What is Akira?
Akira (S1129) is a fast-growing ransomware strain that operates as a Ransomware-as-a-Service (RaaS). Security researchers observed its first attacks in early 2023 and noted that the malware targets both Windows and Linux environments.
Affiliates frequently deploy the software after exploiting vulnerabilities in virtual private networks (VPNs). They specifically target unpatched enterprise network appliances and compromised accounts lacking multi-factor authentication. Once inside, attackers use legitimate administrative tools to map the network and steal sensitive corporate data.
Next, they execute the Akira payload to encrypt critical systems. To hinder recovery, the malware actively deletes local volume shadow copies. This destructive action prevents IT teams from easily restoring systems and forces executive leaders into difficult negotiations.
Attackers rely heavily on double extortion, demanding a ransom for decryption keys while threatening to publish the stolen data on their dark web leak site.
How to Defend Against Akira?
Defending against Akira requires strict vulnerability management, robust access controls, and continuous network monitoring.
- Secure remote access: Attackers frequently exploit vulnerable VPNs and use stolen credentials. Use Lumu Discover to monitor for compromised accounts and map your attack surface.
- Maintain offline backups: Akira actively destroys local backups and shadow copies. Store critical data offline to ensure quick recovery without paying a ransom.
- Deploy endpoint detection: Monitor devices for suspicious administrative activity. Flag any process that attempts to run network scanning tools or delete shadow copies.
- Use network detection (NDR): Use tools like Lumu Defender to identify unauthorized data exfiltration. Detect anomalous network traffic generated by compromised VPN accounts before encryption begins.
- Integrate threat intelligence: Use platforms like Lumu Maltiverse to stay updated on the latest Akira indicators and block access to malicious domains.
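The endpoint-detection control above (flag any process that tries to delete shadow copies) as an added Python example, not code from the original page or from Lumu: it runs command-line rules over constructed Sysmon-style process-creation events. The hosts, users and log layout are made up, and the command patterns come from the public ATT&CK T1490 documentation rather than from this page.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style process-creation events (tab-separated key=value).
# Hosts, users and paths are made up; the first line is benign read-only use.
SAMPLE_EVENTS = """\
Host=FS01\tUser=CORP\\svc_backup\tImage=C:\\Windows\\System32\\vssadmin.exe\tCommandLine=vssadmin.exe list shadows
Host=FS01\tUser=CORP\\admin2\tImage=C:\\Windows\\System32\\vssadmin.exe\tCommandLine=VSSADMIN.EXE  Delete   Shadows /All /Quiet
Host=DC01\tUser=CORP\\admin2\tImage=C:\\Windows\\System32\\wbem\\WMIC.exe\tCommandLine=wmic shadowcopy delete /nointeractive
Host=WS12\tUser=CORP\\jdoe\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tCommandLine=powershell -nop Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }
Host=FS02\tUser=CORP\\admin2\tImage=C:\\Users\\Public\\svchost.exe\tCommandLine=svchost.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
"""

# Rules match the command line rather than the image path, so a renamed copy of
# the tool (last sample event) is still caught. Patterns follow the publicly
# documented ATT&CK T1490 "Inhibit System Recovery" behaviours.
RULES = [
    ("vssadmin delete shadows", re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete", re.compile(r"\bshadowcopy\s+delete\b", re.I)),
    ("powershell Win32_ShadowCopy delete", re.compile(r"win32_shadowcopy\b.*\.delete\s*\(", re.I)),
    ("vssadmin resize shadowstorage", re.compile(r"\bresize\s+shadowstorage\b.*\bmaxsize=", re.I)),
]

@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    command_line: str

def detect_shadow_copy_deletion(log_text: str) -> list[Alert]:
    """Return one Alert per event whose command line matches a T1490 rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # key=value fields; partition on the first "=" so values may contain "="
        ev = dict(part.partition("=")[::2] for part in line.split("\t"))
        # Normalise whitespace so padded or case-shifted invocations are not missed
        cmd = " ".join(ev.get("CommandLine", "").split())
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(ev.get("Host", "?"), ev.get("User", "?"), name, cmd))
                break  # one alert per event is enough for triage
    return alerts

if __name__ == "__main__":
    for a in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host} {a.user}: {a.command_line}")
```

Running it on the sample prints four alerts and ignores the read-only `list shadows` call; in production the same rules would sit on an EDR or SIEM process-creation feed.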