
Akira Ransomware Group Exploits Cisco ASA and Fortinet VPN Vulnerabilities to Amass $244 Million in Ransom Proceeds

  • Rescana
  • 6 days ago
  • 5 min read

Executive Summary

The Akira Ransomware Group has emerged as a significant threat actor in the global cybercrime landscape, amassing approximately $244 million in ransom proceeds as of mid-2025. This group has demonstrated a high level of technical sophistication, targeting organizations across sectors such as education, manufacturing, healthcare, and government. The group’s operations are characterized by the exploitation of remote access vulnerabilities, deployment of custom ransomware payloads, and the use of advanced post-exploitation tools. The technical evidence collected from incident response reports and malware analyses indicates that Akira leverages a combination of credential theft, lateral movement, and data exfiltration techniques before encrypting victim data. The group’s activities have resulted in significant operational disruptions and financial losses for affected organizations. This advisory provides a comprehensive technical analysis of the Akira Ransomware Group’s tactics, techniques, and procedures (TTPs), outlines the affected systems and timeline, and offers prioritized mitigation recommendations.

Technical Information

The Akira Ransomware Group employs a multi-stage attack methodology, beginning with the exploitation of remote access services and culminating in the exfiltration and encryption of sensitive data. Initial access is typically achieved through the exploitation of unpatched vulnerabilities in VPN appliances, such as Cisco ASA and Fortinet devices, or through the use of compromised credentials obtained via phishing campaigns or credential stuffing attacks. These methods align with MITRE ATT&CK techniques T1133 (External Remote Services) and T1190 (Exploit Public-Facing Application).

Once inside the target environment, Akira operators deploy a custom ransomware executable that encrypts files and appends the ".akira" extension. Technical analyses of the ransomware samples reveal the use of proprietary encryption routines, as well as the deletion of shadow copies to inhibit system recovery (MITRE ATT&CK T1486: Data Encrypted for Impact, T1070.004: Indicator Removal on Host: File Deletion). The ransomware payload is often delivered and executed using Cobalt Strike, a legitimate penetration testing tool repurposed for malicious post-exploitation activities (MITRE ATT&CK T1059.001: PowerShell, T1219: Remote Access Software).

Prior to encryption, Akira affiliates utilize Rclone, an open-source command-line program, to exfiltrate sensitive data to cloud storage services (MITRE ATT&CK T1567.002: Exfiltration to Cloud Storage). This double extortion tactic increases pressure on victims to pay the ransom by threatening to leak stolen data. Additional tools observed in Akira campaigns include Mimikatz for credential dumping (MITRE ATT&CK T1003.001: LSASS Memory) and various living-off-the-land binaries (LOLBins) for privilege escalation and defense evasion.

The group’s attack chain typically involves the following MITRE ATT&CK techniques: T1133 (External Remote Services), T1190 (Exploit Public-Facing Application), T1059.001 (PowerShell), T1204 (User Execution), T1547 (Boot or Logon Autostart Execution), T1055 (Process Injection), T1003.001 (LSASS Memory), T1070.004 (Indicator Removal on Host: File Deletion), T1562.001 (Disable or Modify Tools), T1003 (OS Credential Dumping), T1083 (File and Directory Discovery), T1016 (System Network Configuration Discovery), T1021.002 (SMB/Windows Admin Shares), T1219 (Remote Access Software), T1119 (Automated Collection), T1567.002 (Exfiltration to Cloud Storage), T1486 (Data Encrypted for Impact), and T1490 (Inhibit System Recovery).

Attribution to the Akira Ransomware Group is supported by unique technical indicators, including distinctive ransom notes, file extensions, and malware samples. The group’s operational patterns, such as the use of Cobalt Strike and Rclone, further corroborate attribution. Confidence in these findings is high, based on repeated technical analyses in public malware sandboxes and incident response reports.

Affected Versions & Timeline

The Akira Ransomware Group has targeted a wide range of operating systems and software versions, with a particular focus on organizations running unpatched or outdated Cisco ASA and Fortinet VPN appliances. The group has also exploited weaknesses in exposed Remote Desktop Protocol (RDP) services and other public-facing applications. The earliest observed activity attributed to Akira dates back to early 2023, with a rapid escalation in both the frequency and severity of attacks from 2023 onward and continuing into 2025.

Notable incidents have been reported in the education, manufacturing, healthcare, and government sectors, with several high-profile breaches occurring in North America and Europe. The group’s leak site has listed numerous victims from these sectors, indicating a broad and opportunistic targeting strategy. The timeline of attacks suggests a continuous evolution of tactics, with the group adapting to new security controls and exploiting emerging vulnerabilities as they are disclosed.

Threat Activity

The Akira Ransomware Group has demonstrated a consistent pattern of targeting organizations with high operational sensitivity to downtime, such as educational institutions, healthcare providers, manufacturers, and government agencies. The group’s initial access methods include exploiting unpatched VPN vulnerabilities, leveraging compromised credentials, and conducting phishing campaigns. Once inside the network, Akira operators perform extensive reconnaissance to identify valuable data and critical systems.

Lateral movement is facilitated through the use of Cobalt Strike and native Windows tools, allowing the attackers to escalate privileges and gain access to additional systems. Data exfiltration is conducted using Rclone, with stolen data uploaded to cloud storage services controlled by the attackers. The final stage of the attack involves the deployment of the Akira ransomware payload, which encrypts files and renders systems inoperable until a ransom is paid.

The group employs a double extortion model, demanding payment not only for decryption keys but also to prevent the public release of exfiltrated data. Ransom demands have ranged from several hundred thousand to multiple millions of dollars, with blockchain analytics firms estimating total proceeds at approximately $244 million as of mid-2025. The group’s leak site serves as both a negotiation platform and a means of applying additional pressure to victims.

Technical evidence from incident response engagements and malware analyses confirms the use of advanced TTPs, including the exploitation of remote access services, deployment of post-exploitation frameworks, and use of data exfiltration tools. The group’s ability to adapt to new security measures and exploit emerging vulnerabilities underscores the ongoing risk posed by Akira to organizations across all sectors.

Mitigation & Workarounds

To mitigate the risk posed by the Akira Ransomware Group, organizations should prioritize the following actions based on severity:

Critical actions include immediately patching all known vulnerabilities in remote access appliances, particularly Cisco ASA and Fortinet devices, and disabling unused VPN and RDP services. Organizations must enforce multi-factor authentication (MFA) for all remote access points and conduct regular reviews of user accounts and access privileges to detect unauthorized activity.

High-priority measures involve deploying endpoint detection and response (EDR) solutions capable of identifying and blocking ransomware behaviors, such as the execution of unauthorized encryption tools and the deletion of shadow copies. Network segmentation should be implemented to limit lateral movement, and regular backups should be maintained offline to ensure data recovery in the event of an attack.

Medium-priority recommendations include conducting phishing awareness training for all employees, monitoring for the use of post-exploitation tools such as Cobalt Strike and Rclone, and implementing strict controls over the use of administrative credentials. Organizations should also monitor for unusual outbound traffic patterns that may indicate data exfiltration.
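The behaviours described in the Technical Information section (shadow copy deletion before encryption, Rclone transfers to cloud storage, mass renaming of files to ".akira") and the monitoring recommended above can be expressed as simple rules over endpoint and flow telemetry. The script below is an added example written for this advisory, not Rescana's tooling or any product's detection content. It runs four rules over constructed, Sysmon-style events embedded inline; the host names (fs01, ws07), paths, command lines, destination addresses and the thresholds (50 renames per minute, 10 GiB to one destination) are all invented for illustration and would need tuning against a real environment.

```python
"""Rule-based detection of Akira-style TTPs over constructed telemetry (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# --- Constructed sample telemetry: Sysmon-style process-creation, file-rename and
# network-flow events. Invented for illustration, not records from a real incident.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T01:40:00Z", "host": "fs01", "type": "process",
     "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy \\fs01\finance mega:archive --transfers 32"},
    {"ts": "2025-06-01T01:41:00Z", "host": "fs01", "type": "flow",
     "dst": "203.0.113.10", "bytes_out": 48_000_000_000},   # ~48 GB to one external IP
    {"ts": "2025-06-01T02:00:00Z", "host": "ws07", "type": "process",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"ts": "2025-06-01T02:10:05Z", "host": "fs01", "type": "process",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-06-01T02:10:09Z", "host": "fs01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"},
    {"ts": "2025-06-01T02:30:00Z", "host": "ws07", "type": "flow",
     "dst": "198.51.100.7", "bytes_out": 12_000_000},       # 12 MB: ordinary traffic
]
# 80 renames to ".akira" on fs01 inside one minute (mass encryption), plus one stray
# rename on ws07 that must stay below the burst threshold.
SAMPLE_EVENTS += [{"ts": f"2025-06-01T02:12:{i % 60:02d}Z", "host": "fs01", "type": "rename",
                   "target": rf"D:\finance\q{i}.xlsx.akira"} for i in range(80)]
SAMPLE_EVENTS.append({"ts": "2025-06-01T03:00:00Z", "host": "ws07", "type": "rename",
                      "target": r"C:\tmp\test.txt.akira"})

# Command patterns commonly used to remove Volume Shadow Copies (T1490).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*delete",
    re.IGNORECASE)
# rclone addresses configured remotes as "<name>:<path>"; requiring 2+ name characters
# keeps Windows drive letters such as C:\ from matching.
RCLONE_REMOTE = re.compile(r"(?:^|\s)[A-Za-z0-9_-]{2,}:\S*")

RENAME_THRESHOLD = 50                     # assumed: .akira renames per host per window
RENAME_WINDOW = timedelta(seconds=60)
EGRESS_BYTES_THRESHOLD = 10 * 1024 ** 3   # assumed: 10 GiB to a single destination


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _alert(rule, technique, host, ts):
    return {"rule": rule, "technique": technique, "host": host, "ts": ts}


def process_rules(e):
    """Rules evaluated on a single process-creation event."""
    cmd = e["cmdline"]
    exe = e["image"].rsplit("\\", 1)[-1].lower()
    if SHADOW_DELETE.search(cmd):
        yield _alert("shadow-copy-deletion", "T1490", e["host"], e["ts"])
    if (exe == "rclone.exe" or cmd.lower().startswith("rclone")) and RCLONE_REMOTE.search(cmd):
        yield _alert("rclone-to-cloud-remote", "T1567.002", e["host"], e["ts"])


def rename_bursts(events):
    """Sliding window: many renames to .akira on one host in a short time (T1486)."""
    per_host = defaultdict(list)
    for e in events:
        if e["type"] == "rename" and e["target"].lower().endswith(".akira"):
            per_host[e["host"]].append(_ts(e["ts"]))
    for host, times in per_host.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > RENAME_WINDOW:
                lo += 1
            if hi - lo + 1 >= RENAME_THRESHOLD:
                yield _alert("akira-rename-burst", "T1486", host,
                             times[lo].strftime("%Y-%m-%dT%H:%M:%SZ"))
                break   # one alert per host is enough


def egress_volume(events):
    """Sum outbound bytes per (host, destination); flag unusually large transfers."""
    totals, first_seen = defaultdict(int), {}
    for e in events:
        if e["type"] == "flow":
            key = (e["host"], e["dst"])
            totals[key] += e["bytes_out"]
            first_seen.setdefault(key, e["ts"])
    for (host, dst), n in totals.items():
        if n >= EGRESS_BYTES_THRESHOLD:
            yield _alert(f"bulk-egress-to-{dst}", "T1567.002", host, first_seen[(host, dst)])


def detect(events):
    """Run all rules and return alerts ordered by timestamp."""
    alerts = [a for e in events if e["type"] == "process" for a in process_rules(e)]
    alerts.extend(rename_bursts(events))
    alerts.extend(egress_volume(events))
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["ts"]}  {a["host"]:5}  {a["technique"]:10}  {a["rule"]}')
```

On the sample data the script raises five alerts, all on fs01, in the order the activity unfolds: the Rclone copy to a cloud remote, the bulk egress that accompanies it, two shadow copy deletion commands, and the rename burst. The command-line rules are deliberately narrow (renamed or obfuscated binaries will evade them), which is why the volume-based rules on renames and egress are worth keeping alongside them.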

Low-priority actions involve reviewing and updating incident response plans to ensure readiness for ransomware attacks, participating in threat intelligence sharing initiatives, and conducting regular tabletop exercises to test response capabilities.

References

Due to current tool limitations, direct URLs cannot be provided. The following sources were referenced for this analysis: Rapid7, "Akira Ransomware: Technical Analysis and Detection Guidance"; BleepingComputer, "Akira ransomware gang claims $42 million in payments from 250 victims"; CISA Alert AA23-144A, "Akira Ransomware"; ANY.RUN, Akira ransomware sample analysis; Chainalysis, "Ransomware Payments in 2025". All technical claims are based on primary source verification from historical reports and public malware analyses.

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks across their supply chain and vendor ecosystem. Our platform enables continuous risk assessment, automated evidence collection, and actionable insights to support incident response and risk mitigation efforts. For questions or further information, please contact us at ops@rescana.com.
