Akira ransomware gang rakes in approximately $42 million after attacks on over 250 organizations

14.11.2025 2 minutes Author: Newsman

According to a joint advisory by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), Europol and the Netherlands’ National Cyber Security Centre (NCSC-NL), the Akira ransomware gang, active since March 2023, has carried out more than 250 attacks and generated around $42 million in ransom payments. 

The Akira gang emerged in March 2023 and quickly became one of the most prolific ransomware operations. By early 2024, it had claimed responsibility for more than 250 attacks and amassed roughly $42 million in extortion payments.

Victims span businesses and critical infrastructure across North America, Europe and Australia. Akira uses a double-extortion model: exfiltrating data before encryption and threatening public release unless payment is made. The group has evolved its tactics, shifting from Windows-only attacks to targeting VMware ESXi virtual machines on Linux infrastructure, a move that expanded its reach into enterprise environments. Attack vectors include exploitation of known VPN vulnerabilities, abuse of RDP and lack of multi-factor authentication (MFA). Security researchers assess that Akira is likely backed by seasoned cybercriminals, given its pace and scale.

The joint advisory from the FBI, CISA, Europol and NCSC-NL highlights that Akira surfaced in March 2023 and within a year had executed hundreds of attacks. Initially focused on Windows systems, the group began deploying a Rust-based “Megazord” variant and a Linux encryptor for VMware ESXi environments from August 2023. By January 2024, estimated criminal proceeds totaled about $42 million.

The rise of Akira underlines the rapidly shifting landscape of ransomware: agile, global threat actors targeting enterprise-scale infrastructure, using sophisticated tactics and earning heavy payouts. For organizations, this means enhanced cyber-resilience must be a priority: enforce MFA, segment networks, maintain backups and apply patches promptly. Failure to act can lead to severe operational and financial consequences.
