Akira Ransomware Updated with New Tactics and Defense Strategies

The Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with international authorities, issued an updated advisory on the Akira ransomware in November 2025. The report outlines the program's continued evolution since 2023, including new variants, expanded targeting, and newly observed attack techniques.

Akira ransomware has matured into a significant Ransomware-as-a-Service (RaaS) operation, linked to several known cybercriminal groups. The ransomware utilizes multiple encryption variants for Windows, Linux, and virtual environments. Estimates suggest Akira has extorted approximately $244 million from victims across North America, Europe, and Australia.

Attackers frequently exploit vulnerabilities in publicly facing applications, particularly in VPN appliances and backup solutions. The advisory lists several identified CVE vulnerabilities that have been used to gain system access, including specific Cisco VPN vulnerabilities, as well as flaws in Veeam Backup & Replication and SonicWall VPN products.

Furthermore, Akira actors employ various reconnaissance tactics, gathering information on system time and local drives. This intelligence helps attackers timestamp files, evade security checks, or plan their encryption routines more effectively. Organizations must continuously identify and counter these evolving techniques.