Akira
G10246 reportsAnalyst assessment — key judgments
- Signature techniques: T1588.006 (Vulnerabilities), T1588.007 (Artificial Intelligence), T1684 (Social Engineering).
- Primary targeting: US, MX, IR, DE.
- Steady activity: 2 report(s) in last 30d vs 1 prior (+100%).
- Hunt coverage 62% of 26 observed techniques (10 gap(s)).
- Assessment confidence: medium (60).
Activity & trend
Movement — last 30 days
Vulnerabilities in this actor's reporting · 20
- CVE-2019-6693KEV1 rpt
- CVE-2021-27877KEV1 rpt
- CVE-2021-27878KEV1 rpt
- CVE-2021-40539KEV1 rpt
- CVE-2023-4966KEV1 rpt
- CVE-2024-21762KEV1 rpt
- CVE-2024-3400KEV1 rpt
- CVE-2024-37085KEV1 rpt
- CVE-2024-40766KEV1 rpt
- CVE-2024-55591KEV1 rpt
- CVE-2025-31161KEV1 rpt
- CVE-2025-31324KEV1 rpt
- CVE-2025-53770KEV1 rpt
- CVE-2025-61882KEV1 rpt
- CVE-2025-8088KEV1 rpt
- CVE-2026-34926KEV1 rpt
- CVE-2026-41091KEV1 rpt
- CVE-2026-45498KEV1 rpt
- CVE-2026-9082KEV1 rpt
- CVE-2025-537711 rpt
Overview
Akira is a ransomware variant and ransomware deployment entity active since at least March 2023.(Citation: Arctic Wolf Akira 2023) Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.(Citation: Arctic Wolf Akira 2023)(Citation: Secureworks GOLD SAHARA) Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMWare ESXi hypervisors and multiple overlaps with Conti ransomware.(Citation: BushidoToken Akira 2023)(Citation: CISA Akira Ransomware APR 2024)(Citation: Cisco Akira Ransomware OCT 2024)
ATT&CK technique matrix
- T1588.006 · Vulnerabilitiesconf 653
- T1588.007 · Artificial Intelligenceconf 602
- T1684 · Social Engineeringconf 602
- T1589.001 · Credentialsconf 602
- T1608.006 · SEO Poisoningconf 652
- T1584.008 · Network Devicesconf 601
- T1053.005 · Scheduled Taskconf 601
- T1047 · Windows Management Instrumentationconf 601
- T1213.002 · Sharepointconf 601
- T1059.007 · JavaScriptconf 601
- T1583.008 · Malvertisingconf 601
- T1003.002 · Security Account Managerconf 601
Threat catalogue · engineering roadmap
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
Relationships
Activity
| Title | Source | Severity | Collected |
|---|