Current Cyber Threats

Akira Ransomware Haul Surpasses $244M in Illicit Proceeds

Summary:
CISA released a joint cybersecurity advisory this week focused on the Akira operators' latest tactics, techniques, and procedures (TTPs). Most concerning is the speed at which Akira exfiltrates data from victims: in some intrusions, as little as two hours after initial access. Additional reporting this week puts Akira's total at approximately $244 million in ransomware proceeds as of September 2025.

CISA’s report highlights some of the more recent TTPs used by Akira:
  • In June 2025, Akira ransomware operators demonstrated a significant evolution in their tactics by encrypting Nutanix AHV virtual machine disk files for the first time, the advisory noted.
  • Akira threat actors gain access to VPN products, such as SonicWall, by stealing login credentials or exploiting vulnerabilities. In the Nutanix attack, the group leveraged SonicWall vulnerability CVE-2024-40766 to gain the necessary access.
  • The group also buys compromised VPN credentials from initial access brokers (IABs), and has been observed brute-forcing VPN endpoints and password spraying to obtain account credentials.
  • In other incidents, indicators suggested that Akira threat actors gained initial access through the Secure Shell (SSH) protocol on a targeted router, the advisory noted. After tunneling through the compromised router, they exploit publicly known vulnerabilities, such as those in the Veeam Backup and Replication component of unpatched Veeam backup servers.
  • The group also leverages remote access tools, such as AnyDesk and LogMeIn, to maintain persistence and move laterally once inside a network; because administrators use the same tools, this activity blends in with legitimate remote management. Akira threat actors use Impacket, an open-source collection of Python classes for working with network protocols, to execute commands remotely with wmiexec[.]py. To evade detection, they uninstall endpoint detection and response (EDR) agents.
  • The organizations authoring the advisory have also observed Akira creating new user accounts and adding them to the administrators group to establish a foothold in the environment.
  • Akira ransomware operators use tunneling tools such as Ngrok to establish encrypted command-and-control (C2) channels that evade perimeter monitoring. They also use PowerShell and WMIC to disable services and run malicious scripts, enabling deeper system compromise.
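Several of the post-access TTPs above leave host-level artifacts that can be matched from endpoint telemetry: Impacket's wmiexec[.]py runs commands under WmiPrvSE.exe and redirects output to an ADMIN$ share path; Ngrok and service-tampering commands show up in process command lines; and a new account added to the local Administrators group appears as a 4720 event followed by a 4732 event for the same SID. The following Python is an added example written for this brief, not code from the advisory or CISA, that runs those detections over a handful of constructed, Sysmon-like events. The event dict shape, host names, SIDs and timestamps are all assumptions made for the example.

```python
"""Host-level detections for the Akira TTPs above, run over constructed sample events.

Event shape is a simplified Sysmon/Windows-Security-like dict (an assumption for this
example, not a real log format):
  event_id 1    : {"host", "ts", "image", "parent_image", "command_line"}  (process creation)
  event_id 4720 : {"host", "ts", "target_user", "target_sid"}              (user account created)
  event_id 4732 : {"host", "ts", "member_sid", "group"}                    (member added to local group)
"""
import re
from datetime import datetime, timedelta

# Impacket wmiexec.py: the command is spawned by WmiPrvSE.exe and its output is redirected
# to \\127.0.0.1\ADMIN$\__<timestamp> so the client can read it back over SMB.
# Caveat: modified builds can change the share or file prefix.
WMIEXEC_RE = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d", re.IGNORECASE)

# Service tampering via WMIC, PowerShell or sc.exe (the advisory names WMIC and PowerShell).
SERVICE_TAMPER_RE = re.compile(
    r"(wmic\s+service\b.*\bcall\s+(stopservice|delete|changestartmode))"
    r"|(\bset-service\b.*-startuptype\s+disabled)"
    r"|(\bstop-service\b)"
    r"|(\bsc(\.exe)?\s+config\b.*start=\s*disabled)",
    re.IGNORECASE,
)

# Software removal via WMIC or msiexec: a generic signal for EDR uninstall attempts.
UNINSTALL_RE = re.compile(
    r"(wmic\s+product\b.*\bcall\s+uninstall)|(msiexec(\.exe)?\s+.*/x\b)", re.IGNORECASE
)

# Ngrok invoked to expose a local port. Caveat: the binary is easily renamed, so pair this
# with network detections for the ngrok service domains.
TUNNEL_RE = re.compile(r"\bngrok(\.exe)?\b.*\b(tcp|http|start|tunnel)\b", re.IGNORECASE)

# A 4732 into Administrators within this window of a 4720 for the same SID is suspicious.
ADMIN_CORRELATION_WINDOW = timedelta(minutes=30)


def detect(events):
    """Return a list of (rule, host, detail) alerts for the given events, in event order."""
    alerts = []
    created = {}  # (host, sid) -> (creation time, user name) from 4720 events
    for ev in events:
        host, ts, eid = ev["host"], datetime.fromisoformat(ev["ts"]), ev["event_id"]
        if eid == 1:
            cmd = ev.get("command_line", "")
            parent = ev.get("parent_image", "").lower()
            image = ev.get("image", "").lower()
            if parent.endswith("wmiprvse.exe") and WMIEXEC_RE.search(cmd):
                alerts.append(("impacket_wmiexec", host, cmd))
            if image.endswith("\\ngrok.exe") or TUNNEL_RE.search(cmd):
                alerts.append(("ngrok_tunnel", host, cmd))
            if SERVICE_TAMPER_RE.search(cmd):
                alerts.append(("service_tamper", host, cmd))
            if UNINSTALL_RE.search(cmd):
                alerts.append(("software_uninstall", host, cmd))
        elif eid == 4720:
            created[(host, ev["target_sid"])] = (ts, ev["target_user"])
        elif eid == 4732 and ev["group"].lower() == "administrators":
            key = (host, ev["member_sid"])
            if key in created and ts - created[key][0] <= ADMIN_CORRELATION_WINDOW:
                alerts.append(("new_local_admin", host, created[key][1]))
    return alerts


# Constructed sample telemetry (hypothetical host, SID and timestamps).
SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2025-11-14T09:50:00", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1731577800.12 2>&1"},
    {"host": "WS01", "ts": "2025-11-14T09:51:00", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "cmd.exe /c dir"},  # benign
    {"host": "WS01", "ts": "2025-11-14T09:52:00", "event_id": 1, "image": r"C:\Users\jdoe\Downloads\ngrok.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "ngrok.exe tcp 3389"},
    {"host": "WS01", "ts": "2025-11-14T09:53:00", "event_id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "wmic service where name='backupsvc' call stopservice"},
    {"host": "WS01", "ts": "2025-11-14T09:54:00", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'powershell.exe -NoP -c "Set-Service -Name EventLog -StartupType Disabled"'},
    {"host": "WS01", "ts": "2025-11-14T09:55:00", "event_id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "msiexec.exe /x {00000000-0000-0000-0000-000000000000} /qn"},
    {"host": "WS01", "ts": "2025-11-14T10:00:00", "event_id": 4720, "target_user": "svc_backup", "target_sid": SID},
    {"host": "WS01", "ts": "2025-11-14T10:02:00", "event_id": 4732, "member_sid": SID, "group": "Administrators"},
    {"host": "WS01", "ts": "2025-11-14T10:03:00", "event_id": 4732,  # pre-existing account: no 4720, no alert
     "member_sid": "S-1-5-21-1111111111-2222222222-3333333333-1001", "group": "Administrators"},
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

The account-creation rule is the one most worth keeping stateful in a real SIEM: a 4732 into Administrators on its own is routine, while the same SID appearing in a 4720 minutes earlier is the foothold pattern the advisory describes. The string-based rules are starting points that need tuning against the environment's own administrative tooling, since the advisory's point is precisely that these tools are chosen to blend in.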

Security Officer Comments:
Akira is one of the most prolific ransomware strains we have tracked in 2025, second only to Qilin by a small margin. To date, we have tracked 5,125 ransomware attacks in 2025, with Akira responsible for 469 (9.15%).

A majority of their victims have been in the US (66%), followed by: Germany (5%), Canada (3%), Italy (2%), Brazil (2%). The most targeted sectors for Akira are: Critical Manufacturing (158 Attacks), Commercial Facilities (85 Attacks), Legal (40 Attacks), Financial Services (37 Attacks), Information Technology (37 Attacks), Food and Agriculture (22 Attacks).

Suggested Corrections:
Organizations are encouraged to implement the recommendations in the mitigations section of the cybersecurity advisory to reduce the likelihood and impact of Akira ransomware incidents. These include:
  • Prioritize remediating known exploited vulnerabilities
  • Enable and enforce phishing-resistant multifactor authentication (MFA)
  • Maintain regular backups of critical data, ensure backups are stored offline, and regularly test the restoration process

Link(s):
https://www.infosecurity-magazine.com/news/akira-ransomware-244m-in-illicit/