Akira: the ransomware group quietly building a cybercrime enterprise

2025-06-04
Akira Ransomware: a rising global cybercrime threat White Blue Ocean

Surfacing in 2023, Akira has rapidly become one of the most aggressive and successful ransomware groups operating today. Within months of emerging into the cybercrime scene, Akira was already being linked to dozens of high-profile ransomware attacks and within just one year of operation, the group had extorted $42 million from numerous victims. By late 2024, it had escalated to one of the top threats in the global ransomware sphere due to its highly skilled technical sophistication, indiscriminate targeting, and use of the Ransomware-as-a-Service (RaaS) model, where affiliates are hired to deploy ransomware on victims.

Indiscriminate and global targeting

Unlike groups that focus on specific industries or countries, Akira appears to target indiscriminately. The group has been seen to target organisations across the world, including in the United States, Canada, the United Kingdom, Germany and Japan, among others. The only pattern it appears to follow is that it does not attack systems configured with a Russian keyboard layout, which suggests that the group itself is a Russian organisation. This follows the unspoken rule in the ransomware sphere of “don’t bite the hand that feeds you” and reduces the chances of attracting law enforcement pressure from their home country.
In addition to targeting nations indiscriminately, Akira has also been seen to target a wide range of industries, including healthcare, education, manufacturing, legal and professional services, and financial services. They appear to have no moral boundaries when it comes to who they target: as long as they can find a way in, they will exploit whatever industry they can. This global, cross-industry targeting makes Akira a threat to nearly any organisation with digital infrastructure and weak operational security.


Akira’s RaaS structure: a model to make millions

Central to Akira’s success is its use of the Ransomware-as-a-Service model. In this structure:

-  Akira’s core operators create and maintain the ransomware code and infrastructure,

-  then recruit affiliates who are usually from other ransomware groups or individuals who are well versed in cybersecurity.

Other groups that operate a RaaS model, such as LockBit, are known to require affiliates to prove themselves through technical tests or small-scale attacks before being accepted into the affiliate programme. Once approved, affiliates are given the malware to deploy in exchange for a share of the profits; the ransom payment is typically split so that the operator receives 20-30% and the affiliate 70-80%.
The approach offers many advantages:

-  For the operators, it enables scale without having to be involved in every attack.

-  For affiliates, it provides access to the tools and support without requiring the technical expertise needed to create and deploy highly developed malware like Akira’s.

The result is a decentralised yet cohesive cybercriminal enterprise that can strike numerous targets at the same time.

How do Akira’s operations work?

Akira is widely believed to be closely affiliated with the now-defunct Conti ransomware gang, one of the most notorious ransomware families of recent history. Conti itself was a successor to the prolific Ryuk group, forming part of a lineage of highly effective cybercriminal enterprises. In the world of ransomware, it is well known that when a group ‘ceases operation’, that is rarely the case in practice. More often, they close that specific operation, refine their tactics and rebuild under a new name with new members. Akira is one of the clearest examples of this, and given the success of its predecessors, it is not surprising that it rapidly became a serious threat.
Technically, Akira has an interesting and extensive history of altering the payloads it uses in its operations, allowing it to target various operating systems. At the beginning of their operations, they targeted Windows systems, deploying a C++ based encryptor that appended ‘.akira’ to affected files. Initial access for these attacks was often gained via compromised VPN credentials found on the dark web or through unpatched vulnerabilities.
More recently, they expanded to Linux-based systems running VMware ESXi – a virtualisation platform commonly used by enterprises. This change mirrored a trend among ransomware groups, as targeting virtual environments allows attackers to encrypt multiple systems hosted on a single server, greatly increasing the impact of each breach.
In addition to encryption, Akira employs double extortion, a model popular among modern ransomware groups, in which data is exfiltrated before an organisation’s systems are encrypted. Victims are then pressured to pay not just for decryption, but also to prevent public release of the stolen data. The leaked files are showcased on Akira’s dark web leak site as proof, often accompanied by a countdown to disclosure.
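As an added illustration (not code from the article or from any vendor it cites), the following detector flags the behaviour described above from a defender's side: a burst of file renames that newly add the ‘.akira’ extension on one host. The audit-log layout, host names, threshold and time window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample audit events (not real telemetry); the log layout is an assumption.
SAMPLE_EVENTS = """\
2025-04-10T09:00:01 host=fs01 op=rename src=/srv/share/q1.xlsx dst=/srv/share/q1.xlsx.akira
2025-04-10T09:00:01 host=fs01 op=rename src=/srv/share/q2.xlsx dst=/srv/share/q2.xlsx.akira
2025-04-10T09:00:02 host=fs01 op=rename src=/srv/share/plan.docx dst=/srv/share/plan.docx.akira
2025-04-10T09:00:02 host=fs01 op=create path=/srv/share/report.pdf
2025-04-10T09:00:03 host=fs01 op=rename src=/srv/share/old.txt dst=/srv/share/old.txt.akira
2025-04-10T09:00:03 host=fs01 op=rename src=/srv/share/notes.md dst=/srv/share/notes.md.akira
2025-04-10T09:05:00 host=ws07 op=rename src=/home/u/draft.docx dst=/home/u/draft.bak
2025-04-10T10:30:00 host=ws07 op=rename src=/home/u/test.akira dst=/home/u/test.akira
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) op=(?P<op>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Parse one audit line into a dict, or return None for unparseable input."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {"ts": datetime.fromisoformat(m.group("ts")), "host": m.group("host"),
            "op": m.group("op"), **fields}

def detect_mass_rename(lines, suffix=".akira", threshold=5, window=timedelta(seconds=60)):
    """Return {host: peak count} for hosts with >= threshold renames adding `suffix`
    within any `window`; threshold and window are assumed tuning values."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["op"] != "rename":
            continue
        src, dst = ev.get("src", ""), ev.get("dst", "")
        # Count only renames that newly add the suffix, not moves of existing .akira files.
        if dst.endswith(suffix) and not src.endswith(suffix):
            per_host[ev["host"]].append(ev["ts"])
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                alerts[host] = max(alerts.get(host, 0), count)
    return alerts
```

On the constructed sample, only fs01 trips the threshold (five fresh ‘.akira’ renames within two seconds); the lone ‘.bak’ rename and the move of an already-suffixed file on ws07 are ignored.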

Is Akira a threat to monitor?

Akira represents the modern evolution of ransomware – highly technical, globally active and structured like a business. By using the RaaS model, adopting advanced double extortion tactics, and drawing on the skills of its predecessors, Conti and Ryuk, Akira has quickly made a name for itself as a ruthless and dangerous group in the ransomware sphere. Akira is a clear reminder that when one group disappears, another is always ready to take its place with even greater efficiency, sharper tactics, and more aggression. Akira is still active; in April 2025 it ranked second among ransomware groups by number of victims, and it will undoubtedly continue to wreak havoc on enterprises across the world.

