Akira is a sophisticated, human-operated Ransomware-as-a-Service (RaaS) operation that targets both Windows and Linux systems. It frequently exploits vulnerabilities in Virtual Private Networks (VPNs) to encrypt critical data and exfiltrate sensitive files for double extortion.
If you have discovered files with the .akira extension or are locked out of your VMware ESXi virtual machines, your organization is the victim of a targeted attack. Disconnect the affected systems as soon as possible.
Below, we’ll explain how this specific ransomware variant operates, the technical vulnerabilities it exploits, and steps to maximize your chances of recovery. To discuss options with an expert, call 1-800-237-4200 or submit a case online.
Akira Ransomware: An Overview
First detected in March 2023, Akira has rapidly become one of the most active ransomware groups globally. Unlike automated spray-and-pray malware (where the objective is to infect as many potential victims as possible), Akira attacks are hands-on. The attackers may gain access to a network days or weeks before deploying the encryption payload, using that time to steal data and disable backups.
In cases we’ve handled, we’ve noted that Akira’s payment portals and ransom notes often feature a distinct green-text-on-black-background aesthetic.
Technical Features of Akira Ransomware
To defend against or recover from Akira, it is helpful to understand exactly how it functions. Security researchers, including the FBI and CISA, have analyzed the malware’s code and identified several key characteristics.
Akira Encryption and Code Origins
Akira uses a hybrid encryption approach: a fast symmetric cipher for the file contents and a public-key cipher to protect the symmetric key. It typically employs ChaCha20 (a high-speed stream cipher) to encrypt files and RSA to encrypt the ChaCha20 key, so that only the attackers' private RSA key can recover it.
To further speed up the process, Akira often uses a “spotting” technique (intermittent encryption), encrypting only a percentage of each file. This renders the file unusable while allowing the ransomware to cripple a massive file server in minutes rather than hours.
Code analysis suggests that Akira may be built upon the leaked source code of the now-defunct Conti ransomware. If you have dealt with Conti in the past, the remediation steps are similar (we’ll get to those in a moment).
Intermittent encryption can make data recovery more complex, because each file is damaged in patches rather than encrypted end to end. However, the untouched regions may also open up opportunities for the recovery of specific files.
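To see what intermittent encryption looks like from the recovery side, here is an added triage example (not code from the original page or from Datarecovery.com) that maps a file's encrypted and intact regions by chunk entropy. ChaCha20 output is statistically indistinguishable from random bytes, so encrypted chunks sit near 8 bits/byte while text or structured data sits far lower. The sample file, the chunk size, the 7.5-bit threshold, and the chunk positions chosen for the constructed sample are all assumptions; the sample uses pseudo-random bytes as a stand-in for ciphertext, it performs no encryption.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096          # analysis granularity in bytes (assumed)
ENCRYPTED_THRESHOLD = 7.5  # bits/byte; 4 KiB of random data scores ~7.95, text ~4-5 (assumed cutoff)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~8.0 for ciphertext, much lower for plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[float]:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def encrypted_regions(data: bytes, chunk_size: int = CHUNK_SIZE,
                      threshold: float = ENCRYPTED_THRESHOLD) -> list[tuple[int, int, bool]]:
    """Merge adjacent chunks with the same verdict into (start, end, is_encrypted) runs."""
    regions: list[tuple[int, int, bool]] = []
    for idx, h in enumerate(chunk_entropies(data, chunk_size)):
        start = idx * chunk_size
        end = min(start + chunk_size, len(data))
        flag = h >= threshold
        if regions and regions[-1][2] == flag:
            regions[-1] = (regions[-1][0], end, flag)   # extend the current run
        else:
            regions.append((start, end, flag))
    return regions


def encrypted_fraction(data: bytes, chunk_size: int = CHUNK_SIZE,
                       threshold: float = ENCRYPTED_THRESHOLD) -> float:
    """Share of the file's bytes that look encrypted."""
    if not data:
        return 0.0
    enc = sum(end - start for start, end, flag in encrypted_regions(data, chunk_size, threshold) if flag)
    return enc / len(data)


def build_sample(total_chunks: int = 16, encrypted_chunks=(0, 5, 10),
                 chunk_size: int = CHUNK_SIZE) -> bytes:
    """Constructed sample: a low-entropy log-style text file in which a few chunks are
    overwritten with seeded pseudo-random bytes to stand in for ChaCha20 ciphertext."""
    line = b"2024-01-05 03:12:01 INFO order=1042 status=shipped carrier=ground\n"
    total = total_chunks * chunk_size
    buf = bytearray((line * (total // len(line) + 1))[:total])
    rng = random.Random(1234)   # fixed seed so the sample is reproducible
    for c in encrypted_chunks:
        buf[c * chunk_size:(c + 1) * chunk_size] = rng.randbytes(chunk_size)
    return bytes(buf)


def scan_file(path: str) -> dict:
    """Read-only analysis of a real file (run against a copy or a read-only mount)."""
    with open(path, "rb") as f:
        data = f.read()
    return {"path": path,
            "encrypted_fraction": encrypted_fraction(data),
            "regions": encrypted_regions(data)}


if __name__ == "__main__":
    sample = build_sample()
    print(f"encrypted fraction: {encrypted_fraction(sample):.3f}")
    for start, end, enc in encrypted_regions(sample):
        print(f"{start:>8}-{end:<8} {'ENCRYPTED' if enc else 'intact'}")
```

The region map tells a recovery engineer which byte ranges of a file are still original, which is what makes partial recovery of formats with recoverable inner structure (databases, archives with independent members, media with keyframes) possible. The caveat is the baseline: files that are compressed before encryption (zip, jpeg, video) already score near 8 bits/byte, so for those types compare against a known-good sample of the same format rather than a fixed threshold.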
Primary Akira Attack Vectors
Akira is notorious for exploiting network infrastructure. The group aggressively targets Cisco AnyConnect SSL VPNs and SonicWall gateways. They frequently exploit specific vulnerabilities, such as CVE-2023-20269, which allows attackers to brute-force credentials on systems that do not have Multi-Factor Authentication (MFA) enabled.
Like many other groups, they scan for open RDP ports and use compromised credentials to gain entry. Penetration testing (pen testing) can help identify and close these weaknesses before they are exploited.
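Both vectors above start with credential guessing against an exposed service, so the earliest defensive signal is a burst of failed logons. The following added example (not code from the original page or from Datarecovery.com) runs three detections over authentication events: many failures from one source, many distinct accounts tried from one source (password spraying), and a success from a source that had just been failing, which is the case that should page someone. The simplified one-line log format and the sample events are constructed for this example and are not a real gateway's log format; the thresholds, window, and field names are assumptions and would be mapped onto your VPN or Windows logon events.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified format: "<iso-timestamp> <host> auth-fail|auth-ok user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>auth-fail|auth-ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_bursts(lines, window: timedelta = timedelta(minutes=5),
                  fail_threshold: int = 10, spray_users: int = 5) -> list[dict]:
    """Sliding-window detection per source address. Thresholds are assumed values."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    failures = defaultdict(deque)   # src -> deque of (ts, user) inside the window
    alerts, seen = [], set()

    def emit(kind: str, src: str, detail: str) -> None:
        if (kind, src) not in seen:   # one alert per kind and source, not one per event
            seen.add((kind, src))
            alerts.append({"kind": kind, "src": src, "detail": detail})

    for ev in events:
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()               # drop failures older than the window
        if ev["event"] == "auth-fail":
            q.append((ev["ts"], ev["user"]))
            distinct = len({u for _, u in q})
            if len(q) >= fail_threshold:
                emit("brute_force", ev["src"], f"{len(q)} failures within {window}")
            if distinct >= spray_users:
                emit("password_spray", ev["src"], f"{distinct} distinct accounts within {window}")
        elif ev["event"] == "auth-ok" and len(q) >= fail_threshold:
            # A success right after a failure burst is the likely-compromised-credential case.
            emit("success_after_failures", ev["src"],
                 f"user={ev['user']} succeeded after {len(q)} failures")
    return alerts


def build_sample_log() -> list[str]:
    """Constructed sample events: one brute-force-then-success, one spray, one benign typo."""
    base = datetime(2024, 1, 5, 3, 0, 0)
    lines: list[str] = []

    def add(offset_s: int, event: str, user: str, src: str) -> None:
        ts = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} vpn-gw {event} user={user} src={src}")

    for i in range(12):                                   # 12 failures in two minutes...
        add(i * 10, "auth-fail", "jsmith", "203.0.113.7")
    add(130, "auth-ok", "jsmith", "203.0.113.7")          # ...then the account logs in
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        add(200 + i * 15, "auth-fail", user, "198.51.100.20")   # one try per account
    add(400, "auth-fail", "mwilson", "192.0.2.5")         # a user mistyping twice
    add(420, "auth-fail", "mwilson", "192.0.2.5")
    add(440, "auth-ok", "mwilson", "192.0.2.5")
    return lines


if __name__ == "__main__":
    for a in detect_bursts(build_sample_log()):
        print(f"{a['kind']:<24} {a['src']:<16} {a['detail']}")
```

With MFA enforced the third detection loses most of its sting, because a guessed password alone no longer yields a session; without MFA it is the alert that separates noise from an intrusion in progress. Keying the window on the source address is deliberate: a spray spreads its attempts across accounts precisely so that per-account lockout thresholds never trigger.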
The Linux / ESXi Variant
A major differentiator for Akira is its capability to target Linux environments, specifically VMware ESXi servers. By targeting the hypervisor (the layer that manages virtual machines), they can encrypt all the virtual servers running on a host simultaneously.
Note: The Linux variant of Akira functions differently than the Windows version and requires different recovery strategies.
Double Extortion
Akira operates a “leak site” on the dark web. Before encrypting your data, they exfiltrate sensitive documents. If you refuse to pay the ransom for the decryption key, they threaten to publish this stolen data publicly.
Steps to Take After an Akira Ransomware Infection
If you identify the .akira extension or receive a ransom note, your immediate actions matter. We recommend taking the following steps:
Step 1: Disconnect But Do Not Power Down
Immediately disconnect infected machines from the network to prevent the ransomware from spreading to other subnets or backup servers.
Warning: Do not reboot or power down the infected machines. In some rare ransomware scenarios, encryption keys are stored in volatile memory (RAM); shutting down the computer can wipe this key, making recovery impossible even if a decryptor is found or developed.
Step 2: Secure Your Backups
Verify the status of your backups immediately. If your backups are connected to the network (e.g., a NAS drive or a mapped cloud drive), the ransomware may have encrypted them as well. Isolate your backup media immediately.
Step 3: Check for Public Decryptors
In June 2023, security researchers at Avast released a decryption tool for then-current versions of Akira ransomware. The tool can be found at the No More Ransom project.
The Akira gang acknowledged this flaw and patched their code shortly after. If you were infected by a newer version of Akira (post-August 2023) or the Linux variant, the tool may not work. Datarecovery.com can help you analyze your infection and determine whether free decryptors are an option; we can also help you identify vulnerabilities that led to the attack.
Step 4: Preserve the Logs
Do not immediately wipe the machines and reinstall Windows. Forensic logs (firewall logs, Event Viewer logs) can help to determine how the attackers got in. If you wipe the evidence, you cannot patch the hole — and you might face another attack.
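The four steps above share a need for a quick, non-destructive inventory of what was hit and when. This added example (not code from the original page or from Datarecovery.com) walks a directory tree read-only, records every file carrying the .akira extension together with any ransom note, hashes each one, and derives the encryption time window from the earliest and latest modification times. That window is what tells you which backups predate the attack (Step 2) and which log interval to preserve and review (Step 4). The ransom-note filename is a placeholder to be replaced with the name observed on your systems, and the sample tree is constructed for the demonstration; run the real scan against a mounted read-only copy or image from a clean analysis host, never by writing to the affected machine.

```python
import csv
import hashlib
import os
import tempfile
from datetime import datetime, timezone

ENCRYPTED_EXT = ".akira"   # extension named in the article
# Placeholder only: substitute the ransom-note filename actually observed on your systems.
RANSOM_NOTE_NAMES = {"RANSOM_NOTE_FILENAME_PLACEHOLDER.txt"}


def sha256_file(path: str, block: int = 1 << 20) -> str:
    """Streamed SHA-256 so large encrypted files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(name: str):
    """'encrypted', 'ransom_note', or None for files the triage ignores."""
    if name.lower().endswith(ENCRYPTED_EXT):
        return "encrypted"
    if name in RANSOM_NOTE_NAMES:
        return "ransom_note"
    return None


def triage_tree(root: str) -> dict:
    """Read-only walk: inventory encrypted files and notes with sizes, UTC mtimes and hashes."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind is None:
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            records.append({
                "kind": kind,
                "path": path,
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
                "sha256": sha256_file(path),
            })
    enc = [r for r in records if r["kind"] == "encrypted"]
    mtimes = sorted(r["mtime_utc"] for r in enc)   # ISO-8601 strings sort chronologically
    return {
        "records": records,
        "encrypted_count": len(enc),
        "note_count": sum(1 for r in records if r["kind"] == "ransom_note"),
        "first_encrypted_mtime": mtimes[0] if mtimes else None,
        "last_encrypted_mtime": mtimes[-1] if mtimes else None,
        "affected_dirs": sorted({os.path.dirname(r["path"]) for r in enc}),
    }


def write_manifest(records, out_path: str) -> str:
    """Write the inventory as CSV evidence (to the analysis host, not the affected volume)."""
    with open(out_path, "w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=["kind", "path", "size", "mtime_utc", "sha256"])
        w.writeheader()
        w.writerows(records)
    return out_path


def build_sample_tree(root: str) -> None:
    """Constructed sample: three encrypted files, one note, two untouched files, fixed mtimes."""
    spec = {
        "finance/q4.xlsx.akira": ("ciphertext-stand-in-1", "2024-01-05T03:15:00"),
        "finance/RANSOM_NOTE_FILENAME_PLACEHOLDER.txt": ("note-text", "2024-01-05T03:16:00"),
        "hr/payroll.docx.akira": ("ciphertext-stand-in-2", "2024-01-05T03:12:00"),
        "hr/readme.txt": ("untouched", "2023-11-02T10:00:00"),
        "shares/backup.vmdk.akira": ("ciphertext-stand-in-3", "2024-01-05T03:20:00"),
        "shares/notes.md": ("untouched", "2023-12-15T09:30:00"),
    }
    for rel, (content, when) in spec.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
        ts = datetime.fromisoformat(when).replace(tzinfo=timezone.utc).timestamp()
        os.utime(path, (ts, ts))


def run_demo() -> dict:
    """Build the sample tree in a temp dir, triage it, and write the manifest."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        result = triage_tree(root)
        manifest = write_manifest(result["records"], os.path.join(root, "akira_triage_manifest.csv"))
        with open(manifest) as f:
            result["manifest_rows"] = len(f.read().splitlines())
        return result


if __name__ == "__main__":
    r = run_demo()
    print(f"encrypted files: {r['encrypted_count']}, ransom notes: {r['note_count']}")
    print(f"encryption window: {r['first_encrypted_mtime']} .. {r['last_encrypted_mtime']}")
    print("affected directories:", *r["affected_dirs"], sep="\n  ")
```

The hashes serve two purposes: the ransom note's hash and a sample encrypted file can be submitted to a decryptor service (Step 3) without shipping the whole data set, and re-hashing later proves the evidence was not altered while the machine waited for analysis.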
Professional Resources for Ransomware Recovery
At Datarecovery.com, we are researchers, not just recovery engineers. Our laboratories feature proprietary hardware and software designed to extract data from corrupt storage media and analyze malware encryption structures.
We’ve helped thousands of ransomware victims restore their data, patch vulnerabilities, and fight back against bad actors. If you have lost data to Akira ransomware, we’re here to help.
Click here to submit a case online or call us at 1-800-237-4200 to speak with an expert.