Akira, a ransomware group active since March 2023, operates as a Ransomware-as-a-Service (RaaS) platform targeting organizations globally across critical industries, including healthcare, manufacturing, and finance. Leveraging advanced tactics such as exploiting VPN vulnerabilities and double extortion, Akira poses a significant threat to businesses and infrastructure worldwide.
The primary goals of Akira are financial gain through ransomware attacks, leveraging encryption and subsequent data exfiltration to demand ransoms. They utilize a double extortion method by threatening to release stolen data if victims refuse to pay.
Akira primarily exploits vulnerabilities in external-facing systems, such as VPNs with weak or missing multi-factor authentication (MFA), or unpatched firewalls. Phishing and social engineering tactics are also employed to steal credentials. Once inside, they use credential dumping tools like Mimikatz to escalate privileges and move laterally across the victim network.
Notable procedures include exploiting vulnerabilities in popular platforms (e.g., Cisco ASA, SonicWall), using remote access with compromised credentials, disabling endpoint defenses, and encrypting data with their evolving payloads like Akira_v2, developed in Rust for improved efficiency and stealth.
- Indicators of VPN exploitation (e.g., attempts against CVE-2023-20269)
- Use of tools such as Advanced IP Scanner and Mimikatz
- Malware signatures, including encrypted files carrying the .akira extension and the newer Rust-based variant's extensions
- Use of stolen administrative credentials, surfacing as unauthorized logins or access attempts
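The indicators above, and the EDR-style monitoring recommended later in this profile, can be expressed as a small rule set. The following is an added example, not code from the page or from Huntress: it runs three checks (VPN logins without MFA, known tool image names, and a burst of renames to the .akira extension on one host) over constructed JSON telemetry with a hypothetical event schema.

```python
import json
import ntpath
from collections import defaultdict, deque

# Tool names listed as Akira indicators on this page; matched on the image basename, case-insensitively.
TOOL_IMAGES = {"mimikatz.exe", "advanced_ip_scanner.exe"}
RANSOM_EXT = ".akira"

# Constructed sample telemetry, one JSON event per line (hypothetical schema, not a Huntress format).
SAMPLE_EVENTS = r"""
{"ts": 100, "type": "vpn_login", "user": "jdoe", "mfa": false, "src": "203.0.113.7"}
{"ts": 101, "type": "vpn_login", "user": "asmith", "mfa": true, "src": "198.51.100.9"}
{"ts": 110, "type": "process", "host": "WS01", "image": "C:\\Tools\\Advanced_IP_Scanner.exe"}
{"ts": 120, "type": "process", "host": "WS01", "image": "C:\\Temp\\mimikatz.exe"}
{"ts": 130, "type": "file_rename", "host": "FS01", "path": "D:\\share\\q1.xlsx.akira"}
{"ts": 131, "type": "file_rename", "host": "FS01", "path": "D:\\share\\q2.xlsx.akira"}
{"ts": 132, "type": "file_rename", "host": "FS01", "path": "D:\\share\\q3.xlsx.akira"}
{"ts": 500, "type": "file_rename", "host": "WS02", "path": "C:\\Users\\a\\notes.txt.akira"}
"""

def detect(lines, window=60, threshold=3):
    """Return (rule, detail) alerts for the page's Akira indicators; events must be sorted by ts."""
    alerts = []
    renames = defaultdict(deque)  # host -> timestamps of recent renames to .akira
    burst_alerted = set()         # hosts already reported, so a burst yields one alert
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        kind = ev.get("type")
        if kind == "vpn_login" and not ev.get("mfa", False):
            alerts.append(("vpn_login_no_mfa", f"{ev['user']} from {ev['src']}"))
        elif kind == "process":
            name = ntpath.basename(ev["image"]).lower()
            if name in TOOL_IMAGES:
                alerts.append(("known_tool", f"{ev['host']}: {name}"))
        elif kind == "file_rename" and ev["path"].lower().endswith(RANSOM_EXT):
            host = ev["host"]
            q = renames[host]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # drop renames outside the sliding window
                q.popleft()
            if len(q) >= threshold and host not in burst_alerted:
                burst_alerted.add(host)
                alerts.append(("akira_rename_burst", f"{host}: {len(q)} renames in {window}s"))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS.splitlines()):
        print(rule, detail)
```

A single rename on WS02 stays below the burst threshold and produces no alert, which keeps the rename rule from firing on a user who merely opens one already-encrypted file.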
Akira has targeted numerous sectors globally, with healthcare, manufacturing, financial services, and education being hit especially hard. Some critical infrastructure entities have also been reported as victims of their attacks.
One major incident attributed to Akira involved ransomware attacks on multiple hospitals across North America, severely impacting patient care. Another high-profile attack targeted a global logistics company, disrupting operations and causing significant financial losses.
No arrests or significant actions have been reported against Akira's operations to date. However, global law enforcement remains actively involved in combating ransomware groups of this scale and sophistication.
- Enforce robust multi-factor authentication (MFA) across all external access points.
- Regularly patch known vulnerabilities in VPNs, firewalls, and other critical systems.
- Deploy advanced detection tools like EDR/XDR to identify suspicious lateral movement, credential access, and backup tampering.
- Maintain secure, offline backups and test recovery plans to mitigate the impact of encryption attempts.
Huntress tools, such as Managed Endpoint Detection & Response, can help monitor activity related to Akira's TTPs and provide actionable alerts for mitigation.