216.73.217.22

Threat Brief: Understanding Akira Ransomware

· Published 04/10/2024 10:04 · Modified 04/10/2024 12:30

Export JSON

Essential information

Published
04/10/2024 10:04
Modified
04/10/2024 12:30
Tags
2024-10-04 CVE-2019-6693 CVE-2021-21972 CVE-2022-40684 CVE-2023-20269 akira chacha encryption conti credential dumping defense evasion double-extortion lateral movement raas ransomware
Related entities
4 vulnerabilities (cve), 3 observables, 1 intrusion sets (apt), 15 techniques (mitre), 1 malware, 8 others

Description

is a prolific operating since March 2023, targeting multiple industries in North America, the UK, and Australia. It functions as as a Service () and employs double extortion tactics. has connections to the disbanded group, sharing code similarities and operator overlaps. The uses various techniques for initial access, including compromised credentials and vulnerability exploitation. It performs reconnaissance, , and employs tools for and . exfiltrates data before encryption and destroys system backups. The uses the ChaCha algorithm for file encryption and creates a log file of its execution. It accepts command-line arguments to define its behavior and uses Windows restart manager APIs to terminate processes.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (4)

CVE-2019-6693 KEV

Fortinet FortiOS contains a use of hard-coded credentials vulnerability that could allow an attacker to cipher sensitive data in FortiOS configuration backup …

Published
25/06/2025
Modified
21/12/2025
CVE-2022-40684 KEV
9.8 Critical

Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative …

Attack vector
Network
Published
11/10/2022
Modified
14/01/2026
CVE-2023-20269 KEV
5.0 Medium

Cisco Adaptive Security Appliance and Firepower Threat Defense contain an unauthorized access vulnerability that could allow an unauthenticated, remote attacker to conduct …

Attack vector
Network
Published
13/09/2023
Modified
21/12/2025
CVE-2021-21972 KEV

VMware vCenter Server vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin which allows an attacker with network …

Published
03/11/2021
Modified
21/12/2025

Observables (3)

  • b5e757f5e240af04057131ab6868a7716c46fa5abf697f2927199d1b84706c23
  • 988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42
  • 87b4020bcd3fad1f5711e6801ca269ef5852256eeaf350f4dde2dc46c576262d

Intrusion sets (APT) (1)

  • akira GOLD SAHARAPUNK SPIDER
    The MITRE Corporation Confidence 100

    The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13

Techniques (MITRE) (15)

Malware (1)

  • Akira
    Family
    Published 12/06/2026 16:57 · Modified 12/06/2026 16:57

Others (8)

  • Australia
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America
  • Technology
  • Healthcare
  • Finance
  • Government
  • Manufacturing

External references