216.73.217.139

Akira, LimeWire, and the Sour Taste of Data Exfiltration

· Published 12/06/2026 18:57 · Modified 15/06/2026 18:46

Export JSON

Essential information

Published
12/06/2026 18:57
Modified
15/06/2026 18:46
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
active directory enumeration akira akira ransomware data exfiltration hypervisor compromise limewire virtual machine staging winrar winscp
Tags
2026-06-12 active directory enumeration akira akira ransomware data exfiltration hypervisor compromise limewire virtual machine staging winrar winscp
Related entities
1 vulnerabilities (cve), 1 indicators, 1 observables, 1 intrusion sets (apt), 18 techniques (mitre), 1 malware

Description

In a recent ransomware attack, threat actors accessed a victim's hypervisor and created a new virtual machine to stage and launch . The forensic investigation revealed the attackers disabled Microsoft Defender immediately, installed for data staging, and used Easyupload.io, a file transfer website owned by , for . The threat actor also utilized and enumerated Active Directory users and computers. The newly instantiated VM lacked security tooling, allowing the attacker to operate uninhibited. Analysis of the VHDX file provided clear evidence of the attack progression, showing the threat actor moved quickly through their operations without employing sophisticated anti-forensics techniques. The incident highlights the need for organizations to monitor environments for unusual access and new endpoint creation.

External references