Akira launched in March 2023 as a classic encrypt-and-extort ransomware operation. Three years later it remains one of the most active operators by claim count, but its playbook has quietly shifted. A growing share of recent Akira incidents involves no encryption at all, just exfiltration and a leak-site listing. Here is the 2026 profile.
Origins and connections
Akira’s tooling, infrastructure patterns, and affiliate behaviour have repeatedly been linked back to Conti-era operators. The Rust-based Akira encryptor that arrived in mid-2023 shares structural similarities with the post-Conti splinter codebases. The leak site’s aesthetic (green text, terminal styling, a retro-1980s look) is distinctive, but the operator behaviour is recognisably Conti-lineage.
The current TTP set
Initial access through weaknesses in internet-facing Cisco ASA VPN (AnyConnect) deployments, particularly those without MFA enforced, was the dominant pattern through 2024 and into 2025. As that exposed population shrank, Akira affiliates moved toward stolen credentials harvested from stealer logs and toward Citrix NetScaler exploits, which fit the same “internet-facing edge appliance” profile.
Lateral movement is unflashy: stolen credentials, Active Directory abuse, RDP, occasional PsExec. Privilege escalation runs through credential dumping. Exfiltration goes to Mega.nz, or via Rclone to attacker-controlled S3-compatible buckets. Note that the Rclone binary is frequently renamed before use, so detections keyed on the file name alone miss it; the command-line shape (a copy/sync verb plus a `name:path` remote and Rclone-specific flags) is the more durable signal.
Why the pivot away from encryption
Across 2025-2026 we’ve seen a steady drift in Akira incidents. The encryptor still gets deployed in many cases, but a meaningful share of the listings on Akira’s leak site now correspond to victims that were never encrypted. The operator stole the data, made the demand, and never bothered with the loud encryption phase.
The reason is operational risk. The encryption phase is the loudest part of any intrusion: EDR tools flag it, IR teams occasionally catch it mid-deployment, and the encryptor binary itself becomes evidence. Skipping that phase entirely lets the operator extract value from the breach with significantly less detection risk. Exfiltration is quieter, but not silent; bulk outbound transfers to Mega.nz or unfamiliar S3-compatible endpoints are observable, which is why egress monitoring moves up the defensive priority list.
Victim profile
Akira hits mid-market enterprises harder than the truly small or truly large. Manufacturing is over-represented; education is steady; professional services and law firms appear regularly. The geographic spread is heavily Western (North America, Western Europe, Australia), with relatively little activity in the regions that Russian-speaking operators traditionally avoid, namely the former Soviet states.
Negotiation behaviour
Akira’s negotiation desk is professional. They respond promptly, hold to their stated demands within reason, provide proof-of-life on request, and have a reasonable track record of supplying deletion attestations after payment. No such attestation is verifiable, and exfiltrated data should be assumed to persist regardless of what is promised, but by criminal standards they are a competent counterparty.
Demands sit in the seven-figure range for typical mid-market victims, with some flexibility. They take Bitcoin and, in negotiated cases, USDT. They have not, to our knowledge, accepted Monero; they prefer the laundering pipeline and off-ramp options that BTC still offers over privacy coins.
Outlook
Akira is stable and likely to remain prominent through 2026. The pivot toward extortion-only is part of a broader industry trend that we expect to continue. Defenders should treat Akira as a sophisticated, methodical adversary that gets in through standard initial-access vectors and extracts data quietly when possible. The defensive priorities are therefore the same as for the rest of the ecosystem: edge-appliance patching, identity hygiene, egress monitoring, segmentation that’s actually enforced.
