Akira Ransomware Surges Through the Targeting of VPNs 

IronGate has observed a marked rise in Akira ransomware incidents across multiple industries, echoing recent public reporting. Adversaries are actively exploiting SonicWall SSL VPN vulnerabilities, most notably CVE-2024-40766, to gain initial access. Their campaigns align with Akira’s well-documented tactics: credential compromise, double extortion, and multi-platform ransomware deployment. 

Threat Actor Profile: Akira Ransomware 

• First Seen: March 2023 
• Type: Ransomware-as-a-Service (RaaS) 
• Target Platforms: Windows, Linux, VMware ESXi 
• Encryption Extensions: .akira, .powerranges, .akiranew 
• Ransom Notes: akira_readme.txt, powerranges.txt 
• Extortion Model: Double extortion (data theft + encryption) 
• Known Affiliations: Suspected ties to the Conti ransomware gang 

Attack Lifecycle 

ExClop campaigns reveal a deep understanding of Microsoft’s cloud ecosystem, employing multiple techniques in parallel: 

Initial Access 

• Exploit public-facing apps including unpatched VPNs (Cisco CVE-2023-20269, SonicWall CVE-2024-40766) 

• Valid accounts / compromised credentials 

• Spearphishing  

Persistence & Privilege Escalation 

• Domain account creation 
• Credential dumping using Mimikatz and  LaZagne 

Lateral Movement & Discovery 

• Network scanners (SoftPerfect, Advanced IP Scanner) 
• Remote access tools (AnyDesk, RustDesk) 

Exfiltration & Impact 

• File transfer tools (FileZilla, WinSCP, Rclone) 

• Shadow copy deletion 

• Data leak site for public shaming  

Observed Attack Flow 

1. Brute-force or credential stuffing against SSL VPN 
2. Privilege escalation via misconfigured LDAP groups 
3. Remote access setup (RustDesk, AdaptixC2) 

References 

• CISA Advisory: Akira Ransomware 

• HHS Analyst Note on Akira 

• The Hacker News: SonicWall Exploitation 
  
  

Contact us today to learn more about our Digital Forensics and Incident Response (DFIR) services.

Steve Ramey has spent the past two decades helping clients protect, investigate, and respond to events involving their digital interests. He has led hundreds of data breach investigations, assessed incident response and security programs, and successfully advised organizations through extortion negotiations.