Akira

The 13 Nov 2025 update to AA24-109A — co-signed by FBI, CISA, DC3, HHS, Europol EC3, French OFAC, German LKA Baden-Württemberg, and NCSC-NL — reports that Akira has claimed approximately $244.17M (USD) in ransom proceeds as of late September 2025 and, in a June 2025 incident, encrypted Nutanix AHV virtual-machine disk files for the first time, abusing SonicWall CVE-2024-40766 for initial access.

FBI, CISA, the Europol European Cybercrime Centre, and the Netherlands' National Cyber Security Centre published the first joint #StopRansomware advisory on Akira (AA24-109A), detailing initial-access TTPs against Cisco VPN appliances without MFA (CVE-2020-3259, CVE-2023-20269), Megazord and Akira_v2 tradecraft, and a multi-page IOC table covering encryptor hashes and supporting tooling.

Beginning in August 2023, Akira intrusions started deploying a secondary encryptor written in Rust and tracked as Megazord, which appends a .powerranges extension. Akira affiliates have continued to use the original C++ Akira encryptor, Megazord, and Akira_v2 interchangeably across campaigns.

Within a month of emergence, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines, allowing the operation to encrypt entire virtualisation estates from a single foothold. The pivot to ESXi is documented in the joint FBI/CISA #StopRansomware advisory AA24-109A.

Akira ransomware activity first observed in March 2023, initially targeting Windows systems with a C++ encryptor that appends a .akira extension. Akira operates as a double-extortion crew and is tracked by industry as Storm-1567, Howling Scorpius, Punk Spider, and Gold Sahara, with code overlap suggesting links to the defunct Conti operation.