Akira Dual-Platform Ransomware: Active Targeting of Finance, Healthcare, and Critical Infrastructure
Active since March 2023, Akira is a ransomware-as-a-service group that has claimed more than 250 victims across North America, Europe, and Australia, accumulating over $42 million in confirmed ransom proceeds. The group targets organizations across critical infrastructure, financial services, healthcare, manufacturing, and education, and operates a dedicated leak site to pressure victims through double extortion. Notably, Akira deploys separate encryptors for Windows and VMware ESXi environments, meaning backup infrastructure is as much a target as production systems.
Akira gains initial access primarily through unpatched internet-facing appliances and VPN endpoints lacking multi-factor authentication, with Cisco ASA/FTD vulnerabilities and Veeam backup server weaknesses being documented entry points. Once inside, credential harvesting is a core focus: operators use public tooling like Mimikatz alongside purpose-built scripts targeting Veeam backup credentials to collect domain account material. Privilege escalation to domain administrator level follows quickly, with new accounts created to maintain persistent access alongside legitimate remote management tools like AnyDesk and covert tunnels via Ngrok.
Before deploying their encryptor, Akira operators invest time in defense evasion and data staging. Windows Defender is disabled and exclusions are added through registry modifications, while data is compressed using WinRAR and exfiltrated to cloud storage. Volume shadow copies are deleted to eliminate recovery options, after which the encryptor is deployed across Windows endpoints and ESXi hosts. Victims who pay still face the risk of public data exposure: the group publishes stolen data regardless of ransom outcome.
IOCs (59)
File names (8):
- VeeamHax.exe
- Veeam-Get-Creds.ps1
- qKtul.vbs
- s64.dll
- lck.exe
- Win_locker_0234-BMMNBW-MONC.exe
- level-windows-amd64.exe
- Ladon.exe
Detections (10)
- Identification of Mimikatz Execution & Artifacts
- LSASS Memory Dump via comsvcs.dll (rundll32)
- User Added to Domain Administrators Groups
- Process Connection to MEGA Domain
- Account Created and Granted Privileged Role
- Windows Defender Tampering in Registry via reg.exe
- Windows Defender Folder Exclusion Added Via reg.exe
- PSExec Execution
- Password Spray Across Multiple Accounts
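The Defender tampering, shadow-copy deletion and WinRAR staging described in the narrative above map onto the detection titles listed here. As an added example (not the report's or any vendor's code), the following Python matches constructed process-creation events against rules whose names mirror those titles and escalates any host that shows both Defender tampering and shadow-copy deletion; the event format, host and user names, and the regex patterns are all assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (the shape of Sysmon Event ID 1 or
# Security 4688 data), one per line: "<utc timestamp> <host> <user> <command line>".
SAMPLE_EVENTS = r"""
2024-05-02T03:11:07Z srv-fs01 CORP\svc_backup reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2024-05-02T03:11:09Z srv-fs01 CORP\svc_backup reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\Temp /t REG_DWORD /d 0 /f
2024-05-02T03:12:44Z srv-fs01 CORP\svc_backup vssadmin.exe delete shadows /all /quiet
2024-05-02T03:13:01Z srv-fs01 CORP\svc_backup C:\Temp\WinRAR.exe a -r staging.rar D:\Finance
2024-05-02T08:00:00Z ws-042 CORP\alice reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
"""

# Rules as (name, command-line regex). Names mirror the detection titles above;
# the patterns are this example's own assumptions, not the vendor's logic.
RULES = [
    ("Windows Defender Tampering in Registry via reg.exe",
     re.compile(r"\breg(\.exe)?\s+add\b.*\\Windows Defender\b.*\b(DisableAntiSpyware|DisableRealtimeMonitoring)\b", re.I)),
    ("Windows Defender Folder Exclusion Added Via reg.exe",
     re.compile(r"\breg(\.exe)?\s+add\b.*\\Windows Defender\\Exclusions\\", re.I)),
    ("Volume Shadow Copy Deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bshadowcopy\s+delete\b", re.I)),
    ("Archive Staging with WinRAR", re.compile(r"\bwinrar(\.exe)?\s+a\b", re.I)),
]

def parse_events(text):
    """Yield (timestamp, host, user, cmdline); blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(None, 3)
        if len(parts) == 4:
            yield tuple(parts)

def detect(text):
    """Return (alerts, escalations): one alert per rule hit, and the hosts where
    Defender tampering and shadow-copy deletion both occur (the pre-encryption
    sequence the report describes), with the sorted rule names seen on each."""
    alerts, by_host = [], defaultdict(set)
    for ts, host, user, cmd in parse_events(text):
        for name, rx in RULES:
            if rx.search(cmd):
                alerts.append({"time": ts, "host": host, "user": user, "rule": name})
                by_host[host].add(name)
    escalations = {
        host: sorted(rules) for host, rules in by_host.items()
        if any("Defender" in r for r in rules) and "Volume Shadow Copy Deletion" in rules
    }
    return alerts, escalations
```

Calling detect(SAMPLE_EVENTS) yields four alerts on srv-fs01 and escalates that host; the query-only reg.exe event on ws-042 produces nothing, and a host with only an exclusion change is alerted on but not escalated.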