Akira updates its arsenal, extorts $250 million in ransomware proceeds


Akira, the second most active ransomware gang, has expanded its capabilities. It has introduced a new ransomware variant and has been attacking small and medium-sized businesses, claiming over 620 victims this year.

By late September 2025, the Akira ransomware group had claimed approximately $244.17 million (USD) in ransomware proceeds. The extorted sum rose more than fivefold from the previous estimate, made in April of last year.

The threat actors have updated their cyberweapon arsenal and are using a new Akira_v2 ransomware variant that encrypts faster and further inhibits system recovery.


Increased activity prompted the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and other authorities to issue a joint updated advisory, alerting defenders about the gang’s novel tactics.

“Akira ransomware doesn’t just steal money – it disrupts the systems that power our hospitals, schools, and businesses,” said Brett Leatherman, FBI Cyber Division Assistant Director.


“Behind every compromised network, you’ll find real people and communities harmed by callous cyber criminals.”

Among the 298 ransomware groups tracked by ransomware.live, Akira is currently the second most active, with 620 victims claimed in 2025 alone. It trails only Qilin, the most dangerous variant, which targeted 812 victims this year.

Rising danger

CISA warns that Akira presents an imminent threat to critical infrastructure and all organizations.

“We urge every organization, large or small, to follow the guidance released today and take steps now to protect their organizations against ransomware threats,” said Nick Andersen, Executive Assistant Director for the Cybersecurity Division (CSD) at CISA.

[Image: akira-ransomware] Image by Cybernews.

Akira’s affiliates primarily target small and medium-sized businesses. However, they’ve also impacted large organizations in the past. The cybercriminals prefer the manufacturing, education, information technology, healthcare, public health, financial services, and food and agriculture sectors.

It seems that Akira is pivoting hard to target cloud infrastructure. This summer, it encrypted Nutanix AHV virtual machine disk files for the first time, expanded its capabilities beyond VMware ESXi and Hyper-V, exploited a SonicWall vulnerability, and gained access to VPN products.

How does Akira operate?

To gain initial access, Akira exploits vulnerabilities in edge devices and backup servers. It employs multiple techniques, including authentication bypass, cross-site scripting, buffer overflow, compromised credentials, and brute-force attacks. Victims with unpatched systems, particularly those without multi-factor authentication (MFA), are the first to fall.

Once inside the victim’s network, Akira establishes persistence by creating new domain accounts to abuse the functions of domain controllers, which manage all users, computers, and permissions.


Defenders note that the hackers often create an admin account named “itadm.” Recently, they’ve been abusing nltest, a legitimate Windows command-line tool, for network and domain discovery. To run remote commands, cybercriminals leveraged Impacket, an open-source tool designed for network protocol manipulation.

To stay undetected, Akira will simply uninstall endpoint detection and response (EDR) systems.

“Threat actors use remote management and monitoring tools such as AnyDesk and LogMeIn to mimic administrator activity, and modify firewall settings, terminate antivirus processes, and uninstall EDR systems,” CISA explains.


To stay in control, Akira hackers create more fake user accounts and give them administrator privileges. In one case, they bypassed Virtual Machine Disk (VMDK) protection by temporarily shutting down the domain controller, copying the VMDK files, and then attaching them to a newly created virtual machine, which allowed them to extract highly privileged credentials.

[Image: akira-screenshot] Image by Cybernews.

Akira utilizes common remote access tools and protocols, including RDP, SSH, and stolen Kerberos authentication tickets, to move laterally. For command and control, the hackers rely on tunnels to bypass perimeter monitoring. Lately, they’ve been using Ngrok to establish encrypted sessions.

“In some incidents, Akira threat actors exfiltrated data in just over two hours from initial access,” CISA warns.

Akira’s encryptors use a hybrid encryption scheme to lock data. The new Akira_v2 variant leaves encrypted files with one of several extensions: .akira, .powerranges, .akiranew, or .aki. Ransom notes, named “fn.txt” or “akira_readme.txt”, appear in the root directory (C:) and in each user’s home directory.
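The indicators the advisory coverage above names (the “itadm” admin account, nltest for domain discovery, AnyDesk and LogMeIn for remote control, Ngrok for tunnelling, and the Akira_v2 file extensions and ransom-note names) can be turned into a simple host-log and file-artifact triage. The script below is an added example and is not code from the article, the advisory, or any vendor tool. The log lines and file paths are constructed; the key=value log format, the host names, and the executable names for the remote tools (anydesk.exe, logmein.exe, ngrok.exe) are assumptions. Windows Security event IDs 4720 (account created), 4728 and 4732 (group membership added) and Sysmon event ID 1 (process creation) are used as the record types.

```python
import ntpath
import re
from collections import defaultdict

# Indicators taken from the coverage above.
SUSPECT_ACCOUNT = "itadm"
DISCOVERY_BINARIES = {"nltest.exe"}
# Assumed executable names for the RMM and tunnelling tools the advisory names.
REMOTE_TOOL_BINARIES = {"anydesk.exe", "logmein.exe", "ngrok.exe"}
ENCRYPTED_EXTENSIONS = {".akira", ".powerranges", ".akiranew", ".aki"}
RANSOM_NOTE_NAMES = {"fn.txt", "akira_readme.txt"}

# Constructed sample records in an assumed key=value format (not real logs).
SAMPLE_LOGS = [
    r'EventID=4720 Host=DC01 SubjectUser=svc_backup TargetUser=itadm',
    r'EventID=4728 Host=DC01 TargetUser=itadm Group="Domain Admins"',
    r'EventID=1 Host=WS07 User=itadm Image=C:\Windows\System32\nltest.exe CommandLine="nltest /dclist:corp"',
    r'EventID=1 Host=WS07 User=itadm Image=C:\Users\Public\ngrok.exe CommandLine="ngrok tcp 3389"',
    r'EventID=1 Host=WS07 User=jdoe Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe"',
    r'EventID=1 Host=WS09 User=itadm Image=C:\ProgramData\AnyDesk\AnyDesk.exe CommandLine="AnyDesk.exe --silent"',
]

# Constructed file paths as a file-integrity job or EDR sweep might report them.
SAMPLE_FILES = [
    r"C:\fn.txt",
    r"C:\Users\jdoe\akira_readme.txt",
    r"C:\Users\jdoe\Documents\report.docx.akira",
    r"C:\Shares\finance\q3.xlsx.powerranges",
    r"C:\Users\jdoe\Documents\notes.txt",
]

# key=value pairs; a quoted value may contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def triage_events(lines):
    """Return (rule, host, detail) tuples for records matching an Akira TTP."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        host = ev.get("Host", "?")
        image = ntpath.basename(ev.get("Image", "")).lower()
        target = ev.get("TargetUser", "").lower()
        if eid == "4720" and target == SUSPECT_ACCOUNT:
            hits.append(("account_created", host, target))
        elif eid in {"4728", "4732"} and target == SUSPECT_ACCOUNT:
            hits.append(("privileged_group_add", host, ev.get("Group", "")))
        elif eid == "1" and image in DISCOVERY_BINARIES:
            hits.append(("domain_discovery", host, ev.get("CommandLine", "")))
        elif eid == "1" and image in REMOTE_TOOL_BINARIES:
            hits.append(("remote_tool_or_tunnel", host, image))
    return hits


def correlated_hosts(hits):
    """Hosts on which two or more distinct rules fired: a likely intrusion chain."""
    rules_by_host = defaultdict(set)
    for rule, host, _ in hits:
        rules_by_host[host].add(rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= 2)


def scan_paths(paths):
    """Split file paths into Akira_v2 encrypted files and ransom notes."""
    result = {"encrypted": [], "ransom_notes": []}
    for path in paths:
        name = ntpath.basename(path).lower()
        ext = ntpath.splitext(name)[1]
        if ext in ENCRYPTED_EXTENSIONS:
            result["encrypted"].append(path)
        elif name in RANSOM_NOTE_NAMES:
            result["ransom_notes"].append(path)
    return result


if __name__ == "__main__":
    hits = triage_events(SAMPLE_LOGS)
    for rule, host, detail in hits:
        print(f"{host:6} {rule:22} {detail}")
    print("hosts with multiple stages:", correlated_hosts(hits))
    artifacts = scan_paths(SAMPLE_FILES)
    print("encrypted files:", artifacts["encrypted"])
    print("ransom notes:", artifacts["ransom_notes"])
```

Run against the constructed records, the script flags the account creation and Domain Admins addition on DC01, the nltest and Ngrok executions on WS07, and the AnyDesk launch on WS09, and it reports DC01 and WS07 as hosts with more than one stage of the chain. The file sweep separates the two encrypted files from the two ransom notes. In a real deployment the parser would be replaced by the SIEM's own field extraction and the executable list extended to whatever RMM software the organization does not sanction.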

The updated advisory includes the full list of identified indicators of compromise, leveraged tools, and other tactics.

While Akira’s tactics are new, the recommended mitigation strategies remain the same. The first is to prioritize patching known exploited vulnerabilities and keep all systems up to date. The second is to require MFA for all services.

“CISA and its partners strongly encourage organizations to apply patches for known vulnerabilities, especially those affecting VPN products and backup servers, and enforce multifactor authentication for all remote access services,” CISA said.

Established in 2023, Akira operates as a ransomware-as-a-service (RaaS). The gang, known for multi-extortion tactics, is named after a Japanese cyberpunk manga.
