AKIRA
AKIRA is a sophisticated ransomware group that primarily targets organizations relying heavily on network security and virtualization technologies such as Cisco ASA & FTD, Veeam Backup & Replication, Fortinet products, VMware ESXi, SonicWall, and others. Their initial access often leverages publicly exposed vulnerabilities in these systems, particularly those with high CVSS scores like CVE-2021-21972 and CVE-2024-40766, which they exploit through external remote services or web application flaws. AKIRA employs a double extortion strategy, exfiltrating sensitive data before encrypting it to maximize their leverage over victims. This group is distinctive due to its high reliance on critical vulnerabilities and advanced techniques such as credential access and lateral movement within networks.
Technically, AKIRA focuses heavily on exploiting remote code execution (RCE) vulnerabilities in network devices and software applications, often through web-based interfaces that are publicly accessible. The absence of custom malware or tools like CrackMapExec suggests a preference for leveraging native system utilities and open-source frameworks to achieve their goals, indicating a high level of operational security and technical proficiency. Defenders should prioritize patch management, especially for critical vulnerabilities in network infrastructure and backup systems, alongside implementing robust monitoring and detection capabilities for unusual data exfiltration activities.
CISA Intelligence #StopRansomware
#StopRansomware: Akira Ransomware · 2025-11-13
The United States’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Defense Cyber Crime Center (DC3), and Department of Health and Human Services (HHS); Europol’s European Cybercrime Centre (EC3); France’s Office Anti-Cybercriminalite (OFAC) – French Cybercrime Central Office; Germany’s Generalstaatsanwaltschaft Karlsruhe – Cybercrime-Zentrum Baden-Württemberg and Landeskriminalamt Baden-Württemberg; and the Netherlands’s National Cyber Security Centre (NCSC-NL)—hereafter referred to as the “authoring organizations”—are releasing this joint advisory to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third-party reporting as recently as November 2025.
Akira ransomware threat actors are associated with other groups known as Storm-1567, Howling Scorpius, Punk Spider, and Gold Sahara, and may have connections to the defunct Conti ransomware group. Akira threat actors primarily target small- and medium-sized businesses, but have also impacted larger organizations across various sectors. They have a notable preference for educational institutions and organizations in the Critical Manufacturing, Information Technology, Healthcare and Public Health, Financial Services, and Food and Agriculture sectors.
Since March 2023, Akira ransomware threat actors have impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware Elastic Sky X Integrated (ESXi) virtual machines (VMs).
Confirmed CVEs (9)
Exploited by this group as confirmed by threat intelligence sources.
Predicted CVEs (91) CORRELATION
How does prediction work?
Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.