Threat Actor Profile
High APT
Description

Akira is a ransomware variant and ransomware deployment entity active since at least March 2023.[1] Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.[1][2] Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMWare ESXi hypervisors and multiple overlaps with Conti ransomware.[3][4][5]

Confidence Score
100%
Tags
mitre-attack crawled web-source mitre-group
First Seen

Unknown

Last Updated

April 29, 2026

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (16)
T1213 - Data from Information Repositories
Collection
T1560 - Archive Collected Data
Collection
T1219 - Remote Access Tools
Command and Control
T1558 - Steal or Forge Kerberos Tickets
Credential Access
T1027 - Obfuscated Files or Information
Defense Evasion
T1036 - Masquerading
Defense Evasion
T1078 - Valid Accounts
Defense Evasion
T1018 - Remote System Discovery
Discovery
T1482 - Domain Trust Discovery
Discovery
T1059 - Command and Scripting Interpreter
Execution
T1567 - Exfiltration Over Web Service
Exfiltration
T1486 - Data Encrypted for Impact
Impact
T1531 - Account Access Removal
Impact
T1657 - Financial Theft
Impact
T1021 - Remote Services
Lateral Movement
T1133 - External Remote Services
Persistence
STIX Data
{'aliases': [],
 'description': 'Akira is a ransomware variant and ransomware deployment entity '
                'active since at least March 2023.[1] Akira uses compromised '
                'credentials to access single-factor external access '
                'mechanisms such as VPNs for initial access, then various '
                'publicly-available tools and techniques for lateral '
                'movement.[1][2] Akira operations are associated with "double '
                'extortion" ransomware activity, where data is exfiltrated '
                'from victim environments prior to encryption, with threats to '
                'publish files if a ransom is not paid. Technical analysis '
                'of Akira ransomware indicates variants capable of targeting '
                'Windows or VMWare ESXi hypervisors and multiple overlaps '
                'with Conti ransomware.[3][4][5]',
 'external_references': [{'external_id': 'G1024',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1024/'}],
 'id': 'threat-actor--G1024',
 'metadata': {'crawled_at': '2026-04-29T14:32:21.976355+00:00',
              'mitre_group_id': 'G1024',
              'page_title': 'Akira, GOLD SAHARA, PUNK SPIDER, Howling '
                            'Scorpius, Group G1024 | MITRE ATT&CK®'},
 'name': 'Akira',
 'type': 'threat-actor'}