
Akira Ransomware Incident Response & Technical Analysis (2025)

If your organisation is hit by Akira ransomware, every minute counts. Our senior DFIR team supports you with ransomware containment, forensics, decryption options and secure recovery – based on more than 10 years of hands-on ransomware incident experience.

  • 10+ years ransomware recovery
  • EU-based digital forensics & IR team
  • Akira, Qilin, LockBit, BlackCat & more

  • First observed: March 2023
  • Model: Ransomware-as-a-Service (RaaS)
  • Victims: estimated 250–350+ worldwide
  • Ransom range: ~200,000 – 4 million USD

What we do in the first 72 hours of an Akira incident

The first days of an Akira ransomware attack are critical. Our structured playbook, based on real Akira cases, helps you stabilise operations, preserve evidence and prepare for secure recovery and potential decryption options.

Hour 0–4

Rapid triage & containment

We assess scope and impact, identify Akira artefacts and guide you through safe isolation of affected systems (on-prem and cloud) – without wiping or rebuilding servers prematurely. The goal: stop further encryption and exfiltration while preserving forensic evidence.

Hour 4–24

Forensic acquisition & attacker analysis

Collection of system images, logs and volatile data from key servers and endpoints. We identify Akira’s toolset (e.g. AnyDesk, cloudflared), persistence mechanisms, exfiltration channels and privileged accounts used by the attackers.

Day 2–3

Recovery plan, decryption options & decision support

We design a phased recovery plan, including options with and without paying a ransom (e.g. backups, decryptors for older variants, targeted file restoration) and provide input for executive, legal and communication teams. Where appropriate, we coordinate with law enforcement and regulators.

Already negotiating with Akira?

Many victims are already in contact with Akira operators when they call us. We help you:

  • Validate attacker claims about stolen data and access
  • Understand technical impact of paying vs. not paying
  • Coordinate negotiations with legal, insurance and management

Even if you are “late” in the incident, external experts can significantly reduce downtime and long-term risk – especially around data-leak handling, regulatory reporting and future resilience.

Beyond emergency response, we help you make your environment more secure and resilient against future ransomware attacks – from hardening Active Directory and remote access to backup strategy and monitoring.

[Figure] Example of the Akira ransomware leak site on the dark web (customer data anonymised).

Akira ransomware at a glance

Below is a brief technical profile of Akira ransomware. Indicators of compromise (IOCs) are for reference only – do not rely on static indicators alone for detection.

General information

  • First seen: March 2023
  • Model: Ransomware-as-a-Service (RaaS)
  • Links to: former Conti members (according to threat intel)
  • Typical victims: SMBs, education, manufacturing, infrastructure
  • Ransom range: ~200,000 – 4 million USD

Akira has evolved over time with Windows and Linux/ESXi variants and frequent changes to tooling, infrastructure and negotiation style.

Example commands, filenames & artefacts observed in Akira campaigns

Console / PowerShell history (selection):

    reg add "HKLM\...\UserList" /v <user> /d 0 /f
    reg add "HKLM\...\Terminal Server" /v fDenyTSConnections /d 0 /f
    powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" ^
        /t REG_DWORD /v [USER] /d 0 /f
    C:\ProgramData\cloudflared.exe tunnel run --token <REDACTED>

Filenames:

    w.exe            # Akira payload observed in multiple incidents
    cloudflared.exe  # Remote access tunnel, often stored in ProgramData or hidden folders

Example hash (SHA-256):

    3b7fc61649badd73986a86d39124b69aa2c7b6ecdb1d448137080579dc4990f2  (w.exe)

Additional Akira IOCs are published in the joint CISA/FBI/Europol/NCSC-NL advisory AA24-109A. We combine such public intelligence with case-driven indicators from our own investigations.

File extensions, ransom note & network indicators

File extensions & ransom note

  • .akira – extension of encrypted files (classical Windows builds)
  • akira_readme.txt – ransom note dropped in affected directories

Example network indicators

Additional and current IOCs can be found in CISA Advisory AA24-109A.

  • External IP: 202.175.136[.]197
  • Hostname: api.playanext[.]com
  • AnyDesk User Agent: AnyDesk/7.1.11
  • Cloudflared command: cloudflared.exe tunnel run --token
  • Leak site (Tor): akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion
  • Chat site (Tor): akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion

MITRE ATT&CK mapping (selection)

  • Initial Access: T1078 Valid Accounts (VPN without MFA), T1133 External Remote Services
  • Execution: T1059 Command and Scripting Interpreter (PowerShell)
  • Persistence: T1547 Boot or Logon Autostart Execution
  • Privilege Escalation: T1068 Exploitation for Privilege Escalation
  • Defense Evasion: T1562 Impair Defenses (AV killer, shadow copies removal)
  • Credential Access: T1003 OS Credential Dumping (e.g. Mimikatz, LaZagne)
  • Discovery: T1087 Account Discovery, T1018 Remote System Discovery
  • Lateral Movement: T1021 Remote Services (RDP, SMB)
  • Collection: T1119 Automated Collection
  • Exfiltration: T1041 Exfiltration over C2 Channel (e.g. Rclone, FileZilla)
  • Impact: T1486 Data Encrypted for Impact, T1490 Inhibit System Recovery

Ransom note examples (for reference)

The following examples are provided for forensic and training purposes only. Do not execute or reuse any links or codes contained within them.

Akira ransomware ransom note – sample A

Hi friends,
Whatever who you are and what your title is, if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption.

ATTENTION! Strictly prohibited:

- Deleting files with .arika extension;
- Replacing or renaming .arika and .akira files;
- Using third party software to recover your systems.

If you violate these rules, we cannot guarantee a successful recovery.

Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know:

1. Dealing with us you will save A LOT due to we are not interested in ruining you financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of the deal.

2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidentally corrupt them - in this case we won't be able to help.

3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and use in order to get into, identify backup solutions and download your data.

4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at once. Then all of this will be published in our blog - akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad[.]onion.

5. We're more than negotiable and will definitely find a way to settle this quickly and reach an agreement which will satisfy both of us.

If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:

1. Install TOR Browser to get access to our chat room - torproject[.]org/download/.
2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/[snip] .
3. Use this code - [snip] - to log into our chat.

Keep in mind that the faster you will get in touch, the less damage we cause.

Akira ransomware ransom note – sample B

Hi friends,

Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption.

Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know:

1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal.

2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help.

3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data.

4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion.

5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us.

If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:

1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/.
2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion.
3. Use this code - [snip] - to log into our chat.

Keep in mind that the faster you will get in touch, the less damage we cause.

Suspicious accounts & activities (example)

The following artefacts are illustrative and may not appear in every Akira case, but similar patterns should trigger closer investigation:

  • Admin account: itadm
  • Password example: Noface66Nocase!
  • Workstation: WIN-JGRMF8L11HO

How to detect and protect against Akira ransomware

Detection signals

Even basic technical and organisational measures can significantly increase resilience to Akira and similar groups. The following signals should be monitored closely:

  • Unusual login activity: spikes in failed logins, access from unusual locations, or logins at odd times.
  • Remote access tools: unexpected AnyDesk, cloudflared or RDP usage, especially on servers.
  • Shadow copy deletion: PowerShell or WMI commands removing shadow copies or backups.
  • New admin accounts: creation of privileged accounts or changes to “hidden” user lists.
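As an added illustration (not part of this page's own tooling), the following Python scans process-creation records for the command-line artefacts listed earlier on this page and labels each hit with the ATT&CK technique from the mapping section; the hostnames, user names and log records are constructed for the example.

```python
import re
from typing import NamedTuple

class Rule(NamedTuple):
    name: str
    technique: str          # ATT&CK reference taken from the mapping on this page
    pattern: re.Pattern

# Detection rules for the Akira command-line artefacts shown above.
RULES = [
    Rule("shadow_copy_removal", "T1490 Inhibit System Recovery",
         re.compile(r"Win32_Shadowcopy.*Remove-WmiObject", re.I)),
    Rule("hidden_user_in_userlist", "T1547 (hidden account via Winlogon UserList)",
         re.compile(r"SpecialAccounts\\UserList.*/d\s+0\b", re.I)),
    Rule("rdp_enabled_via_registry", "T1021 Remote Services (RDP)",
         re.compile(r"fDenyTSConnections.*/d\s+0\b", re.I)),
    Rule("cloudflared_tunnel", "T1133 External Remote Services",
         re.compile(r"cloudflared(\.exe)?\s+tunnel\s+run", re.I)),
]

# Constructed process-creation records (host, user, command line); hostnames and
# user names are invented for this example, not case data.
SAMPLE_EVENTS = [
    ("SRV-FS01", "itadm", r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /v itadm /d 0 /f'),
    ("SRV-FS01", "itadm", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /d 0 /f'),
    ("SRV-DB02", "SYSTEM", 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'),
    ("WS-042", "jdoe", r"C:\ProgramData\cloudflared.exe tunnel run --token <REDACTED>"),
    ("WS-042", "jdoe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE /n"),  # benign
]

def scan(events):
    """Return one finding per (event, rule) match, preserving event order."""
    findings = []
    for host, user, cmd in events:
        for rule in RULES:
            if rule.pattern.search(cmd):
                findings.append({"host": host, "user": user, "rule": rule.name,
                                 "technique": rule.technique, "cmd": cmd})
    return findings

def hosts_with_multiple_stages(findings, minimum=2):
    """Hosts where several distinct rules fired: a far stronger signal than a single hit."""
    seen = {}
    for f in findings:
        seen.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= minimum)

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['host']:<9} {f['user']:<7} {f['rule']:<26} {f['technique']}")
    print("hosts with multiple stages:", hosts_with_multiple_stages(results))
```

Feed it the command-line field of your EDR or Sysmon process-creation events; a host that trips more than one rule in a short window deserves immediate isolation and evidence collection rather than a ticket.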

Recommended hardening & prevention

  • Multi-factor authentication (MFA): enforce MFA for all external access (VPN, RDP, remote management portals).
  • Geofencing: block connections from countries or IP ranges that have no business relevance.
  • Patch management: keep public-facing services, VPN gateways and remote access tools fully patched.
  • Least privilege: reduce privileges for service accounts and admin users wherever possible.
  • Segmentation & backups: segment critical systems, maintain offline/immutable backups and test restore regularly.

Decryption options & data recovery for Akira

Are your files recoverable without paying?

For older Akira variants there have been promising approaches for recovering encrypted data – including publicly released decryptors. For current versions of modern ransomware, however, decryption without the attackers’ keys is often not immediately feasible.

We generally recommend archiving affected data securely: experience shows that new decryption possibilities sometimes emerge over time.

Overview of known decryption approaches

1. Early variants (up to summer 2023)

  • Free Avast decryptor released on 29 June 2023.
  • Requires at least one file pair (encrypted file + original version).
  • Supports Windows natively; on Linux via WINE.
  • Useful for classic “.akira” samples, not for later generations.

2. Newer variants (from August 2023)

  • Use of Rust-based builds (e.g. “Megazord”, “Akira_v2”).
  • New file extensions such as .powerranges.
  • The weaknesses exploited by the Avast decryptor have been fixed – no public free decryptor available.

3. Temporary decryptions (2024)

  • Individual incident response teams managed to decrypt certain builds.
  • No generally available tools published for broad use.

4. GPU-based approach (2025, Linux/ESXi)

  • Research-based GPU brute force for specific 2024 Linux/ESXi builds.
  • Targets keys derived from timestamp-based values.
  • Only practical with suitable logs and a constrained search space.
  • No universal tool for all Akira variants.

5. Current situation (2025)

  • Available: Avast decryptor (older Windows variants) and niche GPU-based approaches for certain Linux builds.
  • Not available: generic decryptors for current Windows and Linux variants.
  • Recommendation: archive encrypted data securely; assess recovery options on a case-by-case basis.

Important: If you suspect an Akira compromise, avoid deleting encrypted data or formatting systems before a specialist has reviewed potential decryption options and backup integrity. In some cases, careful evidence preservation and key collection (e.g. from memory) can make the difference.

Frequently asked questions about Akira

An Akira incident raises legal, technical and business questions. Below are a few we often hear in the first call.

“Do we have to pay the ransom to recover?”

Not necessarily. In some cases, recovery from backups or partial decryptors is feasible without paying. In others, the business impact, data exfiltration and legal requirements must be carefully weighed. We help you analyse options and their technical feasibility.

“We already paid – can you still help?”

Yes. We support organisations that have already paid or started negotiating – e.g. by validating decryptors, ensuring secure rebuild, and handling data leaks, regulators and communication with stakeholders.

“How quickly can you start?”

For active incidents, we aim to schedule an initial remote triage call very quickly once you contact our hotline or send an email. On-site presence can be arranged depending on location and urgency.

“Is our call confidential?”

Absolutely. All conversations and artefacts are treated as confidential. We can sign NDAs and work under legal privilege via your counsel if required.

How we can support you in an Akira case

As a specialised DFIR team, we help organisations handle Akira incidents in a structured, risk-based way:

  • Remote discovery & pre-assessment: identify affected systems (on-prem/cloud), Akira artefacts and initial attack paths.
  • Forensics & timeline reconstruction: collect and analyse logs, images and memory to understand what happened and when.
  • Patching & hardening: close gaps (VPN, RDP, remote tools), improve monitoring and implement segmented recovery.
  • Decryption & recovery strategy: evaluate decryptor options, backups and phased restore concepts.

Next steps for affected organisations

  1. Short scoping call: which systems are affected, what is currently offline, which data is at risk?
  2. Provide basic information (infrastructure, backups, remote access, logging/monitoring status).
  3. Jointly define priorities and a 24–72 hour plan for containment, forensics and recovery.

On request, we can provide lightweight checklists and templates for internal communication, regulator notifications and board reporting regarding Akira and similar ransomware incidents.