Akira Ransomware Forensic Analysis
By Kevin Lanier on March 13, 2025
Executive Summary
Akira is a ransomware-as-a-service (RaaS) operation that emerged in March 2023 and has targeted various corporations and critical infrastructure entities. RaaS operations can lead to financial losses, data breaches, infrastructure disruptions, reputational damage, higher cybersecurity costs and the growth of global cybercrime. To protect against RaaS operations, businesses should implement a strong security policy, maintain offsite backups and engage in proactive threat monitoring. Companies also need to ensure that they don’t give in to threats and pressure unnecessarily, while still taking appropriate bargaining actions when needed. It’s important for corporations to take steps to make sure their employees are prepared for ransomware attempts so as to avoid future mistakes.
Background
Akira is a ransomware-as-a-service (RaaS) operation [1]. RaaS is a cybercrime model in which ransomware developers sell or lease their malware to affiliates, enabling even less skilled criminals to launch ransomware attacks for financial gain. In Akira’s case, its deployment was associated with former Conti ransomware actors [5]. Under the RaaS model, affiliates were able to deploy the ransomware in exchange for sharing the profits with Conti’s original developers. Once the ransomware is deployed on a victim’s computer, it encrypts their files or locks them out of the system and demands a ransom payment in exchange for restored access. Ransomware attackers typically gain access through phishing emails, malicious links, or by exploiting unpatched software vulnerabilities.
The ransomware was deployed against a wide range of businesses and critical infrastructure entities in North America, Europe and Australia. It was initially distributed to Windows systems, but a Linux variant was also deployed in April to target VMware ESXi virtual machines [4]. The Akira RaaS group was able to deliver the malware through several methods, such as using compromised credentials to push it onto systems and taking advantage of insecure VPN connections where multi-factor authentication wasn’t used. The group used double extortion tactics, stealing victims’ sensitive data before encrypting devices and files. The attackers gave victims the choice of paying for either file decryption or data deletion, with ransom demands ranging from 200,000 to over 4 million USD.
Impact
The Akira ransomware has been very successful, with over 250 organizations impacted by the malware. The group was able to steal approximately $42 million USD [4]. Most of its victims were small businesses with 1 to 200 employees, and the most targeted sectors were academia and professional services, followed closely by construction and materials. Akira encrypts targeted systems using a hybrid encryption scheme that combines ChaCha20 and RSA, making it especially difficult for end users to recover their encrypted data. It also uses a feature within its binary to inhibit system recovery by deleting shadow copies from the infected system.
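The shadow copy deletion described above is a detection opportunity for defenders. The following Python is an added illustrative example (not part of the original report and not Akira’s code): it runs simple command-line rules over constructed Sysmon-style process-creation events; the hostnames, parent paths and event shape are assumptions.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 fields, shortened); not real Akira telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-0421", "parent": r"C:\Users\jdoe\AppData\Local\Temp\w.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-0421", "parent": r"C:\Users\jdoe\AppData\Local\Temp\w.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "SRV-FS01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'powershell -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"host": "SRV-FS01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign: an admin enumerating snapshots
    {"host": "WS-0099", "parent": r"C:\Program Files\BackupAgent\svc.exe",
     "cmdline": "svc.exe --create-snapshot"},          # benign: backup software
]

# Each rule is (name, pattern over the full command line). Case-insensitive because
# Windows tooling accepts any casing, so matching must not depend on it.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("powershell_remove_shadowcopy",
     re.compile(r"Win32_ShadowCopy.*?Remove-(?:WmiObject|CimInstance)", re.I)),
]


def detect(events):
    """Return one (host, rule, parent, cmdline) tuple per event that matches a rule."""
    alerts = []
    for ev in events:
        for name, pat in RULES:
            if pat.search(ev["cmdline"]):
                alerts.append((ev["host"], name, ev["parent"], ev["cmdline"]))
                break  # one alert per event is enough; avoid double counting
    return alerts


def hosts_hit(alerts):
    """Count alerts per host; several distinct techniques on one host is a stronger signal."""
    counts = {}
    for host, *_ in alerts:
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for host, rule, parent, cmd in detect(SAMPLE_EVENTS):
        print(f"[{host}] {rule} parent={parent} cmd={cmd!r}")
    print(hosts_hit(detect(SAMPLE_EVENTS)))
```

The parent process is carried into each alert because a deletion launched from a user’s Temp directory, as in the first two constructed events, warrants a much faster response than the same command run from an administrator’s shell.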
Mitigation
The Health Sector Cybersecurity Coordination Center recommends a variety of mitigation strategies. One of the most effective mitigation strategies against the Akira malware would be to enable multi-factor authentication, particularly for VPNs [6]. The ransomware was observed targeting vulnerable Cisco VPNs through a zero-day vulnerability on appliances that did not have MFA configured. Those victims may have avoided being compromised had they configured this control. Another strategy they recommend is implementing a strong password policy, since the malware was pushed out to systems using compromised credentials. Adopting CISA-recommended length and complexity standards, along with periodically updating passwords, may have prevented the compromise.
Relevance
This ransomware continues to be a threat. For example, in 2024 Akira was responsible for 315 successful attacks, making it the fourth most active ransomware family that year [2]. In January 2025, the campaign accounted for numerous globally reported ransomware incidents [3]. The group has also extended its malware to perform additional tasks, such as publishing stolen user data on a dark web leak site to add pressure to its demands. The group has demonstrated an ability to quickly exploit newly discovered vulnerabilities. Corporations should take the necessary precautions, because this ransomware likely won’t be going away anytime soon.
References
[1] Chaudhary, A. (2025, January 18). Today’s Business: How to combat the growing threat of ransomware. New Haven Register. https://www.nhregister.com/opinion/article/ransomware-todays-business-arvin-chaudhary-20035891.php
[2] Bleih, A. (2025, January 13). Ransomware Annual Report 2024. CyberInt. https://cyberint.com/blog/research/ransomware-annual-report-2024/
[3] CyberPress. (2025, February 11). Akira Ransomware Tops the Charts. CyberPress. https://cyberpress.org/akira-ransomware-tops-the-charts/
[4] Cybersecurity and Infrastructure Security Agency (CISA). (2024, April 18). #StopRansomware: Akira Ransomware. CISA. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
[5] Trend Micro. (2023, August 9). Ransomware Spotlight: Akira. Trend Micro. https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-akira
[6] U.S. Department of Health and Human Services. (2023, September 12). Akira Ransomware Sector Alert (TLP: CLEAR). HHS.gov. https://www.hhs.gov/sites/default/files/akira-ransomware-sector-alert-tlpclear.pdf