Sophos reported that newly emerged Akira ransomware was deployed in two separate April 2023 attacks against organizations in North America, with victims’ files renamed using the .akira extension and ransom notes dropped as fn.txt. The company said the strain appears unrelated to a 2017 ransomware family of the same name. In one intrusion, attackers gained access to an account through MFA bypass activity linked to TOR exit nodes, dumped LSASS memory via comsvcs.dll launched with rundll32.exe, moved laterally over RDP, tampered with Windows Defender, installed AnyDesk, and launched encryption after about seven days in the environment.
In the second case, attackers entered through single-factor VPN access, likely harvested credentials as indicated by MEMORY.DMP, conducted reconnaissance with Advanced IP Scanner and LANSweeper data, used Cloudflare Tunnel and Radmin for remote access, and staged data with WinRAR before deploying ransomware after more than 30 days. Sophos said Akira targeted a relatively narrow set of 26 file extensions, focusing largely on databases, virtual disks, and memory image files while avoiding some file types to preserve system stability, and noted that the slower pace of both operations created multiple opportunities for defenders to detect and disrupt the attacks before encryption.
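The two indicators that recur across both intrusions, the LSASS memory dump launched through rundll32.exe and comsvcs.dll, and the post-encryption artifacts (files renamed to .akira, a ransom note named fn.txt), are simple to check for in endpoint telemetry. The following Python is an added detection sketch, not code from Sophos or from the Mallory page; the event schema (dict keys), hostnames, paths and PIDs are constructed assumptions for this example.

```python
"""Detection sketch for two Akira indicators described in the Sophos report.

Check 1 (process creation): rundll32.exe invoking comsvcs.dll with the
MiniDump export, the LSASS-dump technique Sophos observed.
Check 2 (file events): files renamed to the .akira extension or a ransom
note named fn.txt, the artifacts reported in both incidents.
The event dict layout is an assumption for this example, not a real
product schema.
"""
import re
from collections import defaultdict

# Constructed sample process-creation events (hypothetical hosts and PIDs).
PROCESS_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\temp\out.dmp full"},
    {"host": "ws02", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},   # benign rundll32 use
    {"host": "srv01", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": r"AnyDesk.exe --install"},                     # not matched by check 1
]

# Constructed sample file events (hypothetical paths).
FILE_EVENTS = [
    {"host": "srv01", "path": r"D:\data\finance.mdf.akira", "op": "rename"},
    {"host": "srv01", "path": r"D:\data\vm01.vmdk.akira", "op": "rename"},
    {"host": "srv01", "path": r"D:\data\fn.txt", "op": "create"},
    {"host": "ws02", "path": r"C:\Users\bob\notes.txt", "op": "create"},
]

# comsvcs.dll MiniDump, by export name or by its ordinal alias (#24), with
# tolerant spacing around the comma, as seen in public Sigma rules.
COMSVCS_MINIDUMP = re.compile(
    r"comsvcs(\.dll)?\s*,\s*(MiniDump|#24)\b", re.IGNORECASE)


def detect_lsass_dump(events):
    """Return process events where rundll32.exe calls comsvcs.dll MiniDump."""
    hits = []
    for ev in events:
        image = ev.get("image", "").lower()
        if not image.endswith("rundll32.exe"):
            continue
        if COMSVCS_MINIDUMP.search(ev.get("cmdline", "")):
            hits.append(ev)
    return hits


def detect_akira_artifacts(events, min_renames=1):
    """Summarise per host: count of .akira renames and whether fn.txt appeared.

    Returns {host: {"encrypted": int, "ransom_note": bool}} for hosts that
    show at least `min_renames` renames or a ransom note.
    """
    per_host = defaultdict(lambda: {"encrypted": 0, "ransom_note": False})
    for ev in events:
        path = ev.get("path", "")
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.endswith(".akira") and ev.get("op") == "rename":
            per_host[ev["host"]]["encrypted"] += 1
        elif name == "fn.txt":
            per_host[ev["host"]]["ransom_note"] = True
    return {h: s for h, s in per_host.items()
            if s["encrypted"] >= min_renames or s["ransom_note"]}


if __name__ == "__main__":
    for ev in detect_lsass_dump(PROCESS_EVENTS):
        print(f"[LSASS dump] {ev['host']}: {ev['cmdline']}")
    for host, summary in detect_akira_artifacts(FILE_EVENTS).items():
        print(f"[Akira artifacts] {host}: {summary}")
```

The first check fires on the credential-theft step, which in both incidents happened days or weeks before encryption, so it is the alert worth tuning; the second check confirms impact and scopes which hosts were reached. Raising `min_renames` turns the artifact check into a burst detector for mass renaming rather than a single-file match.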

In its analysis of the April 2023 incidents, Sophos assessed that the Akira ransomware strain used in those attacks was unrelated to a ransomware family of the same name from 2017. The report also documented differing intrusion methods and tooling across the two incidents.
Sophos reported on two ransomware incidents in North America in April 2023 in which different threat actors deployed the newly emerged Akira ransomware. In both cases, victims' files were encrypted with the ".akira" extension and ransom notes named "fn.txt" were dropped.