Akira Ransomware Surges Through the Targeting of VPNs 

IronGate has observed a marked rise in Akira ransomware incidents across multiple industries, echoing recent public reporting. Adversaries are actively exploiting SonicWall SSL VPN vulnerabilities, most notably CVE-2024-40766, to gain initial access. Their campaigns align with Akira’s well-documented tactics: credential compromise, double extortion, and multi-platform ransomware deployment. 

Threat Actor Profile: Akira Ransomware 

• First Seen: March 2023 
• Type: Ransomware-as-a-Service (RaaS) 
• Target Platforms: Windows, Linux, VMware ESXi 
• Encryption Extensions: .akira, .powerranges, .akiranew 
• Ransom Notes: akira_readme.txt, powerranges.txt 
• Extortion Model: Double extortion (data theft + encryption) 
• Known Affiliations: Suspected ties to the Conti ransomware gang 

Attack Lifecycle 

ExClop campaigns reveal a deep understanding of Microsoft’s cloud ecosystem, employing multiple techniques in parallel: 

Initial Access 

• Exploit public-facing apps including unpatched VPNs (Cisco CVE-2023-20269, SonicWall CVE-2024-40766) 

• Valid accounts / compromised credentials 

• Spearphishing  

Persistence & Privilege Escalation 

• Domain account creation 
• Credential dumping using Mimikatz and  LaZagne 

Lateral Movement & Discovery 

• Network scanners (SoftPerfect, Advanced IP Scanner) 
• Remote access tools (AnyDesk, RustDesk) 

Exfiltration & Impact 

• File transfer tools (FileZilla, WinSCP, Rclone) 

• Shadow copy deletion 

• Data leak site for public shaming  

Observed Attack Flow 

1. Brute-force or credential stuffing against SSL VPN 
2. Privilege escalation via misconfigured LDAP groups 
3. Remote access setup (RustDesk, AdaptixC2) 

References 

• CISA Advisory: Akira Ransomware 

• HHS Analyst Note on Akira 

• The Hacker News: SonicWall Exploitation 
  
  

Contact us today to learn more about our Digital Forensics and Incident Response (DFIR) services.