Know Your Adversary: Akira

Akira are one of the most well known ransomware groups. Whilst their tools, tactics and techniques have evolved over time, this article looks at their approach as of May 2025. What is their most common attack vector? How can incident responders detect and investigate the Akira threat?

Know Your Adversary: The tools and techniques used by Akira Ransomware

Summary

Akira is a double-extortion ransomware operation that steals data first, then encrypts it, pressuring victims with both operational outage and public exposure. The group runs as a Ransomware-as-a-Service, supplying affiliates with Windows, Linux and ESXi encryptors that append “.akira” to files (although alternative extensions such as .powerranges and .akiranew have also been observed). The payload uses a hybrid ChaCha20 + RSA scheme and wipes Volume Shadow Copies to thwart recovery. Initial access most often comes via VPN appliances that lack multifactor authentication or are unpatched (for example, CVE-2020-3259 and CVE-2023-20269 were Akira's personal favourites for a while), although spear-phishing, exposed RDP and purchased credentials have also been observed in a smaller number of cases. Akira’s affiliates routinely exfiltrate gigabytes of data with tools such as Rclone, WinSCP and FileZilla before launching the encryptor, then list victims on a TOR leak portal.

Background

Akira’s public activity began in March 2023, debuting with a “retro” DOS-style leak site that quickly attracted attention in the incident-response community. Within ten months the group had expanded to a Linux/ESXi variant (“Megazord” and later “Akira_v2” written in Rust) and, by 1 January 2024, had hit more than 250 organisations across North America, Europe and Australia, netting roughly $42 million in ransoms. Victimology spans education, manufacturing, healthcare, finance and critical infrastructure, indicating broad affiliate participation rather than vertical specialisation.

Attack Vector

  1. VPN compromise – The overwhelming majority of intrusions start with single-factor VPN portals. Actors brute-force or spray credentials, or harvest them directly from vulnerable firewalls (e.g., CVE-2020-3259 or CVE-2023-20269). Once a foothold is gained, Kerberoasting and LSASS dumps provide additional credentials for lateral movement.
  2. External-facing services – Akira affiliates have also been known to exploit exposed RDP using legitimate credentials (e.g., acquired from the dark web). This mirrors their use of VPNs for remote access, except that they authenticate directly onto devices where RDP has been internet-exposed (e.g., via a poorly configured firewall).
  3. Spear-phishing – In rare cases, Akira incidents have been attributed to spear-phishing with malicious attachments used to establish an initial foothold, either by installing malware or by harvesting credentials that are later used to log in via an MFA-less VPN.
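Because the first vector above is credential spraying against single-factor VPN portals, the most useful early detection is a simple spray hunt over VPN authentication logs: one source address failing against many distinct accounts in a short window, followed by a success from the same source. The following is an added example, not code from the article or from Strand Intelligence; the log lines are constructed in a generic syslog-like layout (timestamp, user, source IP, result) rather than any particular appliance's format, and the window and threshold values are assumptions to tune per environment.

```python
"""Password-spray detection over VPN authentication logs (added example).

Assumed log layout (constructed, not a vendor format):
  <ISO8601 timestamp> vpn-auth user=<name> src=<ip> result=<FAIL|SUCCESS>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: 203.0.113.7 fails against five different accounts in
# ten seconds and then succeeds as "frank" (a spray that landed a credential);
# 198.51.100.20 is an ordinary user mistyping a password once.
SAMPLE_LOG = """\
2025-05-12T08:00:01Z vpn-auth user=alice src=203.0.113.7 result=FAIL
2025-05-12T08:00:03Z vpn-auth user=bob src=203.0.113.7 result=FAIL
2025-05-12T08:00:05Z vpn-auth user=carol src=203.0.113.7 result=FAIL
2025-05-12T08:00:07Z vpn-auth user=dave src=203.0.113.7 result=FAIL
2025-05-12T08:00:09Z vpn-auth user=erin src=203.0.113.7 result=FAIL
2025-05-12T08:00:11Z vpn-auth user=frank src=203.0.113.7 result=SUCCESS
2025-05-12T08:10:00Z vpn-auth user=grace src=198.51.100.20 result=FAIL
2025-05-12T08:10:30Z vpn-auth user=grace src=198.51.100.20 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed log layout into event dicts; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]})
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail against at least `min_users` distinct accounts
    within `window`. Each alert also lists accounts that later succeeded from
    the same source, which is the case that needs an immediate password reset
    and session revocation rather than just a block."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        # Slide a window over the failures from each starting failure.
        for i, start in enumerate(fails):
            in_window = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in in_window}
            if len(users) >= min_users:
                success_users = sorted({
                    e["user"] for e in evs
                    if e["result"] == "SUCCESS" and e["ts"] >= start["ts"]
                })
                alerts.append({
                    "src": src,
                    "distinct_users": len(users),
                    "first_fail": start["ts"].isoformat(),
                    "success_users": success_users,
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

The threshold of five distinct accounts in ten minutes is deliberately low for a demonstration; in production it is set from a baseline of normal failure rates per portal, and the `success_users` field is what turns a noisy spray alert into an account-compromise ticket.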

Persistence

In 2025, Akira and their affiliates have preferred enterprise remote access tools for persistence, often AnyDesk. If an organisation already utilises one of these tools, fresh installations across the estate are often required to combat scenarios where Akira have installed secondary versions of the legitimately used tool in order to hide in plain sight.

Tools Observed

| Stage | Key Tools & Techniques | What to Hunt For |
| --- | --- | --- |
| Recon & Credential Access | AdFind, Advanced IP Scanner, SoftPerfect netscan, Kerberoasting scripts, Mimikatz, LaZagne | Unusual use of AdFind from admin workstations; LSASS dumps; clear-text creds in C:\Temp |
| Lateral Movement & C2 | AnyDesk, RustDesk, Ngrok, Cloudflare Tunnel, MobaXterm | Beacons to ngrok.io or 185.199.*, new AnyDesk IDs, outbound SSH over high ports |
| Exfiltration | Rclone, WinSCP, FileZilla, WinRAR/7-Zip split archives | Large outbound transfers to Mega.nz or temp SFTP servers, sequential RAR volumes |
| Impact | Akira / Megazord encryptors, w.exe, PowerShell vssadmin delete shadows, net use * /del | Unexpected .akira / .powerranges extensions, ransom notes in targeted directories |
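The "What to Hunt For" column, together with the Persistence section's point about secondary remote-access installs, translates directly into a small rule set that can be run over endpoint telemetry. The following is an added example, not code from the article or from Strand Intelligence: it applies regex rules derived from the table to constructed process-creation and file-write records (the dict layout is an assumption standing in for parsed Sysmon/EDR events, and the host names, users and command lines are made up), then groups hits by host so that a machine showing exfiltration tooling followed by shadow-copy deletion and .akira files stands out.

```python
"""Hunt for Akira-style tooling and impact indicators in endpoint telemetry
(added example). Record layout is an assumed, simplified parse of
process-creation and file-write events; all sample values are constructed.
"""
import re

SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-ADMIN01", "user": "corp\\jsmith",
     "cmdline": r"C:\Temp\AdFind.exe -f objectcategory=computer"},
    {"type": "process", "host": "SRV-FILE01", "user": "corp\\svc_backup",
     "cmdline": r"rclone.exe copy D:\Shares mega:exfil --transfers 8"},
    {"type": "process", "host": "SRV-FILE01", "user": "corp\\svc_backup",
     "cmdline": "powershell.exe -c \"vssadmin delete shadows /all /quiet\""},
    {"type": "process", "host": "SRV-FILE01", "user": "corp\\svc_backup",
     "cmdline": "net use * /del /y"},
    # AnyDesk launched from a user's Downloads folder rather than the
    # sanctioned install path: the "second copy hiding in plain sight" case.
    {"type": "process", "host": "WS-ADMIN01", "user": "corp\\jsmith",
     "cmdline": r"C:\Users\jsmith\Downloads\AnyDesk.exe"},
    {"type": "file", "host": "SRV-FILE01", "user": "corp\\svc_backup",
     "path": r"D:\Shares\Finance\budget.xlsx.akira"},
    {"type": "process", "host": "WS-DEV02", "user": "corp\\alee",
     "cmdline": r"C:\Program Files\Git\bin\git.exe pull"},  # benign noise
]

# Assumed sanctioned install location for the organisation's own AnyDesk.
SANCTIONED_ANYDESK_PREFIX = r"C:\Program Files\AnyDesk"

# (stage from the table, pattern over the command line)
PROCESS_RULES = [
    ("Recon & Credential Access",
     re.compile(r"\b(adfind|mimikatz|lazagne|netscan)\.exe\b", re.I)),
    ("Lateral Movement & C2",
     re.compile(r"\b(anydesk|rustdesk|ngrok|cloudflared)\.exe\b", re.I)),
    ("Exfiltration",
     re.compile(r"\b(rclone|winscp|filezilla)\.exe\b", re.I)),
    ("Impact",
     re.compile(r"vssadmin.*delete\s+shadows|net\s+use\s+\*\s+/del", re.I)),
]
# (stage, pattern over the written file path)
FILE_RULES = [
    ("Impact", re.compile(r"\.(akira|powerranges|akiranew)$", re.I)),
]


def hunt(events):
    """Apply the rules to each record and return one finding per matched record."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            rules, text = PROCESS_RULES, ev["cmdline"]
        elif ev["type"] == "file":
            rules, text = FILE_RULES, ev["path"]
        else:
            continue
        for stage, pattern in rules:
            if pattern.search(text):
                finding = {"stage": stage, "host": ev["host"],
                           "user": ev["user"], "evidence": text}
                # Remote-access tool running outside its sanctioned path is
                # the persistence pattern described above; mark it explicitly.
                if stage == "Lateral Movement & C2":
                    finding["unsanctioned_path"] = not text.lower().startswith(
                        SANCTIONED_ANYDESK_PREFIX.lower())
                findings.append(finding)
                break
    return findings


def triage(findings):
    """Group findings by host into the set of stages seen there. A host that
    shows Exfiltration together with Impact is where the two-step playbook
    (data theft, then encryption) actually ran and should be prioritised."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["stage"])
    return by_host


if __name__ == "__main__":
    for host, stages in triage(hunt(SAMPLE_EVENTS)).items():
        print(host, sorted(stages))
```

Running it on the constructed telemetry attributes exfiltration and impact to SRV-FILE01 and recon plus an unsanctioned AnyDesk launch to WS-ADMIN01, while the Git pull on WS-DEV02 produces nothing. In a real pipeline the regexes would be joined by the network indicators from the table (ngrok.io beacons, large Mega.nz transfers) from proxy and flow logs.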

Data Impact

Akira runs a two-step extortion playbook: data theft followed by selective or full encryption. Exfiltrated data is stored on attacker-controlled Mega/S3/other storage buckets and advertised on a TOR leak site if negotiations stall. Encryption is multi-threaded for speed, supports per-file partial encryption and can be tuned at runtime to target ESXi virtual disks directly. Affiliates sometimes telephone victims to increase psychological pressure.

Akira do not always name victims or publish data. Unlike other threat groups, if an organisation never engages with Akira it is not uncommon for no naming or publication to take place; if an organisation engages in negotiations and then stops, naming and publication almost always follow.

Fight Akira with Strand Intelligence

Akira’s blend of credential abuse, commodity tooling and rapid encryption leaves little time for manual response. Strand Intelligence automates the heavy lifting: it traces VPN ingress, maps lateral movement, isolates AnyDesk/RustDesk persistence and reconstructs exfiltration paths, all while generating a full forensic report you can hand to executives or law enforcement. If Akira is your adversary, let Strand close the dwell-time gap and help you recover faster.
