Akira Group Racks Up $244 Million as Agencies Warn of New Tactics
That's quite a haul. The Akira ransomware group, active since at least March 2023, has already managed to squeeze over $244 million from its victims. This data comes from the latest updated joint advisory issued by government agencies from the US, France, Germany, and the Netherlands.
The Akira hackers were previously known mainly for their attacks on VMware ESXi servers, targeting businesses and critical infrastructure in North America, Europe, and Australia. However, it seems they aren't resting on their laurels.
New Arsenal and New Targets
In 2025, the group significantly expanded its toolkit. The report indicates that in a June 2025 attack, the perpetrators encrypted Nutanix Acropolis Hypervisor (AHV) virtual machine disk files. Furthermore, they are actively exploiting a vulnerability in SonicWall firewalls (CVE-2024-40766).
Their list of "favorite" vulnerabilities used for initial access has also grown. It now includes:
- CVE-2020-3580 (Cisco ASA and FTD)
- CVE-2023-28252 (Windows)
- CVE-2024-37085 (VMware ESXi)
- CVE-2023-27532 and CVE-2024-40711 (both in Veeam Backup & Replication)
How Do the Akira Hackers Operate?
Besides exploiting the vulnerabilities listed above, Akira also gets into victim networks through more traditional methods. These include using stolen credentials for SonicWall appliances, buying access from other cybercriminals (access brokers), or classic brute-forcing of VPN endpoints. They also employ password spraying techniques, using tools like SharpDomainSpray.
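The two credential attacks just named, password spraying and VPN brute forcing, leave different fingerprints in the same authentication log, and a detector that only counts failures per account misses the spray. The following is an added example written for this article (not code from the advisory or from any of the agencies behind it) that parses a constructed VPN authentication log, flags a source that fails against many distinct accounts in a short window (spray), flags a source that hammers one account (brute force), and then lists any successful login from a flagged source, which is the event to triage first. The log format, the sample lines and the thresholds are assumptions.

```python
"""Added example (not from the advisory): spotting password spraying and VPN
brute force in VPN authentication logs. Log format and sample lines are
constructed for this illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> vpn auth <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) vpn auth (OK|FAIL) user=(\S+) src=(\S+)$")

# Constructed sample log (not real traffic). 203.0.113.7 tries six different
# accounts once each (spray) and then gets one success; 198.51.100.9 hammers
# a single account (brute force); 192.0.2.44 is an ordinary typo-then-success.
SAMPLE_LOG = """\
2025-06-01T08:00:01 vpn auth FAIL user=alice src=203.0.113.7
2025-06-01T08:00:03 vpn auth FAIL user=bob src=203.0.113.7
2025-06-01T08:00:05 vpn auth FAIL user=carol src=203.0.113.7
2025-06-01T08:00:07 vpn auth FAIL user=dave src=203.0.113.7
2025-06-01T08:00:09 vpn auth FAIL user=erin src=203.0.113.7
2025-06-01T08:00:11 vpn auth FAIL user=frank src=203.0.113.7
2025-06-01T08:00:13 vpn auth OK user=grace src=203.0.113.7
""" + "".join(
    f"2025-06-01T08:05:{i:02d} vpn auth FAIL user=admin src=198.51.100.9\n"
    for i in range(12)
) + """\
2025-06-01T09:00:00 vpn auth FAIL user=alice src=192.0.2.44
2025-06-01T09:00:30 vpn auth OK user=alice src=192.0.2.44
"""


def parse_events(text):
    """Turn log text into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "ok": result == "OK",
                           "user": user, "src": src})
    return sorted(events, key=lambda e: e["ts"])


def _failures_by(events, key):
    """Group failed attempts by key(event); values keep time order."""
    groups = defaultdict(list)
    for e in events:
        if not e["ok"]:
            groups[key(e)].append(e)
    return groups


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """One source failing against many *distinct* accounts inside the window.
    Per-account lockout never trips because each account sees only a few tries."""
    alerts = {}
    for src, fails in _failures_by(events, lambda e: e["src"]).items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = alerts.get(src, set()) | users
    return alerts


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=10):
    """One source failing repeatedly against the *same* account inside the window."""
    alerts = set()
    for key, fails in _failures_by(events, lambda e: (e["src"], e["user"])).items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= min_failures:
                alerts.add(key)
                break
    return alerts


def successes_from_flagged_sources(events, flagged_sources):
    """A successful login from an already-flagged source is the case to triage
    first: it may mean one of the sprayed passwords worked."""
    return [(e["src"], e["user"]) for e in events
            if e["ok"] and e["src"] in flagged_sources]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    spray = detect_password_spray(evs)
    brute = detect_brute_force(evs)
    flagged = set(spray) | {src for src, _ in brute}
    print("spray:", spray)
    print("brute force:", brute)
    print("successes from flagged sources:", successes_from_flagged_sources(evs, flagged))
```

The spray rule keys on distinct usernames per source rather than failures per account, which is why account lockout alone does not stop it; the window and thresholds should be tuned to the volume of a real VPN concentrator.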
Once inside the network, the real fun begins:
- Reconnaissance: They use Visual Basic (VB) scripts and nltest commands to map the network and domain.
- Lateral Movement: To move through the network and escalate privileges, they use a whole suite of tools: AnyDesk, LogMeIn, RDP, SSH, MobaXterm, and Impacket (wmiexec.py).
- Evasion: Before the main strike, they methodically uninstall EDR (Endpoint Detection and Response) products to operate silently.
- Escalation: They create new user accounts and add them to administrative groups or exploit vulnerabilities in Veeam services.
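Each of the four steps above produces Windows Security events that can be correlated. The block below is an added example for this article (not code from the advisory) that runs four rules over a constructed, simplified set of events: nltest or a script host running a .vbs file (reconnaissance), the loopback ADMIN$ output redirection that Impacket's wmiexec.py uses (lateral movement), an account that is created and placed in an administrative group within an hour (escalation), and a removal command naming an EDR product (evasion). The event field names, the sample events and the EDR product name are assumptions; "ExampleEDR" is a placeholder.

```python
"""Added example (not from the advisory): correlating Windows Security events
for the post-compromise steps described above. Events are constructed and
simplified (only the fields the rules need); field names are assumptions."""
import re
from datetime import datetime, timedelta

ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
RECON_TOOLS = {"nltest", "nltest.exe"}
SCRIPT_HOSTS = {"cscript", "cscript.exe", "wscript", "wscript.exe"}
# Output redirection used by Impacket's wmiexec.py (publicly documented pattern).
WMIEXEC_RE = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)
# Placeholder: replace with the EDR product names deployed in your environment.
EDR_PRODUCTS = ["ExampleEDR"]

# Constructed events: 4688 = process creation, 4720 = account created,
# 4728/4732 = member added to a global/local security group.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T10:00:00", "id": 4688, "host": "WS01", "subject": "jdoe",
     "cmd": "nltest /dclist:corp"},
    {"ts": "2025-06-01T10:00:20", "id": 4688, "host": "WS01", "subject": "jdoe",
     "cmd": "cscript.exe //nologo enum_hosts.vbs"},
    {"ts": "2025-06-01T10:02:00", "id": 4688, "host": "DC01", "subject": "jdoe",
     "cmd": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1748772120.5 2>&1"},
    {"ts": "2025-06-01T10:05:00", "id": 4720, "host": "DC01", "subject": "jdoe",
     "target": "svc_backup2"},
    {"ts": "2025-06-01T10:05:30", "id": 4728, "host": "DC01", "subject": "jdoe",
     "member": "svc_backup2", "group": "Domain Admins"},
    {"ts": "2025-06-01T10:10:00", "id": 4688, "host": "WS02", "subject": "alice",
     "cmd": "notepad.exe report.txt"},
    {"ts": "2025-06-01T10:30:00", "id": 4688, "host": "WS01", "subject": "svc_backup2",
     "cmd": 'msiexec.exe /x "ExampleEDR Sensor" /qn'},
    # Benign: a new hire created and added to a non-admin group the next day.
    {"ts": "2025-06-01T11:00:00", "id": 4720, "host": "DC01", "subject": "hr_admin",
     "target": "newhire"},
    {"ts": "2025-06-02T09:00:00", "id": 4728, "host": "DC01", "subject": "hr_admin",
     "member": "newhire", "group": "Sales"},
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _exe(cmd):
    """Bare executable name from a command line (path stripped, lower-cased)."""
    return cmd.split()[0].lower().rsplit("\\", 1)[-1]


def find_recon_commands(events):
    """nltest, or a script host running a .vbs file: the domain-mapping step."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        exe = _exe(e["cmd"])
        if exe in RECON_TOOLS or (exe in SCRIPT_HOSTS and ".vbs" in e["cmd"].lower()):
            hits.append((e["host"], e["subject"], e["cmd"]))
    return hits


def find_wmiexec_commands(events):
    """Command lines whose output is redirected into ADMIN$ via the loopback path."""
    return [(e["host"], e["subject"], e["cmd"]) for e in events
            if e["id"] == 4688 and WMIEXEC_RE.search(e["cmd"])]


def find_fresh_admin_accounts(events, window=timedelta(hours=1)):
    """Account created (4720) and placed in an admin group (4728/4732) within the window."""
    created = {e["target"]: _ts(e) for e in events if e["id"] == 4720}
    alerts = []
    for e in sorted(events, key=_ts):
        if e["id"] not in (4728, 4732) or e["group"] not in ADMIN_GROUPS:
            continue
        born = created.get(e["member"])
        if born is not None and timedelta(0) <= _ts(e) - born <= window:
            alerts.append((e["member"], e["group"], e["subject"]))
    return alerts


def find_edr_uninstalls(events, products=EDR_PRODUCTS):
    """msiexec /x or an 'uninstall' verb on a command line naming an EDR product."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        low = e["cmd"].lower()
        removal = "/x" in low.split() or "uninstall" in low
        if removal and any(p.lower() in low for p in products):
            hits.append((e["host"], e["subject"], e["cmd"]))
    return hits


if __name__ == "__main__":
    for name, rule in [("recon", find_recon_commands), ("wmiexec", find_wmiexec_commands),
                       ("fresh admin", find_fresh_admin_accounts),
                       ("edr uninstall", find_edr_uninstalls)]:
        print(name, rule(SAMPLE_EVENTS))
```

The created-then-promoted rule is the one with the best signal-to-noise: legitimate provisioning rarely puts a brand-new account into Domain Admins within the hour, whereas a lone nltest call needs the surrounding context to be worth an analyst's time.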
The report also describes one particularly clever technique. To bypass Virtual Machine Disk (VMDK) file protection, the attackers temporarily powered down the domain controller's virtual machine, copied the VMDK files, and then attached them to a new VM they created. This allowed them to extract the NTDS.dit file and the SYSTEM hive, leading directly to the compromise of a domain administrator's account.
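The offline-disk technique never touches the domain controller's operating system, so host-based controls on the DC see nothing; the evidence is in the hypervisor's audit trail. The block below is an added example for this article (not code from the advisory or from any hypervisor vendor) that applies two rules to constructed hypervisor events: a general rule that flags any disk attached to a VM other than the one whose datastore folder holds it, and a targeted rule that flags a tier-0 VM being powered off and its disk files copied or attached elsewhere within a window. The event shape, the datastore path convention and the list of tier-0 VMs are assumptions.

```python
"""Added example (not from the advisory): hypervisor audit-log rules for the
offline VMDK technique described above. Event shape and sample data are
constructed; the inventory of tier-0 VMs is an assumption."""
import re
from datetime import datetime, timedelta

TIER0_VMS = {"DC01"}  # assumed inventory: VMs that hold domain controller roles

# Constructed events. "disk"/"src"/"dst" are datastore paths of the assumed form
# "[datastore] <vm folder>/<file>.vmdk".
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T02:10:00", "action": "vm.poweroff", "vm": "DC01", "user": "ops\\jdoe"},
    {"ts": "2025-06-10T02:12:00", "action": "file.copy", "user": "ops\\jdoe",
     "src": "[ds1] DC01/DC01.vmdk", "dst": "[ds1] scratch/DC01-copy.vmdk"},
    {"ts": "2025-06-10T02:14:00", "action": "vm.create", "vm": "tmp-vm-1", "user": "ops\\jdoe"},
    {"ts": "2025-06-10T02:15:00", "action": "disk.attach", "vm": "tmp-vm-1", "user": "ops\\jdoe",
     "disk": "[ds1] scratch/DC01-copy.vmdk"},
    {"ts": "2025-06-10T02:40:00", "action": "vm.poweron", "vm": "DC01", "user": "ops\\jdoe"},
    # Routine maintenance on a non-tier-0 VM: its own disk, same VM, not flagged.
    {"ts": "2025-06-11T09:00:00", "action": "vm.poweroff", "vm": "WEB03", "user": "ops\\alice"},
    {"ts": "2025-06-11T09:05:00", "action": "disk.attach", "vm": "WEB03", "user": "ops\\alice",
     "disk": "[ds1] WEB03/WEB03_1.vmdk"},
    {"ts": "2025-06-11T09:06:00", "action": "vm.poweron", "vm": "WEB03", "user": "ops\\alice"},
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def vmdk_owner(path):
    """VM folder a datastore path lives in, e.g. '[ds1] DC01/DC01.vmdk' -> 'DC01'."""
    m = re.search(r"\]\s*([^/]+)/", path)
    return m.group(1) if m else None


def detect_foreign_disk_attach(events):
    """General rule: a disk attached to a VM other than the one whose folder holds it."""
    return [(e["vm"], e["disk"], e["user"]) for e in events
            if e["action"] == "disk.attach" and vmdk_owner(e["disk"]) not in (None, e["vm"])]


def detect_offline_tier0_disk_access(events, window=timedelta(hours=2)):
    """Targeted rule: a tier-0 VM is powered off and, within the window, its disk
    files are copied or attached to another VM (copies made after the power-off
    are tracked so that attaching the copy is caught too)."""
    ordered = sorted(events, key=_ts)
    alerts = []
    for i, off in enumerate(ordered):
        if off["action"] != "vm.poweroff" or off["vm"] not in TIER0_VMS:
            continue
        copies = set()  # paths of copies taken from the powered-off VM's folder
        for later in ordered[i + 1:]:
            if _ts(later) - _ts(off) > window:
                break
            if later["action"] == "file.copy" and vmdk_owner(later["src"]) == off["vm"]:
                copies.add(later["dst"])
                alerts.append((off["vm"], "file.copy", later["dst"], later["user"]))
            elif later["action"] == "disk.attach" and later["vm"] != off["vm"] and (
                    later["disk"] in copies or vmdk_owner(later["disk"]) == off["vm"]):
                alerts.append((off["vm"], "disk.attach", later["vm"], later["user"]))
    return alerts


if __name__ == "__main__":
    print("foreign attach:", detect_foreign_disk_attach(SAMPLE_EVENTS))
    print("offline tier-0 disk access:", detect_offline_tier0_disk_access(SAMPLE_EVENTS))
```

Both rules depend on hypervisor audit events being shipped to a log store the hypervisor administrator cannot silently edit; the same access that allows powering off a domain controller usually allows clearing local hypervisor logs.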
In some cases, the attackers were able to exfiltrate data within just 2 hours of gaining initial access. The final step is encrypting the files (adding .akira, .powerranges, .akiranew, or .aki extensions) and distributing ransom notes.
Akira isn't the only dangerous ransomware group – BlackCat 3.0 is equally destructive and uses similar double extortion tactics. It's also worth understanding zero-day vulnerability mechanisms exploited by most ransomware groups – read our comprehensive guide to 0-day vulnerabilities.
Source: Based on a joint advisory from government agencies (US, France, Germany, Netherlands)
Aleksander
About the Author
Director of Technology at SecurHub.pl
PhD candidate in cognitive neuroscience. Psychologist and IT expert specializing in cybersecurity.