What is Akira ransomware?

Akira is a ransomware group active since 2023 that has hit hundreds of organisations in North America, Europe, and Australia, with a particular focus on sm…

Definition

Akira emerged in March 2023 and has grown rapidly. The group operates as a ransomware-as-a-service (RaaS) operation with affiliates conducting many of the actual intrusions. Targeting patterns favour small-to-medium organisations that are likely to pay ransom rather than face prolonged downtime.

Initial access patterns documented in Akira incidents include unpatched Cisco ASA and Cisco AnyConnect VPN appliances, credential-stuffing against VPN portals lacking MFA, and — increasingly — phishing combined with M365 / Entra ID compromise.

Post-compromise behaviour includes Mimikatz-class credential dumping, ADRecon / SoftPerfect Network Scanner reconnaissance, lateral movement via PsExec / WMI / RDP, deletion of Volume Shadow Copies, and targeting of backup systems before deploying encryption. Encryption uses ChaCha20 with RSA-protected keys; encrypted files receive a `.akira` extension.

Healthcare practices, accounting firms, and small manufacturers are over-represented in Akira victim lists. Canadian healthcare and accounting firms specifically have appeared multiple times in 2024–2026.

Core components

  • Initial access vectors. Unpatched Cisco ASA / AnyConnect VPN, credential stuffing without MFA, phishing into M365.
  • Reconnaissance and credential dumping. Mimikatz-class tooling, ADRecon, SoftPerfect Network Scanner, net.exe, whoami.exe with privileged context.
  • Lateral movement. PsExec, WMI, Remote Desktop, exploitation of cached credentials.
  • Backup destruction. Targeted deletion of Volume Shadow Copies and tampering with backup systems prior to encryption.
  • Encryption. ChaCha20 with RSA-protected keys; `.akira` file extension.
  • Double extortion. Data exfiltration before encryption; ransom demand combines decryption fee with threat of data publication on Akira leak site.

Why it matters

Akira specifically targets organisations of the size most MSPs serve. SMBs, healthcare practices, accounting firms, and small manufacturers are in the wheelhouse — they have valuable data, can't absorb prolonged downtime, and may not have mature security programmes.

For MSPs, an Akira incident is a worst-case scenario: the customer's network is encrypted, backups may be destroyed, decryption is uncertain, and the regulatory consequences (HIPAA breach notification, PIPEDA / Alberta HIA / BC HIA notification, state privacy laws) follow even if the ransom is paid.

The valuable detection window is the staging phase — reconnaissance, credential dumping, lateral movement, backup tampering — not the encryption itself. By the time encryption starts, it is far too late.

How Lavawall® helps with Akira ransomware

Lavawall® includes a dedicated Akira ransomware indicator hunter that matches against known Akira tooling, file paths, registry keys, and behaviour patterns observed in actual Akira incident response. Detection runs continuously across Windows, macOS, and Linux endpoints.

Behavioural staging detection covers Mimikatz-class credential dumping, reconnaissance commands (net.exe, whoami.exe, ADRecon-class activity), lateral movement (PsExec-class activity), and backup-destruction attempts. The aim is detection during staging, not after encryption.
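As an added illustration of the staging-phase detection described above (example code written for this page, not Lavawall's detector), the following Python groups process-creation command lines per host and flags a host when two or more distinct staging behaviours named on this page occur within a short window, or when backup destruction appears at all. The host names, timestamps, command lines and regex patterns are constructed assumptions, not indicators from a real incident.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Staging behaviours named on the page, mapped to illustrative (not exhaustive)
# process command-line patterns a defender would look for.
STAGING_PATTERNS = {
    "credential_dumping": re.compile(r"mimikatz|sekurlsa::|procdump.*lsass", re.I),
    "reconnaissance": re.compile(r"\bnet1?\.exe\s+(group|user|localgroup)|\bwhoami\.exe\s+/(priv|groups)|adrecon|netscan", re.I),
    "lateral_movement": re.compile(r"psexe[sc]|wmic\.exe\s+.*process\s+call\s+create", re.I),
    "backup_destruction": re.compile(r"vssadmin\.exe\s+delete\s+shadows|wmic\.exe\s+shadowcopy\s+delete|wbadmin\.exe\s+delete", re.I),
}

# Constructed sample process-creation events (host, UTC timestamp, command line).
SAMPLE_EVENTS = [
    ("ws-fin-07", "2025-03-01T09:02:11", "whoami.exe /priv"),
    ("ws-fin-07", "2025-03-01T09:04:30", 'net.exe group "Domain Admins" /domain'),
    ("ws-fin-07", "2025-03-01T09:41:05", "vssadmin.exe delete shadows /all /quiet"),
    ("srv-bak-01", "2025-03-01T10:15:00", "wbadmin.exe delete catalog -quiet"),
    ("ws-hr-02", "2025-03-01T11:00:00", "net.exe use \\\\fileserver\\share"),
]

def classify(cmdline):
    """Return the staging category a command line matches, or None."""
    for category, pattern in STAGING_PATTERNS.items():
        if pattern.search(cmdline):
            return category
    return None

def find_staging_hosts(events, window=timedelta(hours=2), min_categories=2,
                       always_alert=("backup_destruction",)):
    """Return {host: sorted categories} for hosts showing staging behaviour."""
    per_host = defaultdict(list)
    for host, ts, cmd in events:
        cat = classify(cmd)
        if cat:
            per_host[host].append((datetime.fromisoformat(ts), cat))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()  # chronological, so each window starts at a real event
        for i, (t0, _) in enumerate(hits):
            cats = {c for t, c in hits[i:] if t - t0 <= window}
            # Two distinct staging behaviours in one window, or any backup
            # destruction on its own, is enough to raise an alert.
            if len(cats) >= min_categories or cats & set(always_alert):
                flagged[host] = sorted(cats)
                break
    return flagged

if __name__ == "__main__":
    for host, cats in find_staging_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: staging behaviour {', '.join(cats)}")
```

Narrowing `window` shows why correlation matters: the same host's reconnaissance and backup-tampering events stop combining once they fall outside the window, leaving only the standalone backup-destruction alert.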

Multi-tenant ITDR correlates endpoint signals with M365 / Entra ID activity to catch the credential-phishing-then-pivot pattern Akira increasingly uses. Configuration assessment surfaces the unpatched Cisco VPN and missing-MFA conditions Akira exploits for initial access. Lavawall® coexists with Defender, Huntress, Sophos, SentinelOne, and CrowdStrike and surfaces their state alongside its own findings.

Frequently asked

Is Akira still active?
Yes. Akira continues to be one of the most active ransomware groups affecting SMBs and healthcare practices.
What's the most important control to prevent Akira initial access?
MFA on VPN, RDP, and M365 access, combined with prompt patching of internet-facing remote-access appliances. Most Akira initial access comes from credentials and unpatched VPNs.
Should I pay the ransom if I'm hit?
Engage incident-response professionals immediately. Payment decisions involve legal, regulatory, and operational factors beyond the scope of a definition page. ThreeShield offers Tier 3 augmentation for MSPs handling active incidents.