Akira Ransomware Group

Introduction

Akira is a relatively new but highly active ransomware group that emerged in March 2023. Despite its short time in operation, Akira has already gained notoriety for targeting enterprises, government institutions, healthcare, education, and financial sectors.

Unlike some Ransomware-as-a-Service (RaaS) operations, Akira runs a semi-private affiliate model, meaning it carefully selects its partners rather than allowing open recruitment. The group uses a double extortion technique, encrypting victims' files while also stealing sensitive data, threatening to leak it unless the ransom is paid.

Akira is believed to be connected to former Conti or Ryuk ransomware operators, based on code similarities and attack methodologies.

Key Information

  • Active Since: March 2023 – Present

  • Threat Actor Type: Semi-Private Ransomware Operation (Affiliate-Based)

  • Affiliations: Possible ties to Conti, Ryuk, and Russian-speaking ransomware actors

  • Primary Attack Model: Double Extortion (File Encryption + Data Theft)

  • Targeted Sectors:

    • Financial Services

    • Healthcare & Pharmaceuticals

    • Manufacturing & Industrial Enterprises

    • Educational Institutions

    • Government Agencies

What Makes Akira Unique?

  • Hybrid attack model: Uses both encryption and data theft for ransom leverage.

  • Prefers exploiting enterprise VPN and RDP vulnerabilities.

  • Allows victims to negotiate for partial data recovery payments.

  • Code similarities to Conti ransomware suggest former members are involved.

MITRE ATT&CK Techniques (TTPs) – Akira Ransomware

Akira ransomware follows a structured attack methodology that aligns with the MITRE ATT&CK framework (S1129). Below is the confirmed list of techniques used by Akira.

Execution (Deploying the Ransomware Payload)

  • T1059.001 – Command and Scripting Interpreter: PowerShell

    • Akira executes PowerShell commands to delete system volume shadow copies, preventing recovery.

  • T1059.003 – Command and Scripting Interpreter: Windows Command Shell

    • The ransomware runs from the Windows command line and supports multiple execution parameters.

Discovery (Reconnaissance & System Profiling)

  • T1083 – File and Directory Discovery

    • Akira examines files before encryption, checking if they meet specific requirements using Windows API functions like GetFileAttributesW.

  • T1135 – Network Share Discovery

    • The ransomware identifies accessible remote file shares for potential encryption.

  • T1057 – Process Discovery

    • Akira verifies the deletion of volume shadow copies by checking for the process ID of the deletion command.

  • T1082 – System Information Discovery

    • Akira uses GetSystemInfo, a Windows function, to collect details about the number of processors on a victim’s machine.

Defense Evasion & Privilege Escalation

  • T1047 – Windows Management Instrumentation (WMI)

    • Akira leverages COM objects via WMI during execution to evade detection and avoid security monitoring.

  • T1106 – Native API

    • Uses native Windows API calls like GetFileAttributesW and GetSystemInfo to interact with the system without triggering security alerts.

Impact (Ransomware Encryption & System Disruption)

  • T1486 – Data Encrypted for Impact

    • Akira encrypts files on the victim’s filesystem for financial extortion purposes.

  • T1490 – Inhibit System Recovery

    • The ransomware deletes system volume shadow copies via PowerShell commands, ensuring victims cannot restore their files.

Notable Attacks & Financial Impact

High-Profile Victims

Akira has targeted multiple industries, including:

  • Financial institutions

  • Healthcare providers

  • Educational institutions

  • Critical infrastructure sectors

Estimated Financial Impact

  • Ransom demands range from $200,000 to $4 million per victim.

  • Victims who refuse to pay have their data leaked on Akira’s dark web leak site.

  • Total estimated damages exceed $100 million in 2023 alone.

Affiliations & Evolution

Potential Links to Conti & Ryuk Ransomware

  • Akira’s ransomware code shares similarities with Conti, suggesting former Conti members may be involved.

  • The group’s operational style resembles Ryuk, particularly in how it selects high-value targets and negotiates ransom payments.

How Akira Differs from Other Ransomware Groups

  • Unlike LockBit or Cl0p, Akira still encrypts files rather than relying solely on data theft.

  • Operates a selective affiliate model, rather than fully open RaaS recruitment.

  • Uses modern attack techniques such as Cobalt Strike for post-exploitation and custom ransomware payloads.

Defensive Recommendations Against Akira Attacks

Given Akira’s focus on enterprise VPN exploits, RDP weaknesses, and data theft, organizations must adopt proactive security measures.

Preventative Measures

  • Patch Vulnerabilities in VPN & RDP Services – Akira frequently exploits unpatched Fortinet, Citrix, and Pulse Secure VPNs.

  • Implement Multi-Factor Authentication (MFA) – Prevents Akira from using stolen credentials for access.

  • Monitor Lateral Movement & C2 Communications – Detect Cobalt Strike beacons and unusual PowerShell execution.

  • Restrict RDP & Remote Admin Access – Lock down exposed RDP ports and enforce zero-trust access controls.

  • Regularly Back Up Critical Data – Ensures business continuity in case of ransomware encryption.

  • Deploy Threat Intelligence & Dark Web Monitoring – Identify leaked credentials or attack indicators early.
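As an added illustration of the T1490 / T1059.001 behaviour described above and the PowerShell-monitoring recommendation, the following detection logic (example code, not from this profile or from any vendor product) scans constructed PowerShell script-block log records for shadow-copy deletion while leaving ordinary Win32_ShadowCopy enumeration unflagged. The hosts, users and log entries are made up, and the vssadmin rule generalises slightly beyond the page's WMI-only description.

```python
import re
from dataclasses import dataclass

# Constructed sample PowerShell ScriptBlock-logging records (Event ID 4104 style).
# These are NOT real Akira telemetry; they stand in for what a SIEM would collect.
SAMPLE_EVENTS = [
    {"host": "fs01", "user": "svc_backup",
     "script": "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
    {"host": "ws12", "user": "jdoe",
     "script": "Get-ChildItem C:\\Reports | Sort-Object LastWriteTime"},
    {"host": "fs01", "user": "svc_backup",
     "script": "vssadmin delete shadows /all /quiet"},
    {"host": "dc01", "user": "admin",
     "script": "Get-WmiObject Win32_ShadowCopy | Select-Object ID, InstallDate"},
]

# Each rule: (name, ATT&CK technique, compiled regex). The first rule keys on the
# WMI-based deletion the profile attributes to Akira; the second covers the vssadmin
# form that is the common alternative for the same T1490 behaviour.
RULES = [
    ("wmi_shadowcopy_delete", "T1490",
     re.compile(r"Win32_ShadowCopy.*?(\.Delete\(|Remove-WmiObject|Remove-CimInstance)",
                re.I | re.S)),
    ("vssadmin_delete_shadows", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
]


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    technique: str


def scan_events(events):
    """Return one Alert per (event, rule) match. Read-only Win32_ShadowCopy
    queries (inventory, monitoring) do not match and so are not reported."""
    alerts = []
    for ev in events:
        for name, technique, pattern in RULES:
            if pattern.search(ev["script"]):
                alerts.append(Alert(ev["host"], ev["user"], name, technique))
    return alerts


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.rule} on {a.host} by {a.user}")
```

Tie alerts back to the defensive guidance above by routing them to the same queue as Cobalt Strike beacon detections, since shadow-copy deletion typically precedes encryption by minutes rather than days.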

Final Thoughts

Akira ransomware is an emerging yet highly dangerous cyber threat, blending traditional ransomware encryption with modern extortion tactics. With potential links to former Conti operators, it is expected to expand its operations throughout 2024.

Unlike Cl0p, which focuses on pure data extortion, Akira continues to encrypt files, making it a hybrid threat. Organizations should harden security controls, monitor for suspicious activity, and proactively secure VPN/RDP environments to reduce the risk.
