Nov 14, 2025

SafeBreach Coverage for Updated CISA Alert AA24-109A: Akira Ransomware

This alert provided an update to the initial alert from April 2024 and included new information regarding recent Akira ransomware activities and updated indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) that present an imminent threat to critical infrastructure providers. The updated information was obtained through FBI investigations and trusted third-party reporting as recently as November 2025. 

The SafeBreach Labs team responded quickly, evaluating existing coverage and providing new coverage to help organizations quickly validate their exposure and proactively assess their security posture in light of this significant threat. 

In the blog below, we will share an overview of the threat, highlight key TTPs, and identify new and existing attack content relevant to Akira ransomware that is now available within the SafeBreach exposure validation platform.


Understanding the Akira Ransomware Threat

Akira ransomware has been targeting a wide range of businesses and critical infrastructure entities since March 2023 across North America, Europe, and Australia. Akira threat actors are associated with a number of groups, including Storm-1567, Howling Scorpius, Punk Spider, Gold Sahara, and the defunct Conti ransomware group. They have primarily targeted small- and medium-sized businesses, but have also impacted larger organizations across various sectors, with a notable preference for organizations in the manufacturing, educational institutions, information technology, healthcare and public health, financial services, and food and agriculture sectors.

Initially, threat actors leveraging Akira ransomware targeted Windows-only systems. However, in April 2023, they began targeting VMware ESXi virtual machines through a new Linux variant. In a June 2025 incident, Akira threat actors encrypted Nutanix AHV VM disk files for the first time, expanding their capabilities beyond VMware ESXi and Hyper-V by abusing CVE-2024-40766 (CWE-284: Improper Access Control), a SonicWall vulnerability. As of late September 2025, it’s believed that Akira ransomware has claimed approximately $244.17 million (USD) in ransomware proceeds.

The early versions of the ransomware variant were written in C++ and encrypted files with a .akira extension. However, beginning in August 2023, some Akira ransomware attacks began deploying Megazord, leveraging Rust-based code that encrypts files with a .powerranges extension. Akira threat actors have also used Megazord and Akira variants (including Akira v2) interchangeably to target victims.

Key TTPs

Initial Access 

Threat actors gain access to victims through a virtual private network (VPN) service without multifactor authentication (MFA) configured, mostly using known vulnerabilities CVE-2020-3259, CVE-2023-20269, CVE-2020-3580, CVE-2023-28252, and CVE-2024-37085. Additionally, Akira threat actors were observed using these CVE exploits CVE-2023-27532, CVE-2024-40711, and CVE-2024-40766 for initial access. 

They have also been observed gaining access using external-facing services such as Remote Desktop Protocol (RDP), spear phishing, and abusing valid credentials. Akira threat actors gain access to VPN products, such as SonicWall, by stealing login credentials or exploiting vulnerabilities like CVE-2024-40766. In some instances, they gain initial access through compromised VPN credentials, potentially by using initial access brokers or brute-forcing VPN endpoints. Additionally, Akira threat actors deploy password spraying techniques, using tools such as SharpDomainSpray to gain access to account credentials.

In other incidents, indicators suggest that Akira threat actors gained initial access through the Secure Shell (SSH) protocol by exploiting a router’s IP address. After tunneling through a targeted router, Akira threat actors exploit publicly available vulnerabilities, such as those found in the Veeam Backup and Replication component of unpatched Veeam backup servers (CVE-2023-27532 and CVE-2024-40711).

Execution 

Akira threat actors frequently execute malicious commands by using Visual Basic (VB) scripts (event-driven programming languages that allow documents to contain macros to improve functionality through autonomous task execution).

Persistence and Discovery

Once they gain access to victim networks, the threat actors attempt to abuse domain controller functions by creating new domain accounts, including creating an admin account named itadm. By leveraging Kerberoasting, threat actors have been observed extracting stored credentials from the process memory of the Local Security Authority Subsystem Service (LSASS). Additionally, these threat actors have been known to use credential scraping tools like Mimikatz and LaZagne to facilitate privilege escalation. Tools like SoftPerfect and Advanced IP Scanner were also used for network device discovery (reconnaissance) purposes, and net Windows commands were leveraged to identify domain controllers and gather information on domain trust relationships. In the updated alert, Akira threat actors were observed using nltest /dclist: and nltest /DOMAIN_TRUSTS for network and domain discovery.
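The discovery commands named above (nltest /dclist:, nltest /DOMAIN_TRUSTS, and net-based domain group enumeration) are easy to hunt for in process-creation telemetry. The following is an added example, not SafeBreach or CISA code, that runs a small set of patterns over constructed log lines and only escalates a host once more than one distinct discovery technique is seen, which keeps a single routine admin command from paging anyone. The flattened "host|user|image|command_line" field layout, the net group pattern, and the sample lines are assumptions of this example.

```python
"""Flag domain-discovery command lines in process-creation telemetry.

Added example; the log format and sample events are constructed, modelled
loosely on Windows Security 4688 / Sysmon event 1 fields.
"""
import re

# One pattern per discovery behaviour described in the alert. The net group
# pattern is this example's assumption of how "net" commands would be used
# to find domain controllers or privileged groups.
DISCOVERY_PATTERNS = {
    "nltest_dc_list": re.compile(r"\bnltest(\.exe)?\b.*/dclist\s*:", re.I),
    "nltest_domain_trusts": re.compile(r"\bnltest(\.exe)?\b.*/domain_trusts\b", re.I),
    "net_domain_group": re.compile(
        r'\bnet(1|\.exe)?\b\s+group\s+"?domain\s+(controllers|admins)"?.*/domain\b', re.I
    ),
}

# Constructed sample events: host|user|image|command_line
SAMPLE_EVENTS = [
    "WS01|CORP\\alice|C:\\Windows\\System32\\nltest.exe|nltest /dclist:corp.local",
    "WS01|CORP\\alice|C:\\Windows\\System32\\nltest.exe|nltest /DOMAIN_TRUSTS",
    'WS02|CORP\\bob|C:\\Windows\\System32\\net.exe|net group "Domain Controllers" /domain',
    "WS03|CORP\\carol|C:\\Program Files\\Office\\WINWORD.EXE|winword /n report.docx",
    # Mentions nltest but is not a discovery command; must not match.
    "WS01|CORP\\alice|C:\\Windows\\System32\\cmd.exe|cmd /c echo nltest-results.txt",
]


def parse_event(line):
    """Split one flattened event line into its four fields."""
    host, user, image, cmd = line.split("|", 3)
    return {"host": host, "user": user, "image": image, "command_line": cmd}


def match_discovery(command_line):
    """Return the names of all discovery patterns matching a command line."""
    return [name for name, pat in DISCOVERY_PATTERNS.items() if pat.search(command_line)]


def find_discovery_activity(lines):
    """Return (host, user, [technique names]) for every matching event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        names = match_discovery(ev["command_line"])
        if names:
            hits.append((ev["host"], ev["user"], names))
    return hits


def hosts_with_multiple_techniques(lines, minimum=2):
    """Hosts on which at least `minimum` distinct discovery techniques were seen.

    Requiring more than one technique reduces noise from a lone admin command.
    """
    per_host = {}
    for host, _user, names in find_discovery_activity(lines):
        per_host.setdefault(host, set()).update(names)
    return sorted(h for h, names in per_host.items() if len(names) >= minimum)


if __name__ == "__main__":
    for hit in find_discovery_activity(SAMPLE_EVENTS):
        print("discovery:", hit)
    print("escalate:", hosts_with_multiple_techniques(SAMPLE_EVENTS))
```

The per-host threshold is the part worth tuning: in an environment where help-desk staff legitimately run nltest, raise `minimum` or scope the rule to non-admin workstations.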

Defense Evasion 

Threat actors were observed deploying two distinct ransomware variants against different system architectures within the same compromise event. Akira threat actors were first observed deploying the Windows-specific “Megazord” ransomware, with further analysis revealing that a second payload was concurrently deployed in this attack (later identified as a novel variant of the Akira ESXi encryptor, “Akira_v2”). To ensure unimpeded lateral movement within the victim network, threat actors disable security software to avoid detection, including the use of PowerTool to exploit the Zemana AntiMalware driver and terminate any antivirus-related processes.

The updated alert noted that Akira threat actors were observed abusing remote access tools such as AnyDesk and LogMeIn to maintain persistence and blend in with administrator activity. Akira threat actors leverage Impacket (an open source tool designed for network protocol manipulation) to execute remote commands through wmiexec.py. To evade detection, Akira threat actors implement techniques such as uninstalling endpoint detection and response (EDR) systems.

Privilege Escalation

In the updated alert, Akira threat actors were observed creating new user accounts and adding them to the administrator group to establish a foothold in the environment. In a reported incident, Akira threat actors bypassed Virtual Machine Disk (VMDK) file protection by temporarily powering down the domain controller’s VM, copying the VMDK files, and attaching them to a newly created VM. This sequence of actions enabled them to extract the NTDS.dit file and the SYSTEM hive, ultimately compromising a highly privileged domain administrator’s account. Akira threat actors have also been observed leveraging services like Veeam.Backup.MountService.exe for privilege escalation (CVE-2024-40711).
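The account-creation behaviour above (a new user that is promptly added to an administrator group) shows up in the Windows Security log as event 4720 (user account created) followed by event 4732 (member added to a security-enabled local group). The following is an added example, not SafeBreach or CISA code, that correlates those two events per account within a short window and additionally flags the itadm account name the alert mentions. The event records, field names, one-hour window, and group list are constructed assumptions of this example.

```python
"""Correlate account creation with privileged group membership.

Added example. Events are constructed to resemble Windows Security log
records (4720 = user account created, 4732 = member added to local group);
the field names are this example's own.
"""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}
KNOWN_ACTOR_ACCOUNT_NAMES = {"itadm"}  # account name reported in the alert

# Constructed sample events.
SAMPLE_EVENTS = [
    {"time": "2025-11-10T02:14:05", "event_id": 4720, "subject": "CORP\\svc_backup",
     "target": "itadm", "group": None},
    {"time": "2025-11-10T02:14:40", "event_id": 4732, "subject": "CORP\\svc_backup",
     "target": "itadm", "group": "Administrators"},
    # Legitimate onboarding: created, then promoted two days later.
    {"time": "2025-11-10T09:00:00", "event_id": 4720, "subject": "CORP\\helpdesk",
     "target": "jsmith", "group": None},
    {"time": "2025-11-12T09:05:00", "event_id": 4732, "subject": "CORP\\helpdesk",
     "target": "jsmith", "group": "Administrators"},
    # Pre-existing account promoted; no matching 4720, so not a "new admin".
    {"time": "2025-11-10T11:30:00", "event_id": 4732, "subject": "CORP\\helpdesk",
     "target": "old_admin", "group": "Administrators"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def correlate_new_admin_accounts(events, window=timedelta(hours=1)):
    """Return accounts created and added to a privileged group within `window`."""
    created = {}  # lower-cased account name -> creation time
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        name = ev["target"].lower()
        if ev["event_id"] == 4720:
            created[name] = _ts(ev["time"])
        elif ev["event_id"] == 4732 and (ev["group"] or "").lower() in PRIVILEGED_GROUPS:
            t0 = created.get(name)
            if t0 is not None and _ts(ev["time"]) - t0 <= window:
                findings.append({
                    "account": ev["target"],
                    "group": ev["group"],
                    "created_by": ev["subject"],
                    "seconds_to_admin": int((_ts(ev["time"]) - t0).total_seconds()),
                    "known_actor_name": name in KNOWN_ACTOR_ACCOUNT_NAMES,
                })
    return findings


if __name__ == "__main__":
    for f in correlate_new_admin_accounts(SAMPLE_EVENTS):
        print(f)
```

The creating principal (`created_by`) matters as much as the new account: a service account such as the backup service creating local administrators is itself a strong signal, and the window should be shortened rather than lengthened if onboarding scripts in your environment routinely promote accounts within minutes.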

Lateral Movement 

To pivot laterally, Akira threat actors use legitimate remote access tools like AnyDesk or LogMeIn. They also employ RDP, SSH, and MobaXterm to expand their presence within the compromised network.

Command & Control 

Trusted third-party investigations revealed that Akira threat actors deployed two distinct ransomware variants against different system architectures during one attempted compromise. Analysts first identified Akira threat actors deploying the Windows-specific “Megazord” ransomware, and further investigation revealed the threat actors concurrently deployed a second payload during the attack, later identified as a novel variant of the Akira ESXi encryptor, Akira_v2. 

Based on observations in the updated alert, it has been determined that Megazord has likely fallen out of use since 2024. Akira threat actors have also now been observed establishing command and control (C2) communications by using tunneling utilities, such as Ngrok, to initiate encrypted sessions that bypass perimeter monitoring. They also use PowerShell and Windows Management Instrumentation Command-line (WMIC) to disable services and execute malicious scripts.

Exfiltration & Impact 

Threat actors leverage tools like FileZilla, WinRAR, WinSCP, and RClone to exfiltrate data. In some incidents, Akira threat actors exfiltrated data in just over two hours from initial access. To establish command and control channels, threat actors leverage readily available tools like AnyDesk, MobaXterm, RustDesk, Ngrok, and Cloudflare Tunnel, enabling exfiltration through various protocols such as File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), and cloud storage services like Mega to connect to exfiltration servers. 
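The exfiltration described above is distinctive less for the tools than for the tempo: large outbound volumes from a file-transfer or tunnelling utility, completed within a couple of hours of initial access. The following is an added example, not SafeBreach or CISA code, that aggregates outbound bytes per host over a sliding two-hour window and only raises an alert when the traffic originates from one of the transfer or tunnelling tools the alert names. The flow records, process image names, window and byte threshold are constructed assumptions of this example.

```python
"""Detect high-volume outbound bursts from known transfer/tunnelling tools.

Added example. Flow records are constructed as (timestamp, host, process
image, bytes sent); image names for the tools named in the alert are this
example's assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EXFIL_TOOLS = {
    "rclone.exe", "winscp.exe", "filezilla.exe", "winrar.exe",
    "ngrok.exe", "cloudflared.exe", "anydesk.exe", "rustdesk.exe", "mobaxterm.exe",
}

# Constructed sample flows.
SAMPLE_FLOWS = [
    ("2025-11-11T01:00:00", "FS01", "rclone.exe", 900_000_000),
    ("2025-11-11T01:20:00", "FS01", "rclone.exe", 1_200_000_000),
    ("2025-11-11T01:45:00", "FS01", "rclone.exe", 1_100_000_000),
    ("2025-11-11T03:00:00", "FS01", "rclone.exe", 50_000_000),
    # Large browser upload: not one of the listed tools, so it is ignored here.
    ("2025-11-11T01:10:00", "WS05", "chrome.exe", 2_500_000_000),
    # Small admin transfer well under the threshold.
    ("2025-11-11T01:15:00", "WS07", "winscp.exe", 40_000_000),
]


def exfil_bursts(flows, window=timedelta(hours=2), threshold_bytes=1_000_000_000):
    """Return one alert per host whose tool-originated outbound bytes exceed
    `threshold_bytes` inside any `window`-long sliding interval."""
    per_host = defaultdict(list)
    for ts, host, image, nbytes in flows:
        if image.lower() in EXFIL_TOOLS:
            per_host[host].append((datetime.fromisoformat(ts), image.lower(), nbytes))

    alerts = []
    for host, recs in per_host.items():
        recs.sort()
        start, total, best, best_tools = 0, 0, 0, set()
        for end, (t_end, _image, nbytes) in enumerate(recs):
            total += nbytes
            # Slide the window start forward until it fits inside `window`.
            while t_end - recs[start][0] > window:
                total -= recs[start][2]
                start += 1
            if total > best:
                best = total
                best_tools = {r[1] for r in recs[start:end + 1]}
        if best >= threshold_bytes:
            alerts.append({"host": host, "bytes_in_window": best, "tools": sorted(best_tools)})
    return alerts


if __name__ == "__main__":
    for alert in exfil_bursts(SAMPLE_FLOWS):
        print(alert)
```

Because the sum is over a sliding window rather than a calendar hour, a transfer that straddles a bucket boundary is not split into two sub-threshold halves. The tool allow-list keeps legitimate bulk uploads (backup agents, browsers) out of this rule; those need a separate baseline.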

Threat actors use double extortion to encrypt victim systems after exfiltrating stolen data. The Akira ransom note provides each company with a unique code and instructions to contact the threat actors via a .onion URL. Akira threat actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim. Ransom payments are paid in Bitcoin to cryptocurrency wallet addresses provided by the threat actors.

Encryption

Akira threat actors utilize a sophisticated hybrid encryption scheme to lock data. This involves combining a ChaCha20 stream cipher with an RSA public-key cryptosystem for speed and secure key exchange. This approach tailors encryption methods based on file type and size and is capable of full or partial encryption. Encrypted files are appended with either a .akira or .powerranges extension. With the new Akira_v2 variant, encrypted files are appended with a .akira or .powerranges extension, or with .akiranew or .aki.

To further inhibit system recovery, Akira’s encryptor (w.exe) utilizes PowerShell commands to delete volume shadow copies (VSS) on Windows systems. Additionally, a ransom note named fn.txt or akira_readme.txt appears in both the root directory (C:) and each user’s home directory (C:\Users).
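The on-disk footprint described in this section (the four encrypted-file extensions plus a ransom note named fn.txt or akira_readme.txt dropped in the drive root and each user's home directory) is something a responder can verify against a mounted image or a file listing without running anything from the infected host. The following is an added example, not SafeBreach or CISA code, that walks a directory tree, counts files by final extension only (so a file named old.akira.bak is not miscounted), records where ransom notes were found, and builds its own sample tree in a temporary directory so it runs offline; the sample layout is constructed.

```python
"""Scan a directory tree for the Akira file extensions and ransom notes.

Added example. The sample tree built by build_sample_tree() is constructed
to mimic a drive root with per-user home directories.
"""
import os
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIXES = {".akira", ".powerranges", ".akiranew", ".aki"}
RANSOM_NOTE_NAMES = {"fn.txt", "akira_readme.txt"}


def scan_footprint(root):
    """Return counts of encrypted files and ransom notes under `root`."""
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            # Only the final suffix counts: "old.akira.bak" is not encrypted.
            if p.suffix.lower() in ENCRYPTED_SUFFIXES:
                encrypted.append(p)
            if name.lower() in RANSOM_NOTE_NAMES:
                notes.append(p)
    note_dirs = {n.parent.relative_to(root).as_posix() for n in notes}
    return {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "note_directories": sorted(note_dirs),
        "likely_akira": bool(encrypted) and bool(notes),
    }


def build_sample_tree():
    """Create a constructed layout: notes in the root and user homes, a mix of
    encrypted, decoy and untouched files. Returns the temporary root path."""
    root = Path(tempfile.mkdtemp(prefix="akira_demo_"))
    layout = {
        "fn.txt": "note",
        "Users/alice/fn.txt": "note",
        "Users/bob/akira_readme.txt": "note",
        "Users/alice/Documents/q3.xlsx.akira": "x",
        "Users/bob/photo.jpg.powerranges": "x",
        "Users/bob/old.akira.bak": "x",              # not a final suffix
        "Users/alice/Documents/readme_fn.txt": "x",  # not a ransom note name
        "Program Files/app/config.ini": "x",
    }
    for rel, content in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        print(scan_footprint(sample_root))
    finally:
        shutil.rmtree(sample_root)
```

Run against a real image, the `note_directories` list is the useful part: notes in the root and in every user profile, as the alert describes, distinguishes a completed Akira run from a single stray file.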

SafeBreach Coverage and Playbook Updates

As soon as details were made available, the SafeBreach Labs team added new attacks based on the updated alert and mapped existing attacks in the Hacker’s Playbook to the alert. It is important to note that existing SafeBreach customers already have an extensive level of coverage against the Akira ransomware variant identified in this alert. Please run/re-run the attacks listed below to ensure your environments are protected against these TTPs.

Existing IOC-Based Playbook Attacks

  • #9003 – Write Akira (8ab296) ransomware to disk
  • #9004 – Pre-execution phase of Akira (8ab296) ransomware (Linux)
  • #9005 – Transfer of Akira (8ab296) ransomware over HTTP/S
  • #9006 – Transfer of Akira (8ab296) ransomware over HTTP/S
  • #9007 – Email Akira (8ab296) ransomware as a compressed attachment
  • #9008 – Email Akira (8ab296) ransomware as a compressed attachment
  • #9036 – Write Akira (e612b4) ransomware to disk
  • #9037 – Pre-execution phase of Akira (e612b4) ransomware (Windows)
  • #9038 – Transfer of Akira (e612b4) ransomware over HTTP/S
  • #9039 – Transfer of Akira (e612b4) ransomware over HTTP/S
  • #9040 – Email Akira (e612b4) ransomware as a compressed attachment
  • #9041 – Email Akira (e612b4) ransomware as a compressed attachment
  • Akira (Megazord)
    • #9993 – Write Akira (Megazord) (c53198) ransomware to disk
    • #9994 – Pre-execution phase of Akira (Megazord) (c53198) ransomware (Windows)
    • #9995 – Transfer of Akira (Megazord) (c53198) ransomware over HTTP/S
    • #9996 – Transfer of Akira (Megazord) (c53198) ransomware over HTTP/S
    • #9997 – Email Akira (Megazord) (c53198) ransomware as a compressed attachment
    • #9998 – Email Akira (Megazord) (c53198) ransomware as a compressed attachment
  • Akira_v2
    • #9999 – Write Akira_v2 (be3f75) ransomware to disk
    • #10000 – Pre-execution phase of Akira_v2 (be3f75) ransomware (Linux)
    • #10001 – Transfer of Akira_v2 (be3f75) ransomware over HTTP/S
    • #10002 – Transfer of Akira_v2 (be3f75) ransomware over HTTP/S
    • #10003 – Email Akira_v2 (be3f75) ransomware as a compressed attachment
    • #10004 – Email Akira_v2 (be3f75) ransomware as a compressed attachment
  • Veeam-Get-Creds
    • #10005 – Write Veeam-Get-Creds (afdb88) hacktool to disk
    • #10006 – Transfer of Veeam-Get-Creds (afdb88) hacktool over HTTP/S
    • #10007 – Transfer of Veeam-Get-Creds (afdb88) hacktool over HTTP/S
    • #10008 – Email Veeam-Get-Creds (afdb88) hacktool as a compressed attachment
    • #10009 – Email Veeam-Get-Creds (afdb88) hacktool as a compressed attachment

NEW IOC-Based Playbook Attacks 

  • #11506 – Write akira_s64_dll (2ca5b7) backdoor to disk
  • #11507 – Transfer of akira_s64_dll (2ca5b7) backdoor over HTTP/S
  • #11508 – Transfer of akira_s64_dll (2ca5b7) backdoor over HTTP/S
  • #11509 – Email akira_s64_dll (2ca5b7) backdoor as a compressed attachment
  • #11510 – Email akira_s64_dll (2ca5b7) backdoor as a compressed attachment
  • #11500 – Write akira_Ladon_exe (cb8a4d) ransomware to disk
  • #11501 – Pre-execution phase of akira_Ladon_exe (cb8a4d) ransomware (Windows)
  • #11502 – Transfer of akira_Ladon_exe (cb8a4d) ransomware over HTTP/S
  • #11503 – Transfer of akira_Ladon_exe (cb8a4d) ransomware over HTTP/S
  • #11504 – Email akira_Ladon_exe (cb8a4d) ransomware as a compressed attachment
  • #11505 – Email akira_Ladon_exe (cb8a4d) ransomware as a compressed attachment

Existing Behavioral Attacks

  • #173 – Brute force attack over SSH protocol
  • #794 – Extract Login Information using MimiKatz (host level)
  • #811 – Discover Linux network configuration using Bash (host level)
  • #1011 – Discover Linux system information using Bash commands (host level)
  • #1220 – Inject Mimikatz using PowerShell to Extract Credentials (lateral movement)
  • #1339 – PSExec remote command execution traffic simulation
  • #1693 – Collect Windows system data using CMD (host level)
  • #1695 – Discover Linux processes using Bash scripts (host level)
  • #2055 – Extract users and groups using net.exe (Windows)
  • #2170 – Create Account (Windows) (host level)
  • #2174 – Extract users and groups using net.exe (Windows) (host level)
  • #2175 – Discover Linux user configurations using Bash (Linux) (host level)
  • #2188 – Extract Process List using Windows Commands (host level)
  • #2189 – Account Manipulation
  • #2195 – Change File Permissions on Windows
  • #2222 – Discover Remote Systems using PowerShell (host level)
  • #2248 – Masquerading
  • #2273 – Pass the Hash over SMB using Mimikatz (lateral movement)
  • #2306 – Domain Trust Discovery (host level)
  • #3819 – Windows Credentials Collection using LaZagne (host level)
  • #3827 – Linux Credentials Collection using LaZagne (host level)
  • #3829 – Run obfuscated Mimikatz on host (host level)
  • #5672 – Agentless lateral movement via WMI (host level)
  • #5673 – Agentless lateral movement via Remote PowerShell (WMI) (host level)
  • #5674 – Agentless lateral movement via Remote PowerShell (WinRM)
  • #5833 – Extract Login Information using MimiKatz DCSync (host level)
  • #6108 – RDP Connection Between 2 Simulators
  • #6127 – Extract LSASS memory dump using Rundll32 (host level)
  • #6372 – Modify Volume Shadow Copy (VSS) (host level)
  • #6473 – Agentless lateral movement via RDP (host level)
  • #6513 – Agentless lateral movement via SMB and RCE, using Mimikatz (host level)
  • #6580 – Discover domain groups using LDAP method (host level)
  • #6581 – Discover domain computers using LDAP method (host level)
  • #6801 – Credential harvesting using Mimikatz DCSync with interactive session token (host level)
  • #6802 – Credential harvesting using Mimikatz DCSync with user credentials (host level)
  • #6918 – Execute remote VBScript using XSL with wmic.exe
  • #7170 – Add a local administrator (Windows)
  • #7168 – Enable a default account and add it to a Localgroup (Windows) (host level)
  • #7169 – Dump the SAM database from the registry (Windows)
  • #8021 – SSH scanning
  • #8045 – Masquerading right to left override
  • #8370 – In memory credential extraction via MiniDumpWriteDump (host level)
  • #8371 – In memory credential extraction via MiniDumpWriteDump and handle hijacking (host level)
  • #8372 – Credential extraction via Pypykatz (host level)
  • #8853 – Disable rules in Windows Defender to allow credential harvesting using Lazagne
  • #9456 – Extract SAM credentials from registry
  • #9576 – Cortex Ransomware Protection Bypass
  • #9577 – Cortex Lsass Dump Protection Bypass
  • #10337 – Extract Security information using PowerShell
  • #10338 – Extract Windows information using PowerShell
  • #10434 – ESXi Domain Privilege Escalation (CVE-2024-37085)
  • #10618 – Collect credentials from chromium password manager
  • #10619 – Collect credentials from chromium password manager with EDR bypass
  • #10801 – Write Obfuscated Mimikatz with Junk Code Insertion Hacktool to disk
  • #10802 – Pre-execution of Obfuscated Mimikatz with Junk Code Insertion Hacktool
  • #11380 – C2 communication over an encrypted channel

What You Should Do Now

SafeBreach customers can validate their defenses against this threat using three methods:

Method 1

From the SafeBreach homepage, select Explore Scenarios in the CISA Alert AA24-109A New Coverage pop-up.


Method 2 

Navigate to the “SafeBreach Scenarios” page and select the CISA Alert AA24-109A scenario.


Method 3

From the Known Threats Series report, select CISA Alert AA24-109A and select Run Simulations, which will run all attack methods.



Stay Ahead with SafeBreach

SafeBreach enables organizations to validate security controls, as suggested by CISA, by simulating the critical tactics outlined in CISA Alert AA24-109A (Akira Ransomware). By validating both behavioral coverage and IOC-triggered simulations, defenders can assess detection, close gaps, and prioritize remediation.

With SafeBreach Propagate, customers can further evaluate how attackers could pivot through their environments—mapping attack paths, visualizing lateral movement, and addressing exposures to critical assets.

Run the latest SafeBreach simulations today to ensure your defenses stand ready against this latest threat.
