惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

A
About on SuperTechFans
Cloudbric
Cloudbric
C
CERT Recently Published Vulnerability Notes
G
GRAHAM CLULEY
V
Vulnerabilities – Threatpost
C
Cisco Blogs
T
Tenable Blog
P
Privacy International News Feed
T
The Exploit Database - CXSecurity.com
I
Intezer
AWS News Blog
AWS News Blog
IT之家
IT之家
博客园 - 司徒正美
C
Cybersecurity and Infrastructure Security Agency CISA
博客园 - 【当耐特】
The Hacker News
The Hacker News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Spread Privacy
Spread Privacy
S
SegmentFault 最新的问题
博客园 - Franky
人人都是产品经理
人人都是产品经理
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
V
Visual Studio Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
H
Hacker News: Front Page
Latest news
Latest news
Scott Helme
Scott Helme
腾讯CDC
宝玉的分享
宝玉的分享
大猫的无限游戏
大猫的无限游戏
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
A
Arctic Wolf
S
Securelist
雷峰网
雷峰网
The GitHub Blog
The GitHub Blog
Project Zero
Project Zero
Google DeepMind News
Google DeepMind News
P
Palo Alto Networks Blog
F
Fortinet All Blogs
Schneier on Security
Schneier on Security
云风的 BLOG
云风的 BLOG
Security Archives - TechRepublic
Security Archives - TechRepublic
The Last Watchdog
The Last Watchdog
WordPress大学
WordPress大学
MongoDB | Blog
MongoDB | Blog
L
LINUX DO - 最新话题
S
Schneier on Security
NISL@THU
NISL@THU
Jina AI
Jina AI
M
MIT News - Artificial intelligence

Todyl Blog

CyberChef: How to Decode & Decrypt Malicious Scripts (Step-by-Step Guide) Achieving Zero Trust with SASE: A Practical Roadmap for Modern Network Securityso like MSP Security Maturity Assessment: Why 79% of MSPs Are Stuck in 2025 The Rising Threat of Malicious AI: What Every Organization Needs to Know Iran Cyber Threat 2026: What SMBs and MSPs Need to Know The OneStart AI Browser Deception Cyber Insurance Requirements Based on Industry Why Third-Party Security Certification Is Your MSP's Competitive Edge Why Cyber Insurance Carriers Are Shifting to Security Assurance Iran Conflict and Cyber Risk: What North American Organizations Need to Know ‍ Why Cyber Resilience Requires Security, Compliance, and Insurance MSP Security Services: How to Position Identity Protection as Competitive Advantage Identity Security Gap Assessment: A Step-by-Step Guide for MSPs How Credential Theft Attacks Are Costing MSP Clients Millions Do I Need Cyber Insurance as a Small Business? Advanced Persistent Threats (APTs) Explained Preparing for CMMC Level 1: What Your Organization Needs to Do The Real Cost of Doing Nothing in Cybersecurity MSP Security: Build vs Buy SOC The Rise of a Cybercrime Alliance: What LockBit, Qilin, and DragonForce Mean for Business Risk Cyber Threat Recovery Strategies for MSPs What MSPs Need to Know about CIRCIA Final Rule ClickFix: The Evolution of Copy-Paste Social Engineering The Dos and Don’ts of Applying for a Cyber Insurance Policy What Is Threat Hunting? A Practical Guide for MSPs and SMBs The Business Case for Cyber Threat Management Evaluating Free and Open Source SIEM Tools in 2026 How organizations can combat BEC Using SASE to help meet cyber insurance requirements Introducing the Anomaly Framework Stopping Identity Threats with ITDR through MXDR Security Operations Over Tools Beyond Tools: A Strategic Approach to Data Security Cyber Threat Response Strategies for MSPs Threat Advisory: Email Account Compromise BECs In the Wild: When Millions of People Are Expecting the Same Email Michigan and Wisconsin Proposed Age Verification Bills and the Impact on VPNs and SASE: What You Need to Know Cyber Threat Detection Strategies for MSPs Cyber Threat Prevention Strategies for MSPs Simplifying CMMC Level 1 with Todyl GRC How to Complete Your CMMC Level 1 Self-Assessment: A Step-by-Step Walkthrough Cyber Threats Don't Take Time Off How MSPs Build Lasting Client Relationships Through Proactive Operations Risk Management for MSPs: Why Business Context Changes Everything 5 Pillars for Security Program Growth in 2025 One Action MSPs can take to Address Risk and Secure Clients Building Resilience in a Perimeter-less World with Defense-in-Depth Aligning Technology Implementation to Business Outcomes Top 5 Myths about Cybersecurity How Conditional Access Transforms Your Cybersecurity Program Why MSPs need to embrace a prescriptive model How Texas SB 2610 Positions MSPs as Strategic Risk Advisors Simplifying cybersecurity maturity with managed cloud SIEM Addressing firewall vulnerabilities Understanding the Pitfalls of RDP MSP Zero-Day Response Plan: When Security Tools Can't Help You Old is Gold: Tackling Persistent Vulnerabilities How MXDR drives operational efficiencies Using SASE for secure remote access How to find the best endpoint security solution The Cyber Insurance Crisis: Why MSPs and Their Clients Are Struggling What to ask of a prospective endpoint security vendor Thinking Red, Acting Blue: Turning Attack Tactics in Your Favor Zero-Day Attacks and False Alarms: Lessons for MSPs Dissecting the Recent Rise in 2025 Zero Days MSP Security Monitoring Strategy: Identity and Cloud Blind Spots Introducing the Todyl Community: A Collaborative Platform for MSPs Threat Advisory: PDFast Freeware Compromise Navigating Today’s Cybersecurity Threat Landscape: Where MSPs Should Start Threat Advisory: Understanding the Recent SonicWall SSL VPN Vulnerability and How to Protect Your Clients Partner Spotlight: GoTech IT Solutions Threat Advisory: SQL Injection in FortiClient CVE-2023-48788 The Importance of SSL Inspection Navigating Compliance Frameworks: Common Challenges and Effective Solutions Making the most of SASE Web Filtering Iran & Middle-East Geopolitical Shifts: Emerging Cyber Risks for SMBs MSP Security KPIs That Matter: Beyond Vanity Metrics to Business Outcomes MSP Challenges Looking into 2025 Combining EDR and NGAV for Defense-in-Depth Starting Your Security Framework Journey: A Practical Implementation Guide Cyber Insurance vs. Warranties: Key Risk Management Elements Akira Ransomware: A Persistent Threat to MSP Operations Transforming Cyber Insurance for MSPs and Their Clients Two Truths, Double Whammy: Why Vulnerability Remediation Needs a Rethink Using LAN ZeroTrust for segmentation The role of SIEM in incident response Partner Spotlight: 917 Solutions Threat Advisory: Business Email Compromise Campaign using OVPN for Obfuscation Beyond Implementation: Creating an Ongoing Security Framework Program ClickFix: Fake Captcha Leads to Real Damage Streamlining Security and Compliance Information Gathering with Assessments EpiBrowser: A Sophisticated PUP Masquerading as Chromium Partner Spotlight: AnchorSix Tips to Help MSPs Set Goals for the New Year How SIEM helps detect insider threats Massive Wave of Network Security Vulnerabilities Demands Immediate Action FortiJump: The FortiManager Zero-Day Vulnerability Explained Use cases of SASE: Software-defined perimeter Threat Advisory: LightPerlGirl Malware Why MSPs Must Prioritize CIS Critical Security Controls v8.1 for Client Success
Akira Ransomware: Threat Assessment of a Scalable RaaS Operation
Sean Savold · 2026-02-05 · via Todyl Blog

Executive Assessment

Akira is a globally active Ransomware-as-a-Service (RaaS) operation that has demonstrated sustained activity since early 2023. Rather than exhibiting victim specific tradecraft, Akira campaigns reflect a repeatable and modular intrusion model designed to scale across regions, industries, and organizational sizes.

Observed activity through 2024–2025 indicates a clear evolution toward edge driven access, credential centric lateral movement, and virtualization level impact, positioning Akira as a persistent threat to organizations with exposed remote access infrastructure and centralized compute environments.

Operational Model: RaaS Structure and Scale

an infographic describing the anatomy of Akira's RaaS operation

Akira operates under a distributed affiliate model, separating development and infrastructure from intrusion execution:

  • Operators maintain ransomware payloads, leak sites, payment infrastructure, and negotiation services
  • Affiliates independently select targets, gain access, move laterally, and deploy encryption

This structure enables parallel campaigns across multiple geographies and sectors while reducing operational risk to core developers. Disruption of individual affiliates has limited impact on overall campaign velocity.

The operation consistently employs double extortion, with data exfiltration occurring prior to encryption to maintain leverage regardless of backup maturity.

Initial Access Trends: Edge Infrastructure as Primary Vector

Threat intelligence reporting and incident response observations indicate Akira affiliates strongly favor internet facing remote access infrastructure, particularly VPN appliances, as initial access vectors.

Recurring access patterns include:

  • Exploitation of SonicWall SSL VPN vulnerabilities, including CVE-2024-40766
  • Targeting of Cisco VPN infrastructure, such as CVE-2023-20269
  • Abuse of compromised, reused, or legacy credentials
  • Use of credentials obtained via initial access brokers

Affiliates demonstrate rapid weaponization of newly disclosed vulnerabilities, often exploiting them within short timeframes following public disclosure, suggesting active vulnerability monitoring rather than opportunistic scanning alone.

Post Access Behavior: Rapid Internal Expansion

Following initial access, Akira intrusions tend to prioritize speed and coverage over long term stealth. Across multiple investigations, the time between access and domain level control frequently ranges from hours to several days.

Observed behaviors include:

  • Active Directory enumeration using built-in tooling and frameworks such as Impacket
  • Credential access via Kerberos abuse rather than LSASS dumping
  • Lateral movement using RDP, SMB, WinRM, SSH, and commercial remote access tools

The reliance on valid credentials and native protocols significantly reduces malware artifacts during early stages, complicating detection through signature based controls.

Virtualization and Infrastructure Targeting

A defining evolution in Akira’s tradecraft is its increasing focus on virtualized environments. While early campaigns primarily impacted Windows systems, later activity expanded to:

  • Linux based environments, including VMware ESXi
  • Hyper-V infrastructures
  • Nutanix AHV virtual machine disk files (observed in 2025 activity)

By encrypting VM disk files or targeting hypervisors directly, affiliates can disable large numbers of systems simultaneously, increasing operational disruption and recovery complexity. This shift aligns with a broader ransomware trend toward infrastructure level impact rather than host by host encryption.

Data Exfiltration and Extortion Mechanics

Prior to encryption, Akira affiliates routinely stage and exfiltrate data using legitimate tools, including:

  • Rclone
  • WinSCP
  • File transfer clients such as FileZilla

Exfiltrated data volumes vary but commonly range from hundreds of gigabytes to multi-terabyte datasets, depending on dwell time and access scope. Centralized leak infrastructure allows operators to standardize extortion messaging across victims.

Tooling and Payload Evolution

Akira ransomware payloads have undergone incremental technical refinement:

  • Transition from C++ to Rust based encryptors
  • Configurable encryption options, including partial file encryption to increase speed
  • Pre-encryption process termination to release file locks
  • Active removal of backup artifacts, including Volume Shadow Copies and third-party backup software

These changes suggest optimization of a mature codebase rather than experimental development.

Threat Outlook

Akira should be assessed as a persistent, medium to high sophistication threat with strong operational consistency. Its effectiveness is driven less by novel malware and more by systemic weaknesses: exposed edge services, credential sprawl, and insufficient monitoring of internal authentication and virtualization layers.

The operation’s reliance on affiliates and valid credentials indicates continued adaptability as long as these conditions persist.

Mitigations and Detection Considerations

Edge and Identity Hardening

  • Prioritize patching of VPN and remote access appliances, especially SonicWall and Cisco devices
  • Enforce phishing resistant MFA on all external access and administrative accounts
  • Audit and remove legacy or dormant credentials, particularly post upgrade VPN accounts

Credential and Lateral Movement Detection

  • Monitor for anomalous Kerberos activity (e.g., unusual ticket issuance, service account misuse)
  • Alert on unexpected use of Impacket related techniques and tooling patterns
  • Baseline RDP, SMB, WinRM, and SSH usage to identify deviations in volume or source

Virtualization Security

  • Segment hypervisor management interfaces from general user networks
  • Monitor access to VM disk files and unexpected VM power-state changes
  • Apply security updates to hypervisors and virtualization management platforms promptly

Data Exfiltration Controls

  • Monitor outbound data transfers for large or sustained uploads using common exfiltration tools
  • Restrict use of file transfer utilities on servers where not operationally required

Backup and Recovery Resilience

  • Maintain offline or immutable backups isolated from domain credentials
  • Regularly test recovery from hypervisor level backups, not just endpoint restores

Closing Assessment

Akira is not defined by a single exploit or campaign, but by a repeatable operational pattern that scales across environments. Its continued success highlights the gap between security control deployment and effective visibility into identity, edge, and infrastructure layers.

From a threat intelligence perspective, Akira should be monitored less as a discrete malware family and more as an ecosystem of access methods, affiliates, and infrastructure aware attack paths that are likely to persist and evolve.

About Sean

Sean Savold is a Threat Researcher at Todyl with 6+ years of experience in threat detection, response, and security operations, focused on threat intelligence platform development, adversary research, and detection optimization to improve partner security outcomes. When he's not chasing adversaries, Sean enjoys gaming, overlanding, or spending time with his dog and cat.