Akira Ransomware — Threat Analysis & Defender Playbook
Prepared by CyberDudeBivash Threat Intelligence

Executive summary

Akira is a prolific ransomware-as-a-service (RaaS) operation active since March 2023, impacting organizations across North America, Europe, and Australia. By January 1, 2024 it had hit 250+ organizations and collected approximately $42M in ransom proceeds. Akira runs two codebases: the original C++ encryptor (appends “.akira”) and a Rust line (“Megazord” / “Akira v2”) that can append “.powerranges” and targets VMware ESXi/Linux as well as Windows. (CISA)

In 2025, activity continues, with reports of MSP-focused campaigns and suspected VPN-appliance abuse (e.g., SonicWall incidents under investigation). Treat edge/VPN devices as the highest-risk attack surface. (IT Pro, TechRadar)


Attack chain (MITRE-mapped highlights)

Initial access — TA0001

  • VPNs without MFA; frequent focus on Cisco ASA/FTD via CVE-2023-20269 (credential brute-force against the clientless SSL VPN) and CVE-2020-3259 (memory disclosure that leaks credentials). Also RDP, spear-phishing, and valid credentials. (Kroll, Truesec, Cisco Blogs, CISA)

Discovery / Privilege escalation — TA0007/TA0004

  • Creation of new domain accounts (observed name: itadm), Kerberoasting, LSASS dumping (Mimikatz/LaZagne), network scanning with SoftPerfect/Advanced IP Scanner. (CISA)

C2 / Staging — TA0011

  • Remote admin/tunneling tools: AnyDesk, RustDesk, MobaXterm, Ngrok, Cloudflare Tunnel. (CISA)

Exfiltration — TA0010

  • WinSCP, Rclone, FileZilla; archiving with WinRAR; egress to MEGA/cloud buckets before encryption (double extortion). (CISA)

Impact — TA0040

  • Hybrid crypto (ChaCha20 + RSA); ransom note fn.txt; file extensions .akira or .powerranges; Tor portal with a unique victim code; the initial note often omits a dollar amount. (CISA)


2024–2025 evolution to watch

  • The Rust/ESXi “v2” line appeared in early 2024; research shows ESXi-specific logic, and the additional extension .akiranew has been seen in the wild. (Check Point Research)

  • MSP targeting is emphasized in recent threat intel; compromise of a service provider can cascade to its downstream clients. (IT Pro)

  • SonicWall SSL-VPN incidents (mid-2025): investigations ongoing; harden and monitor even fully patched devices. (TechRadar)


Hunt & detect (quick wins you can deploy today)

Windows/AD

  • Alert on VSS (shadow copy) deletion combined with mass file renames and fn.txt drops.

  • Detect new domain admin accounts and account creations (look for odd admin names such as itadm).

  • LSASS access and Kerberoast patterns; unsigned PowerShell staging. (CISA)

VPN/Edge

  • Look for clientless SSL-VPN sessions created without MFA, brute-force/password-spray attempts against ASA/FTD, and anomalous geography. Patch and monitor for CVE-2023-20269/CVE-2020-3259 indicators. (Kroll)

Exfil

  • Unusual WinSCP/Rclone/FileZilla execution from servers; egress to MEGA/SFTP; large outbound SSH transfers after hours. (CISA)

ESXi/Linux

  • Sudden waves of VM power-offs; new SSH enablement; suspicious SFTP transfer of encryptors to multiple hosts (Rust/ESXi line). (Check Point Research)
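The Windows/AD and Exfil bullets above describe behaviors rather than hashes, so they translate naturally into correlation rules. The following is an added example written for this playbook, not code from CISA, the cited vendors, or CyberDudeBivash. It runs the report's indicators (shadow-copy deletion, a burst of renames to .akira/.powerranges/.akiranew, an fn.txt drop, an improvised admin account such as itadm, and Rclone/WinSCP/FileZilla or MEGA on a server) over constructed, normalized telemetry. The event field names (`ts`, `host`, `type`, `image`, `cmdline`, `path`, `target`), the `SERVER_HOSTS` inventory, the burst threshold, and the `ODD_ADMIN_RE` heuristic are all assumptions to adapt to your own EDR/SIEM schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators named in the report.
RANSOM_EXTENSIONS = (".akira", ".powerranges", ".akiranew")
RANSOM_NOTE = "fn.txt"
# Shadow-copy deletion commands that typically precede mass encryption.
VSS_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy.*delete",
    re.IGNORECASE)
# Exfiltration tools from the report, matched on image basename.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe", "filezilla.exe"}
# Constructed heuristic (assumption) for "odd admin names like itadm": short IT/admin-style names.
ODD_ADMIN_RE = re.compile(r"^(it|sys|sec)?adm(in)?\d*$", re.IGNORECASE)
SERVER_HOSTS = {"FS01", "DC01"}  # constructed asset inventory: file server and domain controller


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_vss_deletion(events):
    """Hosts where a shadow-copy deletion command was executed."""
    return sorted({e["host"] for e in events
                   if e["type"] == "process" and VSS_DELETE_RE.search(e.get("cmdline", ""))})


def detect_encryption_burst(events, window=timedelta(seconds=60), threshold=20):
    """Hosts with >= threshold renames to a ransom extension inside any sliding window."""
    per_host = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename" and e["path"].lower().endswith(RANSOM_EXTENSIONS):
            per_host[e["host"]].append(datetime.fromisoformat(e["ts"]))
    hits = set()
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                hits.add(host)
                break
    return sorted(hits)


def detect_ransom_notes(events):
    """Hosts where the Akira note fn.txt was written."""
    return sorted({e["host"] for e in events
                   if e["type"] in ("file_create", "file_rename") and _basename(e["path"]) == RANSOM_NOTE})


def detect_odd_admin_accounts(events, allowlist=frozenset()):
    """Newly created accounts whose name looks like an improvised admin account."""
    return sorted({e["target"] for e in events
                   if e["type"] == "account_created" and e["target"] not in allowlist
                   and ODD_ADMIN_RE.match(e["target"])})


def detect_exfil_tools(events, server_hosts):
    """Exfil-capable tools launched on servers, or any server command line referencing MEGA."""
    hits = set()
    for e in events:
        if e["type"] != "process" or e["host"] not in server_hosts:
            continue
        image = _basename(e.get("image", ""))
        if image in EXFIL_TOOLS or "mega" in e.get("cmdline", "").lower():
            hits.add((e["host"], image))
    return sorted(hits)


def run_hunt(events, server_hosts=SERVER_HOSTS):
    return {"vss_deletion_hosts": detect_vss_deletion(events),
            "encryption_burst_hosts": detect_encryption_burst(events),
            "ransom_note_hosts": detect_ransom_notes(events),
            "odd_admin_accounts": detect_odd_admin_accounts(events),
            "exfil_tool_hits": detect_exfil_tools(events, server_hosts)}


def high_confidence_hosts(findings):
    """Hosts where shadow-copy deletion co-occurs with an encryption burst or a ransom note."""
    vss = set(findings["vss_deletion_hosts"])
    enc = set(findings["encryption_burst_hosts"]) | set(findings["ransom_note_hosts"])
    return sorted(vss & enc)


# Constructed sample telemetry (not real logs): normalized events with assumed field names.
_T0 = datetime(2025, 8, 1, 2, 10, 0)
def _ts(sec):
    return (_T0 + timedelta(seconds=sec)).isoformat()

SAMPLE_EVENTS = [
    {"ts": _ts(0), "host": "DC01", "type": "account_created", "target": "itadm", "subject": "jsmith"},
    {"ts": _ts(30), "host": "DC01", "type": "account_created", "target": "t.nguyen", "subject": "hr-onboard"},
    {"ts": _ts(300), "host": "FS01", "type": "process", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Shares mega:dump --transfers 8"},
    {"ts": _ts(310), "host": "WS07", "type": "process", "image": r"C:\Program Files\WinSCP\WinSCP.exe",
     "cmdline": "WinSCP.exe"},  # workstation, so not in scope for the server rule
    {"ts": _ts(600), "host": "FS01", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": _ts(640), "host": "FS01", "type": "file_create", "path": r"D:\Shares\Finance\fn.txt"},
]
# 25 renames to .akira on FS01 within 25 seconds: exceeds the burst threshold.
SAMPLE_EVENTS += [{"ts": _ts(605 + i), "host": "FS01", "type": "file_rename",
                   "path": rf"D:\Shares\Finance\doc{i}.xlsx.akira"} for i in range(25)]
# Three ordinary .bak renames on a workstation: ignored by the extension filter.
SAMPLE_EVENTS += [{"ts": _ts(700 + 10 * i), "host": "WS07", "type": "file_rename",
                   "path": rf"C:\Users\alice\notes{i}.txt.bak"} for i in range(3)]
```

Run `run_hunt(SAMPLE_EVENTS)` and then `high_confidence_hosts(...)` on the result: FS01 fires on all three encryption-stage rules plus the Rclone/MEGA rule, DC01 surfaces the itadm creation, and the workstation WinSCP launch and .bak renames stay quiet. The sliding-window burst rule is what keeps a single stray rename from paging anyone; tune `threshold` and `window` to your file-server rename baseline.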


Priority mitigations (that actually reduce risk)

  1. Patch the edge first: Cisco ASA/FTD (CVE-2023-20269, CVE-2020-3259), VPNs, ESXi, RDP gateways. (Kroll, Truesec)

  2. Phishing-resistant MFA (FIDO) on VPN/RDP; block or tightly allowlist RMM/tunneling tools. (Kroll)

  3. Harden identity: monitor new admin creation, enforce least privilege, rotate credentials after VPN patching (memory-disclosure risk). (Truesec)

  4. Exfil controls: DLP/outbound blocks for MEGA, restrict SFTP/SSH from non-admin segments; alert on Rclone/WinSCP. (CISA)

  5. Resilience: offline/immutable backups; test restores; run tabletop IR exercises for double-extortion scenarios. (CISA)


Indicators & artifacts (prioritize behavior over hashes)

  • Note/extension: fn.txt, “.akira”, “.powerranges” (and occasionally “.akiranew”). (CISA, Check Point Research)

  • Tools often seen: AnyDesk/RustDesk/Ngrok/Cloudflare Tunnel; WinRAR + WinSCP/Rclone/FileZilla. (CISA)


Rapid response playbook (print-friendly)

  1. Contain: isolate edge/VPN device, disable clientless SSL-VPN, block suspicious RMM, lock new admin accounts.

  2. Preserve: collect ASA/FTD logs, VPN/RADIUS, AD, EDR, ESXi logs; snapshot affected VMs.

  3. Hunt: search for fn.txt, .akira/.powerranges extensions, VSS deletions, ASA brute-force, Rclone/WinSCP beacons.

  4. Eradicate: patch ASA/FTD/ESXi; rotate credentials (assume disclosure if a CVE-2020-3259 exposure window existed); remove persistence.

  5. Recover & notify: restore from clean backups; execute breach notifications per sector laws; report to FBI/IC3/CISA. (CISA)
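Step 3 of the playbook calls for a filesystem search for fn.txt and the encrypted extensions. The sweep below is an added example for this playbook, not a tool from CyberDudeBivash or any cited source. It walks a share tree, records per directory how many files carry an Akira extension and whether the note is present, and uses the encrypted files' modification times to bound when encryption ran, which feeds the timeline in step 2. The share layout and timestamps are constructed inside `build_constructed_tree` so the example runs offline; point `sweep()` at a mounted evidence copy in practice.

```python
import os
import tempfile
from pathlib import Path

# Indicators from the report: Akira's note name and the extensions of both codebases.
RANSOM_NOTE = "fn.txt"
RANSOM_EXTENSIONS = {".akira", ".powerranges", ".akiranew"}


def sweep(root):
    """Walk root; per directory report encrypted-file count, note presence and the
    modification-time span of the encrypted files (a rough bound on when encryption ran)."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        # Suffix check, not substring: "report.akira.docx" is not an encrypted file.
        encrypted = [Path(dirpath) / f for f in files if Path(f).suffix.lower() in RANSOM_EXTENSIONS]
        has_note = RANSOM_NOTE in {f.lower() for f in files}
        if not encrypted and not has_note:
            continue
        mtimes = [p.stat().st_mtime for p in encrypted]
        findings[Path(dirpath).relative_to(root).as_posix()] = {
            "encrypted": len(encrypted),
            "note": has_note,
            "first_mtime": min(mtimes) if mtimes else None,
            "last_mtime": max(mtimes) if mtimes else None,
        }
    return findings


def summarize(findings):
    """Roll directory findings up into the numbers an IR lead needs first."""
    mtimes = [v[k] for v in findings.values() for k in ("first_mtime", "last_mtime") if v[k] is not None]
    return {
        "dirs_affected": len(findings),
        "encrypted_files": sum(v["encrypted"] for v in findings.values()),
        "note_dirs": sum(1 for v in findings.values() if v["note"]),
        "encryption_window": (min(mtimes), max(mtimes)) if mtimes else None,
    }


def build_constructed_tree(root):
    """Create a constructed share layout (not real victim data) for the sweep to run against."""
    root = Path(root)
    base = 1_754_000_000  # constructed epoch seconds, so mtimes are deterministic
    finance, hr, public = (root / "Shares" / d for d in ("Finance", "HR", "Public"))
    for d in (finance, hr, public):
        d.mkdir(parents=True)
    for i in range(5):  # C++ line: ".akira" appended to the original name
        p = finance / f"ledger{i}.xlsx.akira"
        p.write_bytes(b"\x00" * 16)
        os.utime(p, (base + i, base + i))
    (finance / RANSOM_NOTE).write_text("constructed placeholder note\n")
    for i in range(2):  # Rust line: ".powerranges" appended
        p = hr / f"payroll{i}.pdf.powerranges"
        p.write_bytes(b"\x00" * 16)
        os.utime(p, (base + 100 + i, base + 100 + i))
    (public / "readme.txt").write_text("untouched\n")
    (public / "report.akira.docx").write_text("not encrypted; extension is mid-name\n")
    return base


def run_demo():
    """Build the constructed tree in a temp dir, sweep it, and return (findings, summary)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        findings = sweep(tmp)
        return findings, summarize(findings)


if __name__ == "__main__":
    per_dir, summary = run_demo()
    for directory, info in sorted(per_dir.items()):
        print(directory, info)
    print(summary)
```

On the constructed tree the sweep reports two affected directories, seven encrypted files, one directory holding the note, and an encryption window spanning the earliest and latest encrypted-file mtime; the Public share, including the file with ".akira" in the middle of its name, is correctly left out. Treat the mtime bound as approximate: the encryptor may preserve or rewrite timestamps, so corroborate it with the file-rename telemetry from the hunt section.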


Sources / recommended reading

  • CISA/FBI/EC3/NCSC-NL #StopRansomware: Akira — TTPs, IOCs, mitigations, statistics.

  • Check Point Research — deep dive on the Rust/ESXi (“v2”) line.

  • Cisco Blogs — Akira campaigns against VPNs without MFA.

  • Truesec — analysis of CVE-2020-3259 memory-leak abuse by Akira.

  • Kroll — ASA/FTD focus and toolset observed during intrusions.




#CyberDudeBivash #Akira #Ransomware #RaaS #DoubleExtortion #ESXi #VPNSecurity #CISA #MITREATTACK #DFIR #XDR #ThreatIntel #IncidentResponse
