Akira Ransomware: What You Need to Know

Akira ransomware is a new and sophisticated threat that has been targeting organizations in recent months. The ransomware encrypts files on the victim's system and then demands a ransom payment to decrypt them.

Updated on: July 24, 2023

Category:  Malware Intelligence

Type/Family:  Ransomware

Region: World Wide

Executive Summary

CloudSEK's Threat Research team investigated Akira ransomware; the key findings are as follows:

  • First infection reported in 2017 by Karsten Hahn on Twitter.
  • Targets both Windows-based and Linux-based systems.
  • Uses symmetric encryption: keys are generated with CryptGenRandom() and files are encrypted with ChaCha 2008.
  • Shares similarities with the leaked Conti v2 ransomware, according to Avast's research.
  • Avast released a decryptor for Akira ransomware targeting 64-bit and 32-bit Windows-based systems.
  • Leaked data is offered via torrents and direct download links on the same Tor-based website.

TOR Website

[Image: screenshot of the Tor-based leak website]

Victims listed on the website

  • Hospitality Staffing Solutions - United States
  • The City of Nassau Bay - Bahamas
  • Computer Information Concepts Inc - United States
  • Fersten Worldwide - Canada
  • Malt Products - United States
  • Schottenstein Property Group - United States
  • Gregory Poole - United States
  • Family Day Care Services - Australia
  • Columbia Distributing - United States
  • Ipleiria Student Branch - Portugal
  • New World Travel, Inc - United States
  • The Mitchell Partnership - Canada
  • Mercer University - United States
  • 4LEAF, Inc. - United States
  • The McGregor - United States
  • BridgeValley Community & Technical College - United States
  • Thompson Builders - United States
  • Alliance Sports Group - United States
  • Pak-Rite, Ltd - United States

Analysis and Attribution


  • Akira is a malicious ransomware strain designed to encrypt data on infected systems, appending the ".akira" extension to affected file names, and presenting victims with a ransom note named "akira_readme.txt." The ransomware operates by deleting Windows Shadow Volume Copies, making data recovery more challenging.

Propagation, Exploitation and Delivery:

  • Akira is commonly distributed through various means, including infected email attachments containing macros, malicious ads, torrent websites, and pirated software.
  • Additionally, affiliates have been observed exploiting commonly unpatched vulnerabilities on VPN endpoints to gain initial access and then moving laterally, including active exploitation of VMware ESXi remote code execution flaws.

Ransom Note Overview:

  • Upon infection, Akira presents a ransom note to the victim, claiming that the company's internal infrastructure is either partially or completely non-functional and that all backups have been removed. It also states that the attackers accessed a significant amount of corporate data before encryption. The note presents its ransom demand as reasonable and offers a negotiation process to prevent severe financial consequences for the targeted organization.

Instructions for Negotiation:

  • The ransom note provides guidance on contacting the cybercriminals via a Tor browser to access their chat room. A unique code is given for logging in, and the attackers emphasize that a swift response from the victim will minimize the potential damage. Payments are usually accepted in cryptocurrency.

Ransomware Behavior:

  • Like other ransomware variants, Akira can spread within a corporate network once it gains entry. It targets multiple devices and encrypts files to extort ransom payments. Before initiating encryption, however, Akira deliberately skips specific folders such as Recycle Bin, System Volume Information, Boot, ProgramData, and Windows, along with Windows system files bearing the .exe, .lnk, .dll, .msi, and .sys extensions.

Data Exfiltration:

  • A significant characteristic of Akira ransomware is the pre-encryption theft of sensitive corporate data. The attackers leverage this stolen information to extort victims, threatening to expose it publicly if the ransom is not paid promptly.

Recommendations

  • Actively patch widely publicized vulnerabilities, as ransomware affiliates tend to mass-exploit them because they are convenient and easy ways to gain an initial foothold inside the network.
  • Block file extensions commonly used to deliver malware, such as exe, pif, tmp, url, vb, vbe, scr, reg, cer, pst, cmd, com, bat, dll, dat, hlp, hta, js, wsf.
  • Load the threat hunting rule for Akira ransomware shared below into the SIEM and SOAR.
  • Actively triage alerts for the presence and usage of tools such as AnyDesk, WinRAR, and PCHunter, which are commonly used for archiving data for exfiltration and for remote backdoor connections.
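
The recommendations above can be turned into a small triage check. The following Python script is an added example written for this page (it is not CloudSEK's code or part of the report): it applies the extension block-list to attachment names, catching double extensions such as "invoice.pdf.exe", and scans constructed JSON-lines process-creation events for Shadow Volume Copy deletion (the `vssadmin delete shadows` and `wmic shadowcopy delete` command forms) and for the AnyDesk, WinRAR and PCHunter tools called out above. The event field names (`id`, `host`, `image`, `command_line`), the loose name fragments used to match the tools, and the sample events are assumptions.

```python
# Added example for this page (not CloudSEK's code): turns the recommendations
# above into two checks. Event field names (id, host, image, command_line) and
# the sample events below are assumptions / constructed data.
import json
import re
from typing import Iterable, List, Tuple

# Extensions from the recommendation, compared case-insensitively.
BLOCKED_EXTENSIONS = {
    "exe", "pif", "tmp", "url", "vb", "vbe", "scr", "reg", "cer", "pst",
    "cmd", "com", "bat", "dll", "dat", "hlp", "hta", "js", "wsf",
}

# Shadow Volume Copy deletion: the two command forms most often seen in logs.
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)
# Tools the report says to triage, matched by name fragment in the image path or
# command line (binary names vary by version, so the match is deliberately loose).
WATCHED_TOOLS = re.compile(r"anydesk|winrar|\brar\.exe|pchunter", re.IGNORECASE)

Finding = Tuple[object, str, str, str]  # (event id, host, category, matched text)


def is_blocked_attachment(filename: str) -> bool:
    """True if any extension segment of the name is on the block-list.

    Every dot-separated segment after the first is checked, so a double
    extension such as "invoice.pdf.exe" is caught; trailing dots and spaces,
    which Windows drops when it resolves a name, are stripped first.
    """
    name = filename.strip().rstrip(". ").lower()
    return any(part in BLOCKED_EXTENSIONS for part in name.split(".")[1:])


def triage_process_events(lines: Iterable[str]) -> List[Finding]:
    """Scan JSON-lines process-creation events and return findings in log order."""
    findings: List[Finding] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stop the whole pass
        cmd = event.get("command_line", "")
        image = event.get("image", "")
        host = event.get("host", "?")
        event_id = event.get("id")
        hit = SHADOW_DELETE.search(cmd)
        if hit:
            findings.append((event_id, host, "shadow_copy_deletion", hit.group(0)))
        hit = WATCHED_TOOLS.search(image) or WATCHED_TOOLS.search(cmd)
        if hit:
            findings.append((event_id, host, "watched_tool", hit.group(0)))
    return findings


# Constructed sample events (not real telemetry); one line is deliberately malformed.
SAMPLE_EVENTS = r"""
{"id": 1, "host": "WS-042", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c vssadmin delete shadows /all /quiet"}
{"id": 2, "host": "WS-042", "image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "command_line": "WinRAR.exe a -r C:\\temp\\hr.rar D:\\Shares\\HR"}
{"id": 3, "host": "SRV-01", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "command_line": "AnyDesk.exe --install"}
{"id": 4, "host": "WS-007", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe notes.txt"}
{"id": 5, "host": "SRV-01", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "command_line": "wmic shadowcopy delete"}
this line is not JSON and must not break the scan
"""

if __name__ == "__main__":
    for name in ("invoice.pdf.exe", "report.docx", "run.bat.", "setup.EXE"):
        print(f"{name:20s} blocked={is_blocked_attachment(name)}")
    for finding in triage_process_events(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

Run against the constructed events, the scan reports the two shadow-copy deletions and the WinRAR and AnyDesk launches while ignoring notepad and the malformed line; in a real pipeline the findings would feed the SIEM alert queue rather than stdout.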

Indicators of Compromise (IoCs)

MITRE ATT&CK Execution and Tactics

Techniques used (ID)

Execution
a. Windows Management Instrumentation
b. Shared Modules

Persistence
a. Browser Extensions
b. Registry Run Keys / Startup Folder

Privilege Escalation
a. Registry Run Keys / Startup Folder

Defense Evasion
a. Obfuscated Files or Information
b. Indicator Removal from Tools
c. Virtualization/Sandbox Evasion

Credential Access
a. OS Credential Dumping

Discovery
a. Application Window Discovery
b. Process Discovery
c. System Information Discovery
d. File and Directory Discovery
f. Virtualization/Sandbox Evasion
g. System Location Discovery

Collection
a. Data from Local System
b. Browser Session Hijacking

Command and Control
a. Proxy
b. Ingress Tool Transfer

Impact
a. Data Encrypted for Impact

Yara Rule for detection - (Link)

rule win_akira_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.akira."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.akira"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 4d3bca 7223 49893b 41c7430802000000 41c6431001 e9???????? b8ffffffff }
            // n = 7, score = 100
            //   4d3bca               | mov                 dword ptr [esp + 0x20], ebp
            //   7223                 | inc                 ecx
            //   49893b               | sub                 dh, bh
            //   41c7430802000000     | imul                ebp, edi
            //   41c6431001           | inc                 eax
            //   e9????????           |                     
            //   b8ffffffff           | movsx               eax, dh

        $sequence_1 = { e8???????? 4c8bc0 488bd3 488d4c2440 e8???????? 488d154de80600 488d4c2440 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4c8bc0               | dec                 eax
            //   488bd3               | sub                 esp, ecx
            //   488d4c2440           | dec                 eax
            //   e8????????           |                     
            //   488d154de80600       | lea                 ebx, [esp + 0x50]
            //   488d4c2440           | dec                 eax

        $sequence_2 = { 488d8597010000 4c8bc7 0f1f840000000000 49ffc0 6642833c4000 75f5 488d9597010000 }
            // n = 7, score = 100
            //   488d8597010000       | dec                 eax
            //   4c8bc7               | mov                 eax, dword ptr [ebp - 8]
            //   0f1f840000000000     | dec                 eax
            //   49ffc0               | mov                 ebx, dword ptr [eax + 0x88]
            //   6642833c4000         | dec                 eax
            //   75f5                 | mov                 eax, dword ptr [ebp - 0x20]
            //   488d9597010000       | dec                 eax

        $sequence_3 = { 742c 4c8bc6 488d15fbf80400 488bcf e8???????? 488d55c0 48837dd810 }
            // n = 7, score = 100
            //   742c                 | dec                 eax
            //   4c8bc6               | mov                 edi, eax
            //   488d15fbf80400       | jmp                 0x3c2
            //   488bcf               | dec                 ecx
            //   e8????????           |                     
            //   488d55c0             | mov                 edi, ebp
            //   48837dd810           | dec                 eax

        $sequence_4 = { 488bd9 488bc2 488d0d45550400 0f57c0 488d5308 48890b 488d4808 }
            // n = 7, score = 100
            //   488bd9               | mov                 edi, dword ptr [edi + 8]
            //   488bc2               | dec                 eax
            //   488d0d45550400       | test                edi, edi
            //   0f57c0               | jne                 0x4f
            //   488d5308             | dec                 eax
            //   48890b               | mov                 edi, dword ptr [ebp - 0x79]
            //   488d4808             | dec                 eax

        $sequence_5 = { 488d542420 e8???????? 8bf8 85c0 750d f744243010000000 0f95c3 }
            // n = 7, score = 100
            //   488d542420           | test                edi, edi
            //   e8????????           |                     
            //   8bf8                 | jne                 0x649
            //   85c0                 | mov                 edx, dword ptr [esp + 0x3b8]
            //   750d                 | cmp                 edx, 0x3b9aca00
            //   f744243010000000     | dec                 eax
            //   0f95c3               | lea                 eax, [esp + 0x50]

        $sequence_6 = { 488b842430010000 668910 4c892b e8???????? eb7a 0f1f00 488d4b28 }
            // n = 7, score = 100
            //   488b842430010000     | add                 edx, ecx
            //   668910               | dec                 eax
            //   4c892b               | sar                 edx, 6
            //   e8????????           |                     
            //   eb7a                 | dec                 eax
            //   0f1f00               | mov                 eax, edx

    condition:
        // Condition clause reconstructed here so the rule compiles as shown;
        // compare with the linked Malpedia original before deploying it.
        7 of them
}