Threat Actor Profile

Akira

G1024, GOLD SAHARA, Howling Scorpius, PUNK SPIDER, REDBIKE, Storm-1567
▲ High Threat
[Akira](https://attack.mitre.org/groups/G1024) is a ransomware variant and ransomware deployment entity active since at least March 2023.(Citation: Arctic Wolf Akira 2023) [Akira](https://attack.mitre.org/groups/G1024) uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly available tools and techniques for lateral movement.(Citation: Arctic Wolf Akira 2023)(Citation: Secureworks GOLD SAHARA) [Akira](https://attack.mitre.org/groups/G1024) operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of [Akira](https://attack.mitre.org/software/S1129) ransomware indicates variants capable of targeting Windows or VMware ESXi hypervisors and multiple overlaps with [Conti](https://attack.mitre.org/software/S0575) ransomware.(Citation: BushidoToken Akira 2023)(Citation: CISA Akira Ransomware APR 2024)(Citation: Cisco Akira Ransomware OCT 2024)
Origin

Known TTPs

Exfiltration to Cloud Storage
Sharepoint
Account Access Removal
Domain Trust Discovery
Match Legitimate Resource Name or Location
Valid Accounts
Steal or Forge Kerberos Tickets
Remote System Discovery
Remote Desktop Protocol
PowerShell
Financial Theft
Data Encrypted for Impact
External Remote Services
Binary Padding
Disable or Modify Tools
Remote Access Tools
Archive via Utility

Related Intelligence

Hacking the mainframe…
