Tags: Ransomware
Last edited: Oct 14, 2024 11:58 AM
Akira ransomware uses compromised VPN credentials or Active Directory accounts to infiltrate networks. Once inside, it disables endpoint security tools and deletes backups to hinder recovery. The ransomware targets specific processes and services, especially those related to security and IT tools, to maximize encryption impact. Akira uses AES and RSA encryption, leaves behind ransom notes, and marks encrypted files with the ".akira" extension. Operators employ double extortion, demanding payments in Bitcoin and threatening to leak stolen data. Victims span multiple sectors, including healthcare and education.
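As an added example (not part of the original note or any vendor tooling), the following Python flags hosts where several distinct files gain the ".akira" extension within a short window, a pattern a file server audit log can surface. The pipe-delimited event format, host names, paths, and the window and threshold values are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime

AKIRA_EXT = ".akira"  # extension named in the note above

# Constructed sample events (assumed format): timestamp|host|action|path
SAMPLE_EVENTS = r"""
2024-01-01T09:00:01|fs01|rename|D:\shares\hr\payroll.xlsx.akira
2024-01-01T09:00:05|fs01|rename|D:\shares\hr\REVIEW.DOCX.AKIRA
2024-01-01T09:00:05|fs01|modify|D:\shares\hr\notes.txt
2024-01-01T09:00:09|fs01|rename|D:\shares\it\inventory.csv.akira
2024-01-01T09:10:00|ws07|create|C:\Users\a\old.pdf.akira
2024-01-01T09:10:30|ws07|create|C:\Users\a\akira_research.txt
2024-01-01T09:20:00|ws07|create|C:\Users\a\scan.png.akira
"""

def parse(line):
    # Lower-case the path so the extension match is case-insensitive.
    ts, host, action, path = line.strip().split("|", 3)
    return datetime.fromisoformat(ts), host, action, path.lower()

def detect_bursts(lines, window_seconds=60, threshold=3):
    """Return {host: time the host first had `threshold` distinct
    .akira files created or renamed within `window_seconds`}."""
    recent = defaultdict(deque)  # host -> (timestamp, path) inside the window
    alerts = {}
    for ts, host, action, path in sorted(parse(l) for l in lines if l.strip()):
        if action not in ("create", "rename") or not path.endswith(AKIRA_EXT):
            continue
        q = recent[host]
        q.append((ts, path))
        # Drop events that have aged out of the sliding window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if host not in alerts and len({p for _, p in q}) >= threshold:
            alerts[host] = ts
    return alerts

if __name__ == "__main__":
    for host, when in detect_bursts(SAMPLE_EVENTS.splitlines()).items():
        print(f"{host}: burst of {AKIRA_EXT} files at {when.isoformat()}")
```

A file whose name merely contains "akira" (the `akira_research.txt` line) is ignored, and two isolated `.akira` files ten minutes apart on `ws07` stay below the default threshold.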