Was ist Akira Ransomware?

Akira ist eine Ransomware-as-a-Service (RaaS), die seit 2023 aktiv ist und gezielt kleine bis mittlere Unternehmen weltweit angreift.

Was soll ich tun, wenn ich betroffen bin?

Kontaktieren Sie sofort unser Computer Emergency Response Team über dfir@mh-service.de oder telefonisch unter +49 211 8797446742. Wir helfen rund um die Uhr.

Akira Ransomware Analysis 2025

General Information

First observed: March 2023
Model: Ransomware-as-a-Service (RaaS)
Linked to: Former Conti members
Number of victims: Over 250–350 worldwide
Targeted sectors: SMEs, Education, Manufacturing, Infrastructure
Typical ransom demands: USD 200,000 – 4 million

File Extensions & Ransom Note

.akira – extension of encrypted files
akira_readme.txt – ransom note

File Hashes

SHA-256: 3b7fc61649badd73986a86d39124b69aa2c7b6ecdb1d448137080579dc4990f2

IOCs – Suspicious Commands & Files

        
Console or PowerShell History:
  reg add "HKLM\...\UserList" /v User /d 0 /f
  reg add "HKLM\...\Terminal Server" /v fDenyTSConnections /d 0 /f
  powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject" **Deletes Volume Shadowcopy
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /v [USER] /d 0 /f 1 **Hide user accounts
  [C:\ProgramData\]cloudflared.exe tunnel run --token REDACTED **Creates tunnel for remote access
Filename:
  w.exe **Filename of deployed ransomware
  cloudflared.exe **Remote access tool, often stored in hidden folders like ProgramData
Hash:
  SHA-256: 3b7fc61649badd73986a86d39124b69aa2c7b6ecdb1d448137080579dc4990f2 **w.exe

Network Indicators

Additional Akira ransomware IOCs can be found in the official advisory from CISA, FBI, Europol, and NCSC-NL:

CISA Advisory AA24-109A – Akira Ransomware Indicators of Compromise

External IP: 202.175.136[.]197
Hostname: api.playanext[.]com
AnyDesk User Agent: AnyDesk/7.1.11
Cloudflared Command: cloudflared.exe tunnel run --token
Leak Site: akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion
Chat Site: akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion

MITRE ATT&CK Mapping

Akira Ransomware Detection

Initial Access: T1078 – Valid Accounts (e.g., VPN without MFA), T1133 – External Remote Services
Execution: T1059 – Command and Scripting Interpreter (PowerShell)
Persistence: T1547 – Boot or Logon Autostart Execution
Privilege Escalation: T1068 – Exploitation for Privilege Escalation
Defense Evasion: T1562 – Impair Defenses (AV killer, delete shadow copies)
Credential Access: T1003 – OS Credential Dumping (Mimikatz, LaZagne)
Discovery: T1087 – Account Discovery, T1018 – Remote System Discovery
Lateral Movement: T1021 – Remote Services (RDP, SMB)
Collection: T1119 – Automated Collection
Exfiltration: T1041 – Exfiltration Over C2 Channel (e.g., Rclone, FileZilla)
Impact: T1486 – Data Encrypted for Impact, T1490 – Inhibit System Recovery

External Analyses & Threat Profiles

Ransomnote - Example A

Akira ransomware ransom note


Hi friends,
Whatever who you are and what your title is, if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption.

ATTENTION! Strictly prohibited:

- Deleting files with .arika extension;
- Replacing or renaming .arika and .akira files;
- Using third party software to recover your systems.

If you violate these rules, we cannot guarantee a successful recovery.

Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know:

1. Dealing with us you will save A LOT due to we are not interested in ruining you financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of the deal.

2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidentally corrupt them - in this case we won't be able to help.

3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and use in order to get into, identify backup solutions and download your data.

4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at once. Then all of this will be published in our blog - akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad[.]onion.

5. We're more than negotiable and will definitely find a way to settle this quickly and reach an agreement which will satisfy both of us.

If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:

1. Install TOR Browser to get access to our chat room - torproject[.]org/download/.
2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/[snip] .
3. Use this code - [snip] - to log into our chat.

Keep in mind that the faster you will get in touch, the less damage we cause.

Ransomnote - Example B


Hi friends,

Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption.

Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know:

1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal.

2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help.

3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data.

4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion.

5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us.

If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:

1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/.
2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion.
3. Use this code - [snip] - to log into our chat.

Keep in mind that the faster you will get in touch, the less damage we cause.

Suspicious Accounts & Activities

Admin account: itadm
Password: Noface66Nocase!
Workstation: WIN-JGRMF8L11HO

How can you protect yourself from an attack?

How to detect an Akira ransomware attack?

Even simple technical and organizational measures can significantly increase resilience against attacks. We are happy to analyze your current risk exposure together with you and provide individual recommendations. The following points represent proven baseline measures that already offer substantial value for your IT security in many cases.

Monitor unusual login activity: Watch out for abnormal spikes in failed login attempts or authentication requests.
Enable Multi-Factor Authentication (MFA): Activate MFA for all externally accessible systems, especially VPN and RDP.
Use geofencing: Block connections from countries or IP ranges that are unrelated to your business operations.
Regular updates & patching: Keep your software—especially public-facing services—up to date at all times.

What decryption options are available?

Can the data be restored without payment?

For older variants of Akira ransomware, there are indeed promising approaches to restore encrypted data. In the past, decryption tools have been released repeatedly, enabling victims to recover their files without paying ransom. Therefore, we generally recommend securely archiving and retaining affected data first. Experience shows that new decryption opportunities arise over time. For current versions of modern ransomware, however, it is usually not possible to immediately make the data readable again.

Decryption options for Akira ransomware

Depending on the version of Akira ransomware, the chances of successful decryption vary. Below is an overview of known approaches—from early variants to current developments. If you are affected by Akira ransomware and are unsure whether decryption is possible in your case, please do not hesitate to contact us for a free initial consultation.

1. Early variants (until summer 2023)

Free Avast Decryptor, released on June 29, 2023.
Requires at least one file pair (encrypted file + original version).
Supports Windows natively, Linux via WINE.
Useful for classic “.akira” samples, but not for later generations.

2. Newer variants (from August 2023)

Introduction of Rust-based versions (“Megazord”, “Akira_v2”).
File extensions such as .powerranges.
The gaps exploited by the Avast Decryptor were closed—no free decryptor available.

3. Temporary decryptions (2024)

Some incident response teams were able to decrypt specific builds.
However, no publicly available tools were released.

4. GPU-based approach (2025, for Linux/ESXi)

Published by security researchers for specific 2024 Linux/ESXi builds.
Uses GPU brute force against keys derived from timestamps.
Only feasible with relevant log data and a limited key search space.
Not a universal tool for all Akira variants.

5. Current situation (2025)

Available: Avast Decryptor (for older Windows versions) and GPU brute force (for specific Linux variants).
Not available: General decryption tools for current Windows and Linux builds.
Recommendation: Securely archive data—new options have emerged in the past.

Akira Ransomware - Threats, Tactics & Protection Measures

🛡️ Immediate Help with Akira