Akira surfaced in March 2023 with a striking visual identity, a leak site presented as a green-on-black 1980s computer terminal, and immediately competent malware. Within a year it was one of the top five most active ransomware operations globally. Within two it had absorbed a meaningful share of LockBit and BlackCat affiliates after both brands collapsed. Akira is the operation that best illustrates how quickly a new RaaS can fill a vacuum at the top of the leaderboard.
Origins
Researchers initially noted strong similarities between Akira and Conti, including code overlaps in early Akira variants and similar negotiation styles. Some blockchain-analysis work also tied Akira’s payment infrastructure to wallets historically associated with Conti operators. The dominant assessment is that Akira draws on Conti lineage without being a direct rebrand: most likely a smaller crew of Conti veterans starting fresh under a new brand, plus new personnel.
A second Akira variant, "Megazord," appeared in late 2023 written in Rust, suggesting a development trajectory similar to BlackCat’s earlier Rust adoption. Akira has since maintained both C++ and Rust toolchains in active use.
The malware
The Akira locker is technically conventional but well executed:
- Hybrid encryption using ChaCha20 for file content and an asymmetric wrapper key.
- Per-build configurability, with options for full encryption, header-only, or interleaved chunks for speed.
- A Linux/ESXi variant alongside Windows.
- Capabilities to delete shadow copies, terminate backup and database services, and propagate via SMB.
- A well-structured negotiation portal with chat, sample decryptions, and discount mechanics.
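The per-build encryption modes listed above (full, header-only, interleaved chunks) each leave a different entropy signature on disk, which is what a responder triaging a file share actually sees. The Python below is an added illustration of that, not code from the page and not Akira's own; it builds a per-chunk Shannon entropy profile of a buffer and labels the pattern. The sample buffers are constructed (repeated ASCII text standing in for plaintext, a seeded pseudo-random stream standing in for ciphertext), and the 4 KiB chunk size and the 7.0 bits/byte threshold are assumptions to tune.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096          # assumption: analysis granularity, not Akira's block size
HIGH_ENTROPY = 7.0         # assumption: bits/byte above which a chunk looks like ciphertext


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk_size: int = CHUNK_SIZE):
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify_encryption(data: bytes, chunk_size: int = CHUNK_SIZE, high: float = HIGH_ENTROPY) -> dict:
    """Label a buffer as plaintext, fully encrypted, header-only or interleaved.

    A whole-file entropy check misses partially encrypted files because the plaintext
    chunks drag the average down; looking at chunks individually recovers the pattern.
    """
    profile = entropy_profile(data, chunk_size)
    high_idx = [i for i, e in enumerate(profile) if e >= high]
    if not high_idx:
        label = "plaintext"
    elif len(high_idx) == len(profile):
        label = "fully-encrypted"
    elif high_idx == [0]:
        label = "partial-header-only"
    else:
        label = "partial-interleaved"
    return {
        "chunks": len(profile),
        "high_entropy_chunks": len(high_idx),
        "high_indices": high_idx,
        "mean_entropy": round(sum(profile) / len(profile), 3) if profile else 0.0,
        "label": label,
    }


# --- constructed sample buffers (not real files, not real ciphertext) ---
_rng = random.Random(20230313)   # seeded so results are reproducible


def _ciphertext_chunk(n: int = CHUNK_SIZE) -> bytes:
    return _rng.randbytes(n)     # stands in for a ChaCha20-encrypted chunk


def _text_chunk(n: int = CHUNK_SIZE) -> bytes:
    s = b"The quick brown fox jumps over the lazy dog. "
    return (s * (n // len(s) + 1))[:n]


SAMPLE_PLAINTEXT = b"".join(_text_chunk() for _ in range(8))
SAMPLE_FULL = b"".join(_ciphertext_chunk() for _ in range(8))
SAMPLE_HEADER_ONLY = _ciphertext_chunk() + b"".join(_text_chunk() for _ in range(7))
SAMPLE_INTERLEAVED = b"".join(
    _ciphertext_chunk() if i % 2 == 0 else _text_chunk() for i in range(8)
)

if __name__ == "__main__":
    for name, buf in [("plaintext", SAMPLE_PLAINTEXT), ("full", SAMPLE_FULL),
                      ("header-only", SAMPLE_HEADER_ONLY), ("interleaved", SAMPLE_INTERLEAVED)]:
        print(f"{name:12s} {classify_encryption(buf)}")
```

Two caveats for using this on real data: archives, media and already-encrypted formats are high-entropy without any ransomware involved, so compare the profile against what the file's declared type should look like rather than alerting on entropy alone; and the header-only and interleaved results are exactly the cases where a single whole-file entropy threshold stays quiet, which is the operational reason lockers offer those modes.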
Initial access
Akira built much of its early success on aggressive exploitation of Cisco ASA and FTD VPN vulnerabilities. CVE-2023-20269 (a flaw in the SSL VPN feature of Cisco ASA software) allowed brute-forcing of credentials against accounts without MFA, and Akira affiliates ran systematic campaigns against organisations with weak VPN configurations. Even after Cisco patches and advisories were issued, the operation continued to harvest victims through unpatched or misconfigured deployments well into 2024.
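The detection side of that access vector is a burst of rejected remote-access logins from one source, often against many different accounts. The Python below is an added example of spotting that pattern in Cisco ASA syslog; it is not code from this page or from the advisories it cites. The log lines are constructed samples modelled on ASA message IDs 113005 and 113015 (AAA user authentication rejected) and 113012 (authentication successful); real field layout varies by ASA version, so the regexes and the five-failures-per-minute threshold are assumptions to adjust.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# ASA message IDs that record a rejected remote-access authentication:
# 113005 = rejected by an external AAA server, 113015 = rejected by the local database.
REJECT_IDS = {"113005", "113015"}

# Assumed line layout: "<Mon DD YYYY HH:MM:SS> <host> %ASA-<sev>-<id>: <body>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$"
)
USER_RE = re.compile(r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)")


def parse_asa_line(line: str):
    """Return {'ts', 'msgid', 'user', 'ip'} for a line in the assumed format, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = USER_RE.search(m.group("body"))
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "msgid": m.group("msgid"),
        "user": u.group("user") if u else None,
        "ip": u.group("ip") if u else None,
    }


def detect_vpn_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60,
                          spray_users: int = 3) -> dict:
    """Flag source IPs with >= threshold rejected VPN logins inside a sliding window.

    Returns {ip: {'failures', 'users', 'pattern', 'first', 'last'}}. 'pattern' separates
    a password spray (many accounts, few tries each) from hammering one account.
    """
    events = [e for e in map(parse_asa_line, log_text.splitlines()) if e and e["ip"]]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)          # ip -> deque of (ts, user) inside the window
    alerts = {}
    for e in events:
        if e["msgid"] not in REJECT_IDS:
            continue
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"]))
        while (e["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                  # drop failures that aged out of the window
        if len(q) < threshold:
            continue
        a = alerts.setdefault(e["ip"], {"failures": 0, "users": [], "first": q[0][0], "last": e["ts"]})
        a["failures"] = max(a["failures"], len(q))
        a["users"] = sorted(set(a["users"]) | {u for _, u in q})
        a["last"] = e["ts"]
        a["pattern"] = "password-spray" if len(a["users"]) >= spray_users else "single-account-bruteforce"
    return alerts


# Constructed sample syslog (not real traffic): one source cycling through accounts,
# one legitimate user who mistypes once and then succeeds.
SAMPLE_LOGS = """\
Mar 13 2024 10:00:01 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.10
Mar 13 2024 10:00:04 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.10
Mar 13 2024 10:00:05 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = akumar : user IP = 198.51.100.7
Mar 13 2024 10:00:07 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpnuser : user IP = 203.0.113.10
Mar 13 2024 10:00:11 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = mwilson : user IP = 203.0.113.10
Mar 13 2024 10:00:12 fw01 %ASA-6-113012: AAA user authentication Successful : local database : user = akumar
Mar 13 2024 10:00:15 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = backup : user IP = 203.0.113.10
Mar 13 2024 10:00:20 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = svc_veeam : user IP = 203.0.113.10
"""

if __name__ == "__main__":
    for ip, alert in detect_vpn_bruteforce(SAMPLE_LOGS).items():
        print(ip, alert["pattern"], alert["failures"], alert["users"])
```

The per-source sliding window is deliberate: a spray spreads a handful of attempts across many accounts, so per-account lockout counters never fire, while the source IP still accumulates failures. Detection here is secondary to the control the advisory names, MFA on every remote-access account, since an authenticated spray against an MFA-protected account still fails.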
Other initial-access vectors observed across Akira intrusions:
- Compromised RDP credentials sourced from initial-access brokers.
- SonicWall SSL VPN exploitation in 2024–2025.
- Phishing with HTML smuggling and PDF lures in lower-volume campaigns.
- Exploitation of Veeam backup-server vulnerabilities for which patches had been released but not yet applied.
Notable victims
Akira’s victim profile is heavily mid-market: manufacturers, professional services firms, regional healthcare networks, education providers, and municipalities. Notable named victims have included Stanford University (in a related incident), Nissan Australia, Yamaha Motor Philippines, Tietoevry (a Nordic IT services firm whose attack disrupted multiple Swedish public-sector customers), and a long list of regional US hospitals and school districts.
Industry tracking through 2024 placed Akira among the most active operations by quarterly victim count, often appearing in the top three on monthly leak-site listings.
TTPs
Akira’s hands-on-keyboard tradecraft is competent, conventional, and deliberate:
- Cobalt Strike and AnyDesk for command-and-control and remote management.
- Ngrok and Rclone for exfiltration to Mega.nz and other cloud storage.
- Mimikatz, LaZagne, and SharpHound for credential harvesting and Active Directory mapping.
- Veeam credential extraction, when available, to enable backup destruction.
- Heavy use of intermittent encryption and ESXi targeting against virtualised environments.
The CISA, FBI, EC3, and NCSC-NL joint advisory of April 2024 documented Akira’s TTPs in detail and urged organisations to harden VPN deployments, enforce MFA, and patch the relevant Cisco vulnerabilities.
The aesthetic
It is unusual to mention branding in a threat profile, but Akira’s identity matters. The green-screen leak site, the deliberately retro typography, and the operation’s chosen name all suggest a deliberately curated public image. Some researchers have read it as cosplay; others as a marketing channel for affiliate recruitment, signalling a brand that takes itself seriously enough to invest in presentation. Either way, the brand stands out in a market of largely interchangeable leak sites.
Legacy and outlook
Akira’s significance is twofold. First, it is one of the operations that absorbed displaced affiliates from LockBit and BlackCat and has therefore inherited a meaningful share of top-tier intrusion capability. Second, its sustained focus on edge-VPN exploitation has been consistent enough that it has driven real changes in how vendors and customers handle VPN security, patch cadence, MFA enforcement, and the deprecation of password-based authentication on perimeter devices.
There has been no public disruption of Akira at the time of writing. Its operators continue to ship updates, recruit affiliates, and post new victims weekly. Akira is, in the truest sense, a current and ongoing threat, and given the trajectory of LockBit, BlackCat, and Conti before it, the most interesting question is which name its operators will be running under three years from now.
