Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Akira Ransomware

94
Global rank
76 infographic chevron month
Month rank
58 infographic chevron week
Week rank
0
IOCs

Akira Ransomware emerged in March 2023 and compromised over 250 organizations by January 2024 with approximately $42 million in ransom payments. It employs double extortion tactics exfiltrating data before encryption and threatening to publish it on a dedicated website.

Ransomware
Type
Unknown
Origin
1 March, 2023
First seen
3 September, 2025
Last seen

How to analyze Akira Ransomware with ANY.RUN

Type
Unknown
Origin
1 March, 2023
First seen
3 September, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
Streamline Your SOC: All-in-One Threat Detect...
watchers 717
comments 0
post image
MSSP Growth Guide: Scaling Threat Detection f...
watchers 943
comments 0
post image
Major Cyber Attacks in August 2025: 7-Stage T...
watchers 2307
comments 0

What is Akira malware?

Akira is a ransomware-as-a-service that became known in the spring of 2023 as a weapon in the hands of Howling Scorpius group. Its ability to adapt, exploit vulnerabilities, and employ double-extortion tactics makes it a significant cybersecurity concern. That perception has been well-supported by hundreds of victims with ransom payments surpassing $40 mln.

It targets a spectrum of industries, including finance, technology, healthcare, education, and manufacturing. Being a human-operated ransomware, it can be manually adapted to bypass network defenses.

This ransomware uses a variety of methods to gain initial access to networks, often exploiting weaknesses in external-facing systems or human error. The methods include phishing, stolen credentials, VPN vulnerabilities, exploit kits and RMM tools.

Akira ransomware analysis in ANY.RUN Akira Ransomware ransom note shown inside ANY.RUN's Interactive Sandbox

Once inside the network, Akira conducts a multi-stage attack: first it creates scheduled tasks and registry keys to maintain access, deploys backdoors to allow re-entry. It spreads in the network and scans it for valuable data. It exfiltrates the data and then encrypts it on the endpoint adding an .akira file extension which is a reference to the 1988 Japanese anime "Akira". A ransom note with payment instructions is generated.

Akira is good at evasion: it abuses native Windows tools to execute payloads, leverages process injection and living-off-the-land techniques (LOLBins). Some components execute filelessly, directly in memory, reducing the footprint on disk.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Akira’s Prominent Features

Considering the basic TTPs, Akira is similar to most ransomware families, but it has a number of outstanding features that render it notably dangerous:

  • Akira is not industry specific though it prefers to target small and medium businesses.
  • Hackers actively manage the attack lifecycle. It grants Akira sophistication and adaptability, better evasion, longer dwell time and higher success rate
  • Akira can be quick and has been observed to move from initial access to information exfiltration in just two hours which is much faster than average.
  • Akira’s operators practice a "decryption proof" providing to build trust and pressure victims into paying the ransom.

Akira’s Execution Process and Technical Details

ANY.RUN's Interactive Sandbox allows to detonate Akira on virtual machine with set-up parameters while bypassing its sandbox evasion capabilities.

View sandbox analysis

The execution chain of Akira ransomware involves several key steps, from initial access to data encryption. Initially, Akira operators may gain entry through multiple methods, including exploiting VPNs without multi-factor authentication (MFA) and other known vulnerabilities. Once inside, they focus on privilege escalation and lateral movement.

Akira ransomware analysis in ANY.RUN Akira Ransomware analysis inside ANY.RUN's Interactive Sandbox

Post-infiltration, Akira uses tools like Advanced IP Scanner, MASSCAN, PCHunter, SharpHound, AdFind, and net Windows commands to map networks, identify critical systems, and gather domain information.

It uses credential-dumping tools (e.g., Mimikatz, LaZagne) to extract credentials from memory (LSASS) or browsers. In some cases, Akira extracts the NTDS.dit file from domain controllers by manipulating virtual machine (VM) backups, granting access to domain admin privileges.

To evade detection, Akira actors employ various defense evasion strategies. They may use tools such as PowerTool, KillAV, and Terminator to disable antivirus solutions. Registry modifications are performed to disable or reconfigure Microsoft Defender and to hide accounts on the login screen, ensuring their malicious activities remain undetected for as long as possible.

Akira ransomware analysis in ANY.RUN ANY.RUN highlights malicious activities performed by Akira Ransomware

In the final stages, attackers exfiltrate and encrypt data. Akira uses a combination of ChaCha20 and RSA encryption algorithms for secure data encryption. Files are renamed with the .akira extension, and a ransom note is left behind. PowerShell commands are executed to delete Volume Shadow Copy Service (VSS) files—preventing easy file recovery.

In one observed instance, a PowerShell process (PID 5008) deleted these VSS files. Data is also compressed (using tools like WinRAR, FileZilla, WinSCP, Rclone) and exfiltrated, often camouflaged as legitimate traffic to avoid detection.

After encrypting and exfiltrating data, Akira places ransom notes, such as akira_readme.txt, in various directories. These notes provide instructions for victims to recover their encrypted files by paying a ransom. The ransom demand marks the culmination of the attack, as the attackers attempt to extort payment in exchange for the decryption key.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Gathering threat intelligence on Akira malware

Akira continues to steadily spread and to result in more victims calling for special attention by SOC teams for timely prevention and response. Use Threat Intelligence Lookup to track IOCs like C2 domains, hashes, and known IPs related to Akira; apply YARA rules to identify malicious binaries and scripts.

Akira ransomware results in ANY.RUN TI Lookup TI Lookup helps users collect fresh intel on Akira Ransomware attacks

With the use of the query threatName:"akira", we can identify the latest samples of this ransomware and collect fresh intel.

TI Lookup provides a list of recent sandbox sessions featuring analysis of Akira Ransomware. You can explore each of these in more detail and export the findings in JSON.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Akira RaaS has emerged as a significant threat in the landscape because it enables even low-skilled actors to deploy highly sophisticated ransomware attacks and operates encryptors for Windows and Linux operating systems. Organizations should secure their perimeter and ensure proactive defense against this threat by employing threat intelligence tools like TI Lookup to gather the latest IOCs.

Get 50 requests in TI Lookup to collect fresh threat intelligence on Akira and other malware and phishing attacks

HAVE A LOOK AT

Grandoreiro screenshot
Grandoreiro
grandoreiro
Grandoreiro is a Latin American banking trojan first observed in 2016. It targets mostly Spanish-speaking countries, such as Brazil, Spain, Mexico and Peru. This malware is operated as a Malware-as-a-Service (MaaS), which makes it easily accessible for cybercriminals. Besides, it uses advanced techniques to evade detection.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More
Backdoor screenshot
Backdoor
backdoor
A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.
Read More
DragonForce screenshot
DragonForce
dragonforce
DragonForce is a ransomware strain operating under the Ransomware-as-a-Service (RaaS) model. First reported in December 2023, it encrypts files with ChaCha8, renames them with random strings, and appends “.dragonforce_encrypted.” By disabling backups, wiping recovery, and spreading across SMB shares, DragonForce maximizes damage and pressures victims into multimillion-dollar ransom negotiations. It has targeted manufacturing, construction, IT, healthcare, and retail sectors worldwide, making it a severe threat to modern enterprises.
Read More
Godfather screenshot
Godfather
godfather
The Godfather malware is an Android banking Trojan capable of bypassing MFA that targets mobile banking and cryptocurrency applications. Known for its ability to evade detection and mimic legitimate software, it poses a significant threat to individuals and organizations by stealing sensitive data and enabling financial fraud.
Read More
Botnet screenshot
Botnet
botnet
A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.
Read More