
Threat Profile: Akira Ransomware Group

  • Type: Ransomware-as-a-Service (RaaS), Financially Motivated.
  • Primary Targets: Education, finance, real estate, and manufacturing sectors, predominantly in North America and Europe.
  • Core Arsenal:
    • Windows Payload: Written in C++, encrypts files and appends the .akira extension.
    • Linux/ESXi Payload: A specialized variant designed to target and paralyze VMware ESXi virtualization infrastructures.

2. Technical Tactics, Techniques, and Procedures (TTPs)


DFIR analysts tracking Akira intrusions consistently observe a distinct operational pattern mapped to the MITRE ATT&CK framework.

Akira operators rely heavily on compromising perimeter devices. The US CISA has identified their primary vector as the exploitation of Cisco VPN services lacking Multi-Factor Authentication (MFA). For persistence, the group deploys legitimate Remote Monitoring and Management (RMM) tools rather than custom backdoors; commonly observed tools include AnyDesk, RustDesk, and Splashtop.

Once inside, the group uses tools such as Mimikatz, LaZagne, and Pwdump to dump LSASS memory and extract credentials. Lateral movement is conducted almost exclusively over the Remote Desktop Protocol (RDP), often with portable RDP clients such as mstsc.exe.

Data is exfiltrated prior to encryption to enable double-extortion. Akira operators favor legitimate synchronization tools, most notably Rclone, WinSCP, and FileZilla. To inhibit system recovery (Defense Evasion), the payload executes vssadmin.exe Delete Shadows /All /Quiet before initiating the encryption sequence.


When responding to a suspected Akira incident (refer to the Ransomware Investigation Playbook), analysts must focus on specific forensic artifacts.

  1. Perimeter Authentication Analysis: Audit VPN logs (Cisco, SonicWall) for unusual source IPs or impossible travel anomalies.
  2. Execution Artifact Hunting: Parse Prefetch (.pf) Files and Amcache to identify the execution of mimikatz.exe, rclone.exe, or unauthorized RMM tools (AnyDesk.exe).
  3. Lateral Movement Tracking: Filter Windows Security logs for Event ID 4624 (Logon Type 10) to trace the origin of internal RDP sessions.
  4. Volume Shadow Copy Deletion: Monitor Sysmon or Windows Event Logs (Event ID 4688) for the execution of vssadmin.exe with shadow deletion parameters.
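A small triage script, added here as an example (it is not part of the original profile), that applies steps 2 to 4 above to a few constructed Security-log records: it reports RemoteInteractive RDP logons (4624, Logon Type 10), vssadmin.exe shadow-copy deletions (4688), and execution of the binaries named in the playbook. The event field names and sample values are assumptions; 4688 records only carry a CommandLine when command-line auditing is enabled.

```python
"""Triage of exported Windows Security events for the Akira artifacts above."""
import re

# Constructed sample records shaped like exported Security log events.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.0.5.17",
     "TargetUserName": "svc_backup", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 3, "IpAddress": "10.0.5.17",
     "TargetUserName": "svc_backup", "Computer": "FS01"},  # network logon, not RDP
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet", "Computer": "FS01"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows", "Computer": "FS01"},  # benign
    {"EventID": 4688, "NewProcessName": r"C:\Users\j.doe\Downloads\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe", "Computer": "WS42"},
]

# Binaries called out in playbook step 2 (compared case-insensitively).
WATCHED_BINARIES = {"mimikatz.exe", "rclone.exe", "anydesk.exe"}

# Any "delete shadows" invocation, whatever the trailing switches (/All, /For=, /Oldest).
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)


def rdp_logons(events):
    """Step 3: RemoteInteractive logons (4624, type 10) with source IP, user, host."""
    return [(e["IpAddress"], e["TargetUserName"], e["Computer"])
            for e in events if e["EventID"] == 4624 and e["LogonType"] == 10]


def shadow_deletions(events):
    """Step 4: 4688 process creation where vssadmin.exe deletes shadow copies."""
    return [(e["Computer"], e["CommandLine"]) for e in events
            if e["EventID"] == 4688
            and e["NewProcessName"].lower().endswith("\\vssadmin.exe")
            and SHADOW_DELETE.search(e.get("CommandLine", ""))]


def watched_executions(events):
    """Step 2: 4688 process creation of tooling named in the playbook."""
    hits = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        basename = e["NewProcessName"].rsplit("\\", 1)[-1].lower()
        if basename in WATCHED_BINARIES:
            hits.append((e["Computer"], e["NewProcessName"]))
    return hits


def triage(events):
    """Run all three checks and return the findings keyed by playbook step."""
    return {"rdp": rdp_logons(events), "vss": shadow_deletions(events),
            "tools": watched_executions(events)}


if __name__ == "__main__":
    for step, findings in triage(SAMPLE_EVENTS).items():
        print(step, findings)
```

Prefetch and Amcache evidence from step 2 is not covered here; the same name matching can be applied to the executable paths those parsers emit.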

Initial Access & Discovery

  • Valid Accounts (T1078)
  • Remote System Discovery (T1018)
  • Network Share Discovery (T1135)

Credential Access & Lateral Movement

  • OS Credential Dumping: LSASS Memory (T1003.001)
  • Remote Desktop Protocol (T1021.001)

Exfiltration & Impact

  • Exfiltration Over C2 Channel (T1041)
  • Data Encrypted for Impact (T1486)
  • Inhibit System Recovery (T1490)