Threat Actor Characterization

Akira


ID: 5ba8e726fdce0f127e6140c04cdc26a137888
Crimeware Ransomware
Threat types: Ransomware, RaaS, Data Leak, Extortion ecosystem
Unknown
Updated: 2026-03-14
Created: 2025-10-20
Progress: 74% Completeness: 76% Freshness: 70%
Operation zone:
Aliases: GOLD SAHARA, Howling Scorpius, PU*********
MITRE ATT&CK®

Akira is an active ransomware operation and associated deployer entity (since at least March 2023) using double extortion, targeting Windows and Linux/VMware ESXi environments and relying heavily on commodity post-exploitation and exfiltration tooling.


| Technique | Technique name | Tactics | Evidence |
|---|---|---|---|
| T1190 | Exploit Public-Facing Application | TA0001 | 2024-04-18 — Akira actors observed obtaining initial access via VPN services without MFA and exploiting known Cisco vulnerabilities (CVE references in joint CSA). |
| T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005 | 2024-04-18 — Akira initial access includes abuse of valid credentials (reported). |
| T1133 | External Remote Services | TA0001, TA0003 | 2024-04-18 — Use of external remote services such as RDP for access and operations is described in the CSA. |
| T1136.002 | Domain Account | TA0003 | 2024-04-18 — CSA reports creation of new domain accounts for persistence; example admin account name referenced in reporting. |
| T1003.001 | LSASS Memory | TA0006 | 2024-04-18 — CSA references credential extraction from LSASS process memory (Kerberoasting and credential scraping tools). |
| T1016 | System Network Configuration Discovery | TA0007 | 2024-04-18 — Network discovery using tools like Advanced IP Scanner / SoftPerfect is described. |
| T1018 | Remote System Discovery | TA0007 | 2024-04-18 — Remote system discovery via Windows commands and enumeration is described. |
| T1219 | Remote Access Tools | TA0011 | 2024-04-18 — Remote access software such as AnyDesk is used to obtain/maintain access (CSA). |
| T1090 | Proxy | TA0011 | 2024-04-18 — Ngrok used as a proxy/tunnel to create secure tunnels aiding operations and exfiltration. |
| T1560.001 | Archive via Utility | TA0009 | 2024-04-18 — Archive via utility (WinRAR) used to compress data for exfiltration. |
| T1048 | Exfiltration Over Alternative Protocol | TA0010 | 2024-04-18 — Exfiltration over alternative protocols using WinSCP/FileZilla and similar tools is described. |
| T1567.002 | Exfiltration to Cloud Storage | TA0010 | 2024-04-18 — Rclone used to sync/exfiltrate data to cloud storage services (reported). |
| T1486 | Data Encrypted for Impact | TA0040 | 2024-04-18 — Akira encrypts data for impact; advisory describes encryption behavior and extensions (.akira / .powerranges). |
| T1490 | Inhibit System Recovery | TA0040 | 2024-04-18 — PowerShell/WMI used to delete volume shadow copies to inhibit recovery (reported). |
| T1657 | Financial Theft | TA0040 | 2024-04-18 — CSA describes double-extortion model and financial coercion after exfiltration. |

Strategic Intelligence
Last updated: 2026-02-24T03:24:49+00:00

Akira — Ransomware operation (Windows + Linux/ESXi) and extortion ecosystem

Classification: TLP:WHITE - Open Source Intelligence (OSINT)

Executive Analyst Brief for CISO

Executive Analyst Brief for Decision Makers — Akira

Classification: TLP:WHITE - Open Source Intelligence (OSINT)

Hunting Playbook

Hunting Playbook — Akira


IOC Appendix
Last updated: 2026-02-24T03:27:30+00:00

IOC Appendix — Akira

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

OSINT Library
Last saved: 2026-02-24T03:31:19+00:00

OSINT Library — Akira


2025-11-13 — CISA/FBI/DC3/HHS — “#StopRansomware: Akira Ransomware (Updated Advisory AA24-109A)”

Social Media & Communication
SOCMINT integrated: 0/2

Address Verification SOCMINT
akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion Restricted Not integrated
akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion Restricted Not integrated
Reference Images/Associated Evidence

[Image: Akira website screen]