicious actions and blend into the environment.

For discovery, Akira conducts extensive network reconnaissance, using built-in tools like ping, arp -a, and netstat, alongside specialized utilities like SoftPerfect netscan.exe, Adfind, and nltest, to map networks, enumerate Active Directory objects, and identify domain trusts. Lateral movement is achieved through legitimate remote access tools like RDP, SSH, AnyDesk, LogMeIn, and MobaXterm. They also use tools like PsExec to run commands on remote systems, PowerShell Remoting for payload execution, and Impacket’s wmiexec.py for remote command execution.

Before encryption, Akira collects and exfiltrates sensitive data. They commonly compress data using tools such as FileZilla, WinRAR, 7-Zip, or tailored scripts to streamline the process. For exfiltration, they leverage legitimate file transfer utilities like WinSCP, RClone, and FileZilla, often sending data to cloud storage services like Mega. Ngrok and Cloudflare Tunnel are also used to create secure tunnels for data exfiltration and Command and Control (C2) communications.

The final impact phase involves the encryption of systems and data, coupled with aggressive measures to inhibit recovery. Akira employs a sophisticated hybrid encryption scheme, combining ChaCha20 with RSA for fast and secure key exchange. They target both Windows and Linux environments, with a notable and aggressive focus on VMware ESXi hypervisors. In recent attacks, they have expanded to target Nutanix Acropolis Hypervisor (AHV) systems. To prevent victims from recovering their files, Akira deletes Volume Shadow Copies using PowerShell or WMI. The ransom note, typically named fn.txt, provides a unique code and instructions to contact the threat actors via a .onion URL on the Tor network.

Notable Campaigns

Since its inception in March 2023, Akira has engaged in numerous high-profile and widespread campaigns. By January 2024, the group had reportedly attacked over 250 organizations. A significant trend observed in 2024 was Akira’s aggressive focus on VMware ESXi environments, which accounted for approximately 50% of their attacks.

Notable incidents attributed to Akira include a claimed exfiltration of 430 GB of data from Stanford University’s Department of Public Safety in October 2023. In December 2023, Nissan Oceania reported a data impact affecting 100,000 individuals due to an Akira attack. The Finnish IT services and cloud hosting provider Tietoevry was also hit in January 2024, leading to significant outages for its cloud customers. In a notable financial payout, a Singapore-based law firm, Shook Lin & Bok, reportedly paid a $1.4 million ransom in Bitcoin to Akira in June 2024. In April 2025, the major cyber-infrastructure provider Hitachi Vantara also reported a disruptive ransomware incident linked to Akira.

A particularly aggressive campaign began in July 2025, where Akira actively exploited CVE-2024-40766 in SonicWall firewall devices, specifically targeting the remote access infrastructure of financial institutions. This campaign leveraged previously exfiltrated credentials, including those protected by OTP MFA, and demonstrated extraordinarily short dwell times, with attackers moving from initial access to encryption in under four hours, and some incidents as fast as 55 minutes.

Associated Malware & Tools

Akira employs a versatile toolkit comprising custom ransomware variants and numerous legitimate tools repurposed for malicious activities. Their primary ransomware variants include the original C++-based Akira encryptor, which appends .akira to encrypted files, and the Rust-based Megazord encryptor, identified by the .powerranges extension. They also developed Akira_v2, specifically targeting VMware ESXi hypervisors, and have expanded their encryptor capabilities to include Nutanix AHV systems. While Megazord has reportedly seen reduced use since 2024, Akira continues to shift between its various payloads, demonstrating continuous evolution in their offensive capabilities.

The group extensively utilizes readily available, legitimate remote access software such as AnyDesk, LogMeIn, MobaXterm, and RustDesk for lateral movement and persistence. For data exfiltration, they rely on standard file transfer tools like FileZilla, WinRAR, WinSCP, RClone, and 7-Zip, often transferring data to cloud services like Mega. Command and Control (C2) communications often leverage tunneling utilities such as Ngrok and Cloudflare Tunnel to establish encrypted sessions and bypass perimeter monitoring.

Other tools commonly observed in Akira operations include SystemBC (a multi-purpose malware functioning as a remote access trojan and proxy bot), SharpDomainSpray for password spraying, PowerTool for disabling security software, and PsExec for executing commands on remote systems. For network discovery and credential dumping, they use utilities like SoftPerfect netscan.exe, Adfind, nltest, Mimikatz, LaZagne, and PCHunter64. They also leverage commercial penetration testing frameworks like Cobalt Strike and exploit scripting interpreters such as PowerShell and WMIC.

Current Status

Akira remains an exceptionally active and evolving threat actor, demonstrating no signs of slowing its operations. Joint advisories from agencies like the FBI, CISA, and Europol, updated as recently as November 2025, highlight Akira’s continuous evolution and classify it as an imminent threat to critical infrastructure.

The group’s activity has consistently grown, with ransomware proceeds increasing significantly year-over-year. As of Q1 2026, Akira ranked as the second most prolific ransomware group globally, behind only Qilin, posting 84 new victims in March 2026 alone and accumulating over 1,400 victims since 2023. Their adaptable tactics, including the rapid exploitation of newly discovered vulnerabilities and continuous refinement of their post-payment laundering infrastructure, underscore their sophistication and determination to evade detection and enforcement efforts. Organizations must maintain heightened vigilance and robust defensive postures against this persistent and dangerous threat.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call