
Inside Akira’s Surge – What You Need to Know

Akira Ransomware Surges Through the Targeting of VPNs 

IronGate has observed a marked rise in Akira ransomware incidents across multiple industries, echoing recent public reporting. Adversaries are actively exploiting SonicWall SSL VPN vulnerabilities, most notably CVE-2024-40766, to gain initial access. Their campaigns align with Akira’s well-documented tactics: credential compromise, double extortion, and multi-platform ransomware deployment. 

Threat Actor Profile: Akira Ransomware 
  • First Seen: March 2023 
  • Type: Ransomware-as-a-Service (RaaS) 
  • Target Platforms: Windows, Linux, VMware ESXi 
  • Encryption Extensions: .akira, .powerranges, .akiranew 
  • Ransom Notes: akira_readme.txt, powerranges.txt 
  • Extortion Model: Double extortion (data theft + encryption) 
  • Known Affiliations: Suspected ties to the Conti ransomware gang 

Attack Lifecycle 

Initial Access 

  • Exploit public-facing apps including unpatched VPNs (Cisco CVE-2023-20269, SonicWall CVE-2024-40766) 
  • Valid accounts / compromised credentials 
  • Spearphishing  

Persistence & Privilege Escalation 

  • Domain account creation 
  • Credential dumping using Mimikatz and LaZagne 

Lateral Movement & Discovery 

  • Network scanners (SoftPerfect, Advanced IP Scanner) 
  • Remote access tools (AnyDesk, RustDesk) 

Exfiltration & Impact 

  • File transfer tools (FileZilla, WinSCP, Rclone) 
  • Shadow copy deletion 
  • Data leak site for public shaming  

Observed Attack Flow 

  1. Brute-force or credential stuffing against SSL VPN 
  2. Privilege escalation via misconfigured LDAP groups 
  3. Remote access setup (RustDesk, AdaptixC2) 

Recommended Mitigations  

  • Keep systems up to date 
    Regularly apply patches and updates, especially to firewalls, VPNs, and remote access tools, to close known vulnerabilities. Immediately apply patches for CVE-2024-40766 and CVE-2023-20269, and verify that the patches were applied correctly. 
  • Use Multi-Factor Authentication (MFA) 
    Require MFA for VPN, email, and remote logins. Favor authenticator apps or hardware tokens over SMS. 
  • Practice good password hygiene 
    Remove inactive accounts, enforce strong passwords, rotate credentials regularly, and monitor for repeated failed login attempts. 
  • Limit attacker movement 
    Segment networks so sensitive systems are isolated, and use Endpoint Detection & Response (EDR) tools to spot and stop unusual activity. 
  • Protect and test backups 
    Keep multiple backups (offline, cloud, local), store them securely away from the main network, and test restoration often to ensure reliability. 
  • Conduct Regular Penetration Tests 
    Run penetration tests at least once a year to simulate real-world attacker behavior. This helps validate whether configurations, security controls, monitoring, and detection tools are working effectively — and reveals gaps before adversaries can exploit them. 
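Step 1 of the observed attack flow (brute force or credential stuffing against the SSL VPN) and the "monitor for repeated failed login attempts" mitigation both come down to the same detection. The script below is an added example, not IronGate's detection content: it reads authentication events and flags three patterns, many failures on one account (brute force), failures across many accounts from one source (credential stuffing), and a success from a source that was just flagged, which is the case worth paging on. The log line format is a constructed, generic `timestamp src=… user=… result=…` layout rather than any vendor's format, the thresholds are illustrative assumptions, and the sample events use documentation (TEST-NET) addresses.

```python
"""Flag VPN brute-force and credential-stuffing patterns in authentication events.

Added example (not IronGate's detection content). The line format and the sample
events are constructed; the thresholds are assumptions to tune per environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumption: sliding window for counting failures
FAILS_PER_USER = 5              # assumption: failures on one account -> brute force
USERS_PER_SOURCE = 4            # assumption: distinct accounts from one source -> stuffing


def parse_line(line):
    """Parse a constructed line: 'YYYY-mm-ddTHH:MM:SS src=IP user=NAME result=success|failure'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts_str), "src": fields["src"],
            "user": fields["user"], "ok": fields["result"] == "success"}


def detect(lines):
    """Return a list of (kind, key, timestamp) alerts.

    'bruteforce'          FAILS_PER_USER failures on one user inside WINDOW
    'stuffing'            USERS_PER_SOURCE distinct users failing from one src inside WINDOW
    'success_after_burst' a successful login from a src flagged by either rule inside WINDOW
    Each rule fires once per burst; its counter resets after firing."""
    alerts = []
    fails_by_user = defaultdict(deque)   # user -> timestamps of failures
    fails_by_src = defaultdict(deque)    # src  -> (timestamp, user) of failures
    flagged_src = {}                     # src  -> time the source was last flagged

    for line in lines:
        ev = parse_line(line)
        ts, src, user = ev["ts"], ev["src"], ev["user"]
        if ev["ok"]:
            if src in flagged_src and ts - flagged_src[src] <= WINDOW:
                alerts.append(("success_after_burst", f"{src}->{user}", ts))
            continue

        q = fails_by_user[user]
        q.append(ts)
        while q and ts - q[0] > WINDOW:      # drop failures outside the window
            q.popleft()
        if len(q) >= FAILS_PER_USER:
            alerts.append(("bruteforce", user, ts))
            flagged_src[src] = ts
            q.clear()

        s = fails_by_src[src]
        s.append((ts, user))
        while s and ts - s[0][0] > WINDOW:
            s.popleft()
        if len({u for _, u in s}) >= USERS_PER_SOURCE:
            alerts.append(("stuffing", src, ts))
            flagged_src[src] = ts
            s.clear()
    return alerts


# Constructed sample events (TEST-NET addresses, hypothetical usernames).
SAMPLE_LOG = [
    # brute force against one account from 203.0.113.10, then a success
    "2025-01-10T08:00:00 src=203.0.113.10 user=jdoe result=failure",
    "2025-01-10T08:00:20 src=203.0.113.10 user=jdoe result=failure",
    "2025-01-10T08:00:40 src=203.0.113.10 user=jdoe result=failure",
    "2025-01-10T08:01:00 src=203.0.113.10 user=jdoe result=failure",
    "2025-01-10T08:01:20 src=203.0.113.10 user=jdoe result=failure",
    "2025-01-10T08:02:00 src=203.0.113.10 user=jdoe result=success",
    # credential stuffing from 198.51.100.7: one try each against many accounts
    "2025-01-10T09:00:00 src=198.51.100.7 user=asmith result=failure",
    "2025-01-10T09:00:05 src=198.51.100.7 user=bjones result=failure",
    "2025-01-10T09:00:10 src=198.51.100.7 user=clee result=failure",
    "2025-01-10T09:00:15 src=198.51.100.7 user=dkim result=failure",
    # a user mistyping twice and then logging in: no alert
    "2025-01-10T10:00:00 src=192.0.2.55 user=mwhite result=failure",
    "2025-01-10T10:00:30 src=192.0.2.55 user=mwhite result=failure",
    "2025-01-10T10:01:00 src=192.0.2.55 user=mwhite result=success",
]

if __name__ == "__main__":
    for kind, key, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:22} {key}")
```

The per-user and per-source counters are kept separately on purpose: a spray that tries each account once never trips a per-account threshold, and a brute force on one account never trips a distinct-user threshold, so a detection that tracks only one dimension misses half of step 1. The `success_after_burst` alert is the one that should drive containment (session termination and credential reset for the account), because it indicates the VPN foothold the rest of the attack flow builds on.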


Steve Ramey

Steve Ramey has spent the past two decades helping clients protect, investigate, and respond to events involving their digital interests.
He has led hundreds of data breach investigations, assessed incident response and security programs, and successfully advised organizations through extortion negotiations.
