Akira Ransomware

Akira is a ransomware-as-a-service operation active since March 2023 with confirmed ties to the former Conti ransomware group. The operation has caused over $42 million in damages across 250+ organizations, primarily gaining initial access through Cisco AnyConnect VPN vulnerabilities and compromised VPN credentials.

Attribute	Detail
Names	Akira Ransomware
Attribution	Ransomware-as-a-Service (Conti Lineage)
Active Since	2023
Primary Focus	$42M+ damages across 250+ victims. Targets VPN appliances. Linux/VMware ESXi variants.

Overview

Attribution

Akira Ransomware is attributed to Ransomware-as-a-Service (Conti Lineage), active since at least 2023. $42M+ damages across 250+ victims. Targets VPN appliances. Linux/VMware ESXi variants.

Notable Campaigns

Cisco AnyConnect VPN exploitation campaigns
VMware ESXi Linux encryptor deployment
Stanford University attack (2023)
Healthcare sector targeting across North America
Manufacturing and professional services targeting

MITRE ATT&CK Mapping

Technique ID	Technique	Confidence
`T1133`	External Remote Services	High
`T1486`	Data Encrypted for Impact	High
`T1490`	Inhibit System Recovery	High
`T1059`	Command and Scripting Interpreter	High
`T1048`	Exfiltration Over Alternative Protocol	High

Detection & Defense

Recommended Defenses

Monitor for the TTPs listed above using your SIEM and EDR platforms. Prioritize patching of internet-facing applications and enforce MFA on all remote access. Mjolnir Security provides continuous threat hunting and monitoring for Akira activity patterns.

Mjolnir Security — Threat Intelligence & Response

Mjolnir Security provides 24/7 threat monitoring, incident response, and threat intelligence services. Contact us for threat hunting specifically targeting Akira TTPs in your environment.

Threat Hunting Incident Response Threat Intelligence SOC-as-a-Service

mjolnirsecurity.com — 24/7 Incident Response Hotline: +1 833 403 5875