CISA Issues Update on Akira Ransomware Threats and Tactics

13 Nov 2025 · cisa.gov

CISA released an updated advisory on the Akira ransomware, detailing its evolving threats and tactics. Collaborating agencies urge organizations to bolster defenses.

Key Takeaways

  • "Their command and control techniques are increasingly sophisticated, making them harder to track and mitigate." The ability of these threat actors to move laterally within networks remains a significant concern.
  • "Their lateral movement tactics are especially concerning, as they can quickly escalate privileges and expose critical assets," said a network security specialist.
  • The insights provided in CISA's updated advisory serve as a critical resource for enhancing cybersecurity measures across various sectors.

On November 13, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), alongside multiple federal and international partners, published an updated advisory focusing on Akira ransomware. This advisory informs network defenders about the latest tactics, techniques, and procedures employed by Akira threat actors, including detailed indicators of compromise.

CISA's collaborative effort included the Federal Bureau of Investigation, the Department of Defense Cyber Crime Center, the Department of Health and Human Services, and other international allies. Their goal is clear: enhance the security posture of organizations across various sectors against Akira ransomware attacks.

"As the threat landscape evolves, it's crucial for organizations to remain vigilant and implement comprehensive cybersecurity measures," stated a CISA representative. This advisory reflects recent findings that detail the ransomware's advancement and its persistent threat to critical infrastructure.

The advisory notes the alarming trend of Akira ransomware targeting a wider range of organizations, from small and medium-sized enterprises to larger institutions. Key sectors being attacked include Manufacturing, Education, Information Technology, Healthcare, Financial Services, and Food and Agriculture.

Impact and Legacy

Notable updates in the advisory include the introduction of a new variant of ransomware known as Akira_v2. This variant reportedly allows for significantly faster encryption speeds, complicating recovery efforts following an attack. "They are using this upgraded version to enhance their operational efficiency and impact," said an analyst familiar with the situation.

Further complicating defense efforts, actors utilize tools like Ngrok for encrypted command and control communications, while also implementing SystemBC and STONETOP malware to deploy Akira ransomware payloads. "Their command and control techniques are increasingly sophisticated, making them harder to track and mitigate," cautioned a cybersecurity expert.

The ability of these threat actors to move laterally within networks remains a significant concern. They often exploit remote access protocols such as RDP and SSH, and utilize stolen Kerberos authentication tickets to maintain a foothold. “Their lateral movement tactics are especially concerning, as they can quickly escalate privileges and expose critical assets,” said a network security specialist.

With regard to privilege escalation, Akira threat actors reportedly deploy malware known as POORTRY. This malware can modify vulnerable drivers, create unauthorized administrator accounts, and steal credentials to further infiltrate networks. “This tactic underscores the importance of monitoring and securing endpoint devices to prevent breaches,” a CISA official remarked.

Moreover, the advisory emphasizes methods used by these actors to evade detection. They employ remote management tools such as AnyDesk and LogMeIn to impersonate legitimate administrators, while also manipulating firewall settings, shutting down antivirus processes, and uninstalling endpoint detection and response (EDR) systems.

"Organizations need to be aware that these malicious actors take steps to blend in with normal administrative activity to evade security measures," noted a cybersecurity analyst. To counter these threats, CISA and its partners strongly encourage organizations to patch vulnerabilities, particularly those affecting VPNs and backup servers, while ensuring that multifactor authentication is enforced for all remote access services.

“Monitoring for unusual network activity and unauthorized domain account creation is essential in these evolving threat environments,” a cybersecurity consultant echoed. The advisory also recommends deploying endpoint detection and response solutions to enhance overall security.
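The advisory's call to monitor for unauthorized domain account creation pairs with the POORTRY behaviour described above (creating administrator accounts). The following detection logic is an added example, not code from CISA or the advisory: it correlates Windows Security events for account creation (4720) with additions to administrator groups (4728/4732) by a creator outside an assumed provisioning allowlist, over constructed sample log lines.

```python
"""Flag account creations that are promptly added to an admin group by an
unexpected creator. Illustrative detection logic; the log lines below are
constructed (Windows Security event IDs 4720, 4728 and 4732 are real)."""
from datetime import datetime, timedelta

# Accounts permitted to provision users (assumption: a site-specific allowlist).
PROVISIONING_ACCOUNTS = {"CORP\\svc_identity"}
ADMIN_GROUPS = {"Administrators", "Domain Admins"}
ADD_TO_GROUP = {"4728", "4732"}   # member added to global / local security group
WINDOW = timedelta(minutes=30)    # creation-to-promotion window worth alerting on

# Constructed sample events: timestamp|event_id|subject|target_account|group
SAMPLE_LOG = """\
2025-11-13T02:10:05|4720|CORP\\svc_identity|CORP\\jdoe|
2025-11-13T02:41:17|4720|CORP\\helpdesk7|CORP\\sqlbackup2|
2025-11-13T02:42:03|4732|CORP\\helpdesk7|CORP\\sqlbackup2|Administrators
2025-11-13T02:44:30|4728|CORP\\helpdesk7|CORP\\sqlbackup2|Domain Admins
2025-11-13T03:00:00|4732|CORP\\svc_identity|CORP\\jdoe|Remote Desktop Users
"""

def parse(log):
    """Split pipe-delimited lines into (time, event_id, subject, target, group)."""
    events = []
    for line in log.splitlines():
        ts, eid, subject, target, group = line.split("|")
        events.append((datetime.fromisoformat(ts), eid, subject, target, group))
    return events

def suspicious_admin_creations(log):
    """Return (account, creator, group) for accounts created by a non-provisioning
    subject and added to an admin group within WINDOW of creation."""
    events = parse(log)
    created = {e[3]: (e[0], e[2]) for e in events if e[1] == "4720"}
    hits = []
    for ts, eid, subject, target, group in events:
        if eid not in ADD_TO_GROUP or group not in ADMIN_GROUPS:
            continue
        if target not in created:
            continue            # promotion of a pre-existing account; out of scope here
        created_at, creator = created[target]
        if creator in PROVISIONING_ACCOUNTS:
            continue            # expected provisioning path
        if timedelta(0) <= ts - created_at <= WINDOW:
            hits.append((target, creator, group))
    return hits

if __name__ == "__main__":
    for hit in suspicious_admin_creations(SAMPLE_LOG):
        print("ALERT: %s created by %s and added to %s" % hit)
```

In the constructed sample, jdoe is created and promoted by the allowlisted provisioning account and is not reported, while sqlbackup2 is created by a help-desk account and lands in two admin groups within minutes, producing two alerts.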

As the threat from Akira ransomware continues to evolve, organizations must remain proactive in defending against these sophisticated attacks. The insights provided in CISA's updated advisory serve as a critical resource for enhancing cybersecurity measures across various sectors. For further guidance, organizations are directed to consult CISA’s updated #StopRansomware Guide, which contains valuable resources and strategies for mitigating ransomware attacks.