Akira Ransomware Group

1. Overview

Akira is a financially motivated ransomware group that first emerged in early 2023. The group rapidly gained attention for its aggressive double extortion model, modern ransomware tooling, and ability to target both Windows and Linux environments. Akira is believed to operate a closed Ransomware-as-a-Service (RaaS) model, wherein trusted affiliates execute attacks while the core team provides infrastructure, encryption payloads, and negotiation services.

Known for targeting medium to large enterprises, Akira has launched successful campaigns against organisations across Europe, North America, and Asia, with the UK legal, engineering, education, and finance sectors frequently appearing among its victims.


2. Origin and Evolution

Akira was first detected in the wild in March 2023. Initially written in C++, the ransomware shared architectural similarities with historic ransomware families such as Conti and Ryuk, although direct attribution has not been confirmed. By mid-2023, a Linux/ESXi variant appeared, designed to target virtualised infrastructure and reflecting a broader trend among advanced ransomware actors.

The group named itself after the iconic Japanese cyberpunk film Akira, although this appears to be purely branding rather than ideological alignment. Their leak site is visually minimal but functionally effective, listing victims, countdowns, and sample data dumps to coerce payment.


3. Tactics, Techniques, and Procedures (TTPs)

Akira follows a structured and methodical approach, combining social engineering, exploitation, and internal reconnaissance to maximise impact:

  • Initial Access:
    Via vulnerable VPN appliances lacking MFA (T1078), spear-phishing emails with malicious attachments or links (T1566.001), and exploitation of known vulnerabilities in public-facing services (T1190).
  • Lateral Movement:
    Use of Cobalt Strike, Mimikatz, BloodHound, and RDP for privilege escalation and lateral movement (T1021, T1055).
  • Data Exfiltration:
    Use of Rclone, WinSCP, and custom scripts to exfiltrate data to attacker-controlled infrastructure (T1041).
  • Encryption:
    Strong hybrid encryption (AES + RSA) applied with a focus on disrupting critical systems. Unique encryption keys are used per victim to prevent universal decryption.
  • Persistence & Evasion:
    Modification of registry keys, deletion of shadow copies (T1490), and evasion of endpoint controls using LOLBins and signed binaries.

4. Targeting Profile

Akira primarily targets mid-sized to large enterprises, typically with annual revenues between £5M and £500M, and focuses on sectors that hold sensitive or regulatory-critical data. Victims have included:

  • Legal firms handling litigation or M&A
  • Engineering and architectural firms
  • Secondary and higher education institutions
  • Financial services organisations
  • Municipal governments and utility providers

The UK has been a recurring target geography, likely due to the maturity of its digital infrastructure and the high value of regulatory penalties under GDPR.


5. Notable Campaigns and Victims

Akira’s leak site has featured dozens of victims from Europe, the UK, and the United States, although many cases have remained unreported in the media. High-profile breaches include:

  • A North American architectural firm with 1.2 TB of data exfiltrated
  • A UK-based legal consultancy handling international arbitration cases
  • A European managed service provider with widespread client compromise

Victims typically face ransom demands in the range of $200,000 to several million USD, scaled according to company size and sensitivity of stolen data.


6. Ransomware and Leak Site Behaviour

Akira maintains an active dark web leak portal, which lists breached organisations alongside timers, sample files, and links to additional data dumps. Their extortion strategy includes:

  1. Exfiltration of sensitive files, including HR data, legal agreements, and email inboxes
  2. Encryption of critical systems and backups
  3. Direct contact via TOR-based negotiation portals
  4. Threats of full public disclosure if the victim refuses to engage or negotiate

The group maintains a conciliatory but firm tone during negotiations and often references regulatory fines or reputational damage to apply pressure.


7. Technical Indicators

Common Akira-related indicators include:

  • .akira file extensions on encrypted files
  • Use of rclone.exe for cloud exfiltration
  • Execution of vssadmin delete shadows /all /quiet to destroy recovery points
  • Registry modification for UAC bypass and persistence
  • Encrypted communication with C2 infrastructure hosted across Russia, Germany, and Singapore

Custom YARA rules, Sigma detections, and IOC feeds are available to clients of UK Cyber Defence Ltd.


8. Defensive Measures and Recommendations

Organisations should adopt the following measures to reduce exposure to Akira ransomware:

  • Enforce MFA on all VPNs, RDP, and cloud access portals
  • Patch known vulnerabilities in Fortinet, SonicWall, Citrix, and VMware appliances
  • Monitor and alert on PowerShell, WMIC, and rclone usage
  • Regularly audit admin privilege use and domain controller configurations
  • Maintain offline, immutable backups, tested quarterly
  • Train staff on identifying targeted phishing attempts
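As an added example (not part of the UK Cyber Defence profile), the following Python triage routine applies the host indicators listed in section 7 and the "monitor and alert on WMIC and rclone usage" recommendation in section 8 to constructed process-creation events. The sample events, rule names and severities are assumptions made for illustration.

```python
import re

# Constructed sample process-creation events, loosely modelled on Sysmon Event ID 1
# fields. They are illustrative only, not telemetry from any real incident.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Users\svc_backup\AppData\Local\Temp\rclone.exe",
     "cmdline": 'rclone.exe copy "D:\\Shares\\Finance" remote:archive --transfers 16'},
    {"host": "WS22", "user": "CORP\\jsmith",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic process list brief"},
    {"host": "WS22", "user": "CORP\\jsmith",
     "image": r"C:\Program Files\Backup\agent.exe",
     "cmdline": "agent.exe --snapshot --quiet"},
]

def _shadow_copy_deletion(ev):
    # vssadmin deleting shadow copies (T1490), with or without /all /quiet.
    cmd = ev["cmdline"].lower()
    return re.search(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", cmd) is not None

def _rclone_execution(ev):
    # Image check catches rclone dropped in an unusual path; cmdline check
    # catches rclone launched through a wrapper or batch file.
    image = ev["image"].lower()
    cmd = ev["cmdline"].lower()
    return image.endswith("\\rclone.exe") or re.match(r'^"?rclone(\.exe)?"?\s', cmd) is not None

def _wmic_usage(ev):
    # WMIC has legitimate uses, so this is low severity: review, not block.
    return ev["image"].lower().endswith("\\wmic.exe")

# (rule name, severity, predicate) - names and severities are hypothetical.
RULES = [
    ("akira_shadow_copy_deletion", "high", _shadow_copy_deletion),
    ("akira_rclone_execution", "high", _rclone_execution),
    ("wmic_usage_review", "low", _wmic_usage),
]

def triage_events(events):
    """Return one alert dict per (event, matched rule), in event order."""
    alerts = []
    for ev in events:
        for name, severity, pred in RULES:
            if pred(ev):
                alerts.append({"host": ev["host"], "rule": name, "severity": severity})
    return alerts

def find_akira_extensions(paths):
    """File names carrying the .akira extension appended to encrypted files."""
    return [p for p in paths if p.lower().endswith(".akira")]
```

Feeding real Sysmon or EDR process events into triage_events in place of SAMPLE_EVENTS gives the two high-severity rules as starting points for the Sigma or SIEM detections the text recommends.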

9. Attribution and Alliances

Akira has not been formally linked to any nation-state activity, and current assessments indicate it is financially motivated. However, overlaps in tooling and infrastructure suggest that former Conti or Ryuk affiliates may be involved in its operation or affiliate programme.

The group maintains tight operational security, rotating infrastructure frequently and avoiding targeting within former Soviet states.


10. Conclusion

Akira is a rapidly growing threat actor whose cross-platform capabilities, data-centric extortion model, and operational discipline place it among the most dangerous ransomware groups currently active. Its focus on medium to high-value targets, particularly in the UK legal, financial, and education sectors, necessitates a proactive and layered cyber defence approach.


Tags:
Ransomware, Akira, Threat Actors, Double Extortion, Cyber Threat Intelligence, MITRE ATT&CK

Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025