ShellCodeX
Tools โ€ข Events โ€ข News โ€ข Insights
Threat Group Profile

akira

โ— Active โ€” last 30 days
Victim claims 110
First seen Apr 2025
Last activity 10 Jul 2026
Tracked since โ€”

Group overview

The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group. It's worth noting that with the end of CONTI's operation, several affiliates migrated to independent campaigns such as Royal, BlackBasta, and others. According to some reports, Akira affiliates also work with other ransomware operations, such as Snatch and BlackByte, as an open directory of tools used by an Akira operator was identified, which also had connections to the Snatch ransomware. The first version of the Akira ransomware was written in C++ and appended files with the '.akira' extension, creating a ransom note named 'akira_readme.txt,' partially based on the Conti V2 source code. However, on June 29, 2023, a decryptor for this version was reportedly released by Avast. Subsequently, a version was released that fixed the decryption flaw on July 2, 2023. Since then, the new version is said to be written in Rust, this time called 'megazord.exe,' and it changes the extension to '.powerranges' for encrypted files. Most of Akira's initial access vectors use brute-force attempts on Cisco VPN devices (which use single-factor authentication only). Additionally, exploitation of CVEs: CVE-2019-6693 and CVE-2022-40684 for initial access has been identified.Source: https://github.com/crocodyli/ThreatActors-TTPs

Preferred targets

Business Services ยท 28 Manufacturing ยท 27 Healthcare ยท 9 Consumer Services ยท 7 Hospitality and Tourism ยท 7 Construction ยท 7

Most targeted countries

US ยท 54 GB ยท 5 DE ยท 5 FR ยท 2 JP ยท 2 IT ยท 2

Tactics & techniques (MITRE ATT&CK)

Initial Access

Valid Accounts Valid Accounts: Domain Accounts External Remote Services Exploit Public-Facing Application

Execution

Windows Management Instrumentation Command and Scripting Interpreter Command and Scripting Interpreter: PowerShell System Services: Service Execution Command and Scripting Interpreter: Windows Command Shell

Persistence

Create Account: Local Account Create Account: Domain Account

Privilege Escalation

Valid Accounts: Domain Accounts Privilege Escalation

Defense Evasion

Modify Registry Impair Defenses: Disable or Modify Tools

Credential Access

OS Credential Dumping: LSASS Memory

Discovery

Remote System Discovery System Information Discovery Discovery

Lateral Movement

Remote Services: Remote Desktop Protocol Lateral Tool Transfer

Victim Claims Timeline

Back to radar
INDESMALLA
๐Ÿ‡ฆ๐Ÿ‡ท AR Manufacturing indesmalla.com
Fletcher Chrysler Products
๐Ÿ‡บ๐Ÿ‡ธ US Manufacturing fletcherchrysler.com
CSA SpA
๐Ÿ‡ฎ๐Ÿ‡น IT Transportation/Logistics
La Tuilerie
๐Ÿ‡ถ๐Ÿ‡จ QC Agriculture and Food Production latuilerie.com
ServiceMaster Clean services
๐Ÿ‡บ๐Ÿ‡ธ US Consumer Services servicemasterclean.com
R L Larson Excavating
๐Ÿ‡บ๐Ÿ‡ธ US Construction rllarsoninc.com
DeMera DeMera Cameron
๐Ÿ‡บ๐Ÿ‡ธ US Financial Services ddccpa.com
MN Health Insurance Network
๐Ÿ‡บ๐Ÿ‡ธ US Healthcare mnhealthnetwork.com
Newman & Marquez
๐Ÿ‡บ๐Ÿ‡ธ US Manufacturing newmanmarquezpa.com
Research & Planning Consultants
๐Ÿ‡บ๐Ÿ‡ธ US Business Services rpcconsulting.com
Accent Dental Center
๐Ÿ‡บ๐Ÿ‡ธ US Healthcare accentdentalcenter.com
School Health
๐Ÿ‡บ๐Ÿ‡ธ US Healthcare schoolhealth.com
Aqua-Servยฉ Engineers
๐Ÿ‡บ๐Ÿ‡ธ US Business Services aqua-serv.com
Gauthier Connectique
๐Ÿ‡ซ๐Ÿ‡ท FR Manufacturing gauthierconnectique.com
AKM Consulting Engineers
๐Ÿ‡บ๐Ÿ‡ธ US Business Services akmce.com
Westamerica Communications
๐Ÿ‡บ๐Ÿ‡ธ US Telecommunication mywestamerica.com
Woodland Trade
๐Ÿ‡บ๐Ÿ‡ธ US Manufacturing woodlandtrade.com
American Vintage Home, Briggs Plumbing Products, Genco Manufacturing, American Vintage Hom...
๐Ÿ‡บ๐Ÿ‡ธ US Manufacturing
Swagelok
๐Ÿ‡บ๐Ÿ‡ธ US Manufacturing swagelok.com
Alliance Roofing
๐Ÿ‡บ๐Ÿ‡ธ US Construction allianceroofingcal.com