Understanding threat actor capabilities is only half the battle—the other half is knowing whether your organization is in their crosshairs. See how Bitsight threat intelligence helps you move from observation to action.
Akira remains an active ransomware threat targeting organizations across North America, Europe, and Australia, including critical infrastructure. CISA reporting notes Akira activity against Nutanix AHV environments, showing continued expansion beyond traditional Windows and Linux targets.
Internet-facing systems
VPN appliances
Backup solutions
Ransomware-as-a-service
Double extortion
Data theft
Encryption
Exploitation of internet-facing systems
VPN appliance exploitation
Backup solution exploitation
Compromised credentials
Remote access tooling
Lateral movement
Rust-based payloads
Nutanix AHV targeting
Akira has been operational since March 2023.
Akira operates as ransomware-as-a-service.
Akira is a fast-growing operation that combines affiliate scale with consistent execution against exposed systems.
Akira accounted for 670 confirmed attacks in 2025.
Akira targets small and medium-sized businesses, with expansion into larger organizations and critical infrastructure.
Akira targets manufacturing, healthcare, technology, finance, and education.
Akira activity is concentrated in the United States, the United Kingdom, Canada, Germany, and Australia.
Akira commonly uses exploitation of internet-facing systems, especially VPN appliances and backup solutions.
Akira also uses compromised credentials.
Akira uses tools such as AnyDesk and LogMeIn.
Akira has evolving payloads, including Rust-based variants.
Akira uses double extortion through data theft and encryption.
Akira reinforces how effective ransomware groups can remain without radically new tactics: attacks on exposed systems, weak remote access paths, and weak access controls continue to produce significant results.
Patch VPN appliances and other internet-facing systems quickly
Enforce multifactor authentication for VPN, RDP, and remote access services
Monitor for unauthorized remote access tools
Restrict and monitor access to backup infrastructure
Maintain offline or immutable backups
Harden credential controls and monitor for compromised credentials
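One way to act on "Monitor for unauthorized remote access tools", as an added example that is not Bitsight's or CISA's code: it scans process-creation events for the two tools named above and flags executions on hosts where the tool is not sanctioned or that run from a user-writable path. The host names, the approval inventory, the executable-name patterns and the log lines are all constructed assumptions.

```python
import json
import re
from pathlib import PureWindowsPath

# Tools named on this page; the executable-name patterns are assumptions.
RAT_PATTERNS = {
    "AnyDesk": re.compile(r"^anydesk.*\.exe$", re.I),
    "LogMeIn": re.compile(r"^logmein.*\.exe$", re.I),
}
# Hypothetical inventory: hosts where IT has sanctioned a given tool.
APPROVED = {"HELPDESK-01": {"AnyDesk"}}
# Locations a standard user can usually write to (portable, unpackaged copies).
USER_WRITABLE = re.compile(r"\\(users|programdata|windows\\temp)\\", re.I)

# Constructed process-creation events, one JSON object per line.
SAMPLE_LOG = r"""
{"Computer":"HELPDESK-01","User":"CORP\\it.admin","Image":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"}
{"Computer":"FIN-WS-07","User":"CORP\\jdoe","Image":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}
{"Computer":"BACKUP-02","User":"CORP\\svc_backup","Image":"C:\\Program Files (x86)\\LogMeIn\\x64\\LogMeIn.exe"}
{"Computer":"HELPDESK-01","User":"CORP\\it.admin","Image":"C:\\ProgramData\\AnyDesk.exe"}
{"Computer":"FIN-WS-07","User":"CORP\\jdoe","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
"""

def classify(image):
    """Return the remote access tool name for an executable path, or None."""
    name = PureWindowsPath(image).name
    return next((t for t, p in RAT_PATTERNS.items() if p.match(name)), None)

def detect(log_text):
    """Return (host, tool, user, reasons) for each suspicious execution."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        tool = classify(ev["Image"])
        if tool is None:
            continue
        reasons = []
        if tool not in APPROVED.get(ev["Computer"].upper(), set()):
            reasons.append("not approved on host")
        if USER_WRITABLE.search(ev["Image"]):
            reasons.append("runs from user-writable path")
        if reasons:
            findings.append((ev["Computer"], tool, ev["User"], reasons))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

A finding on backup infrastructure, such as the constructed BACKUP-02 event, also bears on the recommendation to restrict and monitor access to backup systems.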