Akira Ransomware Hits $244M: FBI Warns of New VPN Exploitation Tactics
Akira’s sustained activity continues to alarm investigators in the United States and Europe, who released an updated set of recommendations for organizations confronting this ransomware operation. The document outlines newly observed tactics used in attacks since 2023, as well as the vulnerabilities the actors exploit to penetrate corporate networks. Issued as a follow-up to the April 2024 advisory, it is the most comprehensive description of the group’s methods in the past year.
The authors note that by the end of September, the revenue Akira amassed from data-encryption operations exceeded $244 million. The advisory underscores that the group’s motives extend beyond profit: their attacks have halted infrastructure in hospitals, universities, technology firms, and manufacturing sites. Analysts from the FBI emphasize that each encrypted system represents real-world consequences for specific teams and the surrounding communities forced to endure the fallout.
The warning was prepared jointly by the FBI, the U.S. Department of Defense, the Department of Health and Human Services, Europol, and law-enforcement agencies in France, Germany, and the Netherlands. For the first time, the updated document explicitly lists the industries most frequently targeted: manufacturing, education, IT service providers, and healthcare organizations. Researchers stress that the group’s victimology reflects a strategic focus on mid-sized entities that rely heavily on remote access and often operate with partially secured VPN infrastructures.
The report specifies that Akira operators gain access to VPN products by leveraging stolen credentials or exploiting vulnerabilities — including CVE-2024-40766. In some cases, attackers begin with compromised VPN credentials purchased from intermediaries who had obtained initial access. At other times, they resort to password-spraying attacks against VPN concentrators or brute-force weak combinations using the SharpDomainSpray tool to obtain valid domain accounts. The advisory highlights that the group frequently blends these methods, exploiting configuration mistakes and insufficiently robust authentication policies.
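The initial-access pattern described above (password spraying against a VPN concentrator, or brute-forcing a single account) leaves a recognisable footprint in authentication logs. The following Python script is an added example, not code from the advisory or any vendor: it tells the two patterns apart per source address and reports any successful login from a flagged source so the session can be cut and the credential reset. The log line format, the `vpn-gw` host name and the sample addresses are constructed; adapt `LINE_RE` to the concentrator you actually run.

```python
"""Password-spray / brute-force detection over VPN authentication logs.

Added example: the log line format below is a constructed syslog-style
schema, not any VPN vendor's real format; adapt LINE_RE to yours.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: 203.0.113.7 tries one guess against many accounts and
# then lands a valid login; 198.51.100.9 hammers a single service account;
# 192.0.2.5 is a legitimate user who mistyped once.
SAMPLE_LOG = "\n".join(
    [
        "2025-09-01T08:00:01Z vpn-gw auth result=fail user=alice src=203.0.113.7",
        "2025-09-01T08:00:04Z vpn-gw auth result=fail user=bob src=203.0.113.7",
        "2025-09-01T08:00:07Z vpn-gw auth result=fail user=carol src=203.0.113.7",
        "2025-09-01T08:00:10Z vpn-gw auth result=fail user=dave src=203.0.113.7",
        "2025-09-01T08:00:13Z vpn-gw auth result=fail user=erin src=203.0.113.7",
        "2025-09-01T08:00:16Z vpn-gw auth result=fail user=frank src=203.0.113.7",
        "2025-09-01T08:00:19Z vpn-gw auth result=success user=grace src=203.0.113.7",
    ]
    + [
        f"2025-09-01T08:05:{i:02d}Z vpn-gw auth result=fail user=svc-backup src=198.51.100.9"
        for i in range(12)
    ]
    + [
        "2025-09-01T08:10:00Z vpn-gw auth result=fail user=heidi src=192.0.2.5",
        "2025-09-01T08:10:20Z vpn-gw auth result=success user=heidi src=192.0.2.5",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(lines):
    """Yield one dict per line that matches LINE_RE; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        }


def detect(lines, window_seconds=600, spray_min_users=5, brute_min_attempts=10):
    """Return one alert per source IP that shows a spray or brute-force pattern.

    Spray: many distinct accounts fail from one source inside the window.
    Brute force: one account fails many times from one source inside the window.
    Successful logins from a flagged source are listed so responders can
    prioritise which sessions to terminate and which credentials to reset.
    """
    by_src = defaultdict(list)
    for ev in parse_auth_log(lines):
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "fail"]
        successes = sorted({e["user"] for e in evs if e["result"] == "success"})

        most_users, most_per_user = set(), 0
        start = 0
        for end in range(len(fails)):  # sliding time window over failures only
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = fails[start : end + 1]
            users = {e["user"] for e in window}
            if len(users) > len(most_users):
                most_users = users
            most_per_user = max(most_per_user, max(Counter(e["user"] for e in window).values()))

        kinds = []
        if len(most_users) >= spray_min_users:
            kinds.append("password_spray")
        if most_per_user >= brute_min_attempts:
            kinds.append("brute_force")
        if kinds:
            alerts.append({
                "src": src,
                "kinds": kinds,
                "distinct_failed_users": len(most_users),
                "max_attempts_one_user": most_per_user,
                "successful_logins_from_src": successes,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The thresholds are deliberately low for the sample; in production they should be tuned against a baseline of the concentrator's normal failure rate, and the `successful_logins_from_src` field is the one to page on, since a spray that ends in a valid session is exactly the entry point the advisory describes.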
The recommendations further note that Akira has repeatedly used remote-support tools such as AnyDesk and LogMeIn to maintain persistence and mimic administrator activity. Incident responders have documented deliberate removal of EDR solutions, allowing the attackers to operate with minimal traceability. The FBI reports that in some intrusions, Akira exfiltrated data in less than two hours, indicating meticulous preparation, preconfigured automation scripts, and a clear understanding of the victim network architecture.
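Two of the behaviours described above, remote-support software appearing where it was never approved and the endpoint security agent being stopped, are cheap to detect from ordinary process and service telemetry. The Python script below is an added example, not code from the advisory or any vendor: it evaluates a handful of rules over constructed endpoint events and ranks a host as high priority when both behaviours occur together. The event schema, the host names, the approved-host list and the service name `ExampleEDR` are placeholders; substitute your EDR vendor's documented process and service names and your own asset inventory.

```python
"""Flag unapproved remote-support tools and security-agent tampering in
endpoint telemetry.

Added example: the event schema, host names, approved-host list and the
service name "ExampleEDR" are constructed placeholders; substitute your EDR
vendor's documented process/service names and your asset inventory.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Binary name -> product. Constructed mapping for illustration; production
# rules should key on vendor-documented binary names and code-signing identity.
REMOTE_SUPPORT_TOOLS = {"anydesk.exe": "AnyDesk", "logmein.exe": "LogMeIn"}

# Hosts where the help desk is allowed to run remote-support software.
APPROVED_REMOTE_HOSTS = {"helpdesk-01"}

# Placeholder names of endpoint security services that must never be stopped.
PROTECTED_SERVICES = {"exampleedr"}

# Service-control verbs that, combined with a protected service name, indicate tampering.
SERVICE_CONTROL_RE = re.compile(
    r"\b(?:sc(?:\.exe)?\s+(?:stop|delete|config)|net(?:\.exe)?\s+stop|taskkill(?:\.exe)?)\b",
    re.IGNORECASE,
)

# Constructed telemetry. fin-ws-12 shows the chain the advisory describes:
# a remote-support tool in a user profile, then the security agent stopped.
SAMPLE_EVENTS = [
    {"host": "helpdesk-01", "type": "process_create",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": r'"C:\Program Files\AnyDesk\AnyDesk.exe"'},
    {"host": "fin-ws-12", "type": "process_create",
     "image": r"C:\Users\j.doe\Downloads\AnyDesk.exe",
     "cmdline": r'"C:\Users\j.doe\Downloads\AnyDesk.exe"'},
    {"host": "fin-ws-12", "type": "process_create",
     "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc.exe stop ExampleEDR"},
    {"host": "fin-ws-12", "type": "service_stop", "service": "ExampleEDR"},
    {"host": "srv-file-02", "type": "process_create",
     "image": r"C:\Program Files (x86)\LogMeIn\LogMeIn.exe",
     "cmdline": r'"C:\Program Files (x86)\LogMeIn\LogMeIn.exe"'},
    {"host": "fin-ws-12", "type": "process_create",
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]


def is_user_writable(path):
    """True for locations an ordinary user can write to (profile and temp dirs)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "users" in parts[:2] or "temp" in parts or "tmp" in parts


def mentions_protected_service(cmdline):
    """True when a service-control verb and a protected service name appear together."""
    lowered = cmdline.lower()
    return bool(SERVICE_CONTROL_RE.search(lowered)) and any(s in lowered for s in PROTECTED_SERVICES)


def evaluate(events):
    """Return a list of alerts, one per matching rule per event."""
    alerts = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process_create":
            exe = PureWindowsPath(ev["image"]).name.lower()
            product = REMOTE_SUPPORT_TOOLS.get(exe)
            if product and host not in APPROVED_REMOTE_HOSTS:
                detail = f"{product} started on a host not approved for remote support"
                if is_user_writable(ev["image"]):
                    detail += " from a user-writable path"
                alerts.append({"host": host, "rule": "unapproved_remote_support_tool", "detail": detail})
            if mentions_protected_service(ev["cmdline"]):
                alerts.append({"host": host, "rule": "security_service_tampering", "detail": ev["cmdline"]})
        elif ev["type"] == "service_stop" and ev["service"].lower() in PROTECTED_SERVICES:
            alerts.append({"host": host, "rule": "security_service_stopped", "detail": ev["service"]})
    return alerts


def prioritize(alerts):
    """Rank hosts: a remote-support tool plus agent tampering on the same host is high."""
    rules_by_host = defaultdict(set)
    for a in alerts:
        rules_by_host[a["host"]].add(a["rule"])
    severity = {}
    for host, rules in rules_by_host.items():
        tampered = any(r.startswith("security_service") for r in rules)
        remote = "unapproved_remote_support_tool" in rules
        severity[host] = "high" if (tampered and remote) else "medium"
    return severity


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print(prioritize(found))
```

The `service_stop` rule matters even when no command line is captured: EDR products typically raise their own tamper alert, but if the agent has already been stopped that alert may never be sent, so the stop event from the operating system's own service log is the fallback signal. Given the sub-two-hour exfiltration windows the FBI reports, this is the kind of detection that needs to page someone immediately rather than land in a daily report.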
A dedicated section provides guidance for schools facing Akira intrusions. The authors advise educational institutions to enforce strict VPN access controls, rotate passwords regularly, and audit remote-administration systems, which attackers often exploit as lateral-movement channels. The document underscores that schools remain attractive targets due to their heterogeneous environments and large collections of distributed systems.
The advisory also examines a potential link between Akira and the dismantled Conti syndicate. Analysts point to overlaps in codebases, cryptocurrency wallet transactions associated with former Conti leadership, and partial intersections among operators. Law-enforcement officials confirm that some Conti members previously operated from within Russia, though no direct ties between Akira and state entities have been identified. The document clarifies that Akira functions as a network of semi-independent affiliates who may be based in different countries and collaborate under a partnership model.
Among the most notable incidents, the advisory cites the recent breach of BK Technologies, a supplier of radio equipment for the U.S. defense sector and emergency-response services. The company informed investors that internal information and data belonging to current and former employees had been compromised following a September intrusion. Akira is also responsible for attacks on Stanford University, the Toronto Zoo, South Africa’s state-owned bank, London Capital Group, and numerous other major organizations whose systems proved vulnerable to the group’s attack chains.