Akira Ransomware
What is Akira Ransomware?
Akira Ransomware: A double-extortion ransomware-as-a-service operation first observed in March 2023, known for retro-styled leak sites and Cisco VPN intrusions.
Akira appeared in March 2023 and quickly became one of the most active ransomware-as-a-service brands, with a distinctive 1980s-style green-on-black leak site. CISA, the FBI, and Europol issued joint advisory AA24-109A in April 2024 stating that Akira had hit more than 250 organizations and extorted roughly USD 42 million by January 2024. Initial access frequently abuses unpatched Cisco ASA and FTD VPN appliances (CVE-2023-20269) and compromised credentials on accounts that lack MFA. Akira encrypts files with ChaCha20 and protects the keys with RSA-4096, and a Linux/ESXi variant targets VMware hypervisors. Code overlaps with the defunct Conti family suggest some shared lineage with former Conti operators.
● Examples
- 01: April 2024 CISA advisory AA24-109A attributing 250+ victims and USD 42 million in extortion to Akira.
- 02: Late-2023 Akira intrusions via Cisco ASA VPNs without multi-factor authentication.
● Frequently asked questions
What is Akira Ransomware?
A double-extortion ransomware-as-a-service operation first observed in March 2023, known for retro-styled leak sites and Cisco VPN intrusions. It belongs to the Malware category of cybersecurity.
What does Akira Ransomware mean?
A double-extortion ransomware-as-a-service operation first observed in March 2023, known for retro-styled leak sites and Cisco VPN intrusions.
How does Akira Ransomware work?
Akira appeared in March 2023 and quickly became one of the most active ransomware-as-a-service brands, with a distinctive 1980s-style green-on-black leak site. CISA, the FBI, and Europol issued joint advisory AA24-109A in April 2024 stating that Akira had hit more than 250 organizations and extorted roughly USD 42 million by January 2024. Initial access frequently abuses unpatched Cisco ASA and FTD VPN appliances (CVE-2023-20269) and compromised credentials on accounts that lack MFA. Akira encrypts files with ChaCha20 and protects the keys with RSA-4096, and a Linux/ESXi variant targets VMware hypervisors. Code overlaps with the defunct Conti family suggest some shared lineage with former Conti operators.
How do you defend against Akira Ransomware?
Defences for Akira Ransomware typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Akira Ransomware?
Common alternative names include: Akira RaaS, Akira v2.
● Related terms
- malware, № 900
Ransomware
Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.
- malware, № 902
Ransomware-as-a-Service (RaaS)
A criminal business model in which ransomware operators rent their malware and infrastructure to affiliates who carry out attacks and share the proceeds.
- defense-ops, № 215
Conti Ransomware
A Russian-speaking ransomware operation active 2020-2022 that ran one of the highest-volume double-extortion programmes before disbanding after major internal leaks.