The Akira ransomware group has made over $244 million in proceeds from its malicious activities, according to an updated joint advisory from government agencies in the US, France, Germany, and the Netherlands.
Active since at least March 2023, the hacking group is mainly known for deploying a ransomware variant tailored for VMware ESXi servers, in attacks targeting businesses and critical infrastructure organizations in North America, Europe, and Australia.
This year, however, the group expanded its toolset, and in a June 2025 attack it encrypted Nutanix Acropolis Hypervisor (AHV) VM disk files and exploited a SonicWall firewall vulnerability tracked as CVE-2024-40766.
Additionally, the ransomware gang started exploiting five more vulnerabilities for initial access this year, including CVE-2020-3580 (Cisco ASA and FTD), CVE-2023-28252 (Windows), CVE-2024-37085 (VMware ESXi), and CVE-2023-27532 and CVE-2024-40711 (Veeam Backup & Replication).
In addition to exploiting CVE-2024-40766, the Akira operators were seen compromising SonicWall appliances via stolen credentials. Initial access was also achieved through access brokers or by brute-forcing VPN endpoints.
“Additionally, Akira threat actors deploy password spraying techniques, using tools such as SharpDomainSpray to gain access to account credentials,” the updated joint advisory reads.
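The password-spraying behaviour described in the advisory has a simple log signature: one source address producing failed logons against many distinct accounts in a short window (a few attempts each), as opposed to classic brute force, which hammers one account. The following detector is an added example written for this article; it is not code from the advisory or from any vendor, and it assumes a constructed whitespace-separated authentication log of the form `timestamp source_ip account FAIL|SUCCESS`. The sample log lines are constructed, not taken from a real incident.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (hypothetical IPs from documentation ranges, fictional accounts).
# Source 203.0.113.7 sprays ten accounts once each and then lands on "judy";
# 198.51.100.9 brute-forces one account; 192.0.2.5 is an ordinary user typo.
SAMPLE_LOG = """
2025-06-01T10:00:01Z 203.0.113.7 alice FAIL
2025-06-01T10:00:02Z 203.0.113.7 bob FAIL
2025-06-01T10:00:03Z 203.0.113.7 carol FAIL
2025-06-01T10:00:04Z 203.0.113.7 dave FAIL
2025-06-01T10:00:05Z 203.0.113.7 erin FAIL
2025-06-01T10:00:06Z 203.0.113.7 frank FAIL
2025-06-01T10:00:07Z 203.0.113.7 grace FAIL
2025-06-01T10:00:08Z 203.0.113.7 heidi FAIL
2025-06-01T10:00:09Z 203.0.113.7 ivan FAIL
2025-06-01T10:00:10Z 203.0.113.7 judy FAIL
2025-06-01T10:00:11Z 203.0.113.7 judy SUCCESS
2025-06-01T10:00:20Z 198.51.100.9 mallory FAIL
2025-06-01T10:00:21Z 198.51.100.9 mallory FAIL
2025-06-01T10:00:22Z 198.51.100.9 mallory FAIL
2025-06-01T10:00:23Z 198.51.100.9 mallory FAIL
2025-06-01T10:00:24Z 198.51.100.9 mallory FAIL
2025-06-01T10:00:25Z 198.51.100.9 mallory FAIL
2025-06-01T10:00:26Z 198.51.100.9 mallory FAIL
2025-06-01T10:00:27Z 198.51.100.9 mallory FAIL
2025-06-01T10:00:28Z 198.51.100.9 mallory FAIL
2025-06-01T10:00:29Z 198.51.100.9 mallory FAIL
2025-06-01T10:05:00Z 192.0.2.5 alice FAIL
2025-06-01T10:05:10Z 192.0.2.5 alice SUCCESS
"""


@dataclass
class AuthEvent:
    ts: datetime
    src: str
    user: str
    success: bool


def parse_auth_log(text):
    """Parse the assumed 'timestamp src account RESULT' format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                src, user, result == "SUCCESS"))
    return events


def detect_spray_and_brute_force(events, window=timedelta(minutes=5),
                                 spray_min_accounts=8, brute_min_attempts=8):
    """Return {source_ip: finding} for sources showing spray or brute-force patterns.

    Spray: failures against >= spray_min_accounts distinct accounts inside the window.
    Brute force: >= brute_min_attempts failures against one account inside the window.
    Also lists targeted accounts that later logged in successfully from that source.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        recent_fails = deque()          # sliding window of failed logons from this source
        spray_accounts, brute_accounts = set(), set()
        first_fail = None
        for ev in evs:
            if ev.success:
                continue
            first_fail = first_fail or ev.ts
            recent_fails.append(ev)
            while ev.ts - recent_fails[0].ts > window:
                recent_fails.popleft()
            per_account = defaultdict(int)
            for f in recent_fails:
                per_account[f.user] += 1
            if len(per_account) >= spray_min_accounts:
                spray_accounts.update(per_account)
            brute_accounts.update(u for u, n in per_account.items() if n >= brute_min_attempts)

        if not spray_accounts and not brute_accounts:
            continue
        targeted = spray_accounts | brute_accounts
        compromised = sorted({e.user for e in evs
                              if e.success and e.user in targeted and e.ts >= first_fail})
        findings[src] = {
            "spray": sorted(spray_accounts),
            "brute_force": sorted(brute_accounts),
            "successful_logins_after_attack": compromised,
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_spray_and_brute_force(parse_auth_log(SAMPLE_LOG)).items():
        print(src, finding)
```

The thresholds are deliberately conservative defaults; in practice they should be tuned against the organisation's normal failed-logon baseline, and the "successful login after attack" list is the item worth paging on, since it is the point where a spray turns into valid credentials.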
In some attacks, the hackers exploited a router’s IP address to gain SSH access, tunneled command-and-control (C&C) server communication using Ngrok and other tools, and then exploited publicly disclosed Veeam vulnerabilities to compromise unpatched servers.
The Akira operators were seen using Visual Basic (VB) scripts, executing nltest commands for network and domain discovery, deploying remote access tools such as AnyDesk and LogMeIn, using Impacket to execute the remote command wmiexec.py, and uninstalling EDR products to evade detection.
The attackers were observed establishing a foothold within the compromised environments by creating user accounts and adding them to the admin group, exploiting Veeam services for privilege escalation, and moving laterally using AnyDesk, LogMeIn, RDP, SSH, and MobaXterm.
“In a reported incident, Akira threat actors bypassed Virtual Machine Disk (VMDK) file protection by temporarily powering down the domain controller’s VM, copying the VMDK files, and attaching them to a newly created VM. This sequence of actions enabled them to extract the NTDS.dit file and the SYSTEM hive, ultimately compromising a highly privileged domain administrator’s account,” the advisory reads.
In some attacks, the Akira group exfiltrated data from victims’ environments within 2 hours of initial access.
The hackers then executed ransomware to encrypt the victim’s files (appending the .akira, .powerranges, .akiranew, .aki extensions), and deployed ransom notes in the root directory and in each user’s home directory.
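Two of the details in this paragraph are directly usable as detection logic on file-activity telemetry: a burst of new files carrying the listed extensions on one host, and the same filename appearing in the drive root and in many user home directories at once (the ransom-note pattern). The script below is an added example written for this article, not code from the advisory; it assumes a constructed event feed of the form `timestamp host path`, and the ransom-note filename `NOTE_PLACEHOLDER.txt` is a placeholder, since the advisory excerpt does not name the note. All sample events are constructed.

```python
import posixpath
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions named in the advisory as appended to encrypted files.
AKIRA_EXTENSIONS = {".akira", ".powerranges", ".akiranew", ".aki"}

# Directories where the advisory says notes are dropped: drive root and user homes.
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:$")
USER_HOME_RE = re.compile(r"^[A-Za-z]:/Users/[^/]+$")

# Constructed file-creation events (hypothetical hosts and paths). FS01 shows an
# encryption burst plus a note fan-out; WS07 has a single stray ".aki" file only.
SAMPLE_EVENTS = r"""
2025-06-01T02:10:00Z FS01 C:\Shares\Finance\q2.xlsx.akira
2025-06-01T02:10:01Z FS01 C:\Shares\Finance\q3.xlsx.akira
2025-06-01T02:10:01Z FS01 C:\Shares\HR\staff.docx.akira
2025-06-01T02:10:02Z FS01 C:\Shares\HR\payroll.csv.akira
2025-06-01T02:10:02Z FS01 C:\Shares\Eng\design.vsdx.akira
2025-06-01T02:10:03Z FS01 C:\Shares\Eng\spec.pdf.akira
2025-06-01T02:10:05Z FS01 C:\NOTE_PLACEHOLDER.txt
2025-06-01T02:10:05Z FS01 C:\Users\alice\NOTE_PLACEHOLDER.txt
2025-06-01T02:10:06Z FS01 C:\Users\bob\NOTE_PLACEHOLDER.txt
2025-06-01T02:10:06Z FS01 C:\Users\carol\NOTE_PLACEHOLDER.txt
2025-06-01T09:00:00Z WS07 C:\Users\dave\report.docx
2025-06-01T09:30:00Z WS07 C:\Users\dave\old-backup.aki
"""


def parse_file_events(text):
    """Parse 'timestamp host path' lines into (ts, host, parent_dir, filename, ext)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, path = line.split(maxsplit=2)
        norm = path.replace("\\", "/")            # normalise Windows separators
        parent, name = posixpath.split(norm)
        ext = posixpath.splitext(name)[1].lower()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, parent, name, ext))
    return events


def detect_encryption_burst(events, window=timedelta(minutes=10), min_files=5):
    """Flag hosts creating >= min_files files with Akira extensions inside a sliding window."""
    by_host = defaultdict(list)
    for ts, host, _parent, _name, ext in events:
        if ext in AKIRA_EXTENSIONS:
            by_host[host].append(ts)

    findings = {}
    for host, stamps in by_host.items():
        stamps.sort()
        recent = deque()
        peak, peak_span = 0, None
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) > peak:
                peak, peak_span = len(recent), (recent[0], ts)
        if peak >= min_files:
            findings[host] = {"files": peak, "first": peak_span[0], "last": peak_span[1]}
    return findings


def detect_note_fanout(events, min_dirs=3):
    """Flag a filename dropped into the drive root and/or >= min_dirs distinct user homes."""
    dirs = defaultdict(lambda: defaultdict(set))   # host -> filename -> {parent dirs}
    for _ts, host, parent, name, _ext in events:
        if DRIVE_ROOT_RE.match(parent) or USER_HOME_RE.match(parent):
            dirs[host][name].add(parent)

    findings = {}
    for host, names in dirs.items():
        hits = {n: len(p) for n, p in names.items() if len(p) >= min_dirs}
        if hits:
            findings[host] = hits
    return findings


if __name__ == "__main__":
    evs = parse_file_events(SAMPLE_EVENTS)
    print("encryption bursts:", detect_encryption_burst(evs))
    print("note fan-out:", detect_note_fanout(evs))
```

The burst detector keys on the extensions the advisory lists, so it will miss a variant that changes them; the fan-out detector is extension-agnostic and catches the note-dropping behaviour itself, which is why the two are worth running together.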