// Threat Intelligence Profile

Akira Ransomware

Active double extortion operation targeting SMBs and mid-market organisations. Analysis based on 60 negotiation transcripts spanning March 2023 to present.

Operational Overview

Akira emerged in March 2023 and rapidly established itself as one of the most active ransomware operations targeting small and mid-sized businesses. The group operates a double extortion model: encrypting victim systems while simultaneously exfiltrating sensitive data, then threatening to publish stolen files on their Tor-based leak site if the ransom is not paid. Unlike some of the larger RaaS platforms, Akira appears to operate with a relatively centralised structure, which contributes to a more consistent and predictable negotiation style across engagements.

Our dataset of 60 negotiation transcripts — one of the largest single-group datasets in the public archive — provides substantial evidence for the patterns described in this profile. Akira has consistently targeted organisations across professional services, education, manufacturing, and healthcare, with a clear preference for companies in the $10M–$500M revenue range. The group has demonstrated a particular proficiency in identifying and exploiting network perimeter weaknesses, and their operational tempo has remained high since inception.

Initial Access & Entry Vectors

Akira's most common intrusion vector is compromised VPN credentials, most often on Cisco ASA/FTD remote access VPN (AnyConnect) and Fortinet FortiGate SSL VPN appliances. In a significant number of cases examined through our forensic engagements, initial access was achieved through VPN accounts that lacked multi-factor authentication, typically by brute forcing or reusing leaked credentials against single-factor logins. The group has also been observed exploiting known vulnerabilities in VPN appliances, including CVE-2023-20269 (Cisco ASA/FTD, which lets an unauthenticated attacker brute-force remote access VPN credentials) and older Fortinet vulnerabilities where patches had not been applied. The practical check is simple: every VPN account, including service and vendor accounts, must require MFA, and VPN authentication logs should be monitored for one source address failing against many usernames.
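The single-factor VPN credential attacks described above leave a recognisable trace in the appliance's authentication log: one source address failing against many different usernames, followed by a success for one of them. The script below is an added example for this profile, not Akira tooling and not Binary Response code. It parses constructed Cisco ASA syslog lines and flags both the spray and the success that follows it. The layout of the %ASA-6-113005 (reject) and %ASA-6-113004 (success) messages is reproduced from memory of the ASA syslog reference, so verify the regexes against your own appliance output before relying on them; the sample log is constructed.

```python
"""Spot password spraying against a Cisco ASA remote-access VPN and a login
that succeeds in its wake. Added example for this profile: not Akira tooling
and not Binary Response code. Message layouts are approximated from the ASA
syslog reference and the sample lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d) \S+ "
                     r"%ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$")
# "key = value" pairs separated by " : " inside the message body
FIELD_RE = re.compile(r"(?P<k>[\w ]+?) = (?P<v>[^:]+?)(?: :|$)")

def parse_line(line):
    """Return a dict of timestamp, message id and body fields, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
           "msgid": m["msgid"]}
    rec.update((k.strip(), v.strip()) for k, v in FIELD_RE.findall(m["body"]))
    return rec

def analyze(log_text, window_s=600, min_users=5):
    """Return (spray_sources, suspicious_successes).

    spray_sources: source IP -> {"first_seen", "users"} once that IP has failed
    authentication for >= min_users distinct usernames inside window_s seconds.
    suspicious_successes: (user, source IP, ts) for every successful login of a
    username that a spraying source had already tried. 113004 carries no client
    IP, so the correlation is by username."""
    failures = defaultdict(list)          # src ip -> [(ts, user), ...]
    sprays, hits = {}, []
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or "user" not in e:
            continue
        if e["msgid"] == "113005" and "user IP" in e:
            ip = e["user IP"]
            recent = [(t, u) for t, u in failures[ip]
                      if (e["ts"] - t).total_seconds() <= window_s]
            recent.append((e["ts"], e["user"]))
            failures[ip] = recent
            users = {u for _, u in recent}
            if len(users) >= min_users:
                entry = sprays.setdefault(ip, {"first_seen": recent[0][0], "users": set()})
                entry["users"].update(users)
        elif e["msgid"] == "113004":
            for ip, info in sprays.items():
                if e["user"] in info["users"]:
                    hits.append((e["user"], ip, e["ts"]))
    return sprays, hits

# Constructed sample: 203.0.113.7 sprays six accounts, then svc_backup (no MFA)
# logs in. 198.51.100.9 is an ordinary user mistyping a password once.
SAMPLE_LOG = """\
Mar 12 2024 02:14:01 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.7
Mar 12 2024 02:14:09 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = mlee : user IP = 203.0.113.7
Mar 12 2024 02:14:17 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = rpatel : user IP = 203.0.113.7
Mar 12 2024 02:15:30 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = tgarcia : user IP = 198.51.100.9
Mar 12 2024 02:15:44 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = tgarcia
Mar 12 2024 02:16:02 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = akhan : user IP = 203.0.113.7
Mar 12 2024 02:16:11 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dwong : user IP = 203.0.113.7
Mar 12 2024 02:16:20 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = svc_backup : user IP = 203.0.113.7
Mar 12 2024 02:18:45 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = svc_backup
"""

if __name__ == "__main__":
    sprays, hits = analyze(SAMPLE_LOG)
    for ip, info in sprays.items():
        print(f"spray from {ip}: {len(info['users'])} accounts since {info['first_seen']}")
    for user, ip, ts in hits:
        print(f"{ts} success for {user} after spray from {ip}: reset, enforce MFA, investigate")
```

The window and threshold are deliberately loose (five usernames in ten minutes); a real spray against a mid-market VPN often runs slower than that to stay under lockout thresholds, so widen the window on busy appliances rather than raising the user count. A success that follows a spray is the event to page on, since it is the point at which Akira's operators move from the perimeter into the network.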

Secondary entry vectors include exposed Remote Desktop Protocol (RDP) services and, less frequently, phishing campaigns that deliver initial access payloads. Once inside the network, Akira operators typically move laterally within hours, using tools such as Advanced IP Scanner, PCHunter, and legitimate remote management software to map the environment and identify high-value targets for encryption and data exfiltration. The dwell time from initial access to encryption deployment varies but is often between 2 and 10 days, with data exfiltration typically occurring in the 24–48 hours before encryption.

Technical Characteristics

The Akira encryptor was originally written in C++ and targeted Windows environments. In mid-2023 the group added a Linux build aimed at VMware ESXi hypervisors, a significant capability expansion: it encrypts virtual machine disk files directly on the hypervisor host, taking down an entire virtualised environment in a single operation without touching each guest. Later in 2023 the group also shipped Rust-based builds, including a Windows variant tracked as Megazord (which writes a .powerranges extension) and a Rust rewrite of the Linux/ESXi encryptor, so the Rust toolchain post-dates the first ESXi release rather than arriving with it.

Encrypted files receive the .akira extension. The encryption is a hybrid scheme: each file is encrypted with the ChaCha20 stream cipher under its own symmetric key, and that key material is in turn encrypted with an RSA public key embedded in the binary. The victim host therefore never holds anything that can unwrap the file keys, and unless the implementation is flawed, recovery without the operators' RSA private key is not feasible; the "decryptor" the group sells is essentially that private key plus a tool to apply it. The ransomware binary is typically deployed via group policy, PsExec, or through compromised domain controller access. Before encryption the group deletes Volume Shadow Copies, commonly with a PowerShell/WMI one-liner (Get-WmiObject Win32_Shadowcopy | Remove-WmiObject), and disables Windows recovery options to impede victim recovery. That command line is a high-fidelity detection point and should page before the encryptor runs, since it precedes encryption rather than following it.
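To make the hybrid scheme concrete, the block below is an added example for this profile, written from the ChaCha20 specification in RFC 8439; it is not Akira's code and not Binary Response tooling. It generates a fresh ChaCha20 key and nonce per file, encrypts the body, wraps the key material under an RSA public key and appends it, and then shows that only the private-key holder can reverse the process. The RSA is a textbook toy (512-bit modulus, no padding) so the block stays standard-library only, and the on-disk layout (body, wrapped blob, two-byte length) is illustrative, not Akira's actual file format.

```python
"""Hybrid ChaCha20 + RSA file encryption in the shape ransomware encryptors
such as Akira's use. Added example for this profile (written from RFC 8439),
not Akira's code and not Binary Response tooling. The RSA is a toy (small
modulus, no padding) and the file layout is illustrative only."""
import math
import os
import random
import struct

MASK = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _qr(s, a, b, c, d):
    """ChaCha quarter round on state words a, b, c, d (RFC 8439 2.1)."""
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block for a 32-byte key and 12-byte nonce."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state += [counter & MASK, *struct.unpack("<3I", nonce)]
    w = state[:]
    for _ in range(10):                       # 20 rounds = 10 double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK for i in range(16)])

def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], ks))
    return bytes(out)

def _probable_prime(n, rng, rounds=16):
    """Miller-Rabin on an odd candidate; fine for a toy key, not production."""
    if any(n % p == 0 for p in (3, 5, 7, 11, 13)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
        if _probable_prime(n, rng):
            return n

def rsa_keygen(bits=512, seed=None):
    """Toy RSA keypair standing in for the operator's embedded public key."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def encrypt_file_bytes(plaintext, operator_pub, rng=os.urandom):
    """Per-file key/nonce; output is body || RSA(key||nonce) || 2-byte length."""
    n, e = operator_pub
    key, nonce = rng(32), rng(12)
    body = chacha20_xor(key, nonce, plaintext)
    wrapped = pow(int.from_bytes(key + nonce, "big"), e, n)
    blob = wrapped.to_bytes((n.bit_length() + 7) // 8, "big")
    return body + blob + struct.pack("<H", len(blob))

def decrypt_file_bytes(ciphertext, operator_priv):
    """What the operator's decryptor does: unwrap with the private key, then XOR."""
    n, d = operator_priv
    blen = struct.unpack("<H", ciphertext[-2:])[0]
    body, blob = ciphertext[:-2 - blen], ciphertext[-2 - blen:-2]
    km = pow(int.from_bytes(blob, "big"), d, n).to_bytes(44, "big")
    return chacha20_xor(km[:32], km[32:], body)

def demo():
    pub, priv = rsa_keygen(seed=7)
    doc = b"Q3 payroll export (constructed sample)\n" * 4      # constructed input
    ct = encrypt_file_bytes(doc, pub)
    # The victim host only ever holds pub; the 256-bit file key is unrecoverable
    # from ct without priv, which is exactly what the ransom buys.
    return ct[:len(doc)] != doc and decrypt_file_bytes(ct, priv) == doc
```

The point for responders is in the last two lines of decrypt_file_bytes: the per-file key lives only inside the RSA-wrapped blob, so pulling the encryptor binary or a memory image after the fact yields the public key and nothing that unwraps the files. The only things worth hunting for are a flawed implementation (early Akira builds had one, which is what a public decryptor exploited) or the key material still in memory on a host that was caught mid-encryption.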

Data exfiltration is typically conducted using WinSCP, Rclone, or FileZilla, with stolen data staged to attacker-controlled cloud storage or transferred directly over Tor. The group does not appear to use custom exfiltration tooling; it relies on widely available file transfer utilities that blend with legitimate administrative traffic. The practical detection opportunities are therefore behavioural rather than signature-based: rclone or WinSCP binaries appearing on servers that never had them, large outbound transfers from file servers and domain controllers, and egress to cloud storage providers the organisation does not use.

Negotiation Patterns & Demand Analysis

Akira's negotiation behaviour is one of the most extensively documented in our archive. Across 60 transcripts, several clear patterns emerge that distinguish this group from its peers.

Initial ransom demands typically range from $200,000 to $4 million, calibrated roughly to the victim's perceived annual revenue. Demands are presented through a Tor-based negotiation portal where the victim is provided with a unique login credential. Communication is structured and professional — Akira negotiators generally respond within 12–24 hours and maintain a measured tone throughout the exchange.

What distinguishes Akira from many peer groups is a demonstrated willingness to negotiate. Our transcript data shows reductions ranging from 25% to 100% off initial demands, with the actual reduction depending on factors including the victim's financial position, the perceived value of stolen data, and the negotiation approach employed by the victim or their representatives. Some transcripts show outcomes where the victim paid nothing — typically in cases where the exfiltrated data was of limited sensitivity or the victim demonstrated that recovery from backups was feasible.

The group generally offers two separate “services”: a decryption key to restore encrypted files, and a promise to delete exfiltrated data without publication. In some negotiations, these are priced separately, providing additional negotiation surface for practitioners. The timeline pressure applied by Akira is moderate compared to groups like LockBit — they typically allow weeks of negotiation before escalating threats.

Target Selection & Victimology

Akira demonstrates a clear operational preference for small and mid-market organisations. Analysis of publicly claimed victims and our negotiation transcripts shows a concentration in professional services firms, educational institutions, manufacturing companies, and healthcare providers. The group has been active across North America, Europe, and the Asia-Pacific region, though the majority of documented cases involve US and Canadian organisations.

The group generally avoids targets in the critical national infrastructure space and has not been associated with attacks on government agencies at the scale seen from groups like LockBit or Conti. This targeting pattern suggests either a deliberate effort to avoid the level of law enforcement attention that major infrastructure attacks attract, or a practical limitation of the group's operational capacity relative to the larger RaaS platforms.

View Negotiation Transcripts

All 60 Akira ransomware negotiation transcripts are available in our public archive. These transcripts provide verbatim records of communications between Akira operators and their victims, offering direct insight into negotiation tactics, demand structures, and outcomes.

Quick Reference

Status: ACTIVE
First Observed: March 2023
Transcripts: 60
Demand Range: $200K – $4M
Observed Reductions: 25% – 100%
Model: Double Extortion
Primary Targets: SMBs, Mid-Market
Entry Vectors: VPN (Cisco, Fortinet), RDP
Encryptor: C++, later Rust builds
Platforms: Windows, Linux, VMware ESXi

Key Negotiation Insights

Tone: Professional, structured
Response Time: 12–24 hours typical
Negotiability: HIGH
Timeline Pressure: Moderate
Portal: Tor-based, unique login

Under Attack by Akira?

If you believe Akira has targeted your organisation, contact Binary Response immediately. Our team has direct experience responding to Akira incidents and can advise on containment, negotiation, and recovery.
