That's quite a haul. The Akira ransomware group, active since at least March 2023, has already managed to squeeze over $244 million from its victims. This data comes from the latest updated joint advisory issued by government agencies from the US, France, Germany, and the Netherlands.
The Akira hackers were previously known mainly for their attacks on VMware ESXi servers, targeting businesses and critical infrastructure in North America, Europe, and Australia. However, it seems they aren't resting on their laurels.
In 2025, the group significantly expanded its toolkit. The report indicates that in a June 2025 attack, the perpetrators encrypted Nutanix Acropolis Hypervisor (AHV) virtual machine disk files. Furthermore, they are actively exploiting a vulnerability in SonicWall firewalls (CVE-2024-40766).
Their list of "favorite" vulnerabilities used for initial access has also grown. It now includes:
Besides exploiting the vulnerabilities listed above, Akira also gets into victim networks through more traditional methods. These include using stolen credentials for SonicWall appliances, buying access from other cybercriminals (access brokers), or classic brute-forcing of VPN endpoints. They also employ password spraying techniques, using tools like SharpDomainSpray.
Once inside the network, the real fun begins:
nltest commands to map the network and domain.

The report also describes one particularly clever technique. To bypass Virtual Machine Disk (VMDK) file protection, the attackers temporarily powered down the domain controller's virtual machine, copied the VMDK files, and then attached them to a new VM they created. This allowed them to extract the NTDS.dit file and the SYSTEM hive, leading directly to the compromise of a domain administrator's account.
In some cases, the attackers were able to exfiltrate data within just 2 hours of gaining initial access. The final step is encrypting the files (adding .akira, .powerranges, .akiranew, or .aki extensions) and distributing ransom notes.
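For defenders, the four extensions above can feed a simple burst detector over file-creation telemetry. The following is an added example, not code from the advisory or from this article; the event format, host names, sample events, threshold and time window are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions named in the article above.
AKIRA_EXTENSIONS = {".akira", ".powerranges", ".akiranew", ".aki"}

def has_akira_extension(path):
    """True if the file's final suffix is one of the listed extensions (case-insensitive)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return dot > 0 and name[dot:].lower() in AKIRA_EXTENSIONS

def find_encryption_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """events: iterable of (iso_timestamp, host, path).
    Returns {host: peak_count} for hosts where at least `threshold` files with a
    listed extension appear inside one sliding `window` (both values are assumptions)."""
    per_host = defaultdict(list)
    for ts, host, path in events:
        if has_akira_extension(path):
            per_host[host].append(datetime.fromisoformat(ts))
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Shrink the window from the left until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[host] = peak
    return alerts

# Constructed sample events (hypothetical hosts and paths, not real telemetry).
SAMPLE_EVENTS = [
    ("2025-06-01T02:00:05", "fs01", r"D:\shares\finance\q1.xlsx.akira"),
    ("2025-06-01T02:00:09", "fs01", r"D:\shares\finance\q2.xlsx.akira"),
    ("2025-06-01T02:00:20", "fs01", r"D:\shares\finance\budget.xlsx"),
    ("2025-06-01T02:00:40", "fs01", r"D:\shares\hr\staff.docx.AKIRANEW"),
    ("2025-06-01T02:01:10", "fs01", "/vmfs/volumes/ds1/app/app.vmdk.powerranges"),
    ("2025-06-01T09:15:00", "ws07", r"C:\Users\kim\notes.aki"),
    ("2025-06-01T14:30:00", "ws07", r"C:\Users\kim\akira.txt"),
]

if __name__ == "__main__":
    for host, count in find_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {count} files with Akira extensions within 5 minutes")
```

A single matching file, as on the constructed host `ws07`, stays below the threshold; the burst requirement is what separates mass encryption from a coincidental file name.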
Akira isn't the only dangerous ransomware group – BlackCat 3.0 is equally destructive and uses similar double extortion tactics. It's also worth understanding zero-day vulnerability mechanisms exploited by most ransomware groups – read our comprehensive guide to 0-day vulnerabilities.
Source: Based on a joint advisory from government agencies (US, France, Germany, Netherlands)
Aleksander

Chief Technology Officer at SecurHub.pl
PhD candidate in neuroscience. Psychologist and IT expert specializing in cybersecurity.