Threat Actor Profile

Akira

Aliases
  • Not available
Origin
Russia
Active Since
2023-03-01
Motivation
Extortion, Financial gain
Cause
Cybercriminal
Recent Activity

Akira remains an active ransomware threat targeting organizations across North America, Europe, and Australia, including critical infrastructure. CISA reporting notes Akira activity against Nutanix AHV environments, showing continued expansion beyond traditional Windows and Linux targets.

Primary Targets
  • Small and medium-sized businesses
  • Larger organizations
  • Critical infrastructure organizations
Target Locations
  • Australia
  • Canada
  • Germany
  • United Kingdom
  • United States
Target Sectors
  • Critical Infrastructure
  • Education
  • Finance
  • Healthcare
  • Manufacturing
  • Technology
Vulnerabilities

  • Internet-facing systems
  • VPN appliances
  • Backup solutions

Techniques
  • Ransomware-as-a-service

  • Double extortion

  • Data theft

  • Encryption

  • Exploitation of internet-facing systems

  • VPN appliance exploitation

  • Backup solution exploitation

  • Compromised credentials

  • Remote access tooling

  • Lateral movement

  • Rust-based payloads

  • Nutanix AHV targeting

Malware Tools
  • AnyDesk
  • LogMeIn
  • Rust-based ransomware variants
Bitsight Contextualized Intelligence
  • Akira has been operational since March 2023.

  • Akira operates as ransomware-as-a-service.

  • Akira is a fast-growing operation that combines affiliate scale with consistent execution against exposed systems.

  • Akira accounted for 670 confirmed attacks in 2025.

  • Akira targets small and medium-sized businesses, with expansion into larger organizations and critical infrastructure.

  • Akira targets manufacturing, healthcare, technology, finance, and education.

  • Akira activity is concentrated in the United States, the United Kingdom, Canada, Germany, and Australia.

  • Akira commonly uses exploitation of internet-facing systems, especially VPN appliances and backup solutions.

  • Akira also uses compromised credentials.

  • Akira uses tools such as AnyDesk and LogMeIn.

  • Akira has evolving payloads, including Rust-based variants.

  • Akira uses double extortion through data theft and encryption.

  • Akira reinforces how effective ransomware groups can remain without radically new tactics, especially when weaknesses in remote access paths, exposed systems, and access controls continue to produce significant results.

Defensive Takeaways
  • Patch VPN appliances and other internet-facing systems quickly

  • Enforce multifactor authentication for VPN, RDP, and remote access services

  • Monitor for unauthorized remote access tools

  • Restrict and monitor access to backup infrastructure

  • Maintain offline or immutable backups

  • Harden credential controls and monitor for compromised credentials
