Akira Ransomware: Indicators of Compromise, Victims & Defense

fingerprintDossier

Active since: March 2023
Origin / attribution: Overlap with former Conti operators
Known aliases: Akira (Storm-1567), Megazord
Common initial access: Cisco ASA/VPN without MFA, SonicWall, compromised accounts
TTPs & tradecraft: C++ and Rust encryptors, ESXi targeting, stealthy credential theft with Rclone exfil.
Notes: FBI advisory AA24-109A details IoCs; MFA on VPN drops Akira's primary entry path.

publicTop countries hit

United States670

Canada68

Germany61

United Kingdom33

Italy32

Switzerland22

Australia18

Brazil18

factoryTop sectors targeted

Not Found354

Manufacturing243

Business Services167

Technology104

Construction78

Agriculture and Food Production62

Transportation/Logistics52

Financial Services50

historyRecent named victims

Law Offices of JamesC Shields

Business Services · 17 Apr 2026

Pharmathek

DE · Healthcare · 17 Apr 2026

R Roese Contracting

Construction · 17 Apr 2026

Truckload Carriers Association

US · Transportation/Logistics · 15 Apr 2026

CIR Realty

CA · Not Found · 15 Apr 2026

INDESMALLA

AR · Manufacturing · 15 Apr 2026

Fletcher Chrysler Products

Manufacturing · 15 Apr 2026

CSA SpA

IT · Not Found · 14 Apr 2026

La Tuilerie

QC · Agriculture and Food Production · 14 Apr 2026

ServiceMaster Clean services

US · Consumer Services · 14 Apr 2026

R L Larson Excavating

Construction · 14 Apr 2026

DeMera DeMera Cameron

Not Found · 13 Apr 2026

Turbo International

Transportation/Logistics · 10 Apr 2026

Netgain Networks

US · Technology · 10 Apr 2026

ImageMaster

Technology · 09 Apr 2026

Sourced from open leak-site monitoring · Generated 20 Apr 2026

shield_lockAkira defense checklist

check_circleEnforce phishing-resistant MFA on every VPN, remote desktop, email, and SaaS admin account.

check_circlePatch perimeter gear (VPN, firewall, file-transfer, hypervisor) within 72 hours of vendor advisories.

check_circleSegment ESXi management from domain accounts; disable vSphere SSH unless in use.

check_circleTier admin credentials — no shared local-admin, rotate break-glass accounts monthly.

check_circleDeploy EDR across servers & DCs; alert on Rclone, WinSCP, MegaCmd, and suspicious PowerShell.

check_circleImmutable, offline backups tested quarterly with measured RTO/RPO.

check_circleBlock outbound on unused ports; restrict egress to vetted CDNs and update servers.

check_circleHunt for dropped vulnerable drivers used to kill EDR (BYOVD patterns).

check_circleRun an annual tabletop modelled on Akira's latest playbook.

check_circleHave an IR retainer identified before you need it.

Worried Akira will land on you?

We run focused VAPT, ransomware-readiness reviews, and purple-team exercises tuned to the playbook this crew actually uses.

Book a scope call