Akira Ransomware

Released: Apr 22, 2024

Updated: Nov 13, 2025


Severity: High

Vendor: Microsoft, Cisco, VMware


250+ Organizations Impacted, $42 Million Ransomware Toll

FortiGuard Labs continues to observe in-the-wild detections related to the Akira ransomware group. According to a new CISA report, it has targeted over 250 organizations in the past year, affecting numerous businesses and critical infrastructure entities across North America, Europe, and Australia. The gang has collected over $42 million in ransom payments from these attacks.

Common Vulnerabilities and Exposures









Background

First detected in March/April 2023, this financially motivated ransomware group primarily targets small and medium-sized businesses. Like other notorious ransomware operations, Akira uses familiar tactics such as Ransomware-as-a-Service and double extortion to maximize its profits.

For initial access, Akira threat actors target virtual private network (VPN) services that lack multifactor authentication (MFA), mostly by exploiting the known Cisco vulnerabilities CVE-2020-3259 and CVE-2023-20269, as well as external-facing services such as Remote Desktop Protocol (RDP), spear phishing, and the abuse of valid credentials.

These credentials are typically acquired through brute force attacks or obtained from the dark web. Once inside, threat actors deploy various tools and malware to conduct reconnaissance, dump credentials, exfiltrate data, and move laterally within the network.

Early versions of the Akira encryptor were written in C++ and appended a .akira extension to encrypted files. From August 2023 onwards, some Akira attacks switched to Megazord, a Rust-based encryptor that appends a .powerranges extension. Akira threat actors continue to use both Megazord and Akira, including the newer version, Akira_v2.
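The two file extensions named above (.akira for the C++ variant, .powerranges for Megazord) are the most visible host-side artifact of an Akira encryption run. The following detection script is an added example for this page and is not FortiGuard's or Fortinet's code: it parses a stream of file-system events, counts per host how many renames or creates produce one of those extensions inside a sliding time window, and raises one alert per host when the count crosses a threshold, which is the "mass encryption" pattern defenders hunt for rather than a single suspicious file. The one-line-per-event log format, the hostnames, the paths, the 60-second window and the threshold of five are constructed assumptions, not real telemetry or a vendor schema.

```python
"""
Heuristic detection of Akira/Megazord encryption activity from file-event logs.

Added example, not code from the FortiGuard advisory or from Fortinet. It flags a
host that renames or creates more than `threshold` files carrying the extensions
the advisory names (.akira, .powerranges) within a short window. The log line
format "<ISO timestamp> <host> <action> <path>", the hostnames and the paths below
are constructed assumptions used only to make the example self-contained.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Extensions named in the advisory: .akira (C++ variant), .powerranges (Megazord, Rust).
RANSOM_EXTENSIONS = (".akira", ".powerranges")

# Assumed event shape: "<ISO timestamp> <host> <action> <path>" (constructed format).
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) (?P<path>.+)$")


def parse_event(line):
    """Return (timestamp, host, action, path), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    return ts, m.group("host"), m.group("action"), m.group("path")


def is_ransom_artifact(path):
    """True if the path ends with an extension the advisory associates with Akira."""
    return path.lower().endswith(RANSOM_EXTENSIONS)


def detect_mass_encryption(lines, threshold=5, window=timedelta(seconds=60)):
    """
    Sliding-window count, per host, of file events that produce a ransom extension.
    Returns a list of (host, first_event_in_window, count) tuples, one per host,
    emitted the first time that host reaches `threshold` events inside `window`.
    """
    recent = defaultdict(deque)   # host -> timestamps of recent suspicious events
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue                # skip unparseable lines instead of crashing
        ts, host, action, path = ev
        if action not in ("RENAME", "CREATE") or not is_ransom_artifact(path):
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # evict events that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append((host, q[0], len(q)))
    return alerts


# Constructed sample events: one file server hit by a burst of .akira renames,
# one workstation with two isolated .powerranges events an hour apart, one junk line.
SAMPLE_LOG = """
2024-04-18T10:00:01 FILESRV01 CREATE C:\\Shares\\Finance\\q1.xlsx
2024-04-18T10:00:05 FILESRV01 RENAME C:\\Shares\\Finance\\q1.xlsx.akira
2024-04-18T10:00:06 FILESRV01 RENAME C:\\Shares\\Finance\\q2.xlsx.akira
2024-04-18T10:00:07 FILESRV01 RENAME C:\\Shares\\Finance\\budget.docx.akira
2024-04-18T10:00:08 FILESRV01 RENAME C:\\Shares\\HR\\roster.pdf.akira
2024-04-18T10:00:09 FILESRV01 RENAME C:\\Shares\\HR\\contracts.zip.akira
2024-04-18T10:00:10 FILESRV01 RENAME C:\\Shares\\HR\\photo.jpg.akira
2024-04-18T10:30:00 WS-ANALYST7 RENAME C:\\Users\\a\\notes.txt.powerranges
2024-04-18T11:30:00 WS-ANALYST7 RENAME C:\\Users\\a\\todo.txt.powerranges
2024-04-18T11:31:00 WS-ANALYST7 CREATE C:\\Users\\a\\report.docx
this line is deliberately malformed
""".strip().splitlines()


if __name__ == "__main__":
    for host, first_seen, count in detect_mass_encryption(SAMPLE_LOG):
        print(f"ALERT host={host} first_seen={first_seen.isoformat()} files={count}")
```

Run as written, the script alerts once for FILESRV01 (five .akira renames within five seconds) and stays silent for WS-ANALYST7, whose two .powerranges events are an hour apart; the per-host deque and the window eviction are what keep isolated events from paging anyone while a burst still fires on the fifth file rather than after the whole share is encrypted.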

Latest Development

Recent news and incidents related to cybersecurity threats, including data breaches, cyber-attacks, security incidents, and newly discovered vulnerabilities.


Fortinet has existing AV signatures and behaviour-based detections that detect and block Akira ransomware; however, it is always recommended to follow best practices and apply relevant patches to mitigate the threat and reduce the likelihood and impact of ransomware incidents. See https://www.fortinet.com/resources/cyberglossary/how-to-prevent-ransomware

  • November 13, 2025: CISA and partners released an advisory update on Akira ransomware.

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
  • April 19, 2024: FortiGuard Labs released a Threat Signal.

    https://www.fortiguard.com/threat-signal-report/5426
  • April 18, 2024: The United States Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) released a joint cybersecurity advisory (CSA).

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
  • February 15, 2024: CISA added CVE-2020-3259 (Cisco ASA and FTD Information Disclosure Vulnerability) to its Known Exploited Vulnerabilities catalog.

  • October 12, 2023: Fortinet released a detailed blog on Akira ransomware.

    https://www.fortinet.com/blog/threat-research/ransomware-roundup-akira
  • September 13, 2023: CISA added CVE-2023-20269 (Cisco Adaptive Security Appliance and Firepower Threat Defense Unauthorized Access Vulnerability) to its Known Exploited Vulnerabilities catalog.

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • AV

  • AV (Pre-filter)

  • Behavior Detection

  • IPS

  • Pre-execution

  • Post-execution

DETECT
  • IOC

  • Outbreak Detection

  • Threat Hunting

  • Content Update

  • Playbook

RESPOND
  • Automated Response

  • Assisted Response Services

RECOVER
  • NOC/SOC Training

  • End-User Training

IDENTIFY
  • Attack Surface Monitoring (Inside & Outside)

  • Business Reputation

  • Attack Surface Hardening

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.