U.S. and European cyber authorities have released an updated joint advisory detailing the latest tactics, techniques, and procedures (TTPs) used by the Akira ransomware group, which has rapidly become one of the most consequential ransomware threats to critical infrastructure and businesses worldwide. The advisory, issued jointly by CISA, the FBI, the DoD Cyber Crime Center (DC3), HHS, Europol, and law enforcement agencies from France, Germany, and the Netherlands, describes Akira's evolution, its double-extortion model, and its targeting of sectors including manufacturing, education, IT, healthcare, financial services, and agriculture. Akira actors gain initial access by exploiting vulnerabilities in edge devices, backup servers, VPN appliances, and virtualization platforms, including SonicWall (CVE-2024-40766), Cisco, Windows, VMware ESXi, and Veeam products, and also through credential theft, brute-force attacks, and access purchased from initial access brokers. Once inside, they deploy remote management tools such as AnyDesk and LogMeIn to maintain access while blending in with legitimate administration, uninstall endpoint detection and response (EDR) agents, and use malware such as POORTRY to escalate privileges.
As of late September 2025, Akira had extorted more than $244 million in ransom payments, primarily from small and medium-sized businesses. The group is tracked by security vendors under names including Storm-1567, Howling Scorpius, Punk Spider, and Gold Sahara, and may have links to the disbanded Conti group. The FBI ranks Akira among the top five ransomware variants it investigates, citing its significant financial and operational impact on victims. The advisory provides updated indicators of compromise (IOCs), detection methods, and a list of newly exploited vulnerabilities to help organizations defend against Akira's ongoing campaigns.
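As an added example, not part of the advisory or of this page, the following Python script applies two of the behaviours summarized above to a batch of Windows process-creation events: execution of remote management tools such as AnyDesk and LogMeIn, and commands that uninstall or stop an endpoint security agent. The event fields, file paths, the EDR product name "ExampleEDR" and every sample event are constructed for illustration, and the regular expressions are a heuristic written here, not the advisory's own detection signatures.

```python
"""Triage Windows process-creation events for two Akira-style behaviours:
remote-management tool execution and EDR uninstall/stop attempts.

Assumptions (not from the advisory): events are dicts with the fields
event_id, image, command_line and user; EDR product names are supplied by
the operator; all sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Substrings matched against the lowercased executable basename.
RMM_TOKENS = ("anydesk", "logmein")

# Directories a non-admin user can normally write to (constructed heuristic);
# an RMM binary running from one of these is rated higher than one installed
# under Program Files.
WRITABLE_RE = re.compile(r"\\(users|temp|appdata|downloads|programdata)\\", re.I)

# Common ways to remove or stop an agent: MSI uninstall, WMIC uninstall,
# service stop/delete, or killing the process outright.
UNINSTALL_RE = re.compile(
    r"msiexec(\.exe)?\s+.*(/x|/uninstall)"
    r"|wmic\s+product.*call\s+uninstall"
    r"|\b(sc|net)(\.exe)?\s+(stop|delete)\b"
    r"|\btaskkill\b",
    re.I,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    event_id: int
    detail: str


def triage_events(events, edr_tokens):
    """Return a Finding for every event matching one of the two rules."""
    tokens = [t.lower() for t in edr_tokens]
    findings = []
    for ev in events:
        image = ev["image"].lower()
        basename = image.rsplit("\\", 1)[-1]
        cmd = ev.get("command_line", "").lower()

        # Rule 1: remote-management tool launched at all.
        if any(tok in basename for tok in RMM_TOKENS):
            severity = "high" if WRITABLE_RE.search(image) else "medium"
            findings.append(Finding("rmm_tool_execution", severity,
                                    ev["event_id"],
                                    f"{image} run by {ev.get('user', '?')}"))

        # Rule 2: uninstall/stop command that names the EDR product.
        if UNINSTALL_RE.search(cmd) and any(tok in cmd for tok in tokens):
            findings.append(Finding("edr_uninstall_attempt", "critical",
                                    ev["event_id"], cmd))
    return findings


# Constructed sample events: one benign, two RMM launches, two EDR attacks.
SAMPLE_EVENTS = [
    {"event_id": 1, "user": "SYSTEM",
     "image": r"c:\windows\system32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"event_id": 2, "user": "CORP\\jdoe",
     "image": r"c:\users\jdoe\appdata\local\temp\anydesk.exe",
     "command_line": "anydesk.exe --silent"},
    {"event_id": 3, "user": "CORP\\admin01",
     "image": r"c:\windows\system32\msiexec.exe",
     "command_line": r'msiexec.exe /x "c:\programdata\ExampleEDR\sensor.msi" /qn'},
    {"event_id": 4, "user": "CORP\\admin01",
     "image": r"c:\windows\system32\sc.exe",
     "command_line": "sc.exe stop ExampleEDRSvc"},
    {"event_id": 5, "user": "CORP\\helpdesk",
     "image": r"c:\program files (x86)\logmein\logmein.exe",
     "command_line": "logmein.exe"},
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS, ["ExampleEDR"]):
        print(f"[{f.severity:8}] {f.rule:22} event={f.event_id} {f.detail}")
```

Run it as-is to see the four findings from the constructed batch; in practice the events would come from Sysmon or Security-log process-creation records and the EDR token list from your own deployment, and the "medium" RMM hits should be reconciled against an allow-list of sanctioned remote-support installs before paging anyone.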

Timeline, from the most recent confirmed update back to the earliest known activity:
On November 13, 2025, CISA, FBI, DC3, HHS, and international partners issued an updated advisory on Akira ransomware. The update added new indicators of compromise, detection guidance, and details on evolving tactics including edge-device exploitation, remote management tool abuse, and new malware variants.
By late September 2025, U.S. and European authorities assessed that Akira had collected roughly $244 million to $245 million in ransom payments, with more than 1,000 publicly known victims.
The updated advisory states Akira expanded in June 2025 to encrypt Nutanix AHV virtual machine disk files, adding Nutanix environments to its previously known VMware ESXi and Hyper-V targets.
In a weekly review published on 2024-02-01, Finland's Cyber Security Centre said 12 domestic organizations had reported Akira ransomware infections during the previous year, with most reports arriving late in 2023. The cases showed Akira exploiting Cisco vulnerability CVE-2023-20269 and weakly protected Cisco VPN solutions, alongside backup destruction attempts, data theft, and double extortion.
Government and industry reporting says Akira has been active since March 2023, operating as a ransomware-as-a-service group that has targeted small and medium-sized businesses and other sectors.
Authorities said Akira has attacked organizations since 2023, including victims in manufacturing, education, IT, healthcare, and critical infrastructure, and that the activity grew from isolated incidents into a broad, ongoing campaign.