Executive Summary
- The FBI has officially ranked the Akira ransomware variant as one of the ‘top five’ most consequential cyber threats it is currently investigating.
- Since emerging in March 2023, the Akira group has been linked to over $244 million in ransomware proceeds, primarily targeting small and medium-sized businesses.
- A new joint cybersecurity advisory from the U.S., Europol, and other nations details Akira’s tactics and lists newly identified vulnerabilities it exploits in major software and hardware.
- The group uses a double-extortion model and is noted for its speed, in some cases exfiltrating victim data within two hours of initial network access.
Federal authorities have identified the Akira ransomware group as one of the top five most consequential cyber threats currently under investigation by the FBI. In a joint advisory with international partners, U.S. cyber officials released new details on the group’s tactics, which have been used to generate more than $244 million in illicit proceeds by targeting businesses across multiple sectors.
The advisory, a collaboration between the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), Europol, and authorities in France, Germany, and the Netherlands, warns that the group primarily targets small and medium-sized businesses. Since first appearing in March 2023, Akira has impacted organizations in manufacturing, education, healthcare, and finance, among other industries.
“For the FBI, it is within the top five variants that we investigate,” stated Brett Leatherman, assistant director at the FBI Cyber Division. “This group is very consequential.” He noted that the FBI is currently investigating over 130 different ransomware variants targeting U.S. businesses.
The financially motivated group employs a double-extortion model, first stealing sensitive data and then encrypting the victim’s systems to increase pressure for payment. The advisory highlights six newly identified vulnerabilities that Akira actively exploits, affecting products from Cisco, Windows, VMware, Veeam, and SonicWall. Officials have observed the group gaining initial access through stolen credentials, brute-force attacks, and software vulnerabilities.
Once inside a network, Akira actors have been known to use remote access tools like AnyDesk and LogMeIn to maintain their presence. According to the advisory, the group operates with remarkable speed, with some incidents showing data exfiltration completed in just over two hours from the initial breach.
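As an added illustration, not code from the advisory or this article, the following Python triage checks two of the behaviours described above against constructed log lines: AnyDesk or LogMeIn executing on hosts outside an allowlist, and bursts of failed logons that suggest brute forcing. The log format, host allowlist, thresholds and sample values are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry); assumed format:
# "<ISO time> host=<h> event=process image=<path>" or "... event=logon_fail user=<u> src=<ip>"
SAMPLE_LOGS = """\
2024-05-01T09:00:01 host=ws-17 event=process image=C:\\Users\\a\\AppData\\Local\\Temp\\AnyDesk.exe
2024-05-01T09:00:05 host=help-01 event=process image=C:\\Program Files\\AnyDesk\\AnyDesk.exe
2024-05-01T09:02:10 host=srv-fs event=process image=C:\\Windows\\Temp\\LogMeIn.exe
2024-05-01T09:03:00 host=dc-01 event=logon_fail user=admin src=10.0.0.9
2024-05-01T09:03:05 host=dc-01 event=logon_fail user=backup src=10.0.0.9
2024-05-01T09:03:09 host=dc-01 event=logon_fail user=svc-sql src=10.0.0.9
2024-05-01T09:03:14 host=dc-01 event=logon_fail user=jdoe src=10.0.0.9
2024-05-01T09:03:20 host=dc-01 event=logon_fail user=admin src=10.0.0.9
2024-05-01T09:10:00 host=dc-01 event=logon_fail user=jdoe src=10.0.0.42
"""
LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+) (.*)$")
RAT_RE = re.compile(r"anydesk|logmein", re.IGNORECASE)
SANCTIONED_RAT_HOSTS = {"help-01"}  # assumed: hosts where IT legitimately runs these tools
BRUTE_FORCE_THRESHOLD = 5           # assumed: failed logons from one source inside WINDOW
WINDOW = timedelta(seconds=60)

def parse(line):
    ts, host, event, rest = LINE_RE.match(line).groups()
    return datetime.fromisoformat(ts), host, event, rest

def find_unsanctioned_rats(lines):
    """(host, image) pairs where AnyDesk/LogMeIn ran on a non-allowlisted host."""
    hits = []
    for line in lines:
        _, host, event, rest = parse(line)
        if event == "process" and RAT_RE.search(rest) and host not in SANCTIONED_RAT_HOSTS:
            hits.append((host, rest.removeprefix("image=")))
    return hits

def find_brute_force(lines):
    """Source IPs with >= BRUTE_FORCE_THRESHOLD failed logons within any WINDOW."""
    by_src = defaultdict(list)
    for line in lines:
        ts, _, event, rest = parse(line)
        if event == "logon_fail":
            by_src[dict(kv.split("=", 1) for kv in rest.split())["src"]].append(ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        # pair each failure with the (THRESHOLD-1)th one after it; a close pair means a burst
        if any(end - start <= WINDOW for start, end in zip(times, times[BRUTE_FORCE_THRESHOLD - 1:])):
            flagged.add(src)
    return flagged
```

The sanctioned host is skipped, so the two remaining remote-access-tool launches from temp directories and the single source with five failures inside twenty seconds are what surface.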
The updated guidance is not in response to a single incident but reflects the continuous evolution of ransomware threats. “Actors are incredibly adaptable and are emphasizing operational security in their actions,” Leatherman added. “Their attacks are increasingly becoming more sophisticated, complex and layered.”
