Background and Attribution
Akira is a Ransomware-as-a-Service (RaaS) group that emerged in March 2023, named after the 1980s manga film of the same name.
The group is known for its double-extortion model: Akira first exfiltrates large volumes of sensitive data, then encrypts the victim’s files. They demand a ransom for the organization to regain access to its files, and they also threaten to publish the stolen data on a Tor leak site (with a distinctive retro ’80s look) if the ransom is not paid.
Definitive attribution is difficult. However, there are overlaps in tactics with the defunct Russian-speaking Conti ransomware syndicate. This suggests some of its former members may now be involved with Akira.
Common Tactics and Tools
Akira’s primary method for initial network access is exploiting poorly secured Virtual Private Networks (VPNs). They target VPN accounts that are not protected by Multi-Factor Authentication (MFA).
Once inside, they escalate privileges and move laterally. They use a variety of legitimate and malicious tools to disable security software before deploying the final ransomware payload.
- Akira Ransomware: The group’s main payload is a C++ ransomware with both Windows and Linux versions. It encrypts a wide range of files and adds an extension like .akira. It avoids critical system files, leaving the computer usable enough to display the ransom note.
- Megazord: A notable variant of the Akira ransomware, which sometimes uses the file extension .powerranges (in reference to the Power Rangers television series).
- Legitimate tools (abused): Akira uses common IT administration and security tools to carry out its attacks. These include AnyDesk for remote access, WinRAR to compress stolen data for exfiltration, and Mimikatz to harvest credentials from memory.
How to Defend Against Akira Ransomware
Defending against Akira requires strong perimeter security as well as controls to stop their actions after they gain entry.
- Enforce MFA on all remote access: Prioritize the implementation of mandatory MFA on all VPNs and other remote access solutions.
- Maintain offline, tested backups: Offline, regularly tested backups let you restore files without paying. Note that, because of the double-extortion technique, backups do not protect you from the threat of the stolen data being published.
- Harden network security: Use a Network Detection and Response (NDR) solution, like Lumu Defender. NDRs detect and stop unusual activity, such as command and control attempts and data exfiltration.
- Implement network segmentation: Segment your network to limit an attacker’s movement. This can stop a small breach from affecting the entire organization.
- Leverage intel: Integrate a real-time threat intelligence platform, like Lumu Maltiverse. This helps security teams find and stop attacks more quickly.
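As an added example (not Lumu’s or the group’s code), the following detection logic uses the two file extensions named in the tools section above (.akira and .powerranges) to flag hosts whose file-rename activity looks like a mass-encryption run, the kind of unusual activity an NDR or EDR rule would alert on. The audit-log format, the host names and the sample lines are all constructed for the example.

```python
# Added example, not Lumu's or Akira's code: flag hosts whose file renames
# look like an Akira/Megazord encryption run. The audit-log format is assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXTENSIONS = (".akira", ".powerranges")  # extensions named in the profile

# Constructed sample audit lines: "<ISO time> <host> RENAME <old> -> <new>".
SAMPLE_EVENTS = """\
2024-05-01T02:14:03 FS01 RENAME D:\\share\\q1.xlsx -> D:\\share\\q1.xlsx.akira
2024-05-01T02:14:04 FS01 RENAME D:\\share\\q2.xlsx -> D:\\share\\q2.xlsx.akira
2024-05-01T02:14:05 FS01 RENAME D:\\share\\hr.pdf -> D:\\share\\hr.pdf.akira
2024-05-01T09:30:10 WS07 RENAME C:\\Users\\a\\draft.txt -> C:\\Users\\a\\final.txt
2024-05-01T11:02:41 WS12 RENAME C:\\Users\\b\\notes.md -> C:\\Users\\b\\notes.md.powerranges
"""
LINE_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")

def parse_events(text):
    """Yield (timestamp, host, new_path) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, _old, new = m.groups()
            yield datetime.fromisoformat(ts), host, new

def is_ransom_renamed(path):
    """True when the new name carries a known Akira/Megazord extension."""
    return path.lower().endswith(RANSOM_EXTENSIONS)

def max_renames_in_window(text, window=timedelta(seconds=60)):
    """Per host: the most ransom-extension renames seen in any `window`."""
    per_host = defaultdict(list)
    for ts, host, new in parse_events(text):
        if is_ransom_renamed(new):
            per_host[host].append(ts)
    peaks = {}
    for host, times in per_host.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):       # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[host] = best
    return peaks

def detect_encryption_bursts(text, threshold=3, window=timedelta(seconds=60)):
    """Hosts at or above `threshold`; lower counts remain for manual triage."""
    return {h: n for h, n in max_renames_in_window(text, window).items() if n >= threshold}
```

In the constructed sample, FS01 renames three files to .akira within seconds and is flagged, while the single .powerranges rename on WS12 stays visible for triage but does not trip the burst threshold.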