Akira Ransomware: Analysis, Detection, and Recovery

Akira Ransomware: Unraveling the Threat of a Cyberpunk-Inspired Nemesis

In the ever-evolving world of cyber threats, a new malevolent force has emerged with a flair for the dramatic and a penchant for chaos. Akira Ransomware, first detected in early 2023, has quickly escalated to infamy, not just for its disruptive capabilities but also for its distinctive ‘retro aesthetic’ reminiscent of the iconic 1988 anime movie “Akira”. This comprehensive analysis delves deep into the anatomy of Akira ransomware, exploring its tactics, impact, and the measures organizations can take to shield themselves from this digital predator.

The Emergence of Akira Ransomware

March 2023 marked the arrival of a new adversary in the cybersecurity arena. Named after the cyberpunk classic “Akira”, Akira ransomware has since haunted the digital corridors of large enterprises, leaving a trail of encrypted files and hefty ransom demands in its wake. The ransomware’s emergence was a stark reminder that the threat landscape is constantly shifting, with attackers always seeking new ways to exploit, intimidate, and profit from their victims.

Target Demographics and Victimology

Akira ransomware exhibits no favoritism when it comes to its victims. From the educational to the financial sector, and from manufacturing to real estate, the ransomware has cast a wide net, ensnaring a diverse range of industries in its malicious grip. As reported by Sophos, small to medium-sized businesses have been particularly vulnerable, although its reach extends to various sectors and geographic locations, predominantly within the United States and allied countries.

Delivery and Exploitation Tactics

The insidious nature of Akira ransomware lies in its delivery and exploitation tactics. The malware typically gains initial access through public-facing services or applications, exploiting weaknesses in multi-factor authentication (MFA) and known vulnerabilities such as CVE-2023-20269, a notable weakness in certain VPN software. By focusing on these chinks in the armor, Akira ransomware actors manage to infiltrate networks and lay the groundwork for their attack.

Technical Characteristics of Akira Ransomware

Once inside, Akira ransomware exhibits a series of technical characteristics that make it particularly potent. It leverages PowerShell commands to dismantle defense mechanisms like volume shadow copies, appending the .akira extension to the files it encrypts. The ransomware utilizes the Windows Restart Manager API to terminate processes that may prevent file encryption, ensuring a higher success rate in its encryption endeavors. With a predefined list of target file extensions, Akira is thorough yet discriminative, avoiding critical system files to maintain the operability of the infected system for ransom negotiations.

The Akira Ransomware Attack Process

The attack process of Akira ransomware is a multi-stage operation that begins with credential access. Actors behind Akira frequently engage in credential dumping, particularly targeting the LSASS process to obtain user accounts and password hashes. Tools like VmConnect.exe facilitate lateral movement, while persistence is often established through creating new user accounts or modifying registry keys. To maintain stealth, Akira actors may attempt to disable endpoint protections like Sophos and Windows Defender, or employ command execution tools such as runas under different user contexts.

Ransom Notes and Payment

Victims of Akira ransomware are greeted with a ransom note, a text file named “akira_readme.txt”, which contains instructions for contacting the attackers via a TOR-based portal using a unique identifier. The ransom demands are typically made in cryptocurrency, a standard in the ransomware economy due to the anonymity and difficulty in tracing such transactions.

Multi-Extortion and Data Leak Tactics

In a twist of strategy, Akira ransomware actors have been observed shifting to extortion-only operations, threatening to release exfiltrated data unless the ransom is paid. This multi-extortion tactic adds pressure on victims to comply, as their sensitive data is at risk of being publicized on the ransomware’s Data Leak Site (DLS), a TOR-based website where non-compliant victims are listed along with any stolen data.

Detection and Mitigation Strategies

Detecting and mitigating the threat posed by Akira ransomware requires a robust cybersecurity posture. The SentinelOne Singularity XDR Platform stands as a formidable defense, capable of identifying and neutralizing Akira-related malicious activities. For organizations without SentinelOne, deploying anti-malware tools, monitoring network traffic for indicators of compromise, and implementing stringent backup and recovery plans are crucial steps in fortifying their digital defenses.

As the cybersecurity community rallies to combat the Akira ransomware menace, experts from various organizations have pooled their knowledge to dissect its modus operandi. The insights gleaned from these analyses provide a beacon of guidance for those looking to fortify their defenses against this formidable foe.

The Response from Cybersecurity Communities

The Sophos MDR Threat Intelligence team has been at the forefront, observing and documenting over a dozen incidents involving Akira ransomware. Their findings have been instrumental in understanding the ransomware’s evolution and the shifting tactics of its operators. Similarly, Trellix’s in-depth investigation has shed light on the ransomware’s double extortion methods and its penchant for targeting companies in the United States, particularly those in the services & goods and manufacturing sectors.

Mitre ATT&CK Techniques Employed by Akira

Akira ransomware’s tactics align with several techniques outlined in the MITRE ATT&CK framework. These include OS Credential Dumping, Exfiltration Over Alternative Protocol, and Remote Services like Remote Desktop Protocol. Understanding these techniques offers a strategic advantage in predicting and preventing Akira’s maneuvers.

Preventative Measures and Best Practices

To guard against Akira ransomware, organizations must adopt a suite of preventative measures and best practices. This includes maintaining up-to-date security patches, especially for known vulnerabilities like CVE-2023-20269, and enforcing robust MFA protocols. Regular security audits and cybersecurity awareness training for employees are also critical in mitigating the risk of phishing and other social engineering attacks.

Cryptocurrency and Ransomware

The use of cryptocurrency in ransomware operations, including Akira, presents a significant challenge in tracing payments and apprehending perpetrators. The anonymity provided by cryptocurrencies like Bitcoin has become a preferred method for attackers, complicating the efforts of law enforcement agencies to track and disrupt ransomware campaigns.


The emergence of Akira ransomware serves as a stark reminder of the dynamic and persistent nature of cyber threats. It underscores the importance of comprehensive cybersecurity strategies that encompass not only technological solutions but also employee education and robust incident response plans. As attackers continue to refine their tactics, the collective knowledge and vigilance of the cybersecurity community remain our best defense against threats like Akira.

In the face of such threats, organizations must remain ever-vigilant, continuously updating their security measures and educating their workforce on the latest tactics used by cybercriminals. By doing so, they can create a resilient defense against the sophisticated and evolving menace of Akira ransomware.

As we conclude this analysis, it is clear that the battle against Akira ransomware—and indeed, all forms of cybercrime—is ongoing. Through collaboration, education, and the implementation of advanced security technologies, we can hope to stay one step ahead of these digital adversaries.