Educational
Sep 2, 2025

Akira Ransomware: Technical Details, TTPs and Attack Process

Background and overview – Akira operates as a Ransomware as a Service (RaaS) platform and carries strong links to the leaked Conti source code. Affiliates conduct “DOUBLE EXTORTION”: they exfiltrate data before encrypting systems, then threaten to leak it if a ransom is not paid. The group has published hundreds of victims since its emergence in early 2023 and continues to target organizations in North America, the U.K. and Australia.

Technical breakdown of the Akira kill chain

1. Initial access

Akira affiliates use multiple entry points:

  • Exploiting VPN devices and public-facing services. Akira actors gain access through virtual-private-network services that lack multi-factor authentication, often abusing known Cisco VPN vulnerabilities (CVE-2020-3259 and CVE-2023-20269). They also exploit other externally facing services such as RDP and conduct spear-phishing.

2. Post-exploitation and lateral movement

Once inside, Akira operators conduct reconnaissance and move laterally:

  • Persistence via new domain accounts. Investigations show Akira operators create new domain accounts (e.g., itadm) to maintain persistence.
  • Discovery and credential harvesting. The actors enumerate Active Directory using tools and commands such as Get-ADUser, Get-ADComputer, AdFind, SoftPerfect Network Scanner, PCHunter, Advanced IP Scanner, SharpHound, MASScan and reconftw. They extract credentials by dumping LSASS memory and using Mimikatz and LaZagne.
  • Lateral movement. Valid accounts and RDP are used to spread across the network. Tools like PsExec facilitate remote command execution, while the actors abuse scheduled tasks and newly created accounts for persistence.

3. Command-and-control and defense evasion

Akira affiliates rely on commodity tools for command‑and‑control and stealth:

  • Remote access software. Tools used to maintain footholds and move data include AnyDesk, MobaXterm, Ngrok, Cloudflare Tunnel, Radmin, NetCat and RustDesk. SystemBC is another tool observed for C2.
  • Disabling security products. Akira actors have been seen using tools like PowerTool to exploit a vulnerable driver (BYOVD) and terminate anti-virus processes. They modify registry values (e.g., DisableRestrictedAdmin and user-list keys) to hide new accounts and reduce logging.

4. Data exfiltration and impact

Before running the encryptor, the attackers exfiltrate sensitive data:

  • Collection and archiving. Akira operators gather files, archive them using WinRAR, 7-Zip or built-in scripts, and transfer the archives off-site. Tools such as FileZilla, WinSCP and Rclone are used to move data via FTP/SFTP or cloud-storage services.
  • Double extortion. After exfiltration, the group encrypts the victim’s environment and posts proof of the breach on their leak site. They do not provide a ransom demand in the initial note; instead, victims receive a unique code and must log in to the actors’ chat portal on Tor to negotiate.

5. Encryption process

The encryptor uses a hybrid scheme and offers granular control:

  • Hybrid encryption. Akira's Windows encryptor combines the ChaCha20 stream cipher with an RSA public-key system, enabling fast bulk encryption and secure key exchange. Encrypted files receive the .akira or .powerranges extension, and a ransom note (fn.txt) is left in each directory.
  • Command‑line arguments. Sample analysis reveals that Akira’s binary accepts parameters such as --encryption_path (-p), --share_file (-s), --encryption_percent (-n), -localonly, --exclude (-e) and -l for logging. These options allow affiliates to define which directories or network shares are encrypted, the percentage of each file to encrypt and whether to skip network drives.
  • Preparation steps. Prior to encryption, the malware enumerates running processes using the Windows Restart Manager API so that open files can be closed cleanly. It deletes Volume Shadow Copies by running powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject" and may remove Veeam backups and other recovery mechanisms.
  • ESXi variant. Akira has developed an ESXi encryptor (Akira_v2) for VMware hosts, in addition to the Windows-specific "Megazord" variant.
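The behaviours in sections 2, 3 and 5 (creation of accounts such as itadm, registry edits to DisableRestrictedAdmin and the user-list key, the shadow-copy deletion command and the encryptor's documented switches) are all visible in host telemetry. The following triage script is an added illustration, not code from the write-up or its sources; it runs over constructed records shaped like Sysmon (EID 1, EID 13) and Windows Security (EID 4720) events, and the registry paths and the APPROVED_CREATORS allow-list are assumptions.

```python
import re

# Constructed sample telemetry shaped like Sysmon (EID 1 process create, EID 13
# registry value set) and Windows Security (EID 4720 user created) records.
# Not real incident data; the itadm name and shadow-copy command come from the write-up.
SAMPLE_EVENTS = [
    {"id": 4720, "host": "DC01", "subject": "CORP\\jdoe", "target": "itadm"},
    {"id": 4720, "host": "DC01", "subject": "CORP\\svc-provisioning", "target": "mlee"},
    {"id": 13, "host": "WS07", "target_object":
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\itadm"},
    {"id": 13, "host": "WS07", "target_object":
     r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin"},
    {"id": 1, "host": "FS02", "command_line":
     'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"id": 1, "host": "FS02", "command_line": r"w.exe -p \\fs02\share -n 20 -localonly"},
    {"id": 1, "host": "WS07", "command_line": "svchost.exe -k netsvcs -p"},
]

# Principals allowed to create users (constructed allow-list, e.g. an HR provisioning service).
APPROVED_CREATORS = {"CORP\\svc-provisioning"}
# Registry locations (assumed standard paths) used to hide accounts and weaken Restricted Admin.
SUSPICIOUS_REG = (r"\winlogon\specialaccounts\userlist", r"\control\lsa\disablerestrictedadmin")
SHADOW_COPY_RE = re.compile(r"win32_shadowcopy.*remove-wmiobject", re.IGNORECASE)
# Encryptor switches documented in the write-up; a lone short switch is too common to alert on.
AKIRA_LONG = {"--encryption_path", "--share_file", "--encryption_percent", "--exclude", "-localonly"}
AKIRA_SHORT = {"-p", "-s", "-n", "-e", "-l"}


def triage(events):
    """Return (host, rule, detail) findings for the Akira behaviours described above."""
    findings = []
    for ev in events:
        host, eid = ev["host"], ev["id"]
        if eid == 4720 and ev["subject"] not in APPROVED_CREATORS:
            findings.append((host, "unauthorized-account-creation", ev["target"]))
        elif eid == 13 and any(k in ev["target_object"].lower() for k in SUSPICIOUS_REG):
            findings.append((host, "account-hiding-or-lsa-tamper", ev["target_object"]))
        elif eid == 1:
            cmd = ev["command_line"]
            tokens = set(cmd.split())
            if SHADOW_COPY_RE.search(cmd):
                findings.append((host, "shadow-copy-deletion", cmd))
            elif tokens & AKIRA_LONG or len(tokens & AKIRA_SHORT) >= 2:
                findings.append((host, "akira-encryptor-switches", cmd))
    return findings


if __name__ == "__main__":
    for host, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{host:5} {rule:30} {detail}")
```

The shadow-copy rule fires before the encryptor runs, which is the last point at which isolating the host still prevents the impact stage.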

6. Ransom demand and negotiation

Akira follows a professionalized negotiation model:

  • Victims are instructed to contact the attackers via a Tor-based chat portal using a code in the ransom note. The actors typically demand payment in Bitcoin and threaten to publish data if negotiations fail. In some cases, they phone victims to increase pressure.

Defensive considerations

To defend against Akira, organizations need to remediate known exploited vulnerabilities, enable multi-factor authentication on all remote services, patch software promptly and conduct regular vulnerability assessments. Additional mitigations include monitoring for unauthorized user creation, disabling unused VPN services, segmenting networks and educating employees on spear-phishing and credential-theft tactics.

* Sources: CISA, Qualys, AiiR internal teams
