The ransomware group Akira has been ravaging UK businesses since at least 2023. This brief goes over what Solace Cyber have seen in the past two years. Solace Cyber have seen devastating impacts to UK businesses from the same group affecting the industries of retail, finance, manufacturing and medical organisations. Solace Cyber have encountered over 30 businesses impacted by Akira during digital forensics and incident response (DFIR) engagements.

Akira is known to have very comparable links to the old Conti cybercrime organisation, including code similarities with the ransomware payload and templated attacks that follow a playbook of procedures to carry them out. Akira focuses on being a double extortion group, with the primary goal of extorting for financial gain. Akira follows in the same footsteps, using templated, playbook-driven attacks just like Conti.
They operate a double-extortion model, first stealing data, then encrypting it, demanding payment to prevent public leaks and restore systems.
Their primary method of entry is through SSL VPN exploitation (Cisco ASA, SonicWall, WatchGuard), often taking advantage of missing MFA or unpatched vulnerabilities.
These key observations are based on over 16 cases performed by the DFIR teams of Solace Cyber.
| Attack Stage | Key Findings |
|---|---|
| Initial Access | Abuse of VPNs (Cisco ASA, SonicWall, WatchGuard); exploitation of CVEs like 2023-20269 and 2024-40766. |
| Discovery | Tools like Netscan (31%), Advanced Port Scanner (25%), and PowerShell AD enumeration. |
| Privilege Escalation | Exploitation of Veeam vulnerabilities (CVE-2023-27532, CVE-2024-40711); credential dumping with Veeam-Get-Creds.ps1. |
| Lateral Movement | Heavy use of RDP; SSH for ESXi/NAS systems; sometimes deploying attacker-created VMs. |
| Command & Control | AnyDesk (43%), OpenSSH (18.75%) most common; occasional use of Ligolo-ng, Cobalt Strike. |
| Exfiltration | WinSCP (31.25%), FileZilla (18.75%), Rclone (18.75%) used to steal data, sometimes in under 3 hours. |
| Impact | Backup destruction, ESXi/NAS encryption, and data leaks via Tor-based data leak site. |
All initial access methods identified by Solace Cyber have resulted in the threat actor leveraging enterprise gateways for access to the wider estates in all cases observed.
Between 2023 to late 2024, the main method of entry seen by Solace Cyber was the abuse of Cisco ASA firewalls to gain initial access. In the majority of the cases, this was either due to the lack of MFA on accounts and exploitable firewalls vulnerable to a remote “brute force” vulnerability (CVE-2023-20269) and CVE-2020-3259, a memory disclosure vulnerability which can be used to retrieve credentials without authentication.
From late 2024 to the present day, the most common initial access method by Akira is the abuse of SonicWall SSLVPNs, primarily the same methods are used with this line of firewall product. Password-based attacks against local VPN accounts and accounts linked to Active Directory. The use of CVE-2024-40766 is a high contributing factor.
During 2025, the first cases were observed originating from the SSLVPNs of Watchguard appliances, indicating that Watchguard appliances are now on Akira’s scopes going forward.

The most common discovery utilities seen in use by Akira:

Once inside the environment through the VPN, the threat actor may already have Active Directory (AD) credentials, depending on whether access was gained using a local firewall account or an AD account. Where valid credentials are insufficient to progress, Akira have been observed to exploit Veeam vulnerabilities such as CVE-2023-27532 and CVE-2024-40711. Indicators of this activity often include the use of xp_cmdshell following the creation of local accounts on Veeam servers, with those accounts then added to the Local Administrators and RDP Users groups. A common next step is execution of the script “Veeam-Get-Creds.ps1” (or a variant), which extracts all stored credentials from the Veeam SQL database in plain text. This activity may also be performed by the threat actor using VeeamHax.exe. The credentials within Veeam frequently include ESXi, Hyper-V, backup repository credentials for NAS devices, as well as domain administrator credentials, providing a powerful escalation path. In some cases, this credential dumping from Veeam occurs later in the incident, after initial data exfiltration, once attackers have established sufficient access.
Where Veeam exploitation is not possible, such as when instances are patched or absent, attackers have also turned to password-based attacks. This often takes the form of password spraying, which can be identified early in incidents by a spike in failed logins and multiple account lockouts.
Akira ransomware operators are sometimes observed using advanced credential theft techniques, but these activities are relatively infrequent compared to their other behaviours. In a minority of cases, they have stolen the NTDS.dit file (Active Directory’s database of user accounts and password hashes) along with the System hive, which allows them to decrypt and crack those hashes offline. Tools like Mimikatz have been seen in more than 12.5% of cases, enabling attackers to dump credentials from memory or conduct a DCSync attack to replicate password data directly from a domain controller. A technique to impersonate a domain controller and replicate password data from Active Directory.
They have also been observed performing Kerberoasting attacks, often when connected over an SSL VPN, to target service accounts by extracting and attempting to crack their Kerberos tickets. While powerful, these tactics are not consistently used in every incident; rather, they show up only in select cases. When they do occur, they provide attackers with a path to escalate privileges, spread across the network, and facilitate widespread ransomware deployment.

Akira are well known at Solace Cyber to use methods of command and control, with the most common method being the use of the RMM tool AnyDesk, which was seen in more than 43% of Akira incident response cases. The second method is the use of OpenSSH for remote access, which was seen in at least 18.75% of cases.
In the minority <6% of cases the following tools were utilised:
1. The use of Chrome Remote Desktop was observed, where the following PowerShell Command was run to configure remote access.

2. Akira has been seen to use reverse shells on ESXi hosts for remote access.

3. In at least two cases, the protocol tunnelling utility called “Ligolo-ng” was utilised by executing a base-64 encoded command. The tool allows the threat actor group to access the network just like if they were connected over the VPN, allowing their machines access to the organisation's network directly, as well as potential protocol tunnelling of FTP traffic to the threat actor's tunnelled server.
4. In a small number of cases, the threat actor was observed to use CobaltStrike beacons to remain in the environment.
Where C2 methods were absent, the window of the incident is usually short; thus, in these cases, it is probable that the threat actor didn’t deem it necessary to deploy methods of remote access into the environment and remained connected via the SSL VPN. Alternatively, the forensics was damaged by encryption upon all retrieval.

The most common method abused for lateral movement was Remote Desktop Protocol (RDP), where Solace Cyber observed its use in all cases from the SSL VPN range to Windows hosts. As the saying goes, it is the ransomware deployment protocol after all.
In the majority of cases where ESXi hosts are present or NAS devices, the threat actor is seen to use SSH for lateral movement.
Pass the hash techniques were observed in the majority of cases prior to the encryption stage, usually from the SSL VPN range, from systems unknown to the victim. Common examples include the hostname “kali”. A default hostname for the popular offensive security Linux distribution (https://www.kali.org/). In the minority of cases, the threat actor was observed to deploy their own virtual machine within the victim organisation in order to bypass security measures such as EDR. Where the machine was created to perform the encryption over SMB.
In the minority <6 % of cases the following tools were observed:
Where the threat actor is targeting the Windows operating system for later encryption, the majority have manual removal and disablement of security tooling where the threat actor has obtained sufficient administrator privileges and where no password protection measures preventing the removal of Antivirus products or EDR products were seen. The simple use of the control panel and pressing uninstall is enough in sadly a large portion. Additionally, in 48.57% of cases, Windows Defender was inhibited manually or via automated methods. In multiple cases, the PowerShell commands to disable defender protection measures were observed:

In the remaining cases where no hindrance to the threat actor was observed, defence evasion techniques were not observed and were likely considered unnecessary, as the ransomware was executed directly and exclusively on the hypervisors’ datastores containing the virtual machine disks. This limited the need for traditional evasion, with encryption occurring directly on the ESXi hosts or Hyper-V hosts.
Before exfiltration, the threat actors were observed to use compression utilities prior to exfiltration activities using the following utilities:
Usually, these compression utilities would be run on file servers to selectively archive document types and ages.
Akira’s use of these tools usually creates identifiable artefacts which indicate which data has been compressed. For example, finance.part1.rar, finance.part2.rar, sales.part.1.rar and sales.part2.rar usually would indicate top-level folders on the file server. Recovered RAR files in cases have previously provided insight into their contents, as a single RAR part file can facilitate the identification of which folders were included in the collection within a multi-RAR set.


Usually, the length of time that Akira is within the environment is dependent on how fast businesses' upload speed is. The shortest case Solace Cyber has observed was less than three hours, and the predominant factor for speed appeared to be the gigabit upload speed of the victim.
In more than 81.25% of cases, Akira were identified to exfiltrate data using the following utilities:
In all Akira cases, by incident responders at Solace Cyber, encryption was observed in 100% of all incidents.
During incidents, it has been observed that Akira targets backup devices and systems relating to backups, including QNAP devices or other generic NAS devices that were linked to backup servers. It is common to see the group perform a format/wipe the disks and perform a factory reset of these devices. Usually, the source of the credentials is either due to the Veeam password credential dumping or due to the devices being AD joined, where the account is compromised and leveraged to perform the format. In cases where NAS devices are used as a file store, the network share can be encrypted or directly encrypted with the Akira payload via SSH.
Due to Akira predominantly targeting hypervisors, it isn’t always necessary for the group to disable security products on hosts. Once on ESXi hosts with SSH enabled, there aren’t many measures that will stop Akira from running the Linux variant.
The method of encryption can vary, where scenarios can include:
The following names for the ransomware payload have been identified, usually with short names that are generic across multiple incidents. w.exe, akira.exe, lck.exe, lock.exe, locker.exe, pr.exe, n.exe, s.exe, aki.exe, win.exe, esx, winlocker.exe and hello.exe.
The ransomware payload has been seen to run directly on the hosts of one or more categories within incidents:
Common execution commands for the ransomware payload on ESXi include the threat actor using “chmod +x” to make the file executable before running the encryptor. Then running the encryptor with multiple command line switches.

The redacted entry is the payload name.
| Switch | Usage |
|---|---|
| -n | Percentage of encryption |
| -p | Path to encrypt. (VMFS volumes.) |
| -fork | Creates a separate child process for encryption |
Throughout cases, the percentage of encryption instructed can vary.
The method of execution can vary, where the threat actor predominantly runs the encryptor using PowerShell or Command Prompt as an administrator account. The execution of the Akira payload on Windows devices provides a forensic artefact where the encryptor leaves multiple log files usually within the same directory from which the encryptor was run, in the naming convention of:
“Log-DD-MM-YYYY-HH-MM-SS.txt”.
The Akira ransomware payload for Windows uses many of the same switches, where “-p” denotes the path for the encryptor to target. Here you can see the ransomware payload running from “C:\PerfLogs” targeting virtual machine disks of a Hyper-V host and the whole D and E drives. In this scenario, the threat actor left the command prompt window open, leaving the evidence on the active RDP session window.
Upon encryption, the ransomware payload appends files with “.akira” and within each folder where the encryptor has run, it dumps a TXT file called “akira_readme.txt”. This applies in both ESXi and Windows environments.

In the same intrusion on another Command Prompt window, the threat actor instructed the ransomware payload to encrypt endpoint devices, laptops, and desktops remotely with the command line switch “-remote” followed by the network path of the system to target.

In more than 6.25 % of cases, Akira have been observed to run the ransomware payload via GPOs (Group Policy Objects) to attempt to achieve a wider impact if and when new systems come online, for example, Monday morning when employees first get to the office.
Upon encryption, the ransomware payload appends the file with “.akira” and within each folder where the encryptor has run, it dumps a TXT file called “akira_readme.txt”. This applies in both ESXi and Windows environments.

After the encryption has set its course, occasionally the victim organisation is contacted. In most cases, this is a mass email to all employees or to the senior leadership teams. Interestingly, every observed case by Solace Cyber where Akira sent emails used Gmail accounts (e.g., [email protected]).
Solace Cyber has observed this email-contact scenario in about 18.75% of intrusions. These emails usually repeat the same information found in the ransom note left on infected systems.
Occasionally, the attackers will follow up with a link to a “proof of life” package, a set of stolen sample data intended to prove they really have the victim’s files.


Akira, in most cases, where the exfiltrated data is acquired, will list the organisation first within the news section of the DLS. After a varied amount of time, after the company is listed within the news section, usually 2 weeks to up to 8 weeks, but can be longer, the victim will then be listed within the leak section of the site. Some do not appear at all as a company name and are bundled with multiple organisations in a single leak post.
Instead of hosting the files directly, Akira shares magnet or torrent links.
This makes it very difficult to take down the leaked data, since torrents are hosted by many “seeders” on public trackers, making them widely and persistently available.

| Hostname of TA Machine | Source of Hostname |
|---|---|
| DESKTOP-A6MVCI0 | SSL VPN |
| DESKTOP-EEKR377 | SSL VPN |
| DESKTOP-NTOTKE1 | SSL VPN |
| DESKTOP-SBOHBN9 | SSL VPN |
| DESKTOP-UOQCGGJ | SSL VPN |
| kali | SSL VPN |
| WIN-0NBN6G381L0 | SSL VPN |
| WIN-2016-TEST | SSL VPN |
| WIN-EES13C2CG49 | SSL VPN |
| WIN-F48JBFDRB2V | SSL VPN |
| ASN | Org |
|---|---|
| AS199959 | CROWNCLOUD |
| AS395092 | Shock Hosting LLC |
| AS62240 | Clouvider Limited |
| AS64236 | UnReal Servers, LLC |
| AS55286 | Server Mania Inc |
| AS19318 | Interserver Inc |
| AS63018 | Dedicated.com |
| AS29802 | HIVELOCITY, Inc |
| AS36352 | HostPapa |
| AS53363 | STARK INDUSTRIES SOLUTIONS LTD |
| AS30860 | Virtual Systems LLC |
| AS44477 | PQ HOSTING PLUS S.R.L. |
| File | SHA-256 |
|---|---|
| 7z2409-x64.exe | |
| a.exe | |
| AdComputers.csv | |
| AdComputers.txt | |
| AdGroups.txt | |
| AdOUs.csv | |
| AdSubnets.csv | |
| AdTrusts.txt | |
| AdUsers.txt | |
| advanced_ip_scanner.exe | |
| Advanced_IP_Scanner_2.5.4594.1.exe | 26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b |
| advanced_port_scanner.exe | 8b9c7d2554fe315199fae656448dc193accbec162d4afff3f204ce2346507a8a |
| Advanced_Port_Scanner_2.5.3869.exe | d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb |
| advanced_port_scanner_console.exe | a1a6005cc3eb66063ae33f769fc2d335487b2ed7f92c161e49ad013ffed11ec8 |
| aki.exe | |
| akira | |
| Akira.exe | |
| Anydesk.exe | 1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069 |
| Anydesk.exe | 4a9dde3979c2343c024c6eeeddff7639be301826dd637c006074e04a1e4e9fe7 |
| AnyDesk_5.1.1.exe | |
| BvSshClient-Inst.exe | |
| esx | |
| ExportData.db | |
| FileZilla_3.68.1_win64_sponsored2-setup.exe | |
| GT_NET.exe | |
| hello | |
| lck | |
| lock.exe | |
| lock_via.zip | |
| locker.exe | |
| LOG-xx-xx-xxx-xx-xx-xx.txt | |
| mimikatz.exe | |
| MobaXterm_Personal_23.1.exe | 9667c3a224a4ccbf6975b292a2fdeb3025babae035f58e468b9c9c800188969b |
| n.exe | |
| netscan.csv | |
| netscan.exe | |
| netscan.lic | |
| netscan_n.exe | fc5f82f45745385d8c0dc82caf2ad5695b1addfbf556d1e72d792835876574ce |
| OpenSSH-Win64-v8.9.1.0.msi | |
| Pingcastle.exe | |
| pr.exe | |
| ProcessHacker.exe | bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4 |
| PSEXESVC.exe | |
| rclone.conf | |
| rclone.exe | e1fefa948907a18fb0bc7717da9d4272e93bf9707413e9689ab8f053af4c7924 |
| rclone-v1.69.0-windows-amd64.zip | 73f55188dbd15056b9728cb646f4e9774534b148dec3eed9ccbbaa381b95ce78 |
| RVTools.exe | |
| s.exe | |
| shares.txt | |
| SharpHound.exe | |
| SharpShares.exe | |
| sshd.exe | 8317ff6416af8ab6eb35df3529689671a700fdb61a5e6436f4d6ea8ee002d694 |
| svchost.exe | 54e3b5a2521a84741dc15810e6fed9d739eb8083cb1fe097cb98b345af24e939 |
| svchost.exe | fdd00e1bf19fe207b1ca7dbee50816ff85e53eaad9deb5e5b8fef92210fb6bc0 |
| VeeamHax.exe | |
| w.exe | |
| w.rar | |
| win.exe | |
| WinRAR.exe | |
| WinRAR.zip | bc3088927f42f08fd5b8a22f43ba3683c310d59a0b0fe7022468d21275bc050a |
| winrar-x64.exe | |
| winrar-x64-701.exe | 31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6 |
| WinSCP.exe | |
| xxxxxxxxxxxxxx_BloodHound.zip |


Solace Cyber helps companies across the UK recover from ransomware attacks and data breaches.
Ransomware Recovery
Ransomware Groups
BEC Recovery
About Us
Blog
News
SOLACE CYBER LTD is registered in England & Wales no. 14028838

Solace Cyber
Twin Sails House,
W Quay Rd,
Poole, BH15 1JF
United Kingdom