Akira ransomware has targeted over 250 victims worldwide and collected $42 million in ransom payments, using a range of tactics to gain access to organizations' systems and exfiltrate their data.
- Since early 2023, Akira ransomware has targeted organizations in multiple industries, including services, manufacturing, education, finance, and healthcare.
- The ransomware initially targeted Windows systems but has expanded to infect VMware ESXi virtual machines and has been used in conjunction with Megazord.
- Akira operators have been observed exploiting vulnerabilities in Cisco products, using RDP, spear-phishing, and valid credentials to gain initial access to victims' environments.
- The threat actors create new domain accounts for persistence, extract credentials, and disable security software to evade detection.
- Akira exfiltrates victims' data before encrypting it and demands ransom payments in Bitcoin, threatening to publish exfiltrated data on the Tor network if demands are not met.
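As an added example (not part of the original summary), the following Python script hunts for the persistence behaviour described above: a newly created account that is quickly added to a privileged group. It runs over constructed Windows Security log events exported as JSON lines; the field names, the privileged-group list and the one-hour correlation window are assumptions.

```python
"""Hunt for the persistence pattern described above: a newly created
account that is promptly added to a privileged group. Event IDs are the
standard Windows Security log values (4720 = user account created,
4728 / 4732 = member added to a security-enabled global / local group).
The log lines below are constructed for this example."""
import json
from datetime import datetime, timedelta

# Constructed sample of Security log events exported as JSON lines.
SAMPLE_EVENTS = """
{"EventID": 4720, "TimeCreated": "2024-03-01T02:14:05", "SubjectUserName": "svc_backup", "TargetUserName": "itadmin2"}
{"EventID": 4728, "TimeCreated": "2024-03-01T02:15:40", "SubjectUserName": "svc_backup", "TargetUserName": "Domain Admins", "MemberName": "CN=itadmin2,CN=Users,DC=corp,DC=example"}
{"EventID": 4720, "TimeCreated": "2024-03-01T09:30:00", "SubjectUserName": "helpdesk1", "TargetUserName": "jdoe"}
{"EventID": 4732, "TimeCreated": "2024-03-02T11:00:00", "SubjectUserName": "helpdesk1", "TargetUserName": "Remote Desktop Users", "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"}
"""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed watch list
GROUP_ADD_EVENTS = {4728, 4732}  # global / local group membership added

def parse_events(text):
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["TimeCreated"])
    return sorted(events, key=lambda e: e["ts"])

def member_account(member_dn):
    # MemberName is a distinguished name; the first RDN value is the account name.
    return member_dn.split(",")[0].split("=", 1)[1]

def find_fast_privilege_grants(text, window=timedelta(hours=1)):
    """Return (account, creator, group, seconds) for every account that was
    created and then added to a privileged group within `window`."""
    events = parse_events(text)
    created = {e["TargetUserName"]: e for e in events if e["EventID"] == 4720}
    hits = []
    for e in events:
        if e["EventID"] not in GROUP_ADD_EVENTS or e["TargetUserName"] not in PRIVILEGED_GROUPS:
            continue
        acct = member_account(e["MemberName"])
        if acct in created and timedelta(0) <= e["ts"] - created[acct]["ts"] <= window:
            hits.append((acct, created[acct]["SubjectUserName"], e["TargetUserName"],
                         int((e["ts"] - created[acct]["ts"]).total_seconds())))
    return hits

if __name__ == "__main__":
    for hit in find_fast_privilege_grants(SAMPLE_EVENTS):
        print("ALERT: account %s created by %s and added to %s after %ds" % hit)
```

The second created account in the sample is not flagged because its group is not on the watch list and the membership change happens a day later, which is the kind of routine helpdesk activity the window is meant to exclude.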