Akira ransomware has cemented its reputation as one of the most relentless and disruptive cyber threats affecting organizations today. Akira has held the number one spot for six straight quarters in Coveware by Veeam’s case data, and in 2024, it was responsible for 14% of all ransomware incidents.
While many ransomware groups tend to chase after big-ticket targets, Akira takes a different approach. It casts a wider net, focusing on sheer volume rather than just high-profile victims, allowing it to affect organizations indiscriminately and across a broad range of industries.
What sets Akira apart, however, is its aggressive focus on VMware ESXi environments. ESXi was a primary target in nearly half of the ransomware incidents observed in 2024, and Akira follows that pattern closely. Rather than focusing solely on endpoints, Akira goes after the hypervisor itself, encrypting entire virtualized infrastructures in one strike. The result: maximum operational disruption and increased leverage for ransom demands.
Akira’s attack lifecycle follows a clear and dangerous pattern:
- Gain entry with stolen credentials through exposed remote access services like VPNs and RDP
- Harvest more credentials and escalate privileges to entrench deeply within the business
- Abuse legitimate admin tools for quiet, lateral movement across networks
- Exfiltrate sensitive data to use as leverage, prior to encryption
- Launch highly disruptive ESXi-level encryption to bring business operations to a halt and maximize ransom pressure on the organization
This report looks at Akira's methods in detail. Below, we dissect real-world insights from Coveware and Veeam case data, combined with MITRE ATT&CK mappings. We pinpoint critical detection opportunities, outline defensive actions, and offer ESXi-specific strategies to help security teams stay ahead of the threat before Akira has the chance to trigger a full-blown ransomware event.
Akira’s Attack Path: A Breakdown of Key Techniques
Step 1: Exploiting Remote Entry Points
Akira’s attackers typically begin by targeting remote access weaknesses, relying on a combination of stolen credentials, brute-force tactics, and poorly secured remote services to break in.
How They Do It
Stolen Credentials
Attackers often use credentials harvested from phishing campaigns or previous data breaches to gain legitimate access. With valid usernames and passwords in hand, attackers can bypass many security measures and blend in as legitimate users, making early detection much more difficult.
Compromising VPN & RDP Services (T1133)
Unpatched VPN gateways and exposed RDP endpoints are prime targets for Akira. When these services face the internet without proper hardening, they give attackers a direct, high-value route into internal networks with minimal resistance. Single-factor authentication (no MFA) is the common keystone of many Akira intrusions: a valid password alone is enough to get in.
Brute Force Attacks (T1110)
If stolen credentials aren’t available, Akira relentlessly attempts login combinations against RDP, SSH, and other exposed services. These attacks target accounts using weak, default, or reused passwords, and once successful, give the attackers a foothold to begin lateral movement.
How to Spot It Early
- Keep an eye out for unusual spikes in failed login attempts and authentication requests.
- Enforce Multi-Factor Authentication (MFA) across all remote access points.
- Use geofencing to block connections from regions or IPs that don’t align with normal business operations.
- Regularly update and patch software, especially for public-facing applications.
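As an added example (not code from the Veeam/Coveware post), the following Python implements the first bullet above, a sliding-window check for failed-logon spikes per source address, over a constructed batch of authentication records. It separates a burst against one account (brute force) from a burst spread across many accounts (password spray), and flags a success that follows a run of failures or arrives from outside an expected address range, which is a crude stand-in for the geofencing bullet. The thresholds, the 10-minute window, the trusted range 192.0.2.0/24 and every sample record are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: normalised authentication records of the kind a SIEM
# derives from Windows 4624/4625 or VPN gateway logs. Not real telemetry.
# Fields: (timestamp, source_ip, username, outcome, service)
SAMPLE_AUTH_EVENTS = [
    ("2024-03-01T02:00:01Z", "203.0.113.7", "jsmith", "FAIL", "vpn"),
    ("2024-03-01T02:00:09Z", "203.0.113.7", "jsmith", "FAIL", "vpn"),
    ("2024-03-01T02:00:20Z", "203.0.113.7", "jsmith", "FAIL", "vpn"),
    ("2024-03-01T02:01:02Z", "203.0.113.7", "jsmith", "FAIL", "vpn"),
    ("2024-03-01T02:01:44Z", "203.0.113.7", "jsmith", "FAIL", "vpn"),
    ("2024-03-01T02:02:30Z", "203.0.113.7", "jsmith", "FAIL", "vpn"),
    ("2024-03-01T02:04:11Z", "203.0.113.7", "jsmith", "SUCCESS", "vpn"),
    ("2024-03-01T02:10:00Z", "198.51.100.22", "admin", "FAIL", "rdp"),
    ("2024-03-01T02:10:05Z", "198.51.100.22", "backup", "FAIL", "rdp"),
    ("2024-03-01T02:10:10Z", "198.51.100.22", "svc_sql", "FAIL", "rdp"),
    ("2024-03-01T02:10:15Z", "198.51.100.22", "helpdesk", "FAIL", "rdp"),
    ("2024-03-01T02:10:20Z", "198.51.100.22", "jdoe", "FAIL", "rdp"),
    ("2024-03-01T09:00:00Z", "192.0.2.9", "mlee", "FAIL", "vpn"),
    ("2024-03-01T09:00:12Z", "192.0.2.9", "mlee", "FAIL", "vpn"),
    ("2024-03-01T09:00:30Z", "192.0.2.9", "mlee", "SUCCESS", "vpn"),
]

# Tuning knobs (assumed values; calibrate against your own baseline).
FAIL_THRESHOLD = 5             # failures per source inside the window before alerting
SPRAY_MIN_USERS = 3            # distinct usernames that turn a burst into a spray
SUCCESS_AFTER_FAILS = 3        # failures preceding a success that warrant a look
WINDOW = timedelta(minutes=10)
# Assumed expected source ranges, standing in for a geofence or corporate egress list.
TRUSTED_NETS = [ip_network("192.0.2.0/24")]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def from_trusted_net(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect_auth_abuse(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Sliding-window failed-logon analysis per source IP.

    Emits one alert per source for a failure burst (brute force against one
    account, or a spray across several), plus an alert when a success follows
    a run of failures or arrives from outside the trusted ranges.
    """
    recent_fails = defaultdict(deque)   # source_ip -> deque[(ts, username)]
    burst_alerted = set()
    alerts = []
    for ts_s, ip, user, outcome, service in sorted(events, key=lambda e: e[0]):
        ts = parse_ts(ts_s)
        q = recent_fails[ip]
        while q and ts - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if outcome == "FAIL":
            q.append((ts, user))
            if len(q) >= threshold and ip not in burst_alerted:
                users = {u for _, u in q}
                alerts.append({
                    "type": "password_spray" if len(users) >= SPRAY_MIN_USERS else "brute_force",
                    "source_ip": ip, "service": service,
                    "failures": len(q), "distinct_users": len(users),
                })
                burst_alerted.add(ip)
        elif outcome == "SUCCESS":
            if len(q) >= SUCCESS_AFTER_FAILS:
                alerts.append({"type": "success_after_failures", "source_ip": ip,
                               "service": service, "user": user, "failures": len(q)})
            if not from_trusted_net(ip):
                alerts.append({"type": "success_from_untrusted_network",
                               "source_ip": ip, "service": service, "user": user})
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_abuse(SAMPLE_AUTH_EVENTS):
        print(alert)
```

On the sample, the external host 203.0.113.7 produces a brute-force alert on its fifth failure, then both a success-after-failures and an untrusted-network alert when the stolen password finally works; 198.51.100.22 is classified as a spray because its five failures hit five different accounts; the internal user who mistypes twice and then logs in triggers nothing. The success-after-failures rule is the one that matters most for Akira, since a burst of failures followed by a success from the same source is the signature of a valid credential being confirmed.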
Step 2: Persistence & Privilege Escalation
After breaching the network, Akira moves quickly to solidify its foothold. The attackers work to establish persistence, escalate their privileges, and quietly sidestep detection, setting the stage for their next moves.
How They Stay and Take Control
Creating New Accounts (T1136)
Akira actors often create new user accounts, sometimes mimicking legitimate admin accounts by using similar naming conventions. These hidden accounts allow them to maintain access even if initial entry points are discovered and closed.
Remote Access Tools (T1219)
Attackers install remote access software like AnyDesk or RustDesk for persistence, giving them a second door that stays open even after the original entry point is closed and that blends in with legitimate IT support tooling.
Process Injection (T1055)
By injecting malicious code into trusted system processes, attackers can execute commands and payloads under the radar, blending in with normal system activity and bypassing security controls.
Clearing Windows Event Logs (T1070.001)
To cover their tracks, Akira operators routinely clear key event logs, erasing records of their activities and making incident response more difficult and time-consuming.
How to Detect and Respond
- Watch for suspicious new account creations, particularly those with elevated (admin) privileges or unusual naming patterns and contain those accounts quickly.
- Limit installation and connectivity for remote access and monitoring tools.
- Deploy and fine-tune Endpoint Detection & Response (EDR) tools to flag anomalous process behavior, especially indicators of process injection.
- Set up alerts for log tampering, especially when the Windows Security log is cleared (Event ID 1102 in the Security channel) or the System log is cleared (Event ID 104 in the System channel). These are often early red flags of malicious intent, and because the attacker controls the host, forward events to a central collector so the record survives a local wipe.
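As an added example (not code from the Veeam/Coveware post), this Python covers the first and last bullets above over a constructed batch of Windows events: it compares every newly created account name (Event ID 4720) against an assumed inventory of legitimate privileged accounts using a normalised similarity ratio, so that "Adminstrator" or "svc_backup1" is caught as a lookalike, and it raises separate alerts for additions to privileged groups (4728/4732) and for cleared logs (1102/104). The admin inventory, the 0.85 similarity threshold and the sample events are all assumptions for illustration.

```python
import difflib
import re

# Assumed inventory of legitimate privileged accounts (constructed for the example).
KNOWN_ADMIN_ACCOUNTS = {"Administrator", "svc_backup", "it_admin", "da-jsmith"}
LOOKALIKE_THRESHOLD = 0.85        # assumed; tune against your own account naming scheme
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
LOG_CLEAR_EVENTS = {1102: "Security", 104: "System"}

# Constructed sample of Windows events reduced to the fields a SIEM carries.
# 4720 = user account created, 4728/4732 = member added to a privileged group,
# 1102 = Security log cleared, 104 = System log cleared. Not real telemetry.
SAMPLE_EVENTS = [
    {"id": 4720, "channel": "Security", "host": "DC01", "subject": "da-jsmith", "target": "Adminstrator"},
    {"id": 4720, "channel": "Security", "host": "DC01", "subject": "da-jsmith", "target": "svc_backup1"},
    {"id": 4720, "channel": "Security", "host": "DC01", "subject": "hr_admin", "target": "nrivera"},
    {"id": 4732, "channel": "Security", "host": "FS02", "subject": "da-jsmith",
     "target": "svc_backup1", "group": "Administrators"},
    {"id": 1102, "channel": "Security", "host": "FS02", "subject": "da-jsmith"},
    {"id": 104,  "channel": "System",   "host": "FS02", "subject": "da-jsmith"},
]


def normalize(name):
    """Collapse case, digits and punctuation so 'svc_backup1' and 'SVC-Backup' compare equal."""
    return re.sub(r"[^a-z]", "", name.lower())


def closest_admin(candidate, known=KNOWN_ADMIN_ACCOUNTS):
    """Return (best matching admin name, similarity ratio in 0..1) for a new account name."""
    norm = normalize(candidate)
    best, best_ratio = None, 0.0
    for admin in known:
        ratio = difflib.SequenceMatcher(None, norm, normalize(admin)).ratio()
        if ratio > best_ratio:
            best, best_ratio = admin, ratio
    return best, best_ratio


def detect_persistence(events, threshold=LOOKALIKE_THRESHOLD):
    """Walk the event stream and emit alerts for lookalike accounts, privileged
    group additions and cleared logs, in the order the events arrive."""
    alerts = []
    for ev in events:
        if ev["id"] == 4720:
            admin, ratio = closest_admin(ev["target"])
            if ratio >= threshold:
                alerts.append({"type": "lookalike_account", "host": ev["host"],
                               "created": ev["target"], "resembles": admin,
                               "similarity": round(ratio, 2), "by": ev["subject"]})
        elif ev["id"] in (4728, 4732) and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append({"type": "privileged_group_add", "host": ev["host"],
                           "account": ev["target"], "group": ev["group"], "by": ev["subject"]})
        elif ev["id"] in LOG_CLEAR_EVENTS and ev["channel"] == LOG_CLEAR_EVENTS[ev["id"]]:
            alerts.append({"type": "log_cleared", "host": ev["host"],
                           "channel": ev["channel"], "by": ev["subject"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_persistence(SAMPLE_EVENTS):
        print(alert)
```

The normalisation step is what makes the check useful against the naming trick the post describes: a trailing digit or a swapped separator is enough to fool a human skimming the user list, but it disappears before the comparison. The genuinely new account "nrivera" scores well below the threshold and is ignored, which keeps the rule quiet on ordinary onboarding.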
Step 3: Lateral Movement & Reconnaissance
Once inside and firmly planted, Akira’s operators don’t just sit still. They begin moving laterally, hopping from system to system while carefully mapping out the network. Their goal: find valuable assets, avoid detection, and position themselves for maximum damage.
How They Move and Scout
Remote Services: RDP & SSH (T1021, T1210)
Using the stolen credentials they've already gathered, attackers leverage common remote access protocols like Remote Desktop Protocol (RDP, T1021.001) and Secure Shell (SSH, T1021.004) to navigate deeper into the environment, often mimicking legitimate admin behavior to stay under the radar. SSH is the usual route into ESXi hosts, so an SSH session to a hypervisor from an ordinary workstation rather than a dedicated management host deserves scrutiny.
Network & Process Discovery (T1046, T1057)
Akira systematically scans the network, hunting for critical infrastructure like backup servers, domain controllers, and security defenses. The attackers also inventory running processes to identify tools that could expose their presence or obstruct their plans.
Lateral Tool Transfer (T1570)
Tools and payloads don't stay on one machine. Akira moves its custom scripts, malware, and utilities between compromised hosts using mechanisms like PsExec (which copies its service binary to the target's ADMIN$ share), RDP drive and clipboard redirection, or common file shares to prepare for the next phase of the attack.
How to Spot Movement
- Flag unauthorized or unusual remote login attempts, especially after hours or from unexpected accounts, and closely monitor for out-of-pattern RDP and SSH sessions.
- Look out for reconnaissance activity, such as unauthorized system scans or the use of scanning tools like advanced_ip_scanner.exe or netscan.exe. Key on file hashes or PE original-filename metadata as well as the process name, since operators routinely rename these binaries.
- Set alerts on suspicious file transfers — particularly executable files — moving laterally across hosts, as this often signals preparation for a wider compromise.
- Maintain a comprehensive software inventory to identify and manage unauthorized applications.
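As an added example (not code from the Veeam/Coveware post), this Python applies the first bullet above to a constructed set of logon records. It compares each (account, source, destination) triple against an assumed baseline of paths seen during normal operations, flags logons outside an assumed business-hours window, singles out SSH sessions to hypervisor hosts, and raises a fan-out alert when one account reaches several distinct destinations inside a short window, which is the shape lateral movement takes regardless of which tool carries it. The baseline, the 07:00 to 18:59 UTC working window, the 30-minute fan-out window, the host names and the sample records are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed 30-day baseline of (account, source_host, destination_host) logon
# triples observed and deemed legitimate. Not real data.
BASELINE_LOGONS = {
    ("jsmith", "WS-JSMITH", "FS01"),
    ("it_admin", "JUMP01", "DC01"),
    ("it_admin", "JUMP01", "ESX01"),
    ("mlee", "WS-MLEE", "FS01"),
}

# Constructed recent logon records: (timestamp, account, source_host, dest_host, protocol)
RECENT_LOGONS = [
    ("2024-03-02T22:15:00Z", "jsmith", "WS-JSMITH", "FS01", "rdp"),
    ("2024-03-02T22:20:00Z", "jsmith", "WS-JSMITH", "DC01", "rdp"),
    ("2024-03-02T22:21:00Z", "jsmith", "WS-JSMITH", "FS02", "rdp"),
    ("2024-03-02T22:22:00Z", "jsmith", "WS-JSMITH", "ESX01", "ssh"),
    ("2024-03-03T10:00:00Z", "it_admin", "JUMP01", "DC01", "rdp"),
]

BUSINESS_HOURS = range(7, 19)        # assumed 07:00-18:59 UTC working window
FANOUT_WINDOW = timedelta(minutes=30)
FANOUT_THRESHOLD = 3                 # distinct destinations per account inside the window
HYPERVISOR_HOSTS = {"ESX01"}         # assumed inventory of ESXi management targets


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_lateral_movement(logons, baseline=BASELINE_LOGONS):
    """Emit alerts for logon paths absent from the baseline, after-hours logons,
    SSH into hypervisors, and one account fanning out across many hosts."""
    alerts = []
    recent_dests = defaultdict(deque)   # account -> deque[(ts, dest_host)]
    fanout_alerted = set()
    for ts_s, account, src, dst, proto in sorted(logons, key=lambda e: e[0]):
        ts = parse_ts(ts_s)
        base = {"account": account, "src": src, "dst": dst, "proto": proto, "at": ts_s}
        if (account, src, dst) not in baseline:
            alerts.append({"type": "new_logon_path", **base})
        if ts.hour not in BUSINESS_HOURS:
            alerts.append({"type": "after_hours_logon", **base})
        if dst in HYPERVISOR_HOSTS and proto == "ssh":
            alerts.append({"type": "ssh_to_hypervisor", **base})
        # Fan-out: how many distinct hosts has this account touched in the window?
        q = recent_dests[account]
        while q and ts - q[0][0] > FANOUT_WINDOW:
            q.popleft()
        q.append((ts, dst))
        distinct = {d for _, d in q}
        if len(distinct) >= FANOUT_THRESHOLD and account not in fanout_alerted:
            alerts.append({"type": "fan_out", "account": account,
                           "destinations": sorted(distinct), "at": ts_s})
            fanout_alerted.add(account)
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(RECENT_LOGONS):
        print(alert)
```

The first logon in the sample is a known path and would be invisible to a pure baseline rule; only the hour gives it away. The following three minutes produce a new path to a domain controller, a new path to a second file server, a fan-out alert, and finally an SSH session from a user workstation straight into an ESXi host. Taken together that sequence is the reconnaissance-then-positioning pattern the section describes, while the daytime jump-host logon by it_admin stays silent.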
Step 4: Exfiltration
Before pulling the trigger on full-scale encryption, Akira plays a more subtle but equally damaging card: data theft. By exfiltrating sensitive information, they build an extra layer of leverage — threatening to leak or sell stolen data if victims refuse to pay.
How They Extract the Data
Archive Collected Data (T1560)
Once valuable data is identified, Akira operators compress it into archives using tools like 7-Zip, WinRAR, or tailored scripts. This step streamlines the exfiltration process and helps them move large data sets more efficiently.
Exfiltration Over Web Services (T1567)
The attackers often push stolen data to public cloud storage and file-sharing platforms using sync clients such as MEGAsync or RClone, blending in with normal HTTPS traffic and reducing the risk of being blocked outright. WinSCP and FileZilla are also seen in these cases; they move data over SFTP or FTP rather than a web service, which ATT&CK maps to Exfiltration Over Alternative Protocol (T1048).
How to Detect the Theft
- Keep an eye out for unauthorized or unusual usage of compression tools, especially combined with mass file access events targeting sensitive directories.
- Deploy Data Loss Prevention (DLP) solutions to identify and block outbound transfers to unapproved or unfamiliar cloud storage services.
- Regularly review browser histories and inspect outbound network traffic for signs of interaction with known file-sharing platforms often abused in exfiltration operations.
- Review server outbound access over HTTPS/443. In the hands of a threat actor, that simple protocol can enable exfiltration, downloading of tools, command and control, and more.
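As an added example (not code from the Veeam/Coveware post), this Python ties the first, second and last bullets above together over a constructed timeline of endpoint process events and outbound flow records. It remembers when an archiver (7-Zip, WinRAR) ran on each host, flags execution of the transfer tools named in this section, and correlates a large outbound transfer on 443 to an unapproved destination with a recent archive job on the same host, which is the staging-then-upload sequence that distinguishes exfiltration from ordinary backup or SaaS traffic. The tool lists, the 500 MB threshold, the 2-hour correlation window, the approved range 192.0.2.0/24 and the sample records are all assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of process-creation events: (timestamp, host, image, command line)
PROCESS_EVENTS = [
    ("2024-03-03T01:00:00Z", "FS01", "7z.exe", r"7z.exe a -mx1 C:\Temp\f.7z \\FS01\Finance"),
    ("2024-03-03T01:10:00Z", "FS01", "rclone.exe", "rclone.exe copy C:\\Temp remote:drop"),
    ("2024-03-03T09:00:00Z", "WS-ACCT", "7z.exe", r"7z.exe a report.7z Q1"),
]
# Constructed sample of outbound flow records: (timestamp, host, dst_ip, dst_port, bytes_out)
FLOW_RECORDS = [
    ("2024-03-03T01:30:00Z", "FS01", "203.0.113.50", 443, 2_100_000_000),
    ("2024-03-03T01:40:00Z", "FS01", "192.0.2.200", 443, 3_000_000_000),
    ("2024-03-03T09:10:00Z", "WS-ACCT", "198.51.100.10", 443, 40_000_000),
]

ARCHIVERS = {"7z.exe", "rar.exe", "winrar.exe"}
EXFIL_TOOLS = {"rclone.exe", "megasync.exe", "winscp.exe", "filezilla.exe"}
# Assumed allowlist: backup/replication targets and sanctioned egress destinations.
APPROVED_DESTS = [ip_network("192.0.2.0/24")]
EXFIL_BYTES = 500_000_000               # assumed threshold for "large" outbound transfer
CORRELATION_WINDOW = timedelta(hours=2)  # assumed gap between archiving and upload


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def approved(dst_ip):
    addr = ip_address(dst_ip)
    return any(addr in net for net in APPROVED_DESTS)


def detect_exfiltration(process_events, flows):
    """Merge both streams into one timeline so that 'archive, then upload'
    is evaluated in the order it happened on each host."""
    alerts = []
    staging = {}   # host -> timestamp of most recent archiver execution
    timeline = [(rec[0], "proc", rec) for rec in process_events] + \
               [(rec[0], "flow", rec) for rec in flows]
    for ts_s, kind, rec in sorted(timeline, key=lambda t: t[0]):
        ts = parse_ts(ts_s)
        if kind == "proc":
            _, host, image, cmdline = rec
            if image.lower() in ARCHIVERS:
                staging[host] = ts
            elif image.lower() in EXFIL_TOOLS:
                alerts.append({"type": "exfil_tool_executed", "host": host,
                               "image": image, "cmdline": cmdline, "at": ts_s})
        else:
            _, host, dst, port, nbytes = rec
            if nbytes < EXFIL_BYTES or approved(dst):
                continue   # small, or going somewhere we expect bulk data to go
            staged = staging.get(host)
            if staged is not None and ts - staged <= CORRELATION_WINDOW:
                alerts.append({"type": "staging_then_exfil", "host": host,
                               "dst": f"{dst}:{port}", "bytes": nbytes,
                               "staged_at": staged.strftime("%Y-%m-%dT%H:%M:%SZ"), "at": ts_s})
            else:
                alerts.append({"type": "large_unapproved_upload", "host": host,
                               "dst": f"{dst}:{port}", "bytes": nbytes, "at": ts_s})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(PROCESS_EVENTS, FLOW_RECORDS):
        print(alert)
```

In the sample, the file server compresses a finance share at 01:00, runs rclone at 01:10, and pushes 2.1 GB to an unknown address over 443 at 01:30, which yields an exfil-tool alert and a staging-then-exfil alert. The 3 GB transfer ten minutes later goes to the approved backup range and is ignored, as is the accountant's small upload after a routine archive. Without the allowlist a rule like this drowns in legitimate backup traffic, so maintaining that list is part of the detection, not an afterthought.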
Step 5: Encryption & Disruption
Once Akira has mapped the network, escalated privileges, and exfiltrated data, it initiates its most devastating move: locking down critical systems. This phase is designed to cause widespread disruption and bring operations to a grinding halt, pressuring victims into paying hefty ransoms.
While Akira continues to target both Windows and Linux environments, it’s the group’s aggressive focus on VMware ESXi hypervisors that has made it especially dangerous to organizations running virtualized infrastructure.
Why ESXi is Their Primary Target
Encrypting VMware ESXi Hypervisors (T1486)
By encrypting ESXi hosts, Akira can simultaneously take down dozens — or even hundreds — of virtual machines (VMs) in one strike, crippling entire data centers.
Credential Tampering & Host Reinstallation (T1098)
Attackers will often tamper with or reset ESXi administrative credentials, locking defenders out of their own hypervisors and further complicating forensics and recovery efforts.
Disabling Security Features (T1489)
Akira operators shut down running VMs and disable key ESXi security services, leaving infrastructure blind and defenseless during the encryption process. There is a practical reason for the shutdowns: a running VM holds locks on its VMDK files, so the encryptor has to power the VM off before it can overwrite them. A burst of VM power-offs is therefore the hypervisor-level tell.
Windows & Linux Encryption Still Part of the Attack
Data Encryption for Impact (T1486)
Outside of ESXi, Akira continues to encrypt Windows and Linux endpoints, leaving behind ransom notes and appending the distinct “.akira” extension to locked files.
Impairing Defenses (T1562)
Before encryption kicks in, attackers systematically disable endpoint security, backup solutions, and logging services, effectively sabotaging detection tools and thwarting any attempts at a swift rollback.
Watch Out Before It’s Too Late
- Watch for sudden or unexplained shutdowns of multiple VMs — often one of the earliest signs of ESXi-targeted encryption.
- Stay alert to unauthorized changes to ESXi administrative credentials or access control settings.
- Deploy honeypot VMs as bait; these can serve as early warning systems, flagging suspicious encryption activity before it spreads.
- Keep a close eye on backup repositories and system configurations to detect any unauthorized access or tampering attempts.
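As an added example (not code from the Veeam/Coveware post), this Python implements the first two bullets above over a constructed excerpt of ESXi hostd.log task lines. It parses the acting user and the invoked API method from each task-creation entry, raises an alert when one user powers off several distinct VMs inside a short window, and flags local account changes and service starts (such as enabling SSH) on the host. The log lines are modelled loosely on real hostd.log entries but are constructed, the exact format varies across ESXi builds so the regex is an assumption to adapt, and the five-VM threshold and five-minute window are illustrative values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample modelled loosely on ESXi hostd.log task-creation lines.
# Not real log data; the real layout differs between ESXi versions.
SAMPLE_HOSTD_LOG = """\
2024-03-03T03:00:01.100Z info hostd[2100123] [Originator@6876 sub=Vimsvc.TaskManager opID=a1b2c3-01 user=root] Task Created : haTask-ha-host-vim.host.ServiceSystem.start-100
2024-03-03T03:00:40.000Z info hostd[2100123] [Originator@6876 sub=Vimsvc.TaskManager opID=a1b2c3-02 user=root] Task Created : haTask-ha-host-vim.host.LocalAccountManager.updateUser-101
2024-03-03T03:01:00.000Z info hostd[2100123] [Originator@6876 sub=Vimsvc.TaskManager opID=a1b2c3-03 user=root] Task Created : haTask-12-vim.VirtualMachine.powerOff-200
2024-03-03T03:01:20.000Z info hostd[2100123] [Originator@6876 sub=Vimsvc.TaskManager opID=a1b2c3-04 user=root] Task Created : haTask-13-vim.VirtualMachine.powerOff-201
2024-03-03T03:01:40.000Z info hostd[2100123] [Originator@6876 sub=Vimsvc.TaskManager opID=a1b2c3-05 user=root] Task Created : haTask-14-vim.VirtualMachine.powerOff-202
2024-03-03T03:02:00.000Z info hostd[2100123] [Originator@6876 sub=Vimsvc.TaskManager opID=a1b2c3-06 user=root] Task Created : haTask-15-vim.VirtualMachine.powerOff-203
2024-03-03T03:02:20.000Z info hostd[2100123] [Originator@6876 sub=Vimsvc.TaskManager opID=a1b2c3-07 user=root] Task Created : haTask-16-vim.VirtualMachine.powerOff-204
2024-03-03T11:00:00.000Z info hostd[2100123] [Originator@6876 sub=Vimsvc.TaskManager opID=zz99-01 user=vpxuser] Task Created : haTask-20-vim.VirtualMachine.powerOff-300
"""

# Assumed line shape: timestamp, level, hostd[pid], [bracketed context ending in user=...],
# then "Task Created : haTask-<target>-vim.<method>-<taskid>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+Z)\s+\w+\s+hostd\[\d+\]\s+\[.*?user=(?P<user>[^\]\s]+).*?\]\s+"
    r"Task Created : haTask-(?P<target>[\w-]+?)-vim\.(?P<method>[\w.]+)-\d+$"
)

POWEROFF_THRESHOLD = 5                # distinct VMs powered off by one user...
POWEROFF_WINDOW = timedelta(minutes=5)  # ...inside this window (assumed values)
SENSITIVE_METHODS = {
    "host.LocalAccountManager.updateUser": "esxi_account_modified",
    "host.LocalAccountManager.createUser": "esxi_account_created",
    "host.LocalAccountManager.removeUser": "esxi_account_removed",
    "host.ServiceSystem.start": "esxi_service_started",
}


def parse_hostd(text):
    """Yield one dict per task-creation line that matches the assumed layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ"),
                   "user": m["user"], "target": m["target"], "method": m["method"]}


def detect_esxi_impact(text):
    alerts = []
    poweroffs = defaultdict(deque)   # user -> deque[(ts, vm moref id)]
    burst_alerted = set()
    for ev in parse_hostd(text):
        at = ev["ts"].strftime("%Y-%m-%dT%H:%M:%SZ")
        if ev["method"] in SENSITIVE_METHODS:
            alerts.append({"type": SENSITIVE_METHODS[ev["method"]], "user": ev["user"], "at": at})
        elif ev["method"] == "VirtualMachine.powerOff":
            q = poweroffs[ev["user"]]
            while q and ev["ts"] - q[0][0] > POWEROFF_WINDOW:
                q.popleft()
            q.append((ev["ts"], ev["target"]))
            vms = {vm for _, vm in q}
            if len(vms) >= POWEROFF_THRESHOLD and ev["user"] not in burst_alerted:
                alerts.append({"type": "mass_vm_poweroff", "user": ev["user"],
                               "vms": sorted(vms), "at": at})
                burst_alerted.add(ev["user"])
    return alerts


if __name__ == "__main__":
    for alert in detect_esxi_impact(SAMPLE_HOSTD_LOG):
        print(alert)
```

On the sample, root enables a service, changes a local account, and then powers off five VMs in under two minutes, which produces the three alerts in that order; the single power-off by vpxuser hours later is normal vCenter activity and stays quiet. Because an operator with root on the host can delete hostd.log along with everything else, this only works if the host forwards its logs to a remote syslog target (esxcli system syslog config set --loghost=...) before the incident, so the detection runs on a copy the attacker cannot reach.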
5 Defensive Measures to Stay Ahead of Akira
Akira’s playbook leans heavily on stealth, misuse of legitimate tools, and a devastating focus on ESXi environments. To stand a fighting chance, defenders must move beyond reactive measures and embrace a proactive security posture.
- Harden Remote Access Security. Be vigilant in enforcing Multi-Factor Authentication (MFA) across all remote entry points, including VPNs, RDP, and ESXi administrative accounts.
- Disrupt Lateral Movement. Closely monitor privileged account activity for unusual behavior and signs of credential theft, such as irregular usage patterns (T1003), and identify unauthorized installations of remote access tools like AnyDesk, RustDesk, and MobaXterm.
- Lock Down ESXi & Virtualized Infrastructure. Prioritize and enforce strict access controls on ESXi management interfaces, ensuring only trusted personnel have administrative privileges.
- Protect Data & Prevent Exfiltration. Deploy Data Loss Prevention (DLP) solutions to detect and block unauthorized data transfers before they exit the network.
- Strengthen Backup & Recovery Resilience. Maintain immutable, offline backups of ESXi hosts and critical VMs, keeping them isolated from potential attackers. VM snapshots that live on the same datastore as the VM are encrypted right along with it, so treat them as a convenience for change control, not as a recovery point.
The stakes are high. Without early detection and strong, proactive defenses, organizations risk facing crippling downtime and costly demands. However, companies that take decisive action — by hardening remote access, aggressively monitoring for credential misuse, and fortifying ESXi environments — can dramatically lower their risk profile.
A well-prepared organization not only limits the blast radius of a potential Akira attack but also positions itself for faster recovery should an intrusion occur.
The post Akira Attacks in a Nutshell: Understanding and Detecting the Threat appeared first on Veeam Software Official Blog.