Akira Ransomware: What the FBI, CISA and Europol Advisory Means for Defenders

A multi-agency joint advisory warns that Akira ransomware now threatens critical infrastructure and has claimed roughly $244 million, breaking in mainly through VPNs without MFA and unpatched Cisco, SonicWall and Veeam flaws. Here is how it operates and the official mitigations.
The FBI, CISA, Europol and partner agencies from the US, France, Germany and the Netherlands have refreshed their joint advisory on Akira ransomware, warning that the group now poses an imminent threat to critical infrastructure and has claimed roughly 244 million US dollars in proceeds. This is a defender's breakdown of how Akira breaks in and what the agencies say to do about it.
At a glance
What Akira is
Akira is a ransomware operation active since March 2023. The advisory links its operators to clusters tracked as Storm-1567, Howling Scorpius, Punk Spider and Gold Sahara, and notes possible connections to the now-defunct Conti group. After an initial focus on Windows, the actors added a Linux variant in April 2023 to target VMware ESXi virtual machines, and by a June 2025 incident were also encrypting Nutanix Acropolis Hypervisor virtual machine disk files, the first time the agencies observed them moving beyond VMware ESXi and Hyper-V.
Early Akira was written in C++ and appended a .akira extension. From August 2023 some attacks used a Rust-based encryptor called Megazord that appended .powerranges, though the advisory assesses Megazord has likely fallen out of use since 2024. A newer Rust variant, Akira_v2, appends .akira, .powerranges, .akiranew or .aki. Encryption is tuned to file type and size, using full or partial encryption to speed up large jobs.
How it gets in
The most common entry point the FBI and researchers observed is a VPN service that lacks multifactor authentication, reached mostly by exploiting known vulnerabilities. The advisory names CVE-2020-3259 and CVE-2023-20269 in Cisco products, and adds the Cisco ASA flaw CVE-2020-3580, VMware ESXi's CVE-2024-37085, Veeam's CVE-2023-27532 and CVE-2024-40711, and the SonicWall flaw CVE-2024-40766 as exploited for initial access. In the advisory's MITRE ATT&CK mapping, this is initial access by exploiting public-facing applications (T1190) and external remote services (T1133).
Beyond unpatched flaws, Akira actors use spearphishing, stolen or brute-forced VPN credentials (sometimes bought from initial-access brokers), password spraying with tools such as SharpDomainSpray, and external-facing Remote Desktop Protocol. In some cases they tunnelled in over SSH by abusing a router, then exploited unpatched Veeam backup servers. Once inside they create rogue domain accounts, harvest credentials via Kerberoasting and tools like Mimikatz and LaZagne, disable security software and EDR, and blend in using legitimate remote-access tools such as AnyDesk and LogMeIn.
The double-extortion model
Akira runs a double-extortion playbook: steal the data first, then encrypt the systems and threaten to leak what was taken. Exfiltration relies on common tools including FileZilla, WinRAR, WinSCP, RClone and cloud storage such as Mega, sometimes tunnelled through Ngrok or Cloudflare Tunnel. In some incidents the actors exfiltrated data in just over two hours from initial access.
Notably, Akira does not leave a ransom amount or payment instructions on the network. Victims receive a unique code and a Tor .onion address, and the demand is only relayed once the victim makes contact. Payments are made in Bitcoin to wallet addresses the actors provide. To pile on pressure, they threaten to publish stolen data on a Tor leak site and, in some cases, have phoned the victim companies directly. The encryptor also deletes Volume Shadow Copies to frustrate recovery (data encrypted for impact, ATT&CK T1486; inhibit system recovery, T1490).
Who it targets
The advisory says Akira primarily targets small and medium-sized businesses but has also hit larger organisations across many sectors. The actors show a notable preference for educational institutions and for the Critical Manufacturing, Information Technology, Healthcare and Public Health, Financial Services, and Food and Agriculture sectors. Geographically, victims to date span North America, Europe and Australia. The November 2025 update frames the activity as an imminent threat to critical infrastructure.
Notable victims
Akira's reach is easiest to grasp through the organisations it has hit. A few well-documented cases:
- Stanford University (2023). Akira breached the university's Department of Public Safety network between May and September 2023; Stanford later confirmed data on about 27,000 people was exposed.
- Nissan Oceania (December 2023). The attack on Nissan's Australia and New Zealand operations exposed data belonging to roughly 100,000 individuals.
- Tietoevry (January 2024). A ransomware attack on the Finnish IT-services firm knocked out one of its Swedish data centres, disrupting government agencies, universities and payroll systems across Sweden.
- BHI Energy (2023). The US energy-services firm disclosed that Akira actors dwelled on its network for about a month and stole roughly 690 GB of data, publishing an unusually detailed account of the intrusion.
The pattern is consistent: mid-sized and large organisations across education, energy, manufacturing and public services, reached through the exposure profile below.
Initial-access vectors and fixes
| Initial-access vector | What the advisory recommends |
|---|---|
| VPN access without MFA | Require MFA for all services, particularly VPNs, webmail and accounts that reach critical systems |
| Known exploited CVEs in VPN, hypervisor and backup products | Prioritise patching known exploited vulnerabilities in internet-facing systems; keep OS, software and firmware current |
| Stolen, brute-forced or sprayed credentials | Enforce long passwords (15 to 64 characters), account lockouts and identity and access management policies |
| External-facing RDP and remote-access tools | Disable unused ports and filter traffic so unknown or untrusted origins cannot reach internal remote services |
| Lateral movement after entry | Segment networks, apply least privilege and just-in-time admin access, and monitor for abnormal traffic with EDR |
| Backups destroyed or encrypted | Keep offline, encrypted and immutable backups and regularly test restoration |
How to detect Akira (IOCs and hunt tips)
Prevention aside, defenders should hunt for the traces Akira leaves. Signs to look for, drawn from the advisory and incident reporting:
- Ransom note. A file named akira_readme.txt dropped in encrypted folders.
- Encrypted-file extensions. .akira, .powerranges, .akiranew or .aki.
- Shadow-copy deletion. PowerShell deleting Volume Shadow Copies (for example Get-WmiObject Win32_Shadowcopy | Remove-WmiObject) to block recovery.
- Rogue accounts. Newly created domain or administrator accounts on domain controllers and servers.
- Credential theft. Kerberoasting and tools such as Mimikatz and LaZagne; password spraying with SharpDomainSpray.
- Remote-access tools. AnyDesk or LogMeIn, and tunnelling via Ngrok or Cloudflare Tunnel, appearing where they do not belong.
- Data-staging and egress. Rclone, WinSCP, FileZilla or WinRAR moving archives to Mega or other cloud storage.
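As an added illustration (not code from the advisory or this article), here is a small Python hunt script that runs the indicators above over constructed Sysmon-style event lines and tags hits with the ATT&CK IDs the advisory gives. The log format, file paths and the use of cloudflared as the Cloudflare Tunnel client name are assumptions.

```python
"""Hunt for the Akira indicators listed above in process- and file-event logs."""
import re

# Indicator patterns taken from the advisory summary above (case-insensitive).
# ATT&CK IDs are attached only where the advisory text gives them.
INDICATORS = [
    ("ransom-note (akira_readme.txt)", re.compile(r"akira_readme\.txt", re.I), "T1486"),
    ("encrypted-file extension",
     re.compile(r"\.(?:akiranew|akira|powerranges|aki)(?!\w)", re.I), "T1486"),
    ("shadow-copy deletion via WMI",
     re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I), "T1490"),
    ("remote-access / tunnelling tool",
     re.compile(r"anydesk|logmein|ngrok|cloudflared", re.I), None),  # cloudflared: assumed name
    ("data-staging / egress tool", re.compile(r"rclone|winscp|filezilla|winrar", re.I), None),
]

def classify(line):
    """Return [(indicator, attack_id), ...] for every indicator matched by one log line."""
    return [(name, tid) for name, rx, tid in INDICATORS if rx.search(line)]

def hunt(lines):
    """Return a list of {line, indicator, attack} findings across all lines (1-based)."""
    findings = []
    for n, line in enumerate(lines, 1):
        for name, tid in classify(line):
            findings.append({"line": n, "indicator": name, "attack": tid})
    return findings

# Constructed Sysmon-style events (not real telemetry): EventID 1 = process create, 11 = file create.
SAMPLE_LOG = [
    r"EventID=1 Image=C:\Windows\System32\svchost.exe CommandLine=svchost.exe -k netsvcs",
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"CommandLine=powershell -c Get-WmiObject Win32_Shadowcopy | Remove-WmiObject",
    r"EventID=11 Image=C:\Users\Public\w.exe TargetFilename=C:\Shares\Finance\budget.xlsx.akira",
    r"EventID=11 Image=C:\Users\Public\w.exe TargetFilename=C:\Shares\Finance\akira_readme.txt",
    r"EventID=1 Image=C:\Users\svc_backup\AppData\Local\AnyDesk\AnyDesk.exe",
    r"EventID=1 Image=C:\Tools\rclone.exe CommandLine=rclone copy D:\staging mega:exfil",
    # Benign: ".akiraproject" must not trip the extension rule (no word boundary after ".akira").
    r"EventID=11 Image=C:\Office\winword.exe TargetFilename=C:\Users\a\notes.akiraproject.docx",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        tag = f"  [{f['attack']}]" if f["attack"] else ""
        print(f"line {f['line']:>2}: {f['indicator']}{tag}")
```

The extension rule is anchored with a negative lookahead so that .aki does not match inside .akira or .akiranew, and unrelated suffixes such as .akiraproject are not flagged.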
What to do now
- Patch first. Prioritise remediating known exploited vulnerabilities on internet-facing systems and keep operating systems, software and firmware up to date.
- Turn on MFA everywhere it matters, especially VPNs, webmail and accounts that access critical systems, and adopt identity, credential and access management policies.
- Strengthen passwords. Require 15 to 64 character passwords, store them hashed, lock out repeated failed logins and avoid forcing frequent resets.
- Keep offline backups that are encrypted and immutable, cover the whole estate, and test the restoration process regularly. Hold extra copies in a physically separate, segmented location.
- Segment the network to contain spread and limit lateral movement between subnetworks.
- Monitor and detect. Use network monitoring and EDR to spot abnormal activity and lateral connections, and keep real-time antivirus enabled on all hosts.
- Cut off unused access. Disable unused ports, filter traffic from untrusted origins, and restrict command-line and scripting permissions.
- Audit accounts. Review domain controllers, servers and Active Directory for unrecognised accounts, apply least privilege, and use just-in-time access for admin roles.
India and global relevance
The advisory's confirmed victim footprint is North America, Europe and Australia, and the authoring agencies are from the US, the EU and the Netherlands. It does not name India or other Asian markets among observed victims, so any India-specific impact here is not established by this document and should not be inferred from it. That said, the entry points Akira favours are universal: internet-facing VPN appliances, unpatched Cisco, SonicWall and Veeam gear, exposed RDP, and weak or reused credentials are exactly the exposure profile of mid-sized firms, schools, hospitals and manufacturers everywhere, including across India and the wider Asia-Pacific. The mitigations are vendor-neutral and apply globally. For Indian organisations, the practical reading is to treat this as a tested playbook against the same equipment they run, and to report any incident to CERT-In and local law enforcement as the regional equivalent of the FBI and CISA reporting channels named in the advisory.
FAQs
Is the 244 million dollar figure the ransom paid? The advisory states Akira has claimed approximately 244.17 million US dollars in ransomware proceeds as of late September 2025. It does not break this into paid versus demanded, and earlier versions of the advisory cited a much lower figure, so treat it as the agencies' cumulative estimate rather than a single confirmed payout.
Which products are most at risk? The advisory ties initial access mainly to VPN services without MFA and to known flaws in Cisco, SonicWall and Veeam products, plus virtualization platforms VMware ESXi, Hyper-V and Nutanix AHV.
Does paying make the leak threat go away? The advisory does not recommend paying. Akira uses double extortion, threatening to publish stolen data on Tor regardless, and US guidance generally discourages payment because it does not guarantee recovery and funds further crime.
Is there a free Akira decryptor? For the original Windows variant (the one that appends .akira), yes: Avast released a decryptor in June 2023 that exploited a flaw in its encryption. The operators patched the flaw within days, so it does not work on newer builds, the Rust-based Akira_v2, or the Linux and VMware ESXi variants. There is no practical free decryptor for current Akira, which is why tested offline backups remain the only reliable recovery path.
How fast does an attack move? In some incidents the actors exfiltrated data in just over two hours from initial access, which is why patching, MFA and monitoring matter before an intrusion rather than after.
What is the single highest-impact fix? The advisory's top three are patching known exploited vulnerabilities, enforcing phishing-resistant MFA, and maintaining tested offline backups. For Akira specifically, MFA on VPN access closes its most common door.
Source: FBI, CISA, DC3, HHS, Europol EC3, France's Office Anti-Cybercriminalité (OFAC), Germany's Generalstaatsanwaltschaft Karlsruhe, Cybercrime-Zentrum Baden-Württemberg (C3BW) and LKA Baden-Württemberg, and NCSC-NL joint Cybersecurity Advisory, "#StopRansomware: Akira Ransomware" (AA24-109A), originally published April 18, 2024 and updated November 13, 2025. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a