Understanding Akira: A Persistent Ransomware Threat

In the ever-evolving landscape of cybersecurity, staying informed about emerging threats is crucial for organizations to protect their digital assets. One such threat that has garnered attention is the ransomware group known as Akira, named after its inaugural ransomware strain unleashed in March 2023. Believed to have originated as a splinter cell from the Conti group, Akira has since established itself as a formidable adversary, employing sophisticated tactics to infiltrate and extort organizations worldwide.

Evolution of Tactics

Akira’s journey began with its initial ransomware, crafted in C++, before transitioning to a more advanced Rust-based variant called Megazord. This evolution underscores the group’s adaptability and commitment to staying ahead of cybersecurity defenses. However, what truly sets Akira apart is its adoption of a double extortion scheme. This tactic involves exfiltrating sensitive data before encrypting devices within a targeted network, amplifying the pressure on victims to comply with their demands.

Associated MITRE ATT&CK Techniques

Active Scanning
Gather Victim Identity Information
Gather Victim Network Information
Gather Victim Org Information: Identify Roles
OS Credential Dumping: LSASS Memory
Exfiltration Over Alternative Protocol
Remote Services: Remote Desktop Protocol
Command and Scripting Interpreter: PowerShell
Native API
Exploit Public-Facing Application
Data Encrypted for Impact
Inhibit System Recovery
Compromise Infrastructure

Target Preferences and Tactics

Akira exhibits a clear preference for victims in the United States and US-aligned countries such as the UK, Australia, and Canada. Industries such as Services & Goods, Manufacturing, Education, and Construction are among their favored targets due to their reliance on digital infrastructure and valuable data. The group employs various tactics, including dictionary attacks against Internet-exposed devices and exploiting known vulnerabilities such as CVE-2023-20269 within the Cisco ASA Authentication, Authorization, and Accounting (AAA) functionality.


Execution and Encryption

Once inside a network, Akira uses a range of tools and techniques for lateral movement and credential harvesting, including dumping LSASS memory, RDP, SMB, PCHunter64, LaZagne, and Mimikatz. The group has also targeted specific vulnerabilities in backup solutions such as Veeam to obtain domain admin credentials. For exfiltration, Akira prefers tools such as RClone, WinSCP, and FileZilla. After exfiltration, Akira or Megazord encrypts files selectively and deletes volume shadow copies through PowerShell to hinder recovery efforts.
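The shadow-copy deletion step described above is one of the most reliable points at which defenders can catch this activity in process-creation telemetry. The following detection is an added example, not code from the original post; it assumes a simple "host|user|image|cmdline" log export and runs over constructed sample events.

```python
"""Flag process-creation events matching Inhibit System Recovery (T1490) patterns.
Sample log lines below are constructed for this example, not from a real incident."""
import re
from typing import Dict, List

# Command-line patterns commonly used to delete shadow copies or disable recovery.
# Matching is case-insensitive; whitespace is normalised before matching.
RECOVERY_INHIBIT_PATTERNS = {
    "vssadmin_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "powershell_wmi_shadowcopy": re.compile(
        r"win32_shadowcopy.*\|\s*(remove-wmiobject|remove-ciminstance)", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit_recovery_disabled": re.compile(
        r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
}

def classify_command_line(cmdline: str) -> List[str]:
    """Return the names of every T1490 pattern the command line matches."""
    normalised = " ".join(cmdline.split())
    return [name for name, rx in RECOVERY_INHIBIT_PATTERNS.items() if rx.search(normalised)]

def scan_process_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse 'host|user|image|cmdline' lines and report every line with a match."""
    hits = []
    for line in lines:
        # maxsplit=3 keeps any '|' that appears inside the command line itself
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed entries rather than crash the scan
        host, user, image, cmdline = (p.strip() for p in parts)
        matched = classify_command_line(cmdline)
        if matched:
            hits.append({"host": host, "user": user, "image": image,
                         "patterns": ",".join(matched)})
    return hits

# Constructed sample of process-creation events (Sysmon EID 1 / Security 4688 style).
SAMPLE_LOG = [
    "SRV01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "WS22|CORP\\jdoe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -c \"Get-WmiObject Win32_Shadowcopy | Remove-WmiObject\"",
    "WS22|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\jdoe\\notes.txt",
    "SRV01|CORP\\admin|C:\\Windows\\System32\\cmd.exe|cmd.exe /c wbadmin delete catalog -quiet & bcdedit /set {default} recoveryenabled No",
    "malformed line without separators",
]

if __name__ == "__main__":
    for hit in scan_process_log(SAMPLE_LOG):
        print(hit)
```

Alerting on these patterns from a backup service account or an interactive user session, rather than from a known backup maintenance job, is what separates a true positive from routine administration.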


Facing the Threat

Akira’s impact on organizations is profound, with an average of 18.5 successful attacks per month and ransom demands sometimes reaching into the hundreds of millions. To mitigate the risk posed by Akira and similar ransomware groups, organizations must prioritize cybersecurity measures. This includes implementing robust incident response protocols, regularly updating software and patches to address known vulnerabilities, and educating employees about the importance of cybersecurity hygiene.


In conclusion, while the threat posed by Akira is significant, proactive measures can help organizations bolster their defenses and minimize the risk of falling victim to ransomware attacks. By remaining vigilant and adopting a multi-layered approach to cybersecurity, organizations can mitigate the impact of ransomware threats and safeguard their valuable data and assets.
