The Akira ransomware group has accumulated over $244 million in illicit proceeds, according to blockchain analysis firm Chainalysis, a figure that shows the financial scale of the group’s operations. Further research conducted by Arctic Wolf in collaboration with Chainalysis has identified more than 360 victims linked to the ransomware gang’s activities.
Joint International Advisory on Akira’s Operations
In a coordinated effort, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) issued a joint advisory concerning the Akira ransomware. The advisory states that since March 2023, the group has impacted over 250 organizations and collected approximately $42 million in ransom payments. The attacks have targeted a wide range of businesses and critical infrastructure entities across North America, Europe, and Australia.
Attack Methods and Technical Details
The Akira ransomware operators are known to gain initial access to victim networks primarily by exploiting known vulnerabilities in Cisco products, including Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. After breaching a network, the group employs a double-extortion tactic: they first exfiltrate sensitive data, then encrypt the victim’s systems, and finally demand a ransom payment, threatening to publish the stolen data on the dark web if their demands are not met. The joint advisory also noted the use of tools like AnyDesk, WinRAR, and PCHunter during their attacks.
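
AnyDesk, WinRAR, and PCHunter each have legitimate uses, so a single sighting is a weak signal; several of them launching on one host within a short span is a stronger one. The following is an added example, not code from the advisory or from this article, that correlates process-creation events per host. The executable names, the log line format, the one-hour window, and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed executable names for the tools the advisory lists; adjust to your estate.
TOOL_CATEGORIES = {
    "anydesk.exe": "remote-access",
    "winrar.exe": "archiver",
    "pchunter64.exe": "kernel-utility",
}

# Constructed sample process-creation events: "timestamp host user image_path"
SAMPLE_EVENTS = """\
2024-05-02T09:14:03 FS01 svc_backup C:\\Program Files\\WinRAR\\WinRAR.exe
2024-05-02T09:20:41 FS01 svc_backup C:\\Users\\Public\\AnyDesk.exe
2024-05-02T09:31:10 FS01 svc_backup C:\\Users\\Public\\PCHunter64.exe
2024-05-02T10:02:55 WS17 alice C:\\Program Files\\WinRAR\\WinRAR.exe
2024-05-03T16:45:00 WS17 alice C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe
"""


def parse_events(text):
    """Yield (timestamp, host, category) for events whose image is a watched tool."""
    for line in text.splitlines():
        parts = line.split(None, 3)  # image path may contain spaces
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, host, _user, image = parts
        name = image.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()
        category = TOOL_CATEGORIES.get(name)
        if category:
            yield datetime.fromisoformat(ts), host, category


def correlate(text, window=timedelta(hours=1), min_categories=2):
    """Return {host: sorted categories} where enough distinct tool categories ran within the window."""
    by_host = defaultdict(list)
    for ts, host, category in parse_events(text):
        by_host[host].append((ts, category))
    alerts = {}
    for host, events in by_host.items():
        events.sort()
        best = set()
        for i, (start, _) in enumerate(events):
            seen = {cat for ts, cat in events[i:] if ts - start <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_categories:
            alerts[host] = sorted(best)
    return alerts
```

On the constructed sample, `correlate(SAMPLE_EVENTS)` flags only `FS01`, where all three categories start within an hour; `WS17` runs two of the tools more than a day apart and is not flagged.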