Unmasking Akira: The ransomware tactics you can't afford to ignore
Sept. 22, 2025, 7:42 p.m.
Description
The Akira ransomware group has been targeting UK businesses since 2023, primarily affecting retail, finance, manufacturing, and medical sectors. Their tactics include exploiting SSL VPNs, using double extortion, and focusing on financial gain. Key observations from 2023-2025 include initial access through VPN exploitation, discovery tools like Netscan and Advanced Port Scanner, privilege escalation via Veeam vulnerabilities, lateral movement through RDP and SSH, and exfiltration using tools like WinSCP and FileZilla. Akira targets backup systems, encrypts virtual disks and physical devices, and publishes stolen data on a Tor-based website. The group's activities show similarities to the Conti cybercrime organization, indicating possible links between them.
Tags
Date
- Created: Sept. 22, 2025, 8:04 a.m.
- Published: Sept. 22, 2025, 8:04 a.m.
- Modified: Sept. 22, 2025, 7:42 p.m.
Additional Information
- Retail
- Healthcare
- Finance
- Manufacturing
- United Kingdom of Great Britain and Northern Ireland