The FBI and Cybersecurity and Infrastructure Security Agency on Thursday warned that Akira ransomware is actively launching attacks against critical industries by exploiting vulnerabilities in edge devices and backup servers.
Akira ransomware has been linked to a range of threat activity in recent months, including a surge in attacks targeting SonicWall firewall customers beginning in July. U.S. officials warned that Akira has been expanding its attacks, with activity observed as recently as this month, and that the hackers have been collaborating with other threat groups.
“This group primarily attacks small, medium-sized businesses, but has also attacked larger organizations across several sectors,” Nick Andersen, executive assistant director for the Cybersecurity Division at CISA, told reporters during a Thursday conference call.
The targets have also included manufacturing, education, healthcare, IT, financial, and food and agriculture companies.
As of September, the group has claimed more than $244 million in proceeds from these attacks, Brett Leatherman, assistant director of the FBI Cyber Division, said.
The group has targeted VPNs, including SonicWall products, by either stealing credentials or exploiting vulnerabilities like CVE-2024-40766, according to an updated advisory from the FBI and CISA.
Earlier this year, the group gained access through a VPN that did not have multifactor authentication. The group has also exploited vulnerabilities in Cisco products, including CVE-2020-3259 and CVE-2023-20269.
During a June attack, Akira hackers for the first time encrypted Nutanix AHV VM disk files. This extended the group's earlier activity, which had targeted VMware ESXi and Hyper-V.
The group has abused remote access tools such as AnyDesk and LogMeIn to maintain persistence inside a compromised system.
Akira has used a double extortion method, encrypting data and threatening to leak it on its Tor network, according to the advisory.
In the past 90 days, 149 victims have been linked to Akira ransomware attacks, according to an analysis by researchers at Sophos X-Ops. The company's incident response and MDR teams have provided support in connection with multiple ransomware attacks linked to Akira.
“The group continues to rely on compromised credentials, exploit the recent SonicWall VPN vulnerability, and abuse RDP access,” Alexandra Rose, director of the Sophos Counter Threat Unit, told Cybersecurity Dive.
Companies need to implement prompt patching and phishing-resistant multifactor authentication, as well as closely monitor networks and endpoints.
Manufacturing, legal/professional and construction/engineering have been the top sectors targeted by Akira, according to Google Threat Intelligence Group. However, in the past month the number of attacks targeting construction has increased.
Editor’s note: Updates with comments from Sophos and Google Threat Intelligence Group.