Akira
Akira is a ransomware variant and ransomware deployment entity active since at least March 2023. Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement. Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMWare ESXi hypervisors and multiple overlaps with Conti ransomware.
Attribution signal
?Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score.≥ 10 High≥ 3 Moderate< 3 LowAttribution signals
5 mentions · 4 sources"ransomware operators, including prolific groups using REDBIKE (Akira) and AGENDA (Qilin), actively targeted backup infrastructure"
"ransomware activity was led by Akira, Qilin, and Safepay"
"Last year, the Akira ransomware gang targeted SonicWall SSL VPN devices and logged in despite MFA being enabled on accounts, but the method was not confirmed"
"Brazil named as top-tier concentration market; Moinho Globo Alimentos breached"
Hedge terms observed