
Akira Ransomware: Threat Actor Profile

Akira moved from mid-tier brand to top-earning extortion actor remarkably fast, generating roughly $244M in proceeds by late 2025 by exploiting VPNs and encrypting ESXi. A full threat-actor profile.

Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.

Akira moved from a mid-tier ransomware brand to a top-earning extortion actor remarkably quickly. By late September 2025, CISA and the FBI said Akira had generated approximately $244.17 million in ransomware proceeds. MITRE ATT&CK now tracks multiple Akira variants, including Rust-based versions for VMware ESXi.

Akira: at a glance

  • Aliases: Akira, Akira_v2, Megazord (overlaps in ATT&CK software tracking)
  • Country / affiliation: Unattributed criminal ecosystem, generally Russian-speaking affiliate space
  • Assessed status (as of July 2026): Active
  • Primary objectives: Double-extortion ransomware against enterprises and critical infrastructure
  • Financial impact: ~$244.17 million in ransomware proceeds by late September 2025, per CISA and the FBI
  • Type: ransomware-as-a-service (RaaS), double extortion

Who is Akira?

As of 2026 there is no serious ambiguity about its status: Akira is still active and still financially significant, favoring VPN and remote-access weaknesses for initial access and aggressively targeting small and mid-sized enterprises with weaker defenses.

Aliases and attribution

Akira operates in the unattributed, generally Russian-speaking affiliate space; ATT&CK notes overlaps with the earlier Megazord ransomware and possible lineage links to the defunct Conti ecosystem. Its consistent tradecraft (VPN-based access, credential theft, then rapid encryption) makes it recognizable even without firm attribution to a named group.

Financial impact and damage

CISA and the FBI put Akira's proceeds at roughly $244 million by late September 2025, including about $150 million during 2025 alone. Its high-volume targeting of small and mid-sized organizations — often via unpatched or MFA-less VPNs — has made it one of the most consistently active ransomware operations of the mid-2020s and a significant contributor to global ransomware statistics.

Akira timeline

  • 2023: Akira activity becomes visible
  • 2024: ATT&CK software tracking expands; CISA #StopRansomware advisory issued
  • 2025: CISA updates total proceeds to ~$244.17M
  • 2026: Group remains active and financially significant

Notable attacks and campaigns

Akira frequently gains entry through VPNs lacking multi-factor authentication, then steals credentials and moves laterally before encrypting with ChaCha-based algorithms. Its Rust-based ESXi variants can encrypt virtualization hosts, maximizing impact. The group's leak site and steady victim cadence keep it prominent in ransomware statistics.

Tactics, techniques, and procedures (TTPs)

The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.

  • T1059.001 — PowerShell: Akira executes PowerShell to delete shadow copies. Alert on PowerShell invoking recovery-artifact deletion or backup impairment.
  • T1486 — Data Encrypted for Impact: Akira uses ChaCha20 and ChaCha8 to encrypt Windows and ESXi filesystems. Watch for multi-threaded high-entropy file writes across Windows and ESXi hosts.
  • T1083 — File and Directory Discovery: Akira performs pre-impact file discovery. Alert on broad, recursive enumeration across shares and backup paths.

Detection and defense against Akira

Akira's entry point is almost always a weak VPN, so identity hardening at the edge is the single best defense:

  • Require MFA on all VPN and remote-access gateways and patch them promptly.
  • Alert on PowerShell invoking shadow-copy deletion or backup impairment.
  • Harden and isolate VMware ESXi hosts against Rust-based encryptors.
  • Watch for broad recursive file enumeration across shares and backup paths.
  • Protect backups offline and monitor for high-entropy multi-threaded file writes.
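The three detection hints in the TTP list and the defense checklist above, turned into a small detector run over constructed endpoint events. This is an added example, not code from the original guide or from any vendor; the event schema, the `BACKUP_SHARE` naming convention, and the thresholds (entropy 7.5, three-write burst, five directories) are assumptions to tune against your own telemetry.

```python
import math
import re
from collections import Counter, defaultdict

# PowerShell shadow-copy deletion patterns (T1490 reached via T1059.001); extend to taste.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*(remove-wmiobject|\.delete\(\))", re.I)
BACKUP_SHARE = re.compile(r"^\\\\[^\\]+\\backup", re.I)  # assumed naming of backup shares

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a write buffer; ChaCha-encrypted output sits near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def detect(events, entropy_min=7.5, write_burst=3, dir_min=5):
    """Map endpoint events to (technique, host, detail) alerts for the three Akira TTPs."""
    alerts, writes, listed = [], defaultdict(list), defaultdict(set)
    for e in events:
        key = (e["host"], e["pid"])
        if e["type"] == "process" and "powershell" in e["image"].lower() \
                and SHADOW_DELETE.search(e["cmd"]):
            alerts.append(("T1059.001/T1490", e["host"], e["cmd"]))
        elif e["type"] == "file_write":
            writes[key].append(shannon_entropy(e["data"]))
        elif e["type"] == "dir_list":
            listed[key].add(e["path"])
    for (host, pid), ents in writes.items():  # T1486: burst of high-entropy writes by one process
        high = sum(1 for x in ents if x >= entropy_min)
        if high >= write_burst:
            alerts.append(("T1486", host, f"pid {pid}: {high} high-entropy file writes"))
    for (host, pid), dirs in listed.items():  # T1083: wide enumeration that reaches backup shares
        if len(dirs) >= dir_min and any(BACKUP_SHARE.search(d) for d in dirs):
            alerts.append(("T1083", host, f"pid {pid}: {len(dirs)} dirs incl. backup share"))
    return alerts

# Constructed sample telemetry (not real logs): ws02 is benign, ws01 and srv01 are not.
CIPHERTEXT = bytes(range(256)) * 4  # uniform byte histogram, entropy exactly 8.0
PLAINTEXT = b"quarterly report draft\n" * 40
EVENTS = [
    {"type": "process", "host": "ws01", "pid": 4412, "image": "powershell.exe",
     "cmd": "powershell.exe -c Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"},
    {"type": "process", "host": "ws02", "pid": 5120, "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"type": "file_write", "host": "ws02", "pid": 5120, "path": "C:\\tmp\\a.txt", "data": PLAINTEXT},
] + [{"type": "file_write", "host": "srv01", "pid": 900, "path": f"D:\\data\\{i}.bin", "data": CIPHERTEXT}
     for i in range(3)] + [
    {"type": "dir_list", "host": "srv01", "pid": 900, "path": p} for p in
    ["\\\\fs01\\backups\\daily", "\\\\fs01\\finance", "\\\\fs01\\hr", "\\\\fs02\\eng", "\\\\fs02\\legal"]]
```

Calling `detect(EVENTS)` yields one alert each for the shadow-copy deletion on ws01 and for the encryption burst and backup-share enumeration on srv01, while the ordinary PowerShell script and plaintext write on ws02 produce nothing.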

The bottom line

Akira is proof that ransomware's biggest earners are not always the flashiest — its disciplined VPN-to-ESXi playbook made it a $244M operation and one of the most active crews of 2026. See how Akira ranks among the most dangerous threat actors, and track its latest activity on our live threat intelligence feed, aggregated from dozens of authoritative sources.

Frequently asked questions

What is Akira ransomware?

Akira is a financially motivated ransomware operation active since 2023, known for double-extortion attacks that often begin by exploiting VPNs without multi-factor authentication and can encrypt VMware ESXi hosts.

How much has Akira made?

CISA and the FBI estimated Akira's proceeds at approximately $244.17 million by late September 2025, including around $150 million during 2025.

How does Akira get in?

Akira frequently gains initial access through VPN and remote-access services that lack multi-factor authentication, then steals credentials and moves laterally before encrypting.

Is Akira still active in 2026?

Yes. Akira remains active and financially significant, with ongoing attacks against small and mid-sized enterprises and critical infrastructure.

Primary sources & further reading

This guide is reviewed and fact-checked against authoritative primary sources: