The cybersecurity landscape faces a mounting threat as the Akira ransomware group intensifies operations, marking a significant evolution since its emergence in March 2023. The group has amassed approximately $42 million in ransom payments, targeting diverse sectors with a particular focus on the Education, Finance, Manufacturing, and Healthcare industries. The impact of Akira’s operations has been substantial, with over 250 organizations across North America, Europe, and Australia falling victim as of January 2024. According to their leak site, the group has compromised over 350 organizations, with victims who refuse payment seeing their data published in the dedicated “Leaks” section. In a particularly aggressive campaign during November 2023, the group posted over 30 new victims on their data leak site in a single day, demonstrating their expanding operational capacity.

Dark Atlas researchers identified a significant technical evolution in Akira’s toolkit, noting a transition from early C++ variants to more sophisticated Rust-based code. “The incorporation of ‘Megazord’ in August 2023 represents a substantial upgrade in their capabilities,” noted Dark Atlas analysts after examining multiple attack patterns. The ransomware has undergone notable improvements, with the Akira_v2 variant introducing advanced features such as targeted encryption paths, customizable encryption percentages, and specialized virtual machine targeting capabilities.

Akira’s initial access strategy relies heavily on compromised credentials, which the group uses to access vulnerable VPN services lacking multi-factor authentication, predominantly exploiting known Cisco vulnerabilities. Once inside a network, Akira deploys an arsenal of publicly available tools for reconnaissance, lateral movement, and data exfiltration before executing its encryption payload. Tools like Advanced IP Scanner and SoftPerfect Network Scanner are used to map the network environment. For credential harvesting, the group utilizes techniques including Kerberoasting and memory dumping tools such as Mimikatz to extract credentials from LSASS processes.

Akira employs a double extortion strategy, first exfiltrating sensitive data before encrypting files on target systems. Its exfiltration tooling facilitates the transfer of stolen data to attacker-controlled infrastructure before encryption begins. In the final stage, encrypted files receive either the .akira or .powerranges file extension, and ransom notes direct victims to a .onion URL for payment negotiations.
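As an added example, not code from the article or from Dark Atlas, the following Python sketch scores constructed, simplified log events against the chain described above: Kerberoasting (many RC4 service-ticket requests from one account), LSASS memory access, and renames to the .akira or .powerranges extension. The event field names, hosts, users, SPNs and the roasting threshold are assumptions, not a real SIEM schema.

```python
"""Detection sketch for the Akira chain (added example, not from the article or any
vendor): scores constructed log events for Kerberoasting, LSASS access and the
.akira/.powerranges encryption stage. Field names are assumptions, not a SIEM schema."""
from collections import Counter, defaultdict

AKIRA_EXTENSIONS = (".akira", ".powerranges")  # extensions reported in the article
RC4_ETYPE = "0x17"   # RC4-HMAC service tickets are the classic Kerberoasting request
ROAST_THRESHOLD = 5  # distinct SPNs from one account before we call it roasting
LSASS = "lsass.exe"

def analyze(events):
    """Return {host: {'kerberoast': n, 'lsass_access': n, 'encrypted_files': n}}."""
    findings = defaultdict(Counter)
    rc4_spns = defaultdict(set)  # (host, user) -> SPNs requested with RC4
    for ev in events:
        host = ev["host"]
        if ev["type"] == "kerberos_tgs" and ev.get("etype") == RC4_ETYPE:
            rc4_spns[(host, ev["user"])].add(ev["spn"])
        elif ev["type"] == "process_access" and ev["target"].lower().endswith(LSASS):
            findings[host]["lsass_access"] += 1  # Mimikatz-style credential dumping
        elif ev["type"] == "file_rename" and ev["new_name"].lower().endswith(AKIRA_EXTENSIONS):
            findings[host]["encrypted_files"] += 1  # encryption payload already running
    # One account pulling RC4 tickets for many SPNs is the Kerberoasting signature
    for (host, user), spns in rc4_spns.items():
        if len(spns) >= ROAST_THRESHOLD:
            findings[host]["kerberoast"] += len(spns)
    return {h: dict(c) for h, c in findings.items()}

def stage(counts):
    """Map one host's detections to the latest stage of the chain observed."""
    if counts.get("encrypted_files"):
        return "encryption"
    if counts.get("kerberoast") or counts.get("lsass_access"):
        return "credential_access"
    return "none"

# Constructed sample telemetry; hosts, users and SPNs are hypothetical
SAMPLE = (
    [{"type": "kerberos_tgs", "host": "DC01", "user": "svc_backup",
      "spn": f"MSSQLSvc/db{i}", "etype": "0x17"} for i in range(6)]
    + [{"type": "kerberos_tgs", "host": "DC01", "user": "alice",
        "spn": "HTTP/web1", "etype": "0x12"}]  # AES ticket: normal traffic
    + [{"type": "process_access", "host": "WS07", "source": "rundll32.exe",
        "target": "C:\\Windows\\System32\\lsass.exe"}]
    + [{"type": "file_rename", "host": "FS01", "old_name": f"report{i}.docx",
        "new_name": f"report{i}.docx.akira"} for i in range(3)]
    + [{"type": "file_rename", "host": "FS01", "old_name": "a.txt", "new_name": "a.txt.bak"}]
)
```

Calling `analyze(SAMPLE)` and then `stage()` per host flags DC01 and WS07 at credential access and FS01 at the encryption stage, while the AES ticket and the ordinary .bak rename are ignored.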
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 21 Apr 2025 15:15:17 +0000