Akira

Akira is a financially motivated ransomware group and Ransomware-as-a-Service (RaaS) operation active since March 2023. Known aliases in the provided content include Akira ransomware, Akira ransomware gang/group/actors, GOLD SAHARA, Howling Scorpius, Punk Spider, and Microsoft’s Storm-1567. The group has targeted organizations across multiple sectors, including education, finance, real estate, healthcare, manufacturing, and critical infrastructure, and has been reported as one of the most active ransomware brands through 2025 and into 2026. Akira uses double extortion, stealing data before encrypting systems, and has also shown a shift back toward encryption as a primary pressure mechanism. The group has used Windows and Linux/VMware ESXi encryptors; earlier versions were written in C++, while the Rust-based Megazord variant has also been used since August 2023 alongside Akira and Akira_v2. Reported encryption uses a hybrid ChaCha20 and RSA scheme, with full or partial encryption depending on file type and size. Initial access and intrusion activity described in the content includes abuse of VPNs without MFA, exposed remote services, valid credentials, spear phishing, and exploitation of public-facing vulnerabilities. Akira has been specifically linked to exploitation of SonicWall SSL VPN appliances via CVE-2024-40766 and to exploitation of Cisco ASA/FTD vulnerabilities CVE-2023-20263 and CVE-2020-3259; a joint advisory also cites CVE-2023-20269. The group has been described as regularly exploiting exposed VPNs and remote services using stolen or weak credentials, often sourced from infostealers or phishing. Post-compromise tradecraft in the provided content includes creation of domain accounts for persistence, credential theft via Kerberoasting and LSASS memory access, use of Mimikatz and LaZagne, reconnaissance with SoftPerfect, Advanced IP Scanner, and MASSCAN, use of net commands to identify domain controllers and trust relationships, lateral movement via RDP, and use of legitimate names and locations for files to evade defenses. Akira has also been associated with Cobalt Strike beacons, EDR-killing drivers, and abuse of the Zemana AntiMalware driver via PowerTool to terminate antivirus processes. For exfiltration and command-and-control, the content states Akira has used FileZilla, WinRAR, WinSCP, RClone, AnyDesk, RustDesk, Ngrok, and Cloudflare Tunnel. ATT&CK-style examples in the content also note Akira’s use of Rclone for exfiltration and Advanced IP Scanner and MASSCAN for remote host discovery. The group has been the subject of a joint advisory by the FBI, CISA, DC3, HHS, Europol, and NCSC-NL. That advisory states Akira compromised more than 250 organizations worldwide and received more than $42 million in ransom payments since early 2023. Other reporting in the content describes Akira as having compromised more than 300 organizations and remaining among the most active ransomware operators in 2025–2026, including high victim-post volumes on leak sites. Victim examples directly mentioned in the content include claims against Nissan Australia and Stanford University. The content also notes Akira activity against SonicWall devices and continued focus on SME targets through VPN abuse. Microsoft-linked reporting further states that malware-signing service Fox Tempest supported operations involving Akira, indicating Akira’s participation in the broader cybercriminal service ecosystem. One report in the content states that Akira may be a spinoff that emerged after Conti’s collapse.