Akira Ransomware: Conti Lineage, VPN Exploitation, and Double Extortion at Scale


Single-factor VPN? Enjoy Akira’s neon BOGO encryption sale.

(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))

Tired of writing "strategic stakeholder" reports just to show your value? Trying to do it with ChatGPT yourself? Wish ChatGPT actually understood threat intelligence?

Does it take chunks out of your day? Would you like help with the research?

This baseline report was thoughtfully researched and took 15 minutes. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.

We just did the initial grunt work.

Are you ready to level up your skillset? Get Started Here!

Did this help you? Forward it to a friend!


TL;DR

Key Points

    • Akira ransomware, operated by former Conti affiliates, leverages VPN vulnerabilities and credential abuse for initial access, with a focus on organizations lacking multi-factor authentication (MFA).
    • Immediate enforcement of MFA and patching of remote access infrastructure are critical to reducing risk.
    • The group employs double extortion tactics, rapid data exfiltration, and hybrid encryption (ChaCha20/RSA), targeting healthcare, manufacturing, technology, and financial sectors globally.
    • Deploy endpoint detection and response (EDR), harden credential access, and implement immutable, offline backups to mitigate impact.
    • Akira’s operational scale is increasing, with mass data leak events and evolving TTPs, including Linux/ESXi targeting and cloud exfiltration tools.
    • Continuous monitoring, DLP deployment, and regular restoration drills are essential for resilience.

Executive Summary

Akira ransomware, first observed in March 2023, is attributed to a financially motivated cybercrime group composed of former Conti affiliates. The group operates a ransomware-as-a-service (RaaS) model, reusing code and infrastructure from Conti, and has been responsible for over 250 incidents and $42 million in ransom payments as of early 2024. Akira’s primary initial access vectors include exploitation of VPN vulnerabilities (notably Cisco CVE-2020-3259, CVE-2023-20269), spear phishing, and abuse of stolen credentials, with a marked focus on organizations lacking enforced MFA.

Akira targets a broad range of sectors—most notably healthcare, manufacturing, technology, and financial services—across the US, France, Australia, UK, and Sweden. The group’s attack chain features credential dumping (Mimikatz, LaZagne), lateral movement (Kerberoasting, domain account creation), data exfiltration (FileZilla, RClone, WinSCP, WinRAR), and double extortion via Tor-based ransom notes. Hybrid encryption (ChaCha20/RSA) and deletion of shadow copies are used to maximize operational disruption and ransom leverage.

Recent campaigns have demonstrated Akira’s ability to scale, with mass data leak events (e.g., 35+ victims in a single day, November 2024) and rapid adoption of Linux/ESXi and cloud-native exfiltration techniques. The group’s TTPs align closely with those of Conti, Wizard Spider, and related post-RaaS actors, indicating ongoing affiliate dispersal and code reuse.

Recommended mitigations include immediate enforcement of MFA and patching of remote access infrastructure, deployment of EDR with behavioral analytics, hardening of credential access, and implementation of immutable, offline backups with regular restoration testing. Organizations should monitor for Akira’s exfiltration tools, conduct quarterly backup drills, and maintain continuous detection for credential dumping and lateral movement. Failure to address these vectors will likely result in increased risk of ransomware impact, data leaks, and operational disruption as Akira’s tactics continue to evolve.


Suggested Pivots

  1. What specific vulnerabilities, including ... (upgrade to see more!) ..., and how can organizations prioritize patching and detection of these vectors to prevent intrusions?

  2. How effective are current endpoint detection and response (EDR) solutions like ... (upgrade to see more!) ... in mitigating Akira ransomware attacks, considering documented Akira techniques for bypassing defenses such as disabling security processes and ... (sign up to see more!) ...?

  3. What are the operational impacts and financial consequences of Akira’s ... (upgrade to see more!) ..., and how do victim response strategies (e.g., ransom payment vs. incident reporting) influence the likelihood of data leak publication and repeat targeting?


Research & Attribution

Historical Context

Akira ransomware emerged in March 2023 as a ransomware-as-a-service (RaaS) operation known for double extortion tactics, targeting a wide range of industries globally, including healthcare, manufacturing, and technology. It is widely attributed to former affiliates of the Conti ransomware group, which disbanded in 2022. Akira has evolved from Conti affiliates, reusing ransomware variants such as Megazord and Akira_v2, and employing sophisticated intrusion techniques including exploitation of VPN vulnerabilities and credential dumping. The group has been responsible for over 250 ransomware incidents and approximately $42 million in ransom payments as of early 2024.

Timeline

  • 2022: Conti ransomware group disbands amid law enforcement pressure and internal leaks.
  • March 2023: Akira ransomware group emerges, believed to be operated by former Conti affiliates.
  • June 2023: Akira deploys Linux variants targeting VMware ESXi virtual machines.
  • August 2023: Akira targets VPNs lacking multi-factor authentication (MFA).
  • April 2024: Joint advisory issued by CISA, FBI, Europol, and NCSC-NL detailing Akira TTPs and IOCs.
  • November 2024: Akira publishes data of 35+ victims in a single day, indicating operational scale.
  • 2024–2025: Continued ransomware campaigns with double extortion and evolving tactics.

Origin

Akira ransomware is attributed to a financially motivated cybercrime group composed of former Conti affiliates. This attribution is supported by malware analysis showing code reuse (e.g., Megazord ransomware), shared infrastructure, and operational tactics consistent with Conti’s playbook. The group operates as a RaaS, recruiting affiliates to conduct intrusions and deploy ransomware variants on both Windows and Linux systems.

Countries Targeted

  1. United States – Primary target with the highest number of detected Akira ransomware incidents.
  2. France – Significant targeting, accounting for over 50% of detected Akira attacks in some studies.
  3. Australia – Notable attacks including the January 2023 Nissan Oceania incident.
  4. United Kingdom – Targeted in joint advisories and ransomware campaigns.
  5. Sweden – Victims include cloud providers and service companies.

Sectors Targeted

  1. Healthcare – Frequent target due to sensitive data and critical operations.
  2. Manufacturing – Targeted for operational disruption and ransom potential.
  3. Technology – Attacks on tech firms to leverage intellectual property.
  4. Financial Services – Targeted for financial gain and data theft.
  5. Government – Targeted for disruption and potential espionage.

Motivation & Attack Types

Akira ransomware actors are financially motivated, employing a double extortion model that encrypts data and threatens to leak stolen information to maximize ransom payments. The group’s motivation aligns with that of former Conti affiliates, focusing on monetary gain through ransomware and data extortion.

  • Initial access via exploitation of VPN vulnerabilities (e.g., Cisco CVE-2020-3259, CVE-2023-20269), spear phishing, RDP abuse, and stolen credentials.
  • Deployment of ransomware variants including Megazord and Akira_v2 targeting Windows and Linux systems.
  • Use of credential dumping tools such as Mimikatz and LaZagne.
  • Lateral movement and privilege escalation through domain account creation and Kerberoasting.
  • Data exfiltration using tools like FileZilla, RClone, WinSCP, and WinRAR.
  • Double extortion with ransom notes delivered via Tor onion sites.
  • Encryption using hybrid ChaCha20 and RSA schemes.
  • Deletion of volume shadow copies to inhibit recovery.
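The detection logic below is an added example, not code from the original report or from any vendor tool. It runs over constructed records standing in for Sysmon process-creation events and Windows Security Event ID 4769 (Kerberos service ticket requests); the field names (`host`, `user`, `cmdline`, `account`, `service`, `enc_type`, `src`) are assumptions, not a real schema. It flags the post-access behaviours listed above and in the Executive Summary: shadow copy deletion, credential dumping, exfiltration tooling, and Kerberoasting seen as one account requesting RC4 service tickets for many distinct service accounts.

```python
"""Detect Akira-style post-access behaviour in constructed Windows telemetry.

Added example, not code from the original report. Input records are
constructed dicts standing in for Sysmon Event ID 1 (process creation) and
Security Event ID 4769 (Kerberos service ticket request); field names are
assumptions, not a vendor schema.
"""
import re

# Command-line signatures for behaviours named in the report's attack chain.
PROCESS_RULES = {
    # Shadow copy deletion to inhibit recovery (vssadmin / wmic variants).
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
        re.IGNORECASE),
    # Credential dumping: tool names or Mimikatz module syntax on the command line.
    "credential_dumping": re.compile(
        r"\b(mimikatz|lazagne|sekurlsa::|lsadump::)", re.IGNORECASE),
    # Exfiltration/staging tools listed in the report; low fidelity on their own,
    # so treat as a signal to correlate rather than a blocking rule.
    "exfiltration_tooling": re.compile(
        r"\b(rclone|winscp|filezilla|winrar)(\.exe)?\b", re.IGNORECASE),
}

# Constructed Sysmon-style process-creation records.
PROCESS_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "SRV02", "user": "CORP\\svc_backup",
     "cmdline": "rclone.exe copy D:\\Share remote:"},
    {"host": "WS03", "user": "CORP\\admin",
     "cmdline": "m.exe privilege::debug sekurlsa::logonpasswords"},
    {"host": "WS04", "user": "CORP\\alice",
     "cmdline": "7z.exe a report.zip report.docx"},  # benign archive use
]

# Constructed Security 4769 records: account requesting the ticket, target
# service account, ticket encryption type (0x17 = RC4-HMAC), source address.
KERBEROS_EVENTS = [
    {"account": "jdoe@CORP.LOCAL", "service": "svc_sql", "enc_type": "0x17", "src": "10.0.0.5"},
    {"account": "jdoe@CORP.LOCAL", "service": "svc_web", "enc_type": "0x17", "src": "10.0.0.5"},
    {"account": "jdoe@CORP.LOCAL", "service": "svc_backup", "enc_type": "0x17", "src": "10.0.0.5"},
    {"account": "jdoe@CORP.LOCAL", "service": "svc_mail", "enc_type": "0x17", "src": "10.0.0.5"},
    {"account": "WS01$@CORP.LOCAL", "service": "krbtgt", "enc_type": "0x12", "src": "10.0.0.7"},
    {"account": "bob@CORP.LOCAL", "service": "FS01$", "enc_type": "0x12", "src": "10.0.0.9"},
    {"account": "bob@CORP.LOCAL", "service": "svc_sql", "enc_type": "0x17", "src": "10.0.0.9"},
]


def classify_process(event):
    """Return the names of every PROCESS_RULES pattern matching the command line."""
    return [name for name, rx in PROCESS_RULES.items() if rx.search(event["cmdline"])]


def detect_process_events(events):
    """Emit one alert per (event, matched rule), preserving event order."""
    alerts = []
    for ev in events:
        for rule in classify_process(ev):
            alerts.append({"rule": rule, "host": ev["host"], "user": ev["user"],
                           "cmdline": ev["cmdline"]})
    return alerts


def detect_kerberoasting(events, threshold=3):
    """Flag accounts that request RC4 (0x17) service tickets for at least
    `threshold` distinct user-style service accounts.

    Machine accounts (trailing '$') and krbtgt are excluded: they are normal
    RC4 consumers in many domains and would drown the signal.
    """
    requested = {}
    for ev in events:
        if ev["enc_type"].lower() != "0x17":
            continue
        svc = ev["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        requested.setdefault(ev["account"], set()).add(svc)
    return {acct: sorted(svcs) for acct, svcs in requested.items()
            if len(svcs) >= threshold}


if __name__ == "__main__":
    for alert in detect_process_events(PROCESS_EVENTS):
        print(f"[{alert['rule']}] {alert['host']} {alert['user']}: {alert['cmdline']}")
    for acct, svcs in detect_kerberoasting(KERBEROS_EVENTS).items():
        print(f"[kerberoasting] {acct} requested RC4 tickets for {', '.join(svcs)}")
```

The process rules are deliberately split by behaviour so a single host emitting shadow copy deletion plus an archiver or transfer tool in a short window can be scored higher than either signal alone; the Kerberoasting threshold is a starting point to tune against a baseline of normal RC4 ticket requests in the environment before enforcing it.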

Known Aliases

  1. Akira Ransomware (Google GTI, CISA, Fortinet)
  2. GOLD SAHARA (Secureworks)
  3. PUNK SPIDER (Fortinet)
  4. Conti (Google GTI / General Industry)
  5. Wizard Spider (Google GTI)
  6. TrickBot (Google GTI)
  7. Diavol (CrowdStrike, Trend Micro)

Akira is linked to former Conti affiliates, part of the broader Wizard Spider cybercrime ecosystem. Shared tooling, infrastructure, and personnel overlap with Conti and related groups such as Diavol and TrickBot have been documented.

Similar Threat Actor Groups

  • Conti affiliates who rebranded or joined other ransomware operations such as Diavol.
  • Other post-RaaS groups like REvil and BlackMatter, showing similar affiliate dispersal and code reuse.
  • FIN12, another financially motivated group with ties to Conti affiliates.

Breaches Involving This Threat Actor

  • October 2023: Stanford University data breach claimed by Akira.
  • January 2024: Cloud provider Tietoevry attacked by Akira, affecting multiple Swedish companies.
  • March 2024: Nissan Oceania ransomware attack attributed to Akira.
  • November 2024: Akira published data of 35+ victims in a single day.

Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps

(Subscribers Only)
