Overview

Akira ransomware is a strain of ransomware that emerged in March 2023 and has since targeted various industry sectors, including education, finance, real estate, manufacturing, and consulting.

The ransomware deletes shadow volume copies on victim devices via a PowerShell command prior to encrypting victim files and adding the ‘.akira’ file extension. Akira uses the Windows Restart Manager application programming interface (API) to terminate processes or shut down Windows services that keep files open so as not to interfere with encryption. Prior to encryption, Akira steals corporate data from its victims to use as leverage in negotiations for unlocking encrypted files later. The malware gains initial access to systems through various means, including search engine optimisation (SEO) poisoning or malvertising.

Akira’s ransom notes contain ‘akira_readme.txt’ files that contain links to Akira’s ransomware extortion blog and instructions on how victims can negotiate the release of their files.

The ransomware exploited at least 16 victims within the first two months of its existence. Akira ransomware operators use a unique negotiation system and host a TOR-based (.onion) website where victims are listed along with any stolen data, should a victim fail to comply with the ransom demands.