Akira Ransomware Targets Over 250 Organizations, Extracts $42 Million in Ransom Payments \u2013 New CISA Report
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A new advisory from the Cybersecurity and Infrastructure Security Agency reveals that Akira ransomware has become one of the most active threats targeting businesses worldwide.<\/p>\n
Since March 2023, this ransomware group has impacted more than 250 organizations across North America, Europe, and Australia, amassing approximately $244.17 million in ransom proceeds as of late September 2025.<\/p>\n
The threat actors behind Akira have connections to the defunct Conti ransomware group. Akira ransomware primarily targets small and medium-sized businesses across multiple sectors.<\/p>\n
The group shows a strong preference for manufacturing, educational institutions, information technology, healthcare, and financial services sectors.<\/p>\n
The threat actors gain initial access through virtual private network services without multi-factor authentication configured, exploiting known vulnerabilities in Cisco products.<\/p>\n
CISA security analysts identified<\/a> that Akira threat actors have continuously evolved their attack methods throughout 2024 and 2025.<\/p>\n The ransomware initially appeared as a Windows-specific C++ variant that encrypted files with the .akira extension.<\/p>\n By April 2023, the group deployed a Linux variant targeting VMware ESXi<\/a> virtual machines. In August 2023, they introduced the Megazord encryptor, a Rust-based tool that appends a .powerranges extension to encrypted files.<\/p>\n In June 2025, Akira threat actors successfully encrypted Nutanix AHV virtual machine disk files by exploiting CVE-2024-40766, a SonicWall vulnerability.<\/p>\n The ransomware employs a sophisticated hybrid encryption scheme that combines a ChaCha20 stream cipher with an RSA public-key cryptosystem for fast, secure key exchange.<\/p>\n Akira operates using a double-extortion model that combines data encryption with threats to leak sensitive information.<\/p>\n After gaining initial access, the threat actors establish persistence by creating new domain accounts and using credential-scraping tools such as Mimikatz and LaZagne to harvest passwords.<\/p>\n They leverage legitimate remote access tools such as AnyDesk<\/a> and LogMeIn to maintain access while blending in with regular administrator activity.<\/p>\n For data exfiltration, the group uses tools such as FileZilla<\/a>, WinSCP, and RClone to transfer stolen data to cloud storage services before encrypting it.<\/p>\n To inhibit system recovery, the Akira<\/a> encryptor uses PowerShell commands to delete Volume Shadow Copy Service copies on Windows systems.<\/p>\n The ransom note appears as fn.txt or akira_readme.txt and provides victims with instructions to contact the threat actors through a .onion URL accessible via the Tor network, with payments demanded in Bitcoin.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Akira Ransomware Targets Over 250 Organizations, Extracts $42 Million in Ransom Payments \u2013 New CISA Report<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nDouble Extortion and Persistence Tactics<\/strong><\/h2>\n