Akira Ransomware Haul Surpasses $244M in Illicit Proceeds

Akira ransomware operators had claimed approximately $244.17m in ransom proceeds as of late September 2025.

This is according to an updated joint cybersecurity advisory published on November 13 by US government agencies and international partners, which noted that in some incidents Akira threat actors exfiltrated data just over two hours after initial access.

Akira Exploits SonicWall Vulnerabilities

In June 2025, Akira ransomware operators demonstrated a significant evolution in their tactics by encrypting Nutanix AHV virtual machine disk files for the first time, the advisory noted.

This marks a departure from their previous focus on VMware ESXi and Hyper-V environments.

The ransomware group leveraged the SonicWall SonicOS vulnerability CVE-2024-40766 to gain the access needed to carry out the attack.

The update confirms earlier reporting from several threat detection providers that Akira was compromising even patched SonicWall devices.

Akira threat actors gain access to VPN products, such as SonicWall, by stealing login credentials or exploiting vulnerabilities.

The group also buys compromised VPN credentials from initial access brokers (IABs). The advisory further notes that brute-forcing of VPN endpoints and password spraying have been used to obtain account credentials.
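The two credential-guessing techniques mentioned here leave different footprints in VPN authentication logs: a spray is one source failing against many accounts a few times each, while classic brute force is many failures against one account. The script below is an added example, not code from the advisory or from SonicWall; the "timestamp vpn-auth result user= src=" log layout, the usernames and the addresses are constructed for the example and are not any vendor's real format. It keeps a sliding window of failures per source and, most usefully, flags a successful login from a source that is already spraying or brute-forcing.

```python
"""Password-spray and brute-force detection over VPN authentication logs.

Added example, not code from the advisory or from SonicWall: the log line
layout, usernames and addresses below are constructed for the example."""

import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+vpn-auth\s+(?P<result>ok|fail)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s*$"
)

# Constructed sample: one spraying source that eventually lands a login, one
# brute-forcing source, and one user mistyping a password twice.  The
# 203.0.113.0/24 and 198.51.100.0/24 ranges are reserved for documentation.
SAMPLE_LOG = """\
2025-11-02T03:00:01 vpn-auth fail user=alice src=203.0.113.7
2025-11-02T03:00:04 vpn-auth fail user=bob src=203.0.113.7
2025-11-02T03:00:07 vpn-auth fail user=carol src=203.0.113.7
2025-11-02T03:00:10 vpn-auth fail user=dave src=203.0.113.7
2025-11-02T03:00:13 vpn-auth fail user=erin src=203.0.113.7
2025-11-02T03:00:16 vpn-auth fail user=frank src=203.0.113.7
2025-11-02T03:00:19 vpn-auth ok user=grace src=203.0.113.7
2025-11-02T08:12:00 vpn-auth fail user=helen src=10.0.0.5
2025-11-02T08:12:20 vpn-auth fail user=helen src=10.0.0.5
2025-11-02T08:12:41 vpn-auth ok user=helen src=10.0.0.5
""" + "".join(
    f"2025-11-02T03:05:{i:02d} vpn-auth fail user=jsmith src=198.51.100.9\n"
    for i in range(0, 40, 4)
)


def parse_lines(lines):
    """Parse log lines into dicts sorted by time; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"].lower(), "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def classify_sources(events, window_minutes=10, spray_users=5, brute_attempts=10):
    """Return {src: verdict} for every source that sprayed or brute-forced.

    A sliding window of recent failures is kept per source:
      spray - failures against >= spray_users distinct accounts inside the window
      brute - >= brute_attempts failures against one account inside the window
    success_after_failures lists accounts that then logged in from a flagged source."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures inside the window
    verdicts = defaultdict(lambda: {"spray": False, "brute": False, "success_after_failures": []})

    for ev in events:
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop failures that have aged out of the window
        v = verdicts[ev["src"]]
        if ev["result"] == "fail":
            q.append((ev["ts"], ev["user"]))
            per_user = Counter(u for _, u in q)
            if len(per_user) >= spray_users:
                v["spray"] = True
            if max(per_user.values()) >= brute_attempts:
                v["brute"] = True
        elif v["spray"] or v["brute"]:
            # A success from a source already in either state is the event to act on.
            v["success_after_failures"].append(ev["user"])

    return {src: v for src, v in verdicts.items() if v["spray"] or v["brute"]}


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_lines(SAMPLE_LOG.splitlines())).items():
        print(src, verdict)
```

The thresholds are deliberately parameters: a small organization may tune `spray_users` down, and a large one will want the window widened, since sprays against MFA-protected portals are often slowed to a handful of attempts per hour per account.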

SonicWall has previously urged customers who imported configuration settings from Gen 6 to newer firewalls to update to SonicOS 7.3, which has built-in protection against brute-force password and multi-factor authentication (MFA) bypass attacks, and to reset the local user passwords carried over in the migrated configuration, since a firmware update alone does not invalidate credentials that may already have been stolen.

Akira Targets SSH and Veeam to Breach Networks

In other incidents, indicators suggested that Akira threat actors gained initial access over the Secure Shell (SSH) protocol via an internet-reachable router, the advisory noted.

After tunneling through the compromised router, Akira threat actors exploit publicly known vulnerabilities, such as those in the Veeam Backup & Replication component of unpatched Veeam backup servers.

The criminal group also leverages remote access tools, such as AnyDesk and LogMeIn, to maintain persistence and pivot laterally once inside a network. Because these are legitimate administration tools, the activity blends in with that of administrators.

Akira threat actors use Impacket, an open source collection of Python classes for working with network protocols, to run its wmiexec.py script, which executes commands on remote hosts over Windows Management Instrumentation (WMI). To evade detection, they uninstall endpoint detection and response (EDR) agents.

Akira has also been observed by the organizations authoring the advisory creating new user accounts and adding them to the administrator group to establish a foothold in the environment.
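Both of the behaviours just described leave records in the Windows Security log, and both can be caught with simple rules. The script below is an added example, not code from the advisory: it runs two detections over constructed event records that carry the field names of real Security events 4688 (process created), 4720 (user account created) and 4732 (member added to a security-enabled local group), as a SIEM or Get-WinEvent export would present them. Hostnames, SIDs, account names and timestamps are invented. The first rule matches the command-line shape wmiexec.py produces; the second joins a 4720 to a later 4732 on the account SID rather than the name.

```python
"""Detections for Impacket wmiexec.py and for new accounts promoted to an
administrative group, run over constructed Windows Security log records.

Added example, not code from the advisory.  Field names follow the real
4688/4720/4732 events; hosts, SIDs, names and times are invented."""

import re
from datetime import datetime, timedelta

# wmiexec.py runs each command as 'cmd.exe /Q /c <cmd>' through WMI and redirects
# the output to \\127.0.0.1\ADMIN$\__<unix time>, which it then reads back over
# SMB.  The spawning process is therefore the WMI provider host, WmiPrvSE.exe.
WMIEXEC_CMDLINE = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+.*1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE
)
ADMIN_GROUPS = {"administrators", "domain admins"}


def detect_wmiexec(events):
    """Flag 4688 events whose parent is WmiPrvSE.exe and whose command line
    matches the wmiexec.py output-redirect pattern."""
    alerts = []
    for ev in events:
        if ev["EventID"] != 4688:
            continue
        parent = ev.get("ParentProcessName", "").lower()
        cmdline = ev.get("CommandLine", "")
        if parent.endswith("wmiprvse.exe") and WMIEXEC_CMDLINE.search(cmdline):
            alerts.append({"rule": "impacket_wmiexec", "host": ev["Computer"],
                           "time": ev["TimeCreated"], "command": cmdline})
    return alerts


def detect_new_admin_accounts(events, window_minutes=30):
    """Correlate a 4720 with a later 4732 adding the same SID to an admin group.

    In 4720, TargetUserName/TargetSid identify the new account.  In 4732,
    TargetUserName is the *group* and the member is identified by MemberSid,
    so the join is on the SID, which also survives a rename in between."""
    window = timedelta(minutes=window_minutes)
    created = {}  # TargetSid -> the 4720 event that created it
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = ev
        elif ev["EventID"] == 4732 and ev.get("TargetUserName", "").lower() in ADMIN_GROUPS:
            origin = created.get(ev.get("MemberSid"))
            if origin and ev["TimeCreated"] - origin["TimeCreated"] <= window:
                gap = (ev["TimeCreated"] - origin["TimeCreated"]).total_seconds() / 60
                alerts.append({"rule": "new_account_made_admin", "host": ev["Computer"],
                               "account": origin["TargetUserName"], "sid": ev["MemberSid"],
                               "group": ev["TargetUserName"], "by": ev.get("SubjectUserName"),
                               "minutes_between": gap})
    return alerts


T0 = datetime(2025, 11, 1, 2, 14, 0)  # invented start time

# Constructed sample export: one benign process, one wmiexec command, one
# account creation followed by promotion, and one unrelated group change.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "FS01", "TimeCreated": T0,
     "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c backup.bat"},
    {"EventID": 4688, "Computer": "FS01", "TimeCreated": T0 + timedelta(minutes=3),
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1762000000.12 2>&1"},
    {"EventID": 4720, "Computer": "FS01", "TimeCreated": T0 + timedelta(minutes=5),
     "TargetUserName": "svc_backup2", "TargetSid": "S-1-5-21-1-2-3-1105",
     "SubjectUserName": "itadmin"},
    {"EventID": 4732, "Computer": "FS01", "TimeCreated": T0 + timedelta(minutes=9),
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1-2-3-1105",
     "SubjectUserName": "itadmin"},
    {"EventID": 4732, "Computer": "FS01", "TimeCreated": T0 + timedelta(minutes=12),
     "TargetUserName": "Remote Desktop Users", "MemberSid": "S-1-5-21-1-2-3-1042",
     "SubjectUserName": "itadmin"},
]

if __name__ == "__main__":
    for alert in detect_wmiexec(SAMPLE_EVENTS) + detect_new_admin_accounts(SAMPLE_EVENTS):
        print(alert)
```

The correlation window matters: the page reports exfiltration in a little over two hours, so an account created and promoted within minutes is exactly the tempo to alert on, while a 4732 for an account created days earlier is routine administration and is left alone here.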

In one incident, the threat actors bypassed the protection a running domain controller's Virtual Machine Disk (VMDK) files enjoy by temporarily powering down the VM, copying the VMDK files, and attaching them to a newly created VM. From the attached disk they extracted the NTDS.dit Active Directory database and the SYSTEM registry hive, which holds the boot key needed to decrypt the password hashes stored in NTDS.dit, ultimately compromising a highly privileged domain administrator account.

Akira ransomware operators are using tunneling tools like Ngrok to establish encrypted command-and-control (C2) channels that evade perimeter monitoring. They also leverage PowerShell and WMIC to disable services and run malicious scripts, enabling deeper system compromise.

Files are locked with a hybrid encryption scheme (the advisory describes a ChaCha20 stream cipher combined with RSA public-key encryption), and the November 13 update notes that encrypted files are appended with an .akira or .powerranges extension, or with .akiranew or .aki.

A ransom note named fn.txt or akira_readme.txt is dropped in both the root of the system drive (C:\) and each user's home directory (under C:\Users).
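The extensions and note names above are the quickest things to sweep a host or a mounted backup image for during triage. The script below is an added example, not from the advisory: it walks a directory tree, counts files carrying any of the four reported extensions, and lists ransom notes by path. To run offline it builds a small constructed tree under a temporary folder standing in for the C: drive; the extension and note names are the advisory's, while the folder layout and file names are invented.

```python
"""Triage sweep for on-disk Akira artefacts: encrypted-file extensions and
ransom notes.  Added example, not from the advisory; the sample tree is
constructed and the file names in it are invented."""

import os
import tempfile
from collections import Counter
from pathlib import Path

AKIRA_EXTENSIONS = {".akira", ".powerranges", ".akiranew", ".aki"}
RANSOM_NOTES = {"fn.txt", "akira_readme.txt"}


def sweep(root):
    """Walk root and return (Counter of encrypted-file extensions, sorted note paths).

    Only the final suffix is tested, so 'budget.xlsx.akira' counts under '.akira';
    matching is case-insensitive because NTFS is."""
    counts = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower in RANSOM_NOTES:
                notes.append(os.path.join(dirpath, name))
            suffix = Path(lower).suffix
            if suffix in AKIRA_EXTENSIONS:
                counts[suffix] += 1
    return counts, sorted(notes)


def build_sample_tree(base):
    """Constructed sample: a mock drive root with one user profile and a file share."""
    for rel in (
        "akira_readme.txt",                        # note in the drive root
        "Users/alice/akira_readme.txt",            # note in a user's home directory
        "Users/alice/Documents/budget.xlsx.akira",
        "Users/alice/Documents/notes.txt.akira",
        "Shares/finance/q3.pdf.powerranges",
        "Shares/finance/README.md",                # untouched file
        "Windows/System32/drivers/etc/hosts",      # untouched file
    ):
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"x")
    return base


def run_demo():
    """Build the sample tree, sweep it, and return results with paths relative to the root."""
    with tempfile.TemporaryDirectory() as tmp:
        counts, notes = sweep(build_sample_tree(tmp))
        return dict(counts), [os.path.relpath(n, tmp) for n in notes]


if __name__ == "__main__":
    counts, notes = run_demo()
    print("encrypted files by extension:", counts)
    print("ransom notes:", notes)
```

Pointing `sweep()` at a mounted snapshot rather than the live volume avoids racing an encryptor that is still running, and the per-extension counts give an early indication of how far encryption had progressed when the host was isolated.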

Mitigation Recommendations

Organizations are encouraged to implement the recommendations in the mitigations section of the cybersecurity advisory to reduce the likelihood and impact of Akira ransomware incidents. These include:

  • Prioritize remediating known exploited vulnerabilities
  • Enable and enforce phishing-resistant multifactor authentication (MFA)
  • Maintain regular backups of critical data, ensure backups are stored offline, and regularly test the restoration process

This joint cybersecurity advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.
