The Akira Ransomware Playbook: Everything You Need to Know

Ransoms don’t just happen in the movies. Akira is a hacking group that locks up vital files and demands an eye-watering ransom payment for their release. And, in 2025, it will be more prolific than ever.
The good news is that the more we know about Akira ransomware, the better prepared we can be. So, without further ado, let’s unpack who the Akira hacking group is, how they operate—and what we can all do about it.
1. What is Akira?
Akira is a ransomware-as-a-service (RaaS) gang that emerged in March 2023.
Affiliates use Akira’s malware to steal and encrypt sensitive data, typically after gaining access through phishing, and only return it after receiving a ransom payment, with sums ranging from $200,000 to millions.
Akira is one of the top RaaS gangs, ranking alongside players such as LockBit and RansomHub.
A recent blockchain analysis suggests that Akira originated from the Russian-backed Conti ransomware group, which dissolved in 2022. Akira stands out for its retro style (see screenshot below) and potential allusion to a 1988 anime movie.

Akira’s Tor-based site is styled on 1980s “green screen” consoles, and it’s controlled by typing commands. The site has 5 command options:
- leaks: the data of hacked companies who haven’t paid the ransom
- news: the names of new victims, or “upcoming data”
- contact: details on how to get in touch with the group
- help: support information
- clear: the option to clear the screen
According to Security Week, Akira attacks tend to focus on the business sector, but it’s also been active in construction, critical infrastructure, education, manufacturing, retail, and technology.
In April 2024, CISA, the FBI, the European Cybercrime Centre and the Netherlands’ National Cybersecurity Centre released a guide entitled #StopRansomware: Akira Ransomware, including indicators of compromise (IOCs) to show when a system has been breached.

2. Akira ransomware in numbers
The Akira hacker group has been making waves since its debut in 2023, and it’s showing no signs of stopping this year.
Here are 6 insights into the Akira cyber attack world.
- France is a major target: A study last year found that France accounted for 53.1% of detected Akira attacks. North America is also a popular target.
- Akira leaks claim 6-30+ victims per month: As it becomes more established, Akira is increasing its operations, reaching an all-time high with 73 victims in November 2024 alone.
- It’s a big player in the ransomware market: Some sources suggest that Akira was responsible for 21% of ransomware attacks in Q1 2024.
- Akira malware only takes around 2 hours to steal data: It’s been found that the Akira gang can run “lightning-fast data exfiltration” from Veeam servers.
- It’s already claimed tens of millions: Akira generated $42 million in ransomware payments between March 2023 and April 2024 alone—and the number is likely to be much higher now.
- It’s the biggest ransomware threat in the US: In Q3 2024, Akira was the most-detected ransomware variant in the US by market share.

3. The Akira ransomware timeline
Here’s a rundown of the Akira group’s activity.
- 2017: Another ransomware variant with the same name was active, using the same encrypted file extensions. However, the groups are believed to be completely different.
- March 2023: The current Akira ransomware group emerged, and was believed to have affiliations with the dissolved Conti gang.
- June 2023: After focusing on Windows for a few months, Akira deployed a variant to target Linux servers, too. Meanwhile, a cybersecurity firm offered a free decryptor to help people recover their files, without paying any ransom.
- August 2023: Cisco discovered that Akira threat actors had been targeting VPNs that were not configured with multi-factor authentication (MFA).
- September 2023: US health services released a security bulletin advising on how to combat the growing danger of Akira leaks.
- April 2024: CISA and other governing bodies release an advisory to combat Akira.
- November 2024: Akira attacks hit 73 victims in a single month.

Encrypted files with the .akira extension added to the file name.
4. How an Akira ransomware attack works
Here are the technical stages of an Akira ransomware attack, according to CISA.
- Initial access: Akira exploits vulnerabilities in VPNs without multifactor authentication (e.g., Cisco CVE-2020-3259 and CVE-2023-20269). Other methods include spear phishing emails, abusing Remote Desktop Protocol (RDP), or using stolen credentials. Akira also uses tools like AnyDesk to gain remote access.
- Persistence and discovery: Akira maintains access and enables privilege escalation with fake domain accounts or administrative accounts called itadm. It also steals credentials from the Local Security Authority Subsystem Service (LSASS), or with tools like Mimikatz and LaZagne, and identifies network devices with tools like Advanced IP Scanner.
- Defense evasion: To avoid detection, Akira deploys multiple ransomware variants, such as “Megazord” and “Akira_v2.” It also disables security processes with tools such as PowerTool, to allow lateral movement.
- Exfiltration and impact: Akira uses tools like FileZilla, RClone, WinSCP, or WinRAR to move stolen data to external servers or cloud storage.
- Data encryption: Akira uses a hybrid encryption scheme to lock data, with its latest version specifically targeting virtual machines. It also deletes volume shadow copies to block system recovery efforts, with its encryptor (w.exe) using PowerShell commands.
You can view the full list of MITRE ATT&CK tactics on CISA’s security bulletin.
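The stages above name several concrete artifacts a defender can look for: an account called itadm, shadow copy deletion, the w.exe encryptor, the .akira extension and the ransom note. The script below is an added example (not code from the page or from CISA) that turns those into simple detection rules and runs them over constructed log lines. The log format, the exact command strings (including the PowerShell shadow-copy deletion form) and the sample events are assumptions for illustration; real Sysmon or EDR telemetry will look different and the patterns would need adjusting to it.

```python
"""Detection rules for the Akira behaviours listed in the stages above.

Added example, not code from the page or from CISA: it turns several
described behaviours (creation of an "itadm" account, volume shadow copy
deletion, the w.exe encryptor, the .akira extension and the fn.txt note)
into regex rules and runs them over constructed log lines. The log format
and exact command strings are assumptions made for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# (rule name, pattern). All patterns are case-insensitive.
RULES = [
    # Fake admin account named itadm (page: fake domain/admin accounts called itadm)
    ("suspicious_account_itadm",
     re.compile(r"\bnet\s+(user|localgroup)\b.*\bitadm\b|\bNew-ADUser\b.*\bitadm\b", re.I)),
    # Shadow copy deletion; the PowerShell form is an assumed example of
    # the "PowerShell commands" the page mentions
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete"
                r"|Win32_Shadowcopy.*Remove-WmiObject", re.I)),
    # Encryptor binary name given on the page
    ("encryptor_w_exe",
     re.compile(r"""(^|[\\/\s"'])w\.exe\b""", re.I)),
    # Encrypted-file extension and ransom note name given on the page
    ("akira_file_artifacts",
     re.compile(r"\.akira\b|\bfn\.txt\b", re.I)),
]


def scan(lines):
    """Return a Finding for every (rule, line) pair that matches."""
    findings = []
    for line in lines:
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line))
    return findings


def summarize(findings):
    """Count matches per rule so an analyst sees which stages fired."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample log lines (not real telemetry)
SAMPLE_LOGS = [
    '2024-11-02T03:14:07Z host=FS01 user=SYSTEM cmd="net user itadm P@ssw0rd! /add"',
    '2024-11-02T03:14:09Z host=FS01 user=SYSTEM cmd="net localgroup administrators itadm /add"',
    '2024-11-02T03:20:55Z host=FS01 user=itadm cmd="powershell.exe -Command \\"Get-WmiObject Win32_Shadowcopy | Remove-WmiObject\\""',
    '2024-11-02T03:21:02Z host=FS01 user=itadm cmd="C:\\Temp\\w.exe -p C:\\Shares"',
    '2024-11-02T03:25:40Z host=FS01 event=file_create path="C:\\Shares\\finance\\q3.xlsx.akira"',
    '2024-11-02T03:25:41Z host=FS01 event=file_create path="C:\\Shares\\finance\\fn.txt"',
    '2024-11-02T08:00:00Z host=FS01 user=backup cmd="robocopy D:\\data E:\\backup /MIR"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(f"[{finding.rule}] {finding.line}")
    print(summarize(scan(SAMPLE_LOGS)))
```

Rules that fire in sequence on one host (account creation, then shadow copy deletion, then .akira files) are a far stronger signal than any single match, so in practice the per-rule counts from summarize would be correlated per host and time window rather than alerted on individually.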

The traits of an Akira attack
Here are some of the tactics, techniques, and procedures (TTPs) of an Akira attack in recent months.
- Utilising a double extortion model: Akira not only encrypts data but also steals it, magnifying its impact.
- Masking the ransom payment: Akira does not share the ransom demand or payment details until the victim contacts them. The initial ransom note is named fn.txt.
- Requiring Bitcoin payments: The threat actors demand that victims pay in Bitcoin to their cryptocurrency wallet addresses.
- Applying pressure: If the payment isn’t received, Akira threatens to publish stolen data on their leak site. Threat actors have also been known to call their victims.
- Lowering ransoms: Akira has been known to lower ransom demands for companies that do not need a decryptor, or that simply want to avoid their data being posted on the leak site.
- Deleting backups: Finland’s National Cybersecurity Center (NCSC-FI) has warned that Akira is wiping backups to hinder system recovery efforts.
5. Case studies: Akira ransomware victims
Akira ransomware can pose a threat to any organization across the world. Let’s look at some real-life stories of Akira in action, when digital vigilance failed.
When Stanford University was targeted…
In October 2023, the Akira ransomware gang claimed that it had stolen 430 GB of data from Stanford University. A spokesperson for the university stated that it was investigating the claims.
The cybersecurity incident took place in the Department of Public Safety, but university staff did not believe the breach had affected any other part of the organization.
When 35+ victims were leaked in one day…
In November 2024, Akira published the details of 35+ victims on its leak site in a single day.
Cybercrime experts described this as an aggressive move, possibly due to new affiliates joining the network at the same time, or threat actors choosing to hold back previous leaks.
Others simply suggested, “It could depend on how they [the Akira administrators] woke up this morning.”
When a cloud provider went down…
In January 2024, cloud hosting provider Tietoevry suffered an Akira ransomware attack at one of its data centers in Sweden.
It affected several major Swedish providers, including Primula, a payroll and HR company, a cinema chain called Filmstaden, and a chain of grocery stores that had to remain closed for a day.
When Nissan ground to a halt…
In Australia, a branch of Nissan suffered a ransomware attack from Akira in January 2023.
The Akira ransomware group claimed that it had extracted project information, non-disclosure agreements, and client and partner data.
6. Defending against the Akira ransomware group
The Akira virus is spreading, but there are plenty of remedies to hold it at bay. Here’s how to safeguard your cybersecurity posture.
Following the 3-2-1 rule
In the US healthcare security advisory against Akira, it’s recommended that organizations have:
- 3x copies of important files
- 2x media types to store these files
- 1x offline/offsite copy of these files
These backups can block Akira from deleting all important data, facilitate data protection, and aid in system recovery and mitigation.
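Whether an inventory actually meets the rule, and whether it would survive an attacker who wipes every backup reachable from the network (the behaviour described elsewhere on this page), can be checked mechanically. The following is an added example, not code from the page or from the healthcare advisory: it models each backup copy as a record and applies both checks to two constructed inventories. Field names and the sample inventories are assumptions.

```python
"""3-2-1 backup inventory check, plus a ransomware-survival check.

Added example, not from the page or the healthcare advisory it cites: it
models each backup copy as a record and verifies the three conditions
(3 copies, 2 media types, 1 offline/offsite copy). The second check asks
which copies survive if an attacker with network access wipes every
online copy. Field names and the sample inventories are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str      # e.g. "disk", "tape", "object-storage"
    offline: bool   # not reachable from the production network
    offsite: bool   # stored at another site or region


def check_321(copies):
    """Return {'compliant': bool, 'gaps': [...]} for the 3-2-1 rule."""
    media_types = {c.media for c in copies}
    gaps = []
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies (need 3)")
    if len(media_types) < 2:
        gaps.append(f"only {len(media_types)} media type(s) (need 2)")
    if not any(c.offline or c.offsite for c in copies):
        gaps.append("no offline or offsite copy (need 1)")
    return {"compliant": not gaps, "gaps": gaps}


def survivors_after_network_wipe(copies):
    """Copies left if every network-reachable copy is deleted or encrypted.

    Offsite alone does not help here: a cloud replica reachable with the
    same credentials as production is still an online copy.
    """
    return [c for c in copies if c.offline]


# Constructed inventories
GOOD_INVENTORY = [
    BackupCopy("local-snapshots", "disk", offline=False, offsite=False),
    BackupCopy("cloud-replica", "object-storage", offline=False, offsite=True),
    BackupCopy("tape-vault", "tape", offline=True, offsite=True),
]

WEAK_INVENTORY = [
    BackupCopy("nas-copy-a", "disk", offline=False, offsite=False),
    BackupCopy("nas-copy-b", "disk", offline=False, offsite=False),
    BackupCopy("cloud-replica", "object-storage", offline=False, offsite=True),
]

if __name__ == "__main__":
    for label, inventory in (("good", GOOD_INVENTORY), ("weak", WEAK_INVENTORY)):
        print(label, check_321(inventory),
              [c.name for c in survivors_after_network_wipe(inventory)])
```

The weak inventory passes the literal 3-2-1 test yet leaves nothing behind once online copies are wiped, which is why the "1" is best read as a genuinely offline or immutable copy when the threat is a group that deletes backups before encrypting.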
Not paying up
Singapore authorities, as well as the FBI, CISA, and other organizations have advised that victims should not pay the ransom if they suffer an Akira attack. Instead, the attack should be reported to law enforcement immediately.
A spokesperson said, “Paying the ransom does not guarantee that the data will be decrypted or that threat actors will not publish your data.
“Furthermore, threat actors may see your organisation as a soft target and strike again in the future. This may also encourage them to continue their criminal activities and target more victims.”
Fixing vulnerabilities
Invest in an external attack surface management (EASM) tool, such as CybelAngel, to identify any weaknesses in your digital footprint. This allows you to quickly fix any problems before Akira threat actors can take advantage of them.
You can also use its threat intelligence features to monitor conversations on the dark web and stay one step ahead of cybercriminals.
CISA also recommends using endpoint detection and response (EDR) tools to spot any unusual activity on your network.
Enabling multi-factor authentication (MFA)
MFA adds an extra layer of security by requiring a second form of verification, such as a code from an authenticator app, a fingerprint scan, or a hardware token, in addition to your password.
By implementing MFA, even if someone steals your password, they won’t be able to access your account without the additional verification step.
Implementing time-based accounts
When giving access privileges to your employees and providers, you can follow working models such as:
- Just-in-Time (JIT): Only give access to systems when needed, supporting the principle of ‘least privilege’.
- Zero Trust model: Automatically disable admin accounts at the Active Directory level once they are no longer required.
This minimizes the risk of employees’ accounts being exploited by threat actors.
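The two models above amount to the same mechanism: privileged access is granted for a bounded period, tied to a reason, and revoked automatically when the period ends. The following is an added example, not code from the page, that models such a registry of time-bound admin grants with a maximum duration, a required ticket reference, and a sweep that disables expired grants. The registry, its field names and the sample timeline are assumptions; the current time is passed in explicitly so the logic is deterministic.

```python
"""Just-in-time privileged access with automatic expiry.

Added example, not from the page: it models time-bound admin grants with
a maximum duration and a required ticket reference, and a sweep that
disables grants once they expire. The registry, its field names and the
sample timeline are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    account: str
    role: str
    ticket: str            # change or incident reference justifying access
    granted_at: datetime
    expires_at: datetime
    active: bool = True


class JitAccessRegistry:
    def __init__(self, max_duration=timedelta(hours=4)):
        self.max_duration = max_duration
        self.grants = []

    def request(self, account, role, ticket, now, duration):
        """Issue a grant; refuse open-ended or unjustified requests."""
        if not ticket:
            raise ValueError("a ticket reference is required")
        if duration <= timedelta(0) or duration > self.max_duration:
            raise ValueError(f"duration must be within {self.max_duration}")
        grant = Grant(account, role, ticket, now, now + duration)
        self.grants.append(grant)
        return grant

    def is_authorized(self, account, role, now):
        """True only while an active, unexpired grant covers the request."""
        return any(
            g.active and g.account == account and g.role == role
            and g.granted_at <= now < g.expires_at
            for g in self.grants
        )

    def sweep(self, now):
        """Disable every grant past its expiry; return the accounts disabled.

        In a real deployment this is where the directory's disable call
        would go (e.g. Disable-ADAccount for Active Directory).
        """
        disabled = []
        for g in self.grants:
            if g.active and now >= g.expires_at:
                g.active = False
                disabled.append(g.account)
        return disabled


def demo():
    """Walk a constructed timeline; returns the authorization results."""
    reg = JitAccessRegistry()
    t0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
    reg.request("alice-adm", "DomainAdmin", "CHG-1042", t0, timedelta(hours=2))
    try:
        reg.request("bob-adm", "DomainAdmin", "CHG-1043", t0, timedelta(days=1))
        too_long_rejected = False
    except ValueError:
        too_long_rejected = True
    return {
        "during": reg.is_authorized("alice-adm", "DomainAdmin", t0 + timedelta(hours=1)),
        "wrong_role": reg.is_authorized("alice-adm", "EnterpriseAdmin", t0 + timedelta(hours=1)),
        "after": reg.is_authorized("alice-adm", "DomainAdmin", t0 + timedelta(hours=3)),
        "disabled": reg.sweep(t0 + timedelta(hours=3)),
        "too_long_rejected": too_long_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping both an authorization check and a sweep is that access denial does not depend on the sweep having run: is_authorized already refuses an expired grant, and the sweep only tidies up the directory so that a stolen credential for a dormant admin account finds the account disabled.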
Disabling permissions (where possible)
CISA suggests disabling command-line and scripting activities and permissions. This blocks threat actors from using company software and tools to take over an organization.
It also recommends disabling hyperlinks in all received emails, so that no one inadvertently clicks on a malicious link.
Setting up an incident response plan
Have a plan in place for if your organization is breached by Akira. Identify key team members and roles, and create a step-by-step process for detecting, containing, and mitigating incidents.
Regularly test and update the plan to address new threats, ensuring your team is prepared to minimize damage and recover swiftly.
Over to you
The Akira ransomware group remains a threat in 2025, but with the right strategies (such as MFA) and tools (such as CybelAngel) in place, you can protect your organization and stop them in their tracks.
Remember to regularly update your software and invest in cybersecurity, and organizations like Akira will find it much harder to survive in the future.