Connect with us

Hi, what are you looking for?



Dozens of Organizations Targeted by Akira Ransomware

The Akira ransomware operators claim to have compromised 63 organizations since March 2023, mostly SMBs.

The Akira ransomware gang has compromised at least 63 organizations since March 2023, mostly focusing on small- to medium-sized businesses (SMBs), cybersecurity firm Arctic Wolf reports.

Likely opportunistic, the group consists of at least some Conti-affiliated threat actors and engages in double extortion tactics, exfiltrating victim data prior to encryption and threatening to release the data publicly unless a ransom is paid.

“The group does not insist on a company paying for both decryption assistance and the deletion of data. Instead, Akira offers victims the opportunity to pick and choose what they would like to pay for,” Arctic Wolf notes.

The Akira ransomware group demands ransom payments ranging between $200,000 and $4 million. If the victim does not pay, their name and data are added to the group’s leak site.

At least 63 organizations have been listed on the site since March 2023, but some of them have been removed. Roughly 80% of the victims are SMBs.

Distributed via the ransomware-as-a-service (RaaS) business model, Akira is a fast-growing threat that leverages compromised credentials for intrusion. Most of the victims, Arctic Wolf says, did not have multi-factor authentication (MFA) enabled on their VPNs.

According to CloudSek, the group also uses malicious email attachments, malicious ads, and pirated software to spread the ransomware, and exploits unpatched vulnerabilities in VPN endpoints. It was also observed exploiting VMware ESXi vulnerabilities for lateral movement.

Advertisement. Scroll to continue reading.

The group uses multiple readily available tools to obtain initial access to a victim’s environment and to perform system and data discovery, exfiltration, and command-and-control (C&C) activities.

The cybersecurity firm also identified code overlaps with the Conti ransomware, including similar functions and a similar implementation of the ChaCha algorithm for encryption.

Following the release of a decryptor for Akira on June 29, the ransomware operators modified the encryption routine, to prevent free file recovery.

Arctic Wolf also dived into the cryptocurrency wallet addresses used by the Akira ransomware operators, identifying additional wallets, and discovering overlaps with Conti activity, including three transactions in which over $600,000 were sent to Conti-affiliated addresses.

“Although Conti disbanded after increased pressure due to internal conflict and the publishing of their source code, many of the Conti members have continued to wreak havoc on organizations in 2023 through their activity with other Ransomware-as-a-Service groups, including Akira,” Arctic Wolf notes.

Related: Nubeva’s Ransomware Key Interception and Decryption Technology Validated in Third-Party Lab

Related: Tampa General Hospital Says Patient Information Stolen in Ransomware Attack

Related: Cosmetics Giant Estée Lauder Targeted by Two Ransomware Groups

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


US payments giant NCR has confirmed being targeted in a ransomware attack for which the BlackCat/Alphv group has taken credit.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.