Akira ransomware

Under attack by ransomware or suffering a cyber breach?

Speed is critical when facing a live cyber attack. If you believe you’ve been compromised, by the Akira ransomware group or another threat actor - contact us immediately.

Under attack? Call us
Why choose us?

About Akira ransomware group

The Akira ransomware group, a Russian-speaking threat actor, first emerged in March 2023 and has quickly become one of the most active and dangerous ransomware variants.

You’ll be able to identify an Akira ransomware infiltration by the branded Akira ransom note that appears on your systems, signalling that they have become inaccessible and your highly valuable data encrypted. Locked files will have the distinct Akira extension added to file names. As part of the attack, it may also automatically disable admin accounts, restricting your ability to respond.

Specialist threat actors will then demand payment, usually in cryptocurrency for discreet transactions. Failure to comply may result in threats to either delete or leak your sensitive data or publish exfiltrated data stolen during the attack.

What we can help with:

  • Encrypted files & ransomware data recovery
  • Incident response and containment
  • Secure data restoration and system recovery
  • Use of ransomware decryption tools and data recovery software
  • Development of incident response plans and disaster recovery solutions
  • Post-incident reviews and security hardening

Request a call back

If your organisation has been infected with ransomware contact us immediately.

How Akira operators work

The Russian-speaking group known as Akira threatens businesses indiscriminately. Implementing a scattergun approach, they target organisations across sectors including education, finance, manufacturing, and even critical infrastructure. However, they show a particular preference for small to medium-sized businesses (SMBs) in the US, Europe, and Canada.

The group is easily identifiable by the retro aesthetic used in its ransom notes, reportedly inspired by the 1988 anime film Akira, from which the ransomware variant takes its name. Victims will typically see encrypted files with the distinctive Akira extension, and ransom notes demanding ransom payments in cryptocurrency.

Akira ransomware is known to operate under a Ransomware-as-a-Service (RaaS) model, meaning its malware is distributed to affiliate threat actors who then carry out attacks. A key feature of this group is their strategic targeting of sensitive data, often using double extortion tactics: encrypting files while simultaneously threatening to exfiltrate data for public release unless the ransom is paid.

We are equipped to deal with an attack from any ransomware group.

Don’t hesitate to contact us if you are under attack from a ransomware group not listed above. 

Under attack? Call us

Recognising an Akira attack

The Akira ransomware variant typically gains initial access through exposed remote access tools, vulnerable VPN software, or by exploiting insecure multi-factor authentication and secure shell (SSH) configurations. Attackers also rely on malicious attachments, stolen credentials, and legitimate tools like Remote Desktop Protocol to gain access.

Once inside, Akira threat actors conduct lateral movement, disable security controls and endpoint detection, and perform privilege escalation to obtain administrative privileges. They may also target user accounts to maintain access and establish persistence.

They use various tactics techniques and procedures (also referred to as techniques and procedures TTPs) aligned with the mitre att ck framework to avoid detection and expand their presence in the network. Their encryption process is capable of targeting both Windows and Linux systems, including domain controllers, Active Directory, and remote services, for widespread impact.

Why you must not interfere with your ransomware environment

If you discover a physical break-in at your offices, your first instinct would be to call the police; touch nothing and let them search for clues. Then, your focus would shift to restoring business operations.

A cyber-attack requires the same approach. Your digital environment is a CRIME SCENE. It is crucial to leave the environment untouched to allow for a forensic investigation.

This is not a task for your IT team or MSP. Digital Forensic specialists are available 24/7 to assist you, just like in a physical crime.

Known threat actors

Ransomware groups behind the attacks

Below is a breakdown of the most active ransomware groups and the variants driving their attacks.

Post breach actions

  • Call a NCSC Cyber Incident Response approved supplier Some NCSC providers will fund up to 48 hours of investigation into your incident.
  • Report the incident to Action Fraud
  • Locate your business continuity plan Work out what you can do without access to your systems and data.
  • Identify your business insurance contact details
Business woman contacting a Zensec ransomware recovery service

Who are we and what experience do we have in responding to cyber incidents?

We are accredited to ISO 27001 and recognised by the UK’s National Cyber Security Centre (NCSC).

We provide comprehensive cyber risk management services, with a core focus on Digital Forensics and Incident Response (DFIR). Our capabilities are driven by a 24/7 Security Operations Centre and a dedicated in-house intelligence team that delivers timely, actionable threat reporting.

With decades of collective cyber security experience, we have the expertise to assume operational ownership of your entire IT security architecture – simplifying and strengthening cyber security across your business.

As an Assured Service Provider for Cyber Incident Response (CIR) at the Standard Level. This accreditation demonstrates our ability to deliver high-assurance, effective support in response to a wide range of cyber threats.

Your NCSC-approved supplier is a specialist crime scene investigator who will:

  1. Isolate and preserve your environment for forensic investigation.
  2.  Identify where the data has been duplicated and issue a legal takedown order.
  3. Identify your data, application and systems restore points. These might be at different points in time and will need to be carefully restored and reconstructed in a pristine environment.
  4.  Liaise with your business insurance company and if needed, with the Police.
  5. Advise you on notifying your customers of your situation.
  6. Rebuild your systems, restore your data and get you back to full operation. Note: This process can take between 2 weeks – 2 months.

 

Working with us

Our response process

Our team are ransomware recovery specialists with a proven, streamlined approach to resolving incidents quickly and effectively.

Step 1: Triage

We deploy our incident response team the same day. From the first call, we begin onboarding, introduce key stakeholders, set communication schedules, and start gathering critical information to guide the response.

Step 2: Investigation

DFIR (Digital Forensic Incident Response) teams investigate breaches to identify vulnerabilities, attack vectors, and system impacts from ransomware such as Data Loss (PII). We deliver clear forensic insights to guide mitigation.

Step 3: Contain

Our onsite and remote teams act fast to stop the attack in its tracks. That includes isolating affected systems, removing malicious code, and putting protections in place to prevent further spread or damage.

Step 4: Remediate & Eradicate

Once contained, we work to fully eliminate the threat. This includes fixing exploited vulnerabilities, restoring systems to a secure state, and ensuring no traces of the attack remain.

Step 5: Recover

Our incident response teams help get your business back to normal. We restore access to systems, recover data, and ensure services are safe, stable, and functioning, with minimal downtime.

Step 6: Post Incident

We conduct a full review of the incident response and recovery efforts. Together we assess what happened, what worked, and what can be improved, helping you build stronger defences for the future.

Forensic analysis to drive recovery

Our process includes a thorough digital forensic analysis from step two where the output becomes a central component of business recovery. This is because understanding the attack is of critical importance:

  • Informing an initial infection date

  • The extent and spread of infection

  • Data exfiltration having an impact on regulatory positions

  • Ensuring that the attacker and any tooling or artefacts they leave behind are eradicated

It is critical that the analysis of digital evidence is carried out to an agreed plan.

Maximising early root cause discovery and legal leverage

The process is purpose-built to uncover the root cause as early as possible, which is essential to inform remediation / eradication and recovery as well as supporting a legal take-down case if this is applicable. A legal take-down means we can assist in the legal enforcement that stops the criminals from publishing the data, thus undermining the ransom notice.

Our Digital Forensic and Incident Response (DFIR) teams maintain consistent communication throughout. Dedicated Incident Managers and technical engineering leads provide updates during the Cyber Incident Response journey, utilising risk registers and working within change management processes, all from triage through to post-incident, delivering successful business recovery.

Key take aways

  • You will not be able to access your systems or data.
  • It is advised to disconnect from the internet and shut down your systems, including PCs, to prevent further infections.
  • Your Office 365 system might also be compromised, allowing the attackers to monitor your responses. Avoid communicating with individuals through your primary email or team systems.
  • Threat actors typically infiltrate your system at least 2-4 weeks before you become aware of the attack. Your data will have already been exfiltrated. If your system is encrypted, this was not an overnight event.
  • Ransom demands in the UK typically range from £500,000 to £3 million, with some sectors, like education, facing demands that exceed £5 million
  • Paying the ransom may violate financial sanctions, which is a criminal offence and could result in a custodial sentence or further financial penalties.
  • If your data is sold or published online, it puts your customers and staff at risk, potentially implicating you in a Data Protection breach.
  • You will need to submit a data takedown request to the initial location where the data was transferred.
  • Do not overwrite the encrypted data. It is crucial to determine when the infection began and where the data was sent.
  • Avoid rebuilding from the latest backup, as it is likely to be infected.

Why should I trust Zensec to do this work rather than my IT team?

A forensic analysis needs to be meticulous and a clean restore and recovery requires a wealth of experience not normally available in an in-house team who must provide a broader range of IT support skills:

Internal IT teams don’t have the necessary skill set to resolve security encryption issues themselves. 

IT teams may recover to the same position with indicators of compromise ready to do it again… which can lead to another breach.

Internal teams are pressured to restore business operations and may recover before forensic analysis even begins, potentially destroying the crime scene before completion.

Why choose us?
We can help

Frequently asked questions

Key information when you’re under pressure.

Yes. Akira utilises the Ransomware-as-a-Service (RaaS) model, selling their specific brand of malware to affiliates.

The Akira ransomware entered your system by:

  • Exploiting vulnerabilities

  • Exposed Remote Desktop Protocol (RDP)

  • Leveraging valid accounts

  • Scoping network weaknesses

  • Brute Force Attacks / Compromised Credentials

We recommend you adopt policies to:

  1. Educate your staff on the importance of cyber security

  2. Use strong passwords

  3. Multi-factor authentication

  4. Remove old users

  5. Perform regular backups

  6. Deploy timely updates to software and systems

After recovering from an Akira ransom attack, Zensec recommends that you update your business continuity plan to account for lessons learnt during this attack & recovery.

A ransomware attack presents the most significant threat to your business by:

  • Disabling your access to systems, which could hinder machinery operation or impede progress through your business processes.
  • Blocking access to critical data concerning suppliers, shipments, customers, orders, or steps in your business workflow.

In the event of a business interruption, identifying your position in the supply chain and sustaining operations can be challenging. If the disruption continues, maintaining business continuity becomes critical. Once systems and data are restored, addressing backlogs and establishing future operational protocols are essential.

Ransomware ranks only behind receivership in terms of its capacity to incapacitate a business.

The NCSC is the UK National Cyber Security Centre. They provide cyber security guidance and support, helping to make the UK the safest place to live and work online. They have defined a Cyber Incident Response procedure and they have approved and accredited suppliers to provide this service.

https://www.ncsc.gov.uk/

As a recognised Assured Service Provider by the National Cyber Security Centre (NCSC), Zensec provide comprehensive cyber risk management services that are designed to Protect, Detect & Mitigate cyber security threats across the UK.

Action Fraud is the UK's national reporting centre for fraud and cybercrime. Whether you have been scammed, defrauded, or experienced cybercrime in England, Wales, or Northern Ireland, Action Fraud offers a central point of contact for information on fraud and financially motivated cybercrime.

https://www.actionfraud.police.uk/

After an Akira ransomware attack, your company must activate its incident response plan to isolate affected systems, preserve sensitive data, and limit lateral movement. Engage a specialist like Zensec to assess your exposure, monitor for data leaks, and strengthen your organisation’s defences against future ransomware incidents.

Law enforcement discourages paying ransom demands. If you do choose to pay, there's no guarantee you will regain access to your data or prevent it from being shared on the dark web. In a new trend, ransomware affiliates are actively monetising stolen data outside of their original RaaS agreements.

The NCSC have documented the deliberations for paying ransomware: https://www.ncsc.gov.uk/ransomware/home

Important Reminder: It is a criminal offense to pay money to people who are subject to financial sanctions. The list of who is subject to financial sanctions is constantly changing.

The latest iteration can be found here: https://www.gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets

Most ransomware breaches cost approx. £500K with smaller email data breaches in the realm of £50K. There is a dichotomy of preserving the environment for forensics or recovering it quickly for less business interruption. The cost increases the longer it takes to identify the breach and resolve it.

A Cyber Security insurance claim is complex and includes reasonable expenses to investigate and remediate an incident along with cover for legal, business interruption, criminal liability, employment liability and ransom policies. The insurance industry is liable to deliver the business recovery BUT Cyber insurance is viewed as volatile within the industry and many insurance policies are not being validated correctly.

Navigating through this requires expertise, which is where Zensec can help.

Most likely, yes. Some of the lost data might be classified as "Personal Data" for your customers which you are legally obligated to protect. As a ransom attack means this data may have been lost, you hold a legal and moral duty to inform your customers. You also need to inform the Information Commissioner's Office (ICO) at https://ico.org.uk/.

Thankfully your insurer or legal counsel will be able to guide you on what steps to take and how to proceed. Alternatively, Zensec has expertise in collaborating with insurers and lawyers and can aid in handling this relationship during this challenging period.

Dealing with a ransomware attack?
Our ransomware recovery service can help

Our expert team works quickly to contain the breach, recover your data, and restore your systems to full operation. We’ll guide you through every step of the recovery process and help strengthen your defences to prevent future attacks. Regain control with Zensec - trusted support when it matters most.

Contact us