Friday, May 9, 2025

Akira Ransomware Launches New Cyberattacks Using Stolen Credentials and Public Tools

The Akira ransomware group has intensified its operations, targeting over 350 organizations and claiming approximately $42 million USD in ransom proceeds by the beginning of 2024.

This sophisticated cybercriminal group relies on a strategy known as “double extortion”: data is stolen as well as encrypted, and the group threatens to leak it unless a ransom is paid.

Exploitation Techniques and Initial Access

Akira’s usual route to initial access is compromised credentials, often used against VPN services that are not protected by multi-factor authentication.

The group has shown a particular interest in targeting mid-sized businesses, with a focus on sectors such as education, finance, manufacturing, and healthcare in North America, Europe, and Australia.

Their initial access also relies on known vulnerabilities, particularly in Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software, including CVE-2020-3259 and CVE-2023-20269.

The Akira ransomware has evolved from its original C++ code base to include a Rust-based variant named “Megazord,” which encrypts files with the .powerranges extension.

According to the Dark Atlas report, the shift to Rust is an attempt to make the encryption faster and more robust, which makes recovery harder for victims.

The group’s latest variant, Akira_v2, includes advanced features like the ability to insert additional threads for faster encryption, tailored encryption methods based on file type and size, and the use of unique Build IDs to thwart dynamic analysis.

[Image: Akira ransomware group has impacted over 250 organizations]

Data Exfiltration Tactics

Once inside a network, Akira employs a range of publicly available tools for reconnaissance and data exfiltration.

Tools such as Advanced IP Scanner, SoftPerfect Network Scanner, and Nltest are used for network discovery, while legitimate software such as AnyDesk, PuTTY, and RClone provides remote access and moves data to cloud services or FTP servers under the group’s control.

This exfiltration stage is crucial in their double extortion strategy, where they threaten to leak stolen data on the dark web if ransoms are not met.

After establishing persistence by creating new domain accounts, Akira deploys ransomware payloads built for different system architectures within the same attack.

Their encryption process involves a hybrid scheme combining ChaCha20 for speed with RSA for secure key exchange, capable of both full and partial encryption.

Akira also uses PowerShell commands to delete volume shadow copies, hindering system recovery efforts.
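One way to turn the behaviours described in this section into detection logic, as an added example in Python that is not code from the article or from any vendor: it runs simple command-line rules over constructed Windows process-creation events (Sysmon Event ID 1 or Security 4688) and escalates hosts on which more than one stage fires. The executable names assumed for the scanners (advanced_ip_scanner.exe, netscan.exe) are taken from the tools’ usual installers and should be adjusted to your own telemetry.

```python
import re
from typing import Dict, List, Set

# Each rule maps one behaviour the article attributes to Akira to a regex over
# the image path plus command line of a process-creation event. Scanner
# executable names are assumptions, not values from the article.
RULES: Dict[str, re.Pattern] = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|Win32_ShadowCopy.*(\.Delete\(\)|Remove-CimInstance|Remove-WmiObject)",
        re.IGNORECASE),
    "exfil_sync_tool": re.compile(
        r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.IGNORECASE),
    "remote_access_tool": re.compile(r"\banydesk(\.exe)?\b", re.IGNORECASE),
    "network_discovery": re.compile(
        r"\badvanced_ip_scanner(\.exe)?\b|\bnetscan(\.exe)?\b"
        r"|\bnltest(\.exe)?\b.*(/dclist|/domain_trusts)", re.IGNORECASE),
}

def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) pair that matches."""
    findings = []
    for ev in events:
        haystack = f"{ev.get('image', '')} {ev.get('cmdline', '')}"
        for name, pattern in RULES.items():
            if pattern.search(haystack):
                findings.append({"host": ev["host"], "rule": name,
                                 "cmdline": ev.get("cmdline", "")})
    return findings

def hosts_with_chain(findings: List[Dict[str, str]], min_stages: int = 2) -> Dict[str, Set[str]]:
    """Hosts on which several distinct stages fired. RClone or AnyDesk alone
    may be legitimate admin activity; several stages on one host is the stronger signal."""
    stages: Dict[str, Set[str]] = {}
    for f in findings:
        stages.setdefault(f["host"], set()).add(f["rule"])
    return {h: s for h, s in stages.items() if len(s) >= min_stages}

# Constructed sample telemetry, not real victim data.
SAMPLE_EVENTS = [
    {"host": "FS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "image": r"C:\Users\svc\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance remote:bucket --transfers 16"},
    {"host": "WS07", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe --service"},
    {"host": "DC01", "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dclist:corp.example"},
    {"host": "WS02", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
]
```

Running `detect(SAMPLE_EVENTS)` yields four findings and `hosts_with_chain(...)` singles out FS01, where both shadow-copy deletion and an RClone transfer were seen; the benign notepad event on WS02 produces nothing.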

Between November 13 and 14, Akira posted more than 30 new victims on its data leak site, its highest single-day activity since operations began.

[Image: Akira ransomware data leak site]

This escalation indicates an aggressive expansion of their operations, with a notable impact on sectors critical to both economy and security.

The group’s activities have been associated with cybercrime groups like GOLD SAHARA and PUNK SPIDER, indicating a broad and possibly expanding network of affiliates or operators.

The continuous adaptation by Akira underscores the critical need for robust cybersecurity measures, including multi-factor authentication for VPN access and regular backups of critical data.

Organizations must remain vigilant and proactive in their defense strategies to mitigate the growing threat from groups like Akira.

Indicators of Compromise (IOC):

File Name    | SHA-256 Hash                                                     | Description
w.exe        | d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca | Akira ransomware
Win.exe      | dcfa2800754e5722acf94987bb03e814edcb9acebda37df6da1987bf48e5b05e | Akira ransomware encryptor
AnyDesk.exe  | bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138 | Remote desktop application
VeeamHax.exe | aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d | Credential leaking tool
Akira_v2     | 3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75, 0ee1d284ed663 (second hash truncated in the source) | Akira_v2 ransomware
Megazord     | ffd9f58e5fe8502249c67cad0123ceeeaa6e9f69b4ec9f9e21511809849eb8fc, dfe6fddc67bdc (second hash truncated in the source) | Akira “Megazord” ransomware

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.