Defeating Akira Ransomware: Full CISA Advisory Breakdown with ExtraHop NDR and MITRE ATT&CK
December 8, 2025
The Akira ransomware group first emerged in early 2023. In April 2024 the group became the subject of the joint Cybersecurity Advisory AA24-109A, which warned about its signature double-extortion strategy and its destructive Linux variant. The Linux variant was a decisive development because it expanded the group's destructive capabilities and shifted its targeting from traditional Windows endpoints to high-value infrastructure; specifically, it allowed the group to encrypt VMware ESXi virtual machines.
Akira later extended this capability to Hyper-V and, for the first time, to Nutanix AHV VM disk files. By attacking hypervisors and virtual machines, Akira gained the ability to encrypt the operational core of enterprises and critical infrastructure. Encrypting many servers and large volumes of data simultaneously makes the attack highly destructive.
Network defenders worldwide are confronting the reality that the Akira ransomware group is far from a simple cyber gang; it is a rapidly evolving, highly destructive enterprise. The group continuously updates its tooling to maximize the speed and impact of its attacks, pushing its operational capabilities beyond the reach of outdated security defenses and amplifying the danger it poses.
CISA and the FBI, along with international partners including Europol and agencies from France, Germany, and the Netherlands, released an urgent update in November 2025. This update confirms that Akira presents an imminent threat to critical infrastructure, targeting sectors including manufacturing, financial services, healthcare, and education across North America, Europe, and Australia. The financial motivation is clear: the group claimed approximately $244.17 million USD in ransomware proceeds as of late September 2025.
Critically, the group expanded its destructive capabilities beyond VMware and Hyper-V to encrypt Nutanix AHV VM disk files for the first time, abusing vulnerabilities such as CVE-2024-40766 to do so. Furthermore, research strongly suggests Akira shares organizational or code lineage with the defunct Conti ransomware group, indicating a high degree of skill and operational sophistication. The advisory provides the additional intelligence network defenders need to face this highly capable and rapidly evolving threat.
How ExtraHop Detects the Akira Ransomware Threat
Comprehensive Network Visibility: Exposing Evasive TTPs
Akira ransomware campaigns are not single events; they are multi-stage operations. ExtraHop NDR delivers holistic visibility as the essential countermeasure to Akira's tactics. ExtraHop eliminates blind spots by performing line-rate decryption and deep protocol decoding, exposing the protocols and data streams Akira abuses for discovery and data theft.
- Decryption: The platform gains insight into encrypted traffic, eliminating blind spots that hide credential misuse, high-volume reconnaissance, and the initial exploit payloads.
- Targeting Infrastructure: ExtraHop detects the exploitation attempts against sensitive infrastructure like unpatched VMware ESXi (T1190) for initial access and detects network traffic patterns associated with exploit attempts against vulnerable services for privilege escalation (T1068).
Behavioral Anomaly Detection
Advanced machine learning detects anomalous network activity, better enabling security teams to disrupt the attack before Akira completes its objective.
- Catching Brute Force: The platform identifies early-stage, high-volume authentication errors indicative of password spraying (T1110.003) and brute force (T1110) against critical assets like VPNs and RDP endpoints.
- Flagging Data Theft: ExtraHop surfaces mid-game tactics such as automated lateral movement (TA0008) and the unauthorized transfer of sensitive administrative files like the NTDS.dit (T1003.003) and SAM (T1003.002) database files across the network.
- C2 Tunneling: The platform detects the specific long-lived, low-volume connections indicative of covert C2 tunneling utilities like Ngrok (via T1572 and T1090).
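The brute-force (T1110) and password-spraying (T1110.003) signals described above are a matter of counting authentication failures per source, per account and per time window. The following is an added example of that logic, not ExtraHop's code: the key=value log format, every IP address and user name, and the thresholds (20 failures in 5 minutes for brute force; 10 or more distinct accounts with at most 3 attempts each in 10 minutes for a spray) are constructed for the demonstration.

```python
"""Brute-force (T1110) and password-spray (T1110.003) detection over authentication events.

Added example, not ExtraHop's code. The record format, addresses, user names and
thresholds are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed record format: "<ISO time> src=<ip> user=<name> svc=<vpn|rdp> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) svc=(?P<svc>\S+) result=(?P<result>\S+)$"
)


def _line(ts, src, user, svc, result):
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} src={src} user={user} svc={svc} result={result}"


def build_sample_log():
    """Constructed log: one benign user, one brute-force source, one spraying source."""
    base = datetime(2025, 11, 20, 8, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Benign: a user mistypes a password twice, then signs in.
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        lines.append(_line(base + timedelta(seconds=30 * i), "192.0.2.5", "alice", "vpn", result))
    # Brute force: one source hammers one account over RDP, 25 failures in two minutes.
    for i in range(25):
        lines.append(_line(base + timedelta(seconds=5 * i), "203.0.113.10", "administrator", "rdp", "FAIL"))
    # Password spray: one source tries 12 different accounts once each over the VPN.
    for i in range(12):
        lines.append(_line(base + timedelta(seconds=15 * i), "198.51.100.7", f"user{i:02d}", "vpn", "FAIL"))
    return lines


def parse_events(lines):
    """Parse log lines into event dicts; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src": m["src"], "user": m["user"],
                       "svc": m["svc"], "ok": m["result"] == "OK"})
    return events


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_brute_force(events, window=timedelta(minutes=5), min_failures=20):
    """T1110: many failures against one account, from one source, inside the window."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[(e["src"], e["user"], e["svc"])].append(e["ts"])
    hits = []
    for (src, user, svc), ts in failures.items():
        n = _max_in_window(ts, window)
        if n >= min_failures:
            hits.append({"src": src, "user": user, "svc": svc, "failures": n})
    return hits


def detect_password_spray(events, window=timedelta(minutes=10), min_users=10, max_per_user=3):
    """T1110.003: one source, many distinct accounts, only a few attempts per account."""
    per_src = defaultdict(lambda: defaultdict(list))
    for e in events:
        if not e["ok"]:
            per_src[e["src"]][e["user"]].append(e["ts"])
    hits = []
    for src, users in per_src.items():
        first_failures = [min(ts) for ts in users.values()]
        distinct = _max_in_window(first_failures, window)
        busiest = max(len(ts) for ts in users.values())
        if distinct >= min_users and busiest <= max_per_user:
            hits.append({"src": src, "distinct_users": distinct, "max_per_user": busiest})
    return hits


if __name__ == "__main__":
    evts = parse_events(build_sample_log())
    print("brute force:", detect_brute_force(evts))
    print("password spray:", detect_password_spray(evts))
```

The two detectors deliberately look for opposite shapes: brute force is deep on one account, spraying is wide across many accounts and shallow on each, which is why a per-account lockout threshold alone misses it. The benign user with two typos trips neither rule.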
Forensic Analysis and Accelerated Response
High-fidelity forensics track the movement of the Akira threat actors after an incident. Teams use network data to trace exactly which internal services the ransomware enumerated and what proprietary data it accessed.
- Immutable Records: Immutable packet records enable investigators to reconstruct complex attack chains and confirm specific actions, such as VSS copy deletion (T1490). They also confirm the use of 7-zip for compression (T1027.015) and of WinRAR for archiving data (T1560.001).
- Threat Intelligence Integration: Correlated network activity provides immediate context regarding external command structures. ExtraHop's integration with threat intelligence enriches detections with IOCs, automatically flagging connections to known malicious IPs or suspicious cloud exfiltration services (T1537).
Precise Action
High-confidence alerts allow teams to respond faster to potential threats. ExtraHop maps the attack path and identifies compromised assets, enabling precise actions to isolate hosts.
The Attack Lifecycle, Detection, and Response
The latest joint advisory confirms that Akira has shifted its focus to fast, persistent intrusion, executing a complete attack lifecycle in reduced timeframes. ExtraHop Network Detection and Response (NDR) can help mitigate Akira because it relies not on EDR agents or firewall logs, but on detecting the subtle behavioral signals Akira leaves on the network, even within encrypted traffic.
The following MITRE ATT&CK TTP tables (Tables 10-17 and 19-21 from CISA Advisory AA24-109A) have been edited to show the Akira TTPs that NDR addresses:
TABLE 10 in CISA Alert:
| Technique Title | ID | Akira TTP in Action | ExtraHop NDR |
|---|---|---|---|
| Valid Accounts | T1078 | Akira threat actors obtain and abuse credentials of existing accounts to gain initial access. | NDR profiles user behavior and flags anomalous login activity (e.g., RDP login from an unusual IP) associated with a compromised, but valid account. |
| External Remote Services | T1133 | Akira threat actors use remote access services, such as RDP or VPN connections, to gain initial access. | NDR monitors VPN and authentication protocols for brute-force spikes and single-factor access from unexpected locations. |
| Exploit Public Facing Application | T1190 | Akira threat actors exploit vulnerabilities in internet-facing systems to gain access to systems. | NDR analyzes transaction logs and packet payloads for patterns that match known CVE signatures and attack sequences. |
| Phishing: Spearphishing Attachment | T1566.001 | Akira threat actors use phishing emails with malicious attachments to gain access to networks. | NDR is not an email security platform. It cannot detect a malicious attachment upon delivery. Detection relies on monitoring subsequent network activity initiated by the victim (e.g., C2 or download). |
| Phishing: Spearphishing Link | T1566.002 | Akira threat actors use phishing emails with malicious links to gain access to networks. | NDR is not an email security platform. It cannot detect a malicious link upon delivery. Detection relies on monitoring subsequent network activity initiated by the victim (e.g., C2 or download). |
TABLE 11 in CISA Alert:
| Technique Title | ID | Akira TTP in Action | ExtraHop NDR |
|---|---|---|---|
| Command and Scripting Interpreter: PowerShell | T1059.001 | Akira threat actors use PowerShell to execute malicious scripts and Living Off the Land Binary (LOLBin) commands for execution, persistence, credential harvesting, lateral movement, and disabling security controls to evade detection. After using Ngrok to establish encrypted sessions, Akira threat actors use PowerShell and WMIC to disable services and execute malicious scripts. Akira threat actors use commercial penetration testing tools, namely Cobalt Strike, during their operations to achieve lateral movement, perform C2 procedures, and gain elevated privileges. | NDR monitors execution protocols (SMB, WinRM) for PowerShell traffic with suspicious arguments (e.g., encoded base64 commands). |
| Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Akira threat actors use the Windows command shell (cmd.exe) to run batch scripts and native commands for execution, persistence, lateral movement, and to disable or manipulate security controls for evasion. | NDR identifies command-line execution over network protocols (like SMB or WinRM) that signals malicious activity or lateral movement. |
| Command and Scripting Interpreter: Visual Basic | T1059.005 | Akira threat actors use VB scripts to execute malicious code, deploy ransomware payloads, or establish persistence through legitimate Windows scripting capabilities. | NDR monitors network protocols (like SMB or RDP) for the remote commands used to launch or deliver the script payload. |
| System Services: Service Execution | T1569.002 | Akira threat actors use PSEXESVC.exe to enable remote code execution and deploy payloads. | NDR detects the network traffic patterns associated with remote execution and the subsequent transfer of malicious payloads (T1105). |
TABLE 12 in CISA Alert:
| Technique Title | ID | Akira TTP in Action | ExtraHop NDR |
|---|---|---|---|
| Account Manipulation | T1098 | Akira threat actors modify account passwords. | NDR monitors account permissions and detects when an account is added to domain groups, such as domain admins. |
| Create Account: Local Account | T1136.001 | Akira threat actors can create local user accounts by adding them to local admin groups to establish persistent backdoors. | NDR observes the network-based creation of local administrator accounts or their sudden use from an unexpected source IP. |
| Create Account: Domain Account | T1136.002 | Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts to establish persistence. | NDR monitors domain controller activity (LDAP/Kerberos) for the creation and subsequent anomalous use of new, unrecognized domain accounts. |
TABLE 13 in CISA Alert:
| Technique Title | ID | Akira TTP in Action | ExtraHop NDR |
|---|---|---|---|
| Exploitation for Privilege Escalation | T1068 | Akira threat actors exploit unpatched software vulnerabilities (e.g., Veeam, POORTRY BYOVD) to gain elevated privileges. | NDR detects network traffic patterns associated with exploit attempts against vulnerable services and post-exploitation callback activity. |
TABLE 14 in CISA Alert:
| Technique Title | ID | Akira TTP in Action | ExtraHop NDR |
|---|---|---|---|
| Impair Defenses: Disable or Modify Tools | T1562.001 | Akira threat actors use a BYOVD technique to disable antivirus software. Akira threat actors use PowerTool to exploit Zemana AntiMalware drivers and terminate antivirus defensive processes. Akira threat actors uninstall EDR systems to evade endpoint detection. | NDR detects the remote commands (PowerShell/WMIC) sent over the network that attempt to disable the EDR agent. |
| Impair Defenses: Disable or Modify System Firewall | T1562.004 | Akira threat actors use the allssh modify_firewall command to open specific ports on the eth0 interface. | NDR detects the remote commands (PowerShell/WMIC) sent over the network that attempt to disable or modify the Firewall configurations. |
| Proxy Through Victim | T1604 | Akira threat actors use a compromised device as a proxy server to conceal their malicious C2 infrastructure and associated IP address from network defenders. | NDR flags network traffic that indicates a compromised host acting as a proxy. |
TABLE 15 in CISA Alert:
| Technique Title | ID | Akira TTP in Action | ExtraHop NDR |
|---|---|---|---|
| OS Credential Dumping | T1003 | Akira threat actors use tools like Mimikatz and LaZagne to dump credentials. | NDR monitors SMB traffic for the transfer of the highly sensitive NTDS.dit file over the network, a clear sign of full domain compromise. |
| OS Credential Dumping: Security Account Manager | T1003.002 | Akira threat actors dump the Windows security account manager (SAM) database to extract local account password hashes for offline cracking or pass-the-hash techniques, enabling lateral movement and privilege escalation on compromised hosts. | NDR monitors SMB traffic for the transfer of the highly sensitive NTDS.dit file over the network, a clear sign of full domain compromise. |
| OS Credential Dumping: NTDS | T1003.003 | Akira threat actors dump the Active Directory database (NTDS.dit) from compromised domain controllers to harvest domain credentials, enabling privilege escalation, lateral movement, and full domain takeover. | NDR monitors SMB traffic for the transfer of the highly sensitive NTDS.dit file over the network, a clear sign of full domain compromise. |
| Brute Force | T1110 | Akira threat actors gain access by brute-forcing VPN logins and SSH endpoints. | NDR monitors VPN and authentication protocols for brute-force spikes and single-factor access from unexpected locations. |
| Brute Force: Password Spraying | T1110.003 | Akira threat actors use tools like SharpDomainSpray for password spraying. | NDR monitors VPN and authentication protocols for brute-force spikes and single-factor access from unexpected locations. |
| Credentials from Password Stores | T1555 | Akira threat actors dump credentials from repositories like the Variable Bit Rate (VBR)-configuration database. Akira threat actors use LaZagne to recover stored passwords on Windows, Linux, and macOS systems. | NDR monitors remote access protocols for attempts at accessing system-specific password stores. |
| Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | Akira threat actors use NetExec with the --dpapi option to dump credentials from the Windows Credential Manager and web browsers. | NDR monitors remote access protocols for attempts at accessing system-specific password stores. |
| Credentials from Password Stores: Windows Credential Manager | T1555.004 | Akira threat actors leverage tools such as NetExec or Mimikatz with the --dpapi option to dump credentials stored in the Windows Credential Manager, allowing them to gain unauthorized access to additional systems or accounts within the network. | NDR monitors remote access protocols for attempts at accessing system-specific password stores. |
TABLE 16 in CISA Alert:
| Technique Title | ID | Akira TTP in Action | ExtraHop NDR |
|---|---|---|---|
| System Network Configuration Discovery | T1016 | Akira threat actors use tools to scan systems and identify services running on remote hosts and local network infrastructure. | NDR flags command-line execution over network protocols (like SMB or WinRM) used to enumerate remote system network configurations. |
| Remote System Discovery | T1018 | Akira threat actors use nltest /dclist: to amass a listing of other systems by IP address, hostname, or other logical identifiers on a network. | NDR flags command-line execution over network protocols (like SMB or WinRM) that signals malicious activity. |
| Network Service Discovery | T1046 | Akira threat actors use Advanced IP Scanner and NetScan to perform network reconnaissance by locating computers, scanning ports, identifying network devices, accessing shared folders, and enabling remote control via RDP and Radmin. Akira threat actors use SoftPerfect network scanners (netscan.exe) to perform discovery and retrieve network device information through WMI, SNMP, HTTP, SSH, and PowerShell. | NDR flags high-rate port and address sweeps (scanning) across internal network segments that deviate from established administrative baselines. |
| Process Discovery | T1057 | Akira threat actors use the Tasklist utility to obtain details on running processes via PowerShell. | NDR flags command-line execution over network protocols (like SMB or WinRM) used to enumerate remote system process lists and configurations. |
| Permission Groups Discovery: Local Groups | T1069.001 | Akira threat actors use the net localgroup /dom command to find local groups and permission settings. | NDR flags command-line execution over network protocols (like SMB or WinRM) used to enumerate remote system local groups and accounts. |
| Permission Groups Discovery: Domain Groups | T1069.002 | Akira threat actors use the net group /domain command to find domain level groups and permission settings. | NDR flags command-line execution over network protocols (like SMB or WinRM) used to enumerate domain groups. |
| System Information Discovery | T1082 | Akira threat actors use tools like PCHunter64 to acquire detailed process and system information. Akira threat actors use DiskCheck software to query remote systems for information on disk drives and installed software. | NDR flags command-line execution over network protocols (like SMB or WinRM) used to enumerate remote system information, such as process lists, anti-virus configurations or other OS specific information. |
| Account Discovery: Domain Account | T1087.002 | Akira threat actors use Adfind.exe to query and retrieve information from Active Directory. | NDR monitors network protocols (like LDAP) for domain account enumeration attempts. |
| Domain Trust Discovery | T1482 | Akira threat actors use the net Windows command to enumerate domain information. Akira threat actors use nltest /DOMAIN_TRUSTS commands to enumerate domain trusts. | NDR flags command-line execution over network protocols (like LDAP) used to enumerate domain trusts. |
TABLE 17 in CISA Alert:
| Technique Title | ID | Akira TTP in Action | ExtraHop NDR |
|---|---|---|---|
| Remote Services | T1021 | Akira threat actors can abuse remote services (such as SSH and Virtual Network Computing [VNC]) to remotely access compromised systems, move laterally, and maintain persistence across networked hosts. | NDR monitors RDP/SSH sessions for credential reuse, new connections from compromised hosts, or attempts to move highly privileged tickets. |
| Remote Service: RDP | T1021.001 | Akira threat actors leverage RDP connections as an initial access vector to victim systems. | NDR monitors RDP sessions for credential reuse, new connections from compromised hosts, or attempts to move highly privileged tickets. |
| Remote Service: SSH | T1021.004 | Akira threat actors use SSH through router IP addresses for initial access. | NDR monitors SSH sessions for credential reuse, new connections from compromised hosts, or attempts to move highly privileged tickets. |
| Use Alternate Authentication Material: Pass the Hash | T1550.002 | Akira threat actors use Mimikatz to view and save authentication credentials, such as Kerberos tickets. | Not applicable to NDR. |
TABLE 19 in CISA Alert:
| Technique Title | ID | Akira TTP in Action | ExtraHop NDR |
|---|---|---|---|
| Proxy | T1090 | Akira threat actors use Ngrok to create a secure tunnel to servers the actors use to exfiltrate data. Akira threat actors use SystemBC malware as a proxy bot. | NDR detects long-lived, low-volume connections over protocols including HTTPS that match the unique behavioral pattern of proxy/tunneling C2 activity. |
| Ingress Tool Transfer | T1105 | Akira threat actors download tools, many of which are staged in the PerfLogs directory, and use the WebClient.DownloadString() method to download Cobalt Strike beacons. Akira threat actors use STONESTOP malware to load additional payloads. | NDR detects the network traffic patterns associated with downloading payloads (HTTP GET/POST or SMB transfer of the file). |
| Remote Access Software | T1219 | Akira threat actors use legitimate desktop support software like AnyDesk to obtain remote access to victim systems. Akira threat actors use SystemBC malware as a RAT. | NDR flags anomalous utilization of remote access software (like AnyDesk). |
| Protocol Tunneling | T1572 | Akira threat actors use Ngrok to hide C2 and remote access/exfiltrate traffic inside legitimate HTTPS connections, bypass perimeter defenses, and maintain covert persistent access. | NDR flags anomalous utilization of tunneling software (like Ngrok). |
TABLE 20 in CISA Alert:
| Technique Title | ID | Akira TTP in Action | ExtraHop NDR |
|---|---|---|---|
| Exfiltration Over Alternative Protocol | T1048 | Akira threat actors use file transfer tools like WinSCP to transfer data. | NDR flags massive outbound transfers of data to external destinations, regardless of the protocol or port used. |
| Transfer Data to Cloud Account | T1537 | Akira threat actors use tools like CloudZilla to exfiltrate data to a cloud account and connect to exfiltration servers they control. | NDR flags massive outbound transfers of data to common Cloud services. |
| Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | Akira threat actors leverage RClone to sync files with cloud storage services to exfiltrate data. | NDR flags massive outbound transfers of data to external destinations. |
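Tables 19 and 20 describe two detections that both work on connection metadata alone, without decrypting payloads: tunneling C2 (T1572/T1090) looks like a long-lived, low-throughput session to an external host, while exfiltration (T1048/T1537/T1567.002) looks like a large, upload-heavy volume to an external destination on any port. The following is an added example of both rules run over constructed flow records; it is not ExtraHop's code. The `Flow` record shape, the RFC 1918 definition of "internal", every address, and the thresholds (an hour or more at 2 KB/s or less for a tunnel; 1 GiB or more outbound at a 10:1 upload ratio for exfiltration) are assumptions made for the demonstration.

```python
"""Flow-metadata detection of C2 tunnels (T1572/T1090) and bulk exfiltration (T1048/T1567.002).

Added example, not ExtraHop's code. Flow records, addresses and thresholds are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: RFC 1918 ranges are "internal"; a real deployment would use its own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    src: str          # internal client
    dst: str          # server
    dst_port: int
    start: datetime
    end: datetime
    bytes_out: int    # client -> server
    bytes_in: int     # server -> client

    @property
    def duration(self):
        return self.end - self.start


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def build_sample_flows():
    """Constructed flows: normal browsing, one tunnel, one exfiltration, one internal backup."""
    base = datetime(2025, 11, 20, 0, 0, tzinfo=timezone.utc)
    flows = []
    # Normal web browsing: short, bursty HTTPS sessions that download far more than they upload.
    for i in range(20):
        s = base + timedelta(minutes=i)
        flows.append(Flow("10.1.1.5", "198.51.100.20", 443, s, s + timedelta(seconds=8), 4_000, 120_000))
    # Tunnel (T1572/T1090): a single HTTPS session held open for six hours with a trickle of bytes.
    flows.append(Flow("10.1.1.23", "203.0.113.55", 443, base, base + timedelta(hours=6), 180_000, 90_000))
    # Exfiltration (T1048): 40 GiB pushed out over SFTP in half an hour.
    flows.append(Flow("10.1.1.23", "203.0.113.80", 22, base + timedelta(hours=1),
                      base + timedelta(hours=1, minutes=30), 40 * 1024**3, 2_000_000))
    # Legitimate backup: just as large, but to an internal host, so neither rule fires.
    flows.append(Flow("10.1.1.40", "10.2.0.9", 445, base, base + timedelta(hours=1), 60 * 1024**3, 1_000_000))
    return flows


def detect_tunnels(flows, min_duration=timedelta(hours=1), max_rate_bps=2_000):
    """Long-lived, low-throughput connections to external hosts: the shape of an Ngrok-style tunnel."""
    hits = []
    for f in flows:
        if is_internal(f.dst):
            continue
        secs = f.duration.total_seconds()
        if secs < min_duration.total_seconds():
            continue
        if (f.bytes_out + f.bytes_in) / secs <= max_rate_bps:
            hits.append(f)
    return hits


def detect_exfiltration(flows, min_bytes_out=1024**3, min_out_in_ratio=10.0):
    """Large outbound volume to an external host on any port; the upload ratio separates it from downloads."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        if is_internal(f.dst):
            continue
        totals[(f.src, f.dst)][0] += f.bytes_out
        totals[(f.src, f.dst)][1] += f.bytes_in
    hits = []
    for (src, dst), (out, inn) in totals.items():
        if out >= min_bytes_out and out / max(inn, 1) >= min_out_in_ratio:
            hits.append({"src": src, "dst": dst, "bytes_out": out, "bytes_in": inn})
    return hits


if __name__ == "__main__":
    sample = build_sample_flows()
    print("tunnels:", [(f.src, f.dst, f.dst_port) for f in detect_tunnels(sample)])
    print("exfiltration:", detect_exfiltration(sample))
```

Aggregating per (source, destination) pair in `detect_exfiltration` matters because tools like RClone and WinSCP split a transfer across many connections; summing them is what turns a set of individually unremarkable flows into the "massive outbound transfer" the table describes.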
TABLE 21 in CISA Alert:
| Technique Title | ID | Akira TTP in Action | ExtraHop NDR |
|---|---|---|---|
| Data Encrypted for Impact | T1486 | Akira threat actors encrypt data on target systems to interrupt availability to system and network resources. | Encryption is a local disk operation. ExtraHop's AI-driven behavioral detection identifies the specific, anomalous file access patterns of ransomware (e.g., rapid file read/write/rename over SMB) in real time, allowing detection of the encryption in progress. Mitigation also focuses on detecting precursor commands (T1490) or subsequent exfiltration (T1048/T1567). |
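Two of the SMB-based detections in these tables can be shown on one stream of file operations: the transfer of NTDS.dit or the SAM hive over SMB from Table 15 (T1003.002/T1003.003), and the rapid read/overwrite/rename-to-new-extension pattern of encryption in progress from Table 21 (T1486). The following is an added example of both, not ExtraHop's code. The operation tuple layout, server names, client addresses, the constructed `.locked` extension, and the threshold of 25 fully processed files per client per minute are assumptions made for the demonstration.

```python
"""SMB operation-stream detection of credential file transfer (T1003.002/.003) and encryption (T1486).

Added example, not ExtraHop's code. Operation records, hosts, paths and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Paths of the two credential stores named in Table 15, as they appear under an admin share.
SENSITIVE_RE = re.compile(r"(\\windows\\ntds\\ntds\.dit|\\system32\\config\\sam)$", re.IGNORECASE)


def build_sample_ops():
    """Constructed operations: (time, client, server, op, path, new_path_for_rename)."""
    base = datetime(2025, 11, 20, 9, 0, tzinfo=timezone.utc)
    ops = []
    # Benign: a user opens and saves one spreadsheet.
    ops.append((base, "10.1.1.5", "fs01", "READ", r"\shares\finance\q3.xlsx", None))
    ops.append((base + timedelta(seconds=40), "10.1.1.5", "fs01", "WRITE", r"\shares\finance\q3.xlsx", None))
    # Credential theft (T1003.003): ntds.dit read from a domain controller's admin share.
    ops.append((base + timedelta(minutes=5), "10.1.1.23", "dc01", "READ", r"\C$\Windows\NTDS\ntds.dit", None))
    # Encryption in progress (T1486): 50 files read, overwritten and renamed in about 25 seconds.
    for i in range(50):
        t = base + timedelta(minutes=10, milliseconds=500 * i)
        path = rf"\shares\finance\doc{i:03d}.docx"
        ops.append((t, "10.1.1.23", "fs01", "READ", path, None))
        ops.append((t, "10.1.1.23", "fs01", "WRITE", path, None))
        ops.append((t, "10.1.1.23", "fs01", "RENAME", path, path + ".locked"))  # ".locked" is constructed
    return ops


def detect_sensitive_file_access(ops):
    """Any SMB read or write of NTDS.dit or the SAM hive: a direct sign of credential dumping."""
    return [{"client": client, "server": server, "op": op, "path": path}
            for _, client, server, op, path, _ in ops if SENSITIVE_RE.search(path)]


def _ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_encryption_bursts(ops, min_files=25):
    """T1486 shape: within one minute, one client reads, overwrites and renames (new extension)
    many distinct files on one server. Fixed one-minute buckets keep the bookkeeping simple."""
    seen = defaultdict(lambda: defaultdict(set))  # (client, server, minute) -> path -> ops seen
    for ts, client, server, op, path, new_path in ops:
        key = (client, server, ts.replace(second=0, microsecond=0))
        if op == "RENAME" and new_path and _ext(new_path) != _ext(path):
            seen[key][path].add("RENAME_EXT")
        elif op in ("READ", "WRITE"):
            seen[key][path].add(op)
    hits = []
    for (client, server, minute), files in seen.items():
        n = sum(1 for done in files.values() if {"READ", "WRITE", "RENAME_EXT"} <= done)
        if n >= min_files:
            hits.append({"client": client, "server": server, "minute": minute, "files": n})
    return hits


if __name__ == "__main__":
    sample = build_sample_ops()
    print("sensitive file access:", detect_sensitive_file_access(sample))
    print("encryption bursts:", detect_encryption_bursts(sample))
```

Requiring all three operations on the same file is what separates encryption from a bulk copy or a backup job, both of which read many files quickly but neither overwrite nor rename them in place.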
Akira Exploits and Vulnerabilities
The advisory highlights several specific CVEs Akira threat actors actively exploit to gain initial access and elevate privileges.
Table: Common Vulnerabilities and Exposures & Common Weakness Enumeration
| CVE ID | Description | CWE | Initial Access / Privilege Escalation |
|---|---|---|---|
| CVE-2024-40766 | SonicWall vulnerability: Improper Access Control | CWE-284 | Akira exploits this to gain access to VPN products and encrypt Nutanix AHV VMs. |
| CVE-2024-40711 | Veeam Backup and Replication: Deserialization of Untrusted Data | CWE-502 | Akira exploits this in unpatched Veeam backup servers for initial access and privilege escalation. |
| CVE-2023-27532 | Veeam Backup: Missing Authentication for Critical Function | CWE-306 | Akira uses this to gain initial access via the Veeam Backup and Replication component. |
| CVE-2023-20269 | Cisco: Authentication Bypass Using an Alternate Path or Channel | CWE-288 | Akira exploits this for initial access via VPN services. |
| CVE-2020-3259 | Cisco: Exposure of Sensitive Information to an Unauthorized Actor | CWE-200 | Akira uses this Cisco flaw to obtain initial access via vulnerable VPN services. |
The Adversary's Arsenal: Updated Tools & IOCs
Akira relies on a combination of custom malware and legitimate tools to achieve its objectives, leveraging readily available software for infiltration, C2, and exfiltration. Links to information on ExtraHop detections are provided within the table below:
Table: Akira IOCs and Updated Tools
| Tool Name | Purpose/Use by Akira |
|---|---|
| Ngrok / Cloudflare Tunnel | Akira uses these for Protocol Tunneling (T1572) to create encrypted C2 sessions that bypass perimeter monitoring. |
| SharpDomainSpray | Akira uses this for Password Spraying (T1110.003) to gain access to account credentials. |
| Mimikatz / LaZagne | Akira uses these for OS Credential Dumping (T1003) to extract credentials from LSASS memory and stored password repositories. |
| 7-zip / WinRAR | Akira uses these for Archiving/Compression (T1560.001) of data prior to high-speed exfiltration. |
| WinSCP / RClone | Akira uses these for Exfiltration (T1048/T1567.002) of compressed data over SFTP and to cloud storage services like Mega. |
| Impacket | Akira leverages this Python library to execute the remote command wmiexec.py for defense evasion. |
Immediate Action: Critical Mitigations Per CISA
To effectively defend against the high-speed and adaptive Akira ransomware threat, organizations must immediately implement foundational security controls. The CISA alert stresses the urgency of these actions, which align directly with the CISA/NIST Cross-Sector Cybersecurity Performance Goals (CPGs):
- Implement Phishing-Resistant MFA (CPG 2.H): Require MFA for all VPNs, webmail, and accounts accessing critical systems, as Akira relies heavily on compromising accounts without MFA.
- Prioritize Remediation (CPG 1.E): Immediately patch all publicly known exploited vulnerabilities, especially those related to VPNs and backup systems, prioritizing known exploited vulnerabilities in internet-facing systems.
- Maintain Immutable Backups (CPG 2.R, 2.K): Ensure all backup data is encrypted, immutable (cannot be altered or deleted), and stored offline to defeat VSS deletion and encryption tactics.
- Restrict Execution (CPG 2.E, 2.N): Disable command-line and scripting activities and permissions (like PowerShell and VB scripts), as privilege escalation depends on these utilities.
- Segment Networks & Limit Access (CPG 2.F, 2.E): Segment networks to prevent the spread of ransomware and implement Just-in-Time (JIT) access for privileged accounts to restrict lateral movement.
See ExtraHop in Action
The network is the definitive battleground against modern ransomware. ExtraHop NDR provides the comprehensive security intelligence that legacy tools miss.
Ready to see how ExtraHop NDR gives your security team the critical advantage against threats like Akira?
- Request a Personalized Demo: See how ExtraHop detects hundreds of TTPs used by threat actors like Akira.
- Run a Security Assessment: Challenge the visibility of your current security stack with a complimentary NDR assessment.
Click HERE to schedule your demo and secure your environment against ransomware.
Product Marketing Team
Michael Zuckerman is a seasoned B2B product marketing and marketing strategy consultant. Zuckerman's domain experience in cybersecurity over the past 10 years includes DNS security, threat intelligence, threat intelligence platforms (TIP), container security, mobile device security, moving target defense, sandbox, deception technology, cloud access security brokers (CASB), SASE, data loss prevention (DLP), user and entity behavior analytics (UEBA), network detection and response (NDR), and encryption.