Akira ransomware first emerged in 2023 as a ransomware-as-a-service (RaaS) operation. It has quickly gained popularity among threat actors, becoming the most active ransomware observed by MOXFIVE in 2024. Over the past year, Akira has established a volatile presence on the threat landscape, frequently shifting its targets and adapting its tactics for delivering ransomware.

Threat actors deploying Akira are well-known for exploiting vulnerabilities to gain initial access and escalate privileges. The group has evolved over time, releasing different versions of Akira to target both Linux and Windows environments. Most recently, in October 2024, Akira shifted back to double-extortion tactics after focusing only on data exfiltration throughout much of the year.

Key Highlights
‍
Targeted Industries: Akira ransomware has been deployed against a wide range of industries, demonstrating the threat actors’ flexibility in victim selection. While these attacks span multiple sectors, recent months have shown a notable concentration on Manufacturing and Professional Services.

Ransomware Payment Demands: Akira ransomware's initial ransom demands have averaged around $400,000 in recent incidents. However, demands have sometimes reached millions, reflecting the perceived value of the encrypted data and the size of the targeted organization. In many instances, ransom negotiations have successfully reduced initial demands by 60-70%. Earlier versions of Akira’s encryption software contained flaws that allowed certain victims to decrypt files without paying. The group has since released an updated version that remediates this bug, minimizing opportunities for unauthorized decryption.

Notable Leveraged Exploits:
Akira threat actors swiftly incorporate newly disclosed vulnerabilities into their campaigns, adapting quickly to exploit weaknesses in widely used software and network applications. Threat actors have exploited several high-impact vulnerabilities to gain access to victim environments, including the following:‍

• CVE-2023-20269 (Cisco ASA and FTD): A zero-day vulnerability in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, allowing unauthorized VPN access through brute-forced credentials. Akira has exploited this since 2023.
• CVE-2024-40711 (Veeam Backup & Replication): A critical remote code execution vulnerability in Veeam Backup & Replication software, exploited in Akira campaigns during October 2024 to gain access via compromised VPN credentials.
• CVE-2024-40766 (SonicWall SSL-VPN): A critical access control vulnerability in SonicWall SSL-VPN appliances, disclosed in August 2024, that enables unauthorized access. Akira has exploited this vulnerability to infiltrate environments, especially when multifactor authentication (MFA) is not implemented.

Data Exfiltration:
Threat actors leverage widely accessible tools to stage and exfiltrate data efficiently, further pressuring victims through the threat of public exposure. Tools frequently observed in Akira exfiltration operations include:

• Advanced IP Scanner – Used to perform network reconnaissance, enabling Akira to map connected devices and pinpoint valuable assets within compromised networks.
• WinRAR – Employed to compress and stage data for exfiltration, facilitating handling of large data volumes.

• WinSCP – Utilized to transfer staged data, allowing Akira to securely exfiltrate data from compromised networks with minimal detection.

If you would like to know more or need assistance with incident response efforts, please contact us at 833-568-6695 or email our team at incident@moxfive.com.