Sophos reported that Akira has become a major threat to small and medium-sized organizations across Europe, North America, and Australia, hitting sectors including government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunications. The group commonly gained initial access through unauthorized logins to Cisco ASA SSL VPN and Cisco AnyConnect systems that lacked MFA, and in some cases exploited CVE-2023-20269 and Veeam CVE-2023-27532. Researchers said Akira operators routinely stole credentials, moved laterally, established persistence, and attempted to evade defenses before either encrypting systems or stealing data for extortion.
Sophos said Akira shifted notably toward extortion-only operations beginning in late 2023, exfiltrating data without always deploying ransomware. During intrusions, the actors dumped LSASS, extracted NTDS.dit and SYSTEM hives, targeted Veeam, browser, and KeePass credentials, and used tools including Mimikatz, AdFind, Advanced IP Scanner, RDP, SMB, wmiexec, PsExec, AnyDesk, WinRAR, rclone, and MEGA. The report also identified a previously unreported backdoor, crome.exe, communicating with 170.130.165[.]171, alongside repeated efforts to disable Sophos and Microsoft Defender protections. When encryption was used, Akira deployed binaries such as w.exe, Lck.exe, 1.exe, and locker.exe, appended the .akira extension, dropped akira_readme.txt, deleted Volume Shadow Copies, and in one case encrypted about 65,000 files on a server.

9 events from the most recent confirmed update back to the earliest known activity.
In research published on 2026-05-27, SANS ISC reconstructed an Akira intrusion at a mid-sized organization using SSLVPN firewall syslog and Windows EVTX logs. The analysis traced initial access to a forgotten local VPN account without MFA and detailed discovery, Kerberoasting, RDP-based lateral movement, account creation, defense evasion, shadow-copy deletion, and rapid encryption, while emphasizing log-correlation-based detection opportunities.
In its research published on 2026-01-01, Sophos detailed Akira's use of credential theft, lateral movement, defense evasion, remote access tools, and a previously unreported backdoor named crome.exe communicating with 170.130.165[.]171.
A report published on 2024-04-19 said Akira had extorted about $42 million and had expanded its operations to target Linux servers. The update marked a notable escalation in the group's impact and platform targeting beyond previously documented activity.
Beginning in October 2023, Sophos observed a notable change in Akira operations toward data theft and extortion-only incidents in which attackers exfiltrated data without deploying ransomware.
In research published on 2023-08-22, SentinelOne reported that Akira intrusions repeatedly involved Cisco VPN access and identified the group's use of the legitimate RustDesk remote access tool for stealthy remote access and file transfer. The report also described post-compromise actions including SQL database manipulation, firewall disabling, enabling RDP, and disabling Windows security features.
According to Kroll, Cisco stated that Akira targeted the Cisco ASA zero-day CVE-2023-20269 in August 2023. The flaw enabled brute-force attacks and clientless SSL VPN sessions because of improper AAA separation.
A report published on 2023-07-26 said Akira ransomware had compromised at least 63 victims since beginning operations in March 2023. The reporting marked an early assessment of the group's scale and activity during its first months of operation.
Sophos said Akira began operating in March 2023 and quickly became a significant threat to small and medium-sized organizations in Europe, North America, and Australia across multiple sectors.
During 2023, Akira intrusions commonly began through unauthorized logins to Cisco ASA SSL VPN or Cisco AnyConnect instances without MFA, with some cases also involving exploitation of Cisco CVE-2023-20269 and Veeam CVE-2023-27532.
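The SANS ISC reconstruction above stresses log-correlation-based detection, and the Sophos summary lists concrete artifacts (a no-MFA VPN entry point, Kerberoasting, RDP lateral movement, account creation, the crome.exe C2 address, shadow-copy deletion, the .akira extension and akira_readme.txt). The following is an added example, not code from Sophos, SANS ISC, or Mallory, that chains those stages from constructed SSL-VPN syslog and pre-parsed Windows records. The syslog line format, the dict field names, the RC4 (0x17) ticket-encryption heuristic for Kerberoasting, the 72-hour correlation window, and all sample data are assumptions made for the example; only the C2 address, file names and extension come from the page.

```python
"""Added example: correlate SSL-VPN syslog with Windows events to surface an
Akira-style intrusion chain (VPN login without MFA, Kerberoasting, RDP lateral
movement, account creation, C2 beacon, shadow-copy deletion, ransom artifacts)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Indicators taken from the reports summarised on this page. The C2 address is kept
# in the defanged form the page uses and normalised only at comparison time.
AKIRA_C2 = "170.130.165[.]171"
AKIRA_EXT = ".akira"
AKIRA_NOTE = "akira_readme.txt"
RC4_HMAC = "0x17"  # 4769 TicketEncryptionType commonly requested by Kerberoasting tooling


def refang(ip: str) -> str:
    return ip.replace("[.]", ".")


@dataclass
class Event:
    ts: datetime
    stage: str
    user: str
    host: str


# Hypothetical, vendor-neutral SSL-VPN syslog format (an assumption, not real vendor output).
VPN_LINE = re.compile(
    r"^(?P<ts>\S+) vpn: login user=(?P<user>\S+) src=\S+ mfa=(?P<mfa>\S+) result=(?P<result>\S+)$"
)


def parse_vpn_syslog(lines):
    """Keep only successful logins that completed without an MFA factor."""
    out = []
    for line in lines:
        m = VPN_LINE.match(line.strip())
        if m and m["result"] == "success" and m["mfa"] == "none":
            out.append(Event(datetime.fromisoformat(m["ts"]), "vpn_login_no_mfa", m["user"], "vpn-gw"))
    return out


def classify_windows(rec):
    """Map one pre-parsed Windows record (Security log or Sysmon, as a dict) to a stage."""
    eid, f = rec["event_id"], rec.get("target_file", "").lower()
    if eid == 4769 and rec.get("ticket_encryption") == RC4_HMAC:
        return "kerberoasting"
    if eid == 4624 and rec.get("logon_type") == 10:      # logon type 10 = RemoteInteractive (RDP)
        return "rdp_lateral_movement"
    if eid == 4720:                                      # user account created
        return "account_creation"
    if eid == 4688:                                      # needs command-line auditing enabled
        cmd = rec.get("command_line", "").lower()
        if "vssadmin" in cmd and "delete shadows" in cmd:
            return "shadow_copy_deletion"
    if eid == 11 and (f.endswith(AKIRA_EXT) or f.endswith(AKIRA_NOTE)):  # Sysmon FileCreate
        return "encryption_artifacts"
    if eid == 3 and refang(rec.get("dest_ip", "")) == refang(AKIRA_C2):  # Sysmon NetworkConnect
        return "c2_beacon"
    return None


def correlate(vpn_events, windows_records, window=timedelta(hours=72), min_stages=3):
    """Chain stage hits that follow a no-MFA VPN login inside the window; alert on >= min_stages."""
    hits = []
    for rec in windows_records:
        stage = classify_windows(rec)
        if stage:
            hits.append(Event(datetime.fromisoformat(rec["ts"]), stage, rec.get("user", "?"), rec["host"]))
    alerts = []
    for v in sorted(vpn_events, key=lambda e: e.ts):
        chain = sorted((h for h in hits if v.ts <= h.ts <= v.ts + window), key=lambda e: e.ts)
        stages = []
        for h in chain:
            if h.stage not in stages:
                stages.append(h.stage)
        if len(stages) >= min_stages:
            alerts.append({"entry_user": v.user, "entry_time": v.ts.isoformat(),
                           "stages": stages, "hosts": sorted({h.host for h in chain})})
    return alerts


# Constructed sample data (not from any real incident).
VPN_SYSLOG = [
    "2026-03-02T01:10:02 vpn: login user=svc_backup_old src=198.51.100.23 mfa=none result=failure",
    "2026-03-02T01:12:40 vpn: login user=svc_backup_old src=198.51.100.23 mfa=none result=success",
    "2026-03-02T08:05:11 vpn: login user=jsmith src=203.0.113.9 mfa=push result=success",
]
WINDOWS_RECORDS = [
    {"ts": "2026-03-02T01:40:00", "host": "dc01", "event_id": 4769, "user": "svc_backup_old", "ticket_encryption": "0x17"},
    {"ts": "2026-03-02T02:05:30", "host": "fs01", "event_id": 4624, "user": "svc_backup_old", "logon_type": 10},
    {"ts": "2026-03-02T02:20:00", "host": "dc01", "event_id": 4720, "user": "svc_backup_old"},
    {"ts": "2026-03-02T02:30:00", "host": "ws07", "event_id": 3, "user": "itadmin2", "dest_ip": "170.130.165.171"},
    {"ts": "2026-03-02T03:01:00", "host": "fs01", "event_id": 4688, "user": "itadmin2", "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2026-03-02T03:03:00", "host": "fs01", "event_id": 11, "user": "itadmin2", "target_file": "D:\\shares\\finance\\akira_readme.txt"},
    {"ts": "2026-03-02T09:00:00", "host": "ws12", "event_id": 4624, "user": "jsmith", "logon_type": 10},
]


def run_example():
    return correlate(parse_vpn_syslog(VPN_SYSLOG), WINDOWS_RECORDS)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The correlation is deliberately coarse: anything within the window after a no-MFA VPN login joins the chain, so a routine RDP logon by an unrelated user is swept in. That is acceptable for a first-pass hunt because the alert fires on the number of distinct stages, not on any single event; tightening the join to the entry account and any accounts it creates (event 4720) is the natural next refinement.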
References tracked (9): isc.sans.edu, news.sophos.com, sophos.com, community.fortinet.com, thehackernews.com, kroll.com, bleepingcomputer.com