The Akira ransomware group has streamlined attacks to move from initial access to data encryption in under four hours, and in some cases in as little as one hour, according to Halcyon. Since emerging in 2023, the group has compromised hundreds of organizations and is estimated to have collected at least $245 million in ransom payments through September 2025. Researchers said Akira gains entry through zero-day exploits, access bought from initial access brokers, VPNs lacking multifactor authentication, and attacks on Veeam Backup & Replication, Cisco VPN, and SonicWall systems. The operation also uses double extortion, stealing data before encryption and threatening leaks, while relying on intermittent encryption and dependable decryption to increase the likelihood that victims pay.
Separately, ESET identified a South American ransomware campaign that impersonates Akira while actually deploying a Babuk-based encryptor against Windows users. The malware appends the .akira extension to files and drops ransom notes that mimic Akira’s language and Tor negotiation links, raising the risk of false attribution. Researchers said the campaign reflects a broader pattern of threat actors reusing leaked Babuk code and borrowing the branding of established ransomware groups, underscoring the need for defenders to verify attribution through technical analysis rather than ransom-note branding alone.
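The reporting above makes two technical points worth turning into a check: Akira encrypts files intermittently rather than end to end, and a `.akira` extension or a look-alike ransom note is the cheapest thing for an impersonator to copy. The script below is an added example, not code from Halcyon, ESET or any ransomware sample; it measures per-block entropy to characterise what an encryptor actually did to a file (untouched, fully encrypted, or a mix of encrypted and plaintext blocks) and reports the extension as a separate, weak signal. The block size, thresholds and sample files are constructed assumptions, and the heuristic is generic, not a signature for any particular family.

```python
"""
Added example (not from the page or any vendor report): per-block entropy
triage of a suspected ransomware output file. The extension is branding an
impersonator can copy for free; the encryption layout left in the bytes is
technical evidence that survives re-branding.
"""
import math
import random
from collections import Counter

BLOCK_SIZE = 4096   # analysis granularity; assumption, not a figure from the page
MIN_BLOCK = 64      # tail blocks shorter than this carry too little signal
HIGH_RATIO = 0.9    # fraction of the maximum reachable entropy that counts as "encrypted"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(block: bytes) -> bool:
    """Compare entropy to the maximum a block of this length can reach.

    A 100-byte block of perfect ciphertext cannot exceed log2(100) bits, so a
    fixed 7.5-bit cut-off would misclassify short tails; normalising avoids that.
    """
    if len(block) < 2:
        return False
    cap = min(8.0, math.log2(len(block)))
    return shannon_entropy(block) / cap >= HIGH_RATIO


def encryption_layout(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """Classify a file body as 'plaintext', 'full', 'intermittent' or 'empty'."""
    flags = [looks_encrypted(data[i:i + block_size])
             for i in range(0, len(data), block_size)
             if len(data[i:i + block_size]) >= MIN_BLOCK]
    if not flags:
        return "empty"
    if all(flags):
        return "full"
    if not any(flags):
        return "plaintext"
    return "intermittent"


def triage(filename: str, data: bytes) -> dict:
    """Report the branding signal (extension) separately from the technical one."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "extension": ext,
        "layout": encryption_layout(data),
        # An extension alone never settles which encryptor ran.
        "attribution_from_extension_alone": False,
    }


# --- constructed sample data (stand-ins, not real victim files) -------------
_rng = random.Random(2025)
SAMPLE_PLAINTEXT = (b"Quarterly sales report: region north, units shipped 1204, returns 17.\n"
                    * 300)[:BLOCK_SIZE * 4]      # four low-entropy blocks


def _random_block() -> bytes:
    # Seeded PRNG bytes stand in for ciphertext; real ciphertext has the same statistics.
    return bytes(_rng.getrandbits(8) for _ in range(BLOCK_SIZE))


SAMPLE_FULL = b"".join(_random_block() for _ in range(4))
# Every second block replaced: the pattern intermittent encryption leaves behind.
SAMPLE_INTERMITTENT = b"".join(
    _random_block() if i % 2 == 0 else SAMPLE_PLAINTEXT[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
    for i in range(4))


if __name__ == "__main__":
    for name, body in [("report.docx", SAMPLE_PLAINTEXT),
                       ("report.docx.akira", SAMPLE_FULL),
                       ("report.docx.akira", SAMPLE_INTERMITTENT)]:
        print(name, triage(name, body))
```

Run over a directory of suspect files, the layout column tells you whether the encryptor touched whole files or skipped blocks, which is a property of the binary that ran, not of the note it dropped; two campaigns sharing the `.akira` extension but producing different layouts are worth treating as different tooling until sample analysis says otherwise.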

Timeline, from the most recent confirmed update back to the earliest known activity:
ESET Research identified a separate ransomware campaign targeting Windows users in South America that impersonates the Akira brand while actually using a Babuk-based encryptor. The malware appends the .akira extension and uses ransom notes and Tor URLs designed to mimic Akira, increasing the risk of misattribution.
Halcyon reported that Akira has streamlined its attack lifecycle to move from initial access to encryption in less than four hours, and in some cases as little as one hour. The report also described tactics including zero-days, initial access broker purchases, attacks on VPNs without MFA, and targeting of Veeam, Cisco VPN, and SonicWall systems.
At an unspecified date prior to April 2026, the FBI and CISA identified Akira as one of the world's top ransomware groups, noting its focus on small and medium-sized businesses across multiple sectors.
By September 2025, Akira had reportedly amassed at least $245 million in ransom payments, underscoring the scale of its operations and victim impact.
The Akira ransomware group began operating in 2023 and later went on to compromise hundreds of victims. Reporting cited former Conti members or affiliates as likely involved in the group.
Sources: scworld.com, cyberscoop.com, cybersecuritynews.com