AKIRA

RANSOMWARE

AKIRA is a sophisticated ransomware group that primarily targets organizations relying heavily on network security and virtualization technologies such as Cisco ASA & FTD, Veeam Backup & Replication, Fortinet products, VMware ESXi, SonicWall, and others. Their initial access often leverages publicly exposed vulnerabilities in these systems, particularly those with high CVSS scores like CVE-2021-21972 and CVE-2024-40766, which they exploit through external remote services or web application flaws. AKIRA employs a double extortion strategy, exfiltrating sensitive data before encrypting it to maximize their leverage over victims. This group is distinctive due to its high reliance on critical vulnerabilities and advanced techniques such as credential access and lateral movement within networks.

Technically, AKIRA focuses heavily on exploiting remote code execution (RCE) vulnerabilities in network devices and software applications, often through web-based interfaces that are publicly accessible. The absence of custom malware or tools like CrackMapExec suggests a preference for leveraging native system utilities and open-source frameworks to achieve their goals, indicating a high level of operational security and technical proficiency. Defenders should prioritize patch management, especially for critical vulnerabilities in network infrastructure and backup systems, alongside implementing robust monitoring and detection capabilities for unusual data exfiltration activities.

CISA Intelligence #StopRansomware

#StopRansomware: Akira Ransomware · 2025-11-13

The United States’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Defense Cyber Crime Center (DC3), and Department of Health and Human Services (HHS); Europol’s European Cybercrime Centre (EC3); France’s Office Anti-Cybercriminalite (OFAC) – French Cybercrime Central Office; Germany’s Generalstaatsanwaltschaft Karlsruhe – Cybercrime-Zentrum Baden-Württemberg and Landeskriminalamt Baden-Württemberg; and the Netherlands’s National Cyber Security Centre (NCSC-NL)—hereafter referred to as the “authoring organizations”—are releasing this joint advisory to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third-party reporting as recently as November 2025.

Akira ransomware threat actors are associated with other groups known as Storm-1567, Howling Scorpius, Punk Spider, and Gold Sahara, and may have connections to the defunct Conti ransomware group. Akira threat actors primarily target small- and medium-sized businesses, but have also impacted larger organizations across various sectors. They have a notable preference for educational institutions and organizations in the Critical Manufacturing, Information Technology, Healthcare and Public Health, Financial Services, and Food and Agriculture sectors.

Since March 2023, Akira ransomware threat actors have impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware Elastic Sky X Integrated (ESXi) virtual machines (VMs).

Confirmed CVEs (9)

Exploited by this group as confirmed by threat intelligence sources.

CVE-2021-21972 CRITICAL VMware vCenter Server 9.8 CVE-2023-48788 CRITICAL Fortinet FortiClientEMS 9.8 CVE-2024-40711 CRITICAL Veeam Backup and Recovery 9.8 CVE-2022-40684 CRITICAL Fortinet FortiOS, FortiProxy, FortiSwitchManager 9.8 CVE-2024-40766 CRITICAL SonicWall SonicOS 9.8 CVE-2023-20269 CRITICAL Cisco Adaptive Security Appliance (ASA) Software 9.1 CVE-2020-3259 HIGH Cisco Adaptive Security Appliance (ASA) Software 7.5 CVE-2023-27532 HIGH Veeam Backup & Replication 7.5 CVE-2024-37085 HIGH VMware ESXi 7.2

Predicted CVEs (91) CORRELATION

How does prediction work?

Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.

CVE-2025-20281 CRITICAL Cisco Identity Services Engine Software predicted 10.0 CVE-2024-3400 CRITICAL Palo Alto Networks PAN-OS predicted 10.0 CVE-2022-22947 CRITICAL VMware Spring Cloud Gateway predicted 10.0 CVE-2025-20337 CRITICAL Cisco Identity Services Engine Software predicted 10.0 CVE-2026-20127 CRITICAL Cisco Catalyst SD-WAN Manager predicted 10.0 CVE-2026-20131 CRITICAL Cisco Secure Firewall Management Center (FMC) predicted 10.0 CVE-2023-20198 CRITICAL Cisco IOS XE Software predicted 10.0 CVE-2026-20182 CRITICAL Cisco Catalyst SD-WAN Manager predicted 10.0 CVE-2026-20131 CRITICAL Cisco Secure Firewall Management Center (FMC) predicted 10.0 CVE-2020-2021 CRITICAL Palo Alto Networks PAN-OS predicted 10.0 CVE-2025-20337 CRITICAL Cisco Identity Services Engine Software low 10.0 CVE-2025-20393 CRITICAL Cisco Secure Email predicted 10.0 CVE-2025-20333 CRITICAL Cisco Secure Firewall Adaptive Security Appliance (ASA) Software predicted 9.9 CVE-2020-3992 CRITICAL VMware ESXi predicted 9.8 CVE-2020-3161 CRITICAL Cisco IP phone predicted 9.8 CVE-2022-26501 CRITICAL Veeam Backup & Replication predicted 9.8 CVE-2022-22954 CRITICAL VMware Workspace ONE Access and Identity Manager predicted 9.8 CVE-2022-22965 CRITICAL VMware Spring Framework predicted 9.8 CVE-2022-20700 CRITICAL Cisco Small Business RV Series Router Firmware predicted 9.8 CVE-2022-20699 CRITICAL Cisco Small Business RV Series Router Firmware predicted 9.8 CVE-2023-22527 CRITICAL Atlassian Confluence Data Center low 9.8 CVE-2023-46604 CRITICAL Apache Software Foundation Apache ActiveMQ low 9.8 CVE-2024-0012 CRITICAL Palo Alto Networks Cloud NGFW low 9.8 CVE-2024-36401 CRITICAL geoserver low 9.8 CVE-2024-40711 CRITICAL Veeam Backup and Recovery low 9.8 CVE-2024-4577 CRITICAL PHP Group PHP low 9.8 CVE-2024-50603 CRITICAL Aviatrix Controller low 9.8 CVE-2025-22457 CRITICAL Ivanti Connect Secure low 9.8 CVE-2025-31324 CRITICAL SAP_SE SAP NetWeaver (Visual Composer development server) low 9.8 CVE-2025-3248 CRITICAL langflow-ai langflow low 9.8 CVE-2025-53770 CRITICAL Microsoft SharePoint Enterprise Server 2016 low 9.8 CVE-2023-46604 CRITICAL Apache Software Foundation Apache ActiveMQ predicted 9.8 CVE-2025-22457 CRITICAL Ivanti Connect Secure predicted 9.8 CVE-2020-3992 CRITICAL VMware ESXi predicted 9.8 CVE-2020-12812 CRITICAL Fortinet FortiOS predicted 9.8 CVE-2024-21762 CRITICAL Fortinet FortiProxy predicted 9.8 CVE-2022-42475 CRITICAL Fortinet FortiProxy predicted 9.8 CVE-2022-22954 CRITICAL VMware Workspace ONE Access and Identity Manager predicted 9.8 CVE-2025-31324 CRITICAL SAP_SE SAP NetWeaver (Visual Composer development server) predicted 9.8 CVE-2024-40711 CRITICAL Veeam Backup and Recovery predicted 9.8 CVE-2020-3952 CRITICAL VMware vCenter Server predicted 9.8 CVE-2021-22005 CRITICAL VMware vCenter Server predicted 9.8 CVE-2021-21985 CRITICAL VMware vCenter Server predicted 9.8 CVE-2021-21985 CRITICAL VMware vCenter Server predicted 9.8 CVE-2021-22005 CRITICAL VMware vCenter Server predicted 9.8 CVE-2021-21972 CRITICAL VMware vCenter Server predicted 9.8 CVE-2023-20887 CRITICAL VMware Aria Operations for Networks predicted 9.8 CVE-2024-38813 CRITICAL VMware vCenter Server predicted 9.8 CVE-2024-21762 CRITICAL Fortinet FortiProxy predicted 9.8 CVE-2021-1497 CRITICAL Cisco HyperFlex HX Data Platform predicted 9.8 CVE-2021-1498 CRITICAL Cisco HyperFlex HX Data Platform predicted 9.8 CVE-2025-32756 CRITICAL Fortinet FortiNDR predicted 9.8 CVE-2025-64446 CRITICAL Fortinet FortiWeb predicted 9.8 CVE-2025-25257 CRITICAL Fortinet FortiWeb predicted 9.8 CVE-2025-59718 CRITICAL Fortinet FortiSwitchManager predicted 9.8 CVE-2026-24858 CRITICAL Fortinet FortiOS predicted 9.8 CVE-2024-38812 CRITICAL VMware vCenter Server predicted 9.8 CVE-2024-47575 CRITICAL Fortinet FortiManager predicted 9.8 CVE-2024-23113 CRITICAL Fortinet FortiSwitchManager predicted 9.8 CVE-2024-20439 CRITICAL Cisco Smart License Utility predicted 9.8 CVE-2024-40766 CRITICAL SonicWall SonicOS low 9.8 CVE-2025-53770 CRITICAL Microsoft SharePoint Enterprise Server 2016 predicted 9.8 CVE-2024-0012 CRITICAL Palo Alto Networks Cloud NGFW predicted 9.8 CVE-2022-26501 CRITICAL Veeam Backup & Replication predicted 9.8 CVE-2023-48788 CRITICAL Fortinet FortiClientEMS predicted 9.8 CVE-2024-53704 CRITICAL SonicWall SonicOS predicted 9.8 CVE-2024-40766 CRITICAL SonicWall SonicOS predicted 9.8 CVE-2023-22527 CRITICAL Atlassian Confluence Data Center predicted 9.8 CVE-2023-22515 CRITICAL Atlassian Confluence Data Center predicted 9.8 CVE-2023-22518 CRITICAL Atlassian Confluence Data Center predicted 9.8 CVE-2024-4577 CRITICAL PHP Group PHP predicted 9.8 CVE-2022-40684 CRITICAL Fortinet FortiOS, FortiProxy, FortiSwitchManager predicted 9.8 CVE-2026-21643 CRITICAL Fortinet FortiClientEMS predicted 9.8 CVE-2024-40766 CRITICAL SonicWall SonicOS high 9.8 CVE-2025-3248 CRITICAL langflow-ai langflow predicted 9.8 CVE-2020-4006 CRITICAL VMware Multiple Products predicted 9.1 CVE-2026-35616 CRITICAL Fortinet FortiClientEMS predicted 9.1 CVE-2023-20269 CRITICAL Cisco Adaptive Security Appliance (ASA) Software predicted 9.1 CVE-2025-0282 CRITICAL Ivanti Connect Secure predicted 9.0 CVE-2022-26500 HIGH Veeam Backup & Replication predicted 8.8 CVE-2022-26500 HIGH Veeam Backup & Replication predicted 8.8 CVE-2025-49704 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 8.8 CVE-2025-4428 HIGH Ivanti Endpoint Manager Mobile low 8.8 CVE-2022-20703 HIGH Cisco Small Business RV Series Router Firmware predicted 8.0 CVE-2022-20708 HIGH Cisco Small Business RV Series Router Firmware predicted 8.0 CVE-2021-21975 HIGH VMware vRealize Operations Manager API predicted 7.5 CVE-2023-27532 HIGH Veeam Backup & Replication predicted 7.5 CVE-2025-5777 HIGH NetScaler ADC low 7.5 CVE-2025-4427 HIGH Ivanti Endpoint Manager Mobile low 7.5 CVE-2020-3259 HIGH Cisco Adaptive Security Appliance (ASA) Software high 7.5 CVE-2021-21975 HIGH VMware vRealize Operations Manager API predicted 7.5

ATT&CK Techniques (26)

T1078 Valid Accounts Initial Access T1133 External Remote Services Initial Access T1190 Exploit Public-Facing Application Initial Access T1047 Windows Management Instrumentation Execution T1059 Command and Scripting Interpreter Execution T1059.001 Command and Scripting Interpreter: PowerShell Execution T1059.002 System Services: Service Execution Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell Execution T1136.001 Create Account: Local Account Persistence T1136.002 Create Account: Domain Account Persistence T1078.002 Valid Accounts: Domain Accounts Privilege Escalation TA0004 Privilege Escalation Privilege Escalation T1112 Modify Registry Defense Evasion T1562.001 Impair Defenses: Disable or Modify Tools Defense Evasion T1003.001 OS Credential Dumping: LSASS Memory Credential Access T1018 Remote System Discovery Discovery T1082 System Information Discovery Discovery TA0007 Discovery Discovery T1021.001 Remote Services: Remote Desktop Protocol Lateral Movement T1570 Lateral Tool Transfer Lateral Movement T1560.001 Archive Collected Data: Archive via Utility Collection T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage Exfiltration T1229 Remote Access Software Command and Control T1486 Data Encrypted for Impact Impact T1490 Inhibit System Recovery Impact