BIPI

Akira Ransomware: $42M in Ransoms Built on Unpatched Cisco ASA

Threat Intelligence

Akira's growth from late 2023 through 2024 has one consistent root cause: VPN appliances without MFA. The crew did not need novel tooling. It needed your perimeter.

By Arjun Raghavan, Security & Systems Lead, BIPI · August 12, 2024 · 8 min read

#akira #ransomware #cisco-asa

According to the joint CISA, FBI, EC3, and NCSC-NL advisory issued in April 2024, Akira had collected roughly $42M in ransom proceeds by January 2024, within its first year of operation. The number is striking. The TTP enabling it is almost embarrassing: enterprise VPN appliances exposed to the internet without multi-factor authentication.

Actor Profile

Akira surfaced in March 2023 with a retro green-on-black leak site that pulled aesthetic cues from 1980s terminals. The crew operates as a closed group rather than a broad RaaS. Technical and code-level overlap with the now-defunct Conti operation suggests former Conti members are involved. Two variants are tracked: an original C++ build and a Rust-based 'Megazord' variant that emerged in mid-2023.

Attribution caveat: the Conti overlap is based on code reuse and victim-network behavior. There is no public criminal attribution to specific individuals.

TTPs

Akira's initial access is dominated by one pattern. Once inside, the playbook is conventional but well-executed.

  • Brute force and credential stuffing against Cisco ASA and FTD SSL VPN with no MFA (CVE-2023-20269)
  • Exploitation of unpatched Fortinet, Veeam (CVE-2023-27532), and Cisco AnyConnect vulnerabilities
  • Post-access: RDP and AnyDesk for remote control, Cloudflared tunnels for persistent access (MITRE T1572, Protocol Tunneling)
  • Credential dumping via Mimikatz and LaZagne, then Kerberoasting on domain accounts
  • Backup destruction: targeted deletion of Veeam repositories, VMware snapshot wipes, BitLocker abuse to lock recovery
  • Double extortion: data exfiltration via rclone and WinSCP, then encryption with ChaCha20+RSA

Notable Victims

More than 250 victims as of January 2024 per the advisory's count, including Nissan Australia, Stanford University, Yamaha Motor Philippines, multiple US county governments, several K-12 school districts, healthcare networks across the US and EU, and a string of mid-market manufacturing firms. Healthcare and education are over-represented, in part because MFA adoption in those sectors lags.

A VPN with valid credentials and no MFA is not a perimeter. It is a published API.

Detection Signals

Detection is dominated by VPN appliance log analytics and post-access behavior on Windows servers.

  • Cisco ASA syslog showing successful auth followed by group-policy assignment to non-standard groups
  • VPN logins from residential proxy ASNs or known TOR exit ranges
  • Cloudflared tunnel binary execution on Windows servers
  • vssadmin or wbadmin shadow-copy and backup-catalog deletion on Windows hosts, and Veeam PowerShell cmdlets such as Remove-VBRBackup run against Veeam infrastructure
  • Mass rename operations on file servers with .akira or .powerranges extensions
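The first two VPN signals above, as an added example that is not part of the original article, the CISA advisory, or any Cisco tooling: a single pass over ASA syslog that flags a password spray (many usernames rejected from one source), a successful AnyConnect session from a source that was just failing, and a session landing in a group policy outside an approved set. The log lines and the approved-group allowlist are constructed for the example; the message bodies follow ASA message IDs 113015 (auth rejected) and 113039 (AnyConnect session started), but check the field layout against your own syslog export before trusting the regexes on production data.

```python
"""Detect Akira-style VPN abuse in Cisco ASA syslog (added example, not vendor code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

APPROVED_GROUPS = {"RA-EMPLOYEES", "RA-CONTRACTORS"}   # assumed allowlist for this example

# Constructed excerpt: spray from 203.0.113.50, then a success into the
# catch-all DefaultWEBVPNGroup; a normal login from 198.51.100.7 for contrast.
SAMPLE_LOG = """\
Mar 14 2024 02:10:01 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 203.0.113.50
Mar 14 2024 02:10:04 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = mlee : user IP = 203.0.113.50
Mar 14 2024 02:10:07 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.50
Mar 14 2024 02:10:11 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = svc-backup : user IP = 203.0.113.50
Mar 14 2024 02:10:15 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = svc-backup : user IP = 203.0.113.50
Mar 14 2024 02:10:19 asa01 %ASA-6-113012: AAA user authentication Successful : local database : user = svc-backup
Mar 14 2024 02:10:20 asa01 %ASA-6-113039: Group <DefaultWEBVPNGroup> User <svc-backup> IP <203.0.113.50> AnyConnect parent session started.
Mar 14 2024 08:30:02 asa01 %ASA-6-113012: AAA user authentication Successful : local database : user = jsmith
Mar 14 2024 08:30:03 asa01 %ASA-6-113039: Group <RA-EMPLOYEES> User <jsmith> IP <198.51.100.7> AnyConnect parent session started.
"""

# Timestamp format is the one in the constructed lines; adjust for your collector.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$"
)
REJECT_RE = re.compile(r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)")
SESSION_RE = re.compile(r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>")


def parse_line(line):
    """Return (timestamp, message id, body) or None for lines this example does not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["msgid"], m["body"]


def analyze(log_text, approved=APPROVED_GROUPS, window=timedelta(minutes=10),
            spray_users=3, fail_threshold=3):
    """Walk the log once and return alert dicts in the order they fire."""
    failures = defaultdict(list)      # source ip -> [(timestamp, username), ...]
    spray_reported = set()            # one spray alert per source ip
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msgid, body = parsed
        if msgid == "113015":                        # rejected credentials
            m = REJECT_RE.search(body)
            if not m:
                continue
            ip = m["ip"]
            failures[ip].append((ts, m["user"]))
            recent_users = {u for t, u in failures[ip] if ts - t <= window}
            if len(recent_users) >= spray_users and ip not in spray_reported:
                spray_reported.add(ip)
                alerts.append({"kind": "password_spray", "ip": ip,
                               "user": None, "detail": len(recent_users)})
        elif msgid == "113039":                      # AnyConnect session started
            m = SESSION_RE.search(body)
            if not m:
                continue
            ip, user, group = m["ip"], m["user"], m["group"]
            recent_failures = [t for t, _ in failures[ip] if ts - t <= window]
            if len(recent_failures) >= fail_threshold:
                alerts.append({"kind": "success_after_failures", "ip": ip,
                               "user": user, "detail": len(recent_failures)})
            if group not in approved:
                alerts.append({"kind": "unexpected_group_policy", "ip": ip,
                               "user": user, "detail": group})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['kind']:<25} ip={a['ip']} user={a['user']} detail={a['detail']}")
```

On the constructed excerpt this fires three times: a spray from 203.0.113.50 once three distinct usernames have been rejected, a success for svc-backup after five recent failures from the same source, and a session in DefaultWEBVPNGroup, the catch-all group that users who pick no alias fall into. The 08:30 login from a clean source into an approved group is silent. In production the ASN and TOR checks from the list above would be a lookup on the `ip` field of each alert.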

Defensive Controls

The CISA advisory's mitigations read like a 2018 hardening guide. That is the point. Akira is not exotic. It is unpatched.

  1. Enforce phishing-resistant MFA on every VPN, Citrix, and remote access endpoint. No service account exceptions.
  2. Patch Cisco ASA, FortiOS, Citrix NetScaler, and Ivanti Connect Secure within one week of vendor advisory. Subscribe to CISA KEV.
  3. Move Veeam and other backup management out of the production AD trust. Separate admin credentials, MFA, and air-gapped offline copies.
  4. Disable SMBv1 and restrict NTLM. Akira lateral movement leans heavily on legacy SMB.
  5. Hunt for Cloudflared, ngrok, and other tunneling binaries on servers. Block at EDR and proxy layers unless explicitly authorized.
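Control 1 is the one Akira depends on, and the quickest way to find where it is not enforced is to read the appliance configuration rather than trust a spreadsheet. The following is an added example for this article, not a Cisco tool and not part of the CISA advisory: it takes `show running-config` text from an ASA and lists every remote-access tunnel group whose attribute blocks carry no second-factor indicator. Two indicators are accepted, and both are assumptions for this example: a `secondary-authentication-server-group` line (ASA double authentication against a second AAA server) or an `authentication ... certificate` line (client certificate plus credentials). The built-in DefaultWEBVPNGroup and DefaultRAGroup are treated as remote-access whether or not a `type` line appears, because they exist by default and catch any client that selects no alias. The config text is constructed. Treat the output as a hygiene check to confirm by actually logging in, not as proof of MFA.

```python
"""List Cisco ASA remote-access tunnel groups that accept a single factor (added example)."""
import re

# Constructed running-config excerpt: one group with double authentication,
# one legacy group with LDAP only, the built-in default group on LOCAL, and
# a site-to-site group that is out of scope.
SAMPLE_CONFIG = """\
tunnel-group RA-EMPLOYEES type remote-access
tunnel-group RA-EMPLOYEES general-attributes
 address-pool VPN-POOL
 authentication-server-group LDAP-CORP
 secondary-authentication-server-group DUO-RADIUS use-primary-username
 default-group-policy GP-EMPLOYEES
tunnel-group RA-EMPLOYEES webvpn-attributes
 group-alias employees enable
tunnel-group RA-LEGACY type remote-access
tunnel-group RA-LEGACY general-attributes
 address-pool VPN-POOL
 authentication-server-group LDAP-CORP
 default-group-policy GP-LEGACY
tunnel-group RA-LEGACY webvpn-attributes
 group-alias legacy enable
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LOCAL
tunnel-group S2S-BRANCH type ipsec-l2l
tunnel-group S2S-BRANCH ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
"""

BUILTIN_RA_GROUPS = {"DefaultWEBVPNGroup", "DefaultRAGroup"}   # always remote-access
TG_TYPE_RE = re.compile(r"^tunnel-group (\S+) type (\S+)$")
TG_ATTR_RE = re.compile(r"^tunnel-group (\S+) \S+-attributes$")
# Assumed second-factor indicators; extend for your own MFA integration.
MFA_INDICATORS = (
    re.compile(r"^secondary-authentication-server-group\b"),
    re.compile(r"^authentication\b.*\bcertificate\b"),
)


def parse_tunnel_groups(config_text):
    """Return ({name: type}, {name: [attribute lines]}) from running-config text."""
    types, attrs = {}, {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):          # any top-level command ends the open block
            current = None
            m = TG_TYPE_RE.match(line)
            if m:
                types[m.group(1)] = m.group(2)
                attrs.setdefault(m.group(1), [])   # declared but unconfigured groups still count
                continue
            m = TG_ATTR_RE.match(line)
            if m:
                current = m.group(1)
                attrs.setdefault(current, [])
            continue
        if current is not None:
            attrs[current].append(line.strip())
    return types, attrs


def single_factor_remote_access_groups(config_text):
    """Sorted names of remote-access tunnel groups with no second-factor indicator."""
    types, attrs = parse_tunnel_groups(config_text)
    findings = []
    for name, lines in attrs.items():
        is_remote_access = types.get(name) == "remote-access" or name in BUILTIN_RA_GROUPS
        if not is_remote_access:
            continue
        if any(p.match(l) for p in MFA_INDICATORS for l in lines):
            continue
        findings.append(name)
    return sorted(findings)


if __name__ == "__main__":
    for name in single_factor_remote_access_groups(SAMPLE_CONFIG):
        print(f"single-factor remote-access tunnel group: {name}")
```

On the constructed config this reports RA-LEGACY and DefaultWEBVPNGroup and stays quiet about RA-EMPLOYEES and the site-to-site group. The default group is the finding people miss: it is rarely referenced in change tickets, it falls back to LOCAL authentication, and an attacker who never selects a group alias lands in it, which is exactly the non-standard group assignment the detection section above tells you to watch for.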

Akira is the cheap and effective ransomware operation. The crew does not invest in zero-days because it does not have to. As long as enterprise VPNs ship without enforced MFA and backup consoles share AD trust with production, Akira's $42M will keep growing.
