The Akira ransomware group, emerging in March 2023, quickly established itself as a formidable cyber threat targeting sectors such as finance, real estate, manufacturing, and even unsuspecting entities like children’s daycare centers.

By April 2023, Akira expanded its malicious activities to include a Linux variant specifically designed to infiltrate VMware ESXi virtual machines, demonstrating the group’s capability to adapt and target critical IT infrastructure. This strategic move broadened their attack surface, significantly enhancing their operational impact.

As of January 1, 2024, the Akira group has successfully compromised over 250 organizations worldwide, amassing around $42 million in ransom payments. Operating under a typical ransomware model, Akira initially exfiltrates sensitive data from its targets’ networks.

After data theft, it deploys a destructive payload that encrypts files across various systems, appending the “.akira” extension to each affected file. In addition to encrypting data, Akira ensures data recovery is crippled by deleting Windows Shadow Volume Copies using a PowerShell command.