
CISA Updates Akira Advisory as Ransomware Earns $244 Million

Date April 3, 2026 / By: Erik Berg / 5 Min Read

CISA issued an updated joint advisory on Akira ransomware on 13 November, warning that the group has claimed $244 million in ransom payments since March 2023 and has accelerated attacks on critical infrastructure. The advisory reflects new intelligence about the group’s tactics, including deployment of an Akira_v2 variant that enables faster encryption and deeper system damage.

The timing matters. Akira, which CISA links to Storm-1567, Howling Scorpius, Punk Spider and Gold Sahara, has moved beyond opportunistic targeting to sustained campaigns against essential services. The group hit Swedish infrastructure hard in January 2024 when it attacked Tietoevry’s datacenter, disrupting government payroll systems and forcing cinema chains and retail stores offline for weeks.

The New Variant Changes the Recovery Calculation

Akira_v2 represents a tactical shift. According to CISA’s analysis, the Rust-based variant encrypts files faster than previous versions and further inhibits system recovery. That suggests the group has addressed a core ransomware problem: leaving victims just enough hope of recovery to make paying look preferable to rebuilding from scratch.

The group deploys multiple encryptors depending on the target environment. Windows systems get hit with the original C++ Akira variant or the newer Rust-based tools. Linux environments face purpose-built variants targeting VMware ESXi and, as of June 2025, Nutanix AHV virtual machines. CISA confirmed that Akira exploited CVE-2024-40766, a SonicWall vulnerability, to reach the Nutanix environment in what appears to be the first documented attack on that platform.

The Megazord variant, which encrypted files with .powerranges extensions, has largely fallen out of use since 2024, according to CISA’s assessment. But the core problem remains. Akira maintains working decryptors, which distinguishes it from groups that promise keys they cannot deliver.

Sweden Learned the Hard Way About Cloud Exposure

The Tietoevry attack in January 2024 demonstrated how quickly a single compromised datacenter can cascade across an entire country’s digital infrastructure. Akira hit the Finnish company’s Swedish facility using CVE-2023-20269, a Cisco ASA VPN vulnerability that had been patched four months earlier. The attack encrypted virtualization servers that hosted applications for major Swedish businesses and government entities.

Cinema chain Filmstaden could not sell tickets online. Retail chain Rusta kept physical stores open but lost e-commerce completely. Most critically, the attack disrupted Primula, a payroll system used by Swedish universities and more than 30 government authorities including the Swedish State Service Centre that manages administrative services for nearly 170 government agencies.

The January salaries had been processed before the attack, but the incident exposed how dependent Sweden’s public sector had become on a single cloud provider’s infrastructure. It is reported that Akira’s attack specifically targeted Tietoevry’s virtualization and management servers, encrypting the platforms that hosted websites and applications for dozens of Swedish organizations simultaneously.

The VPN Problem Is Not Getting Better

CISA’s advisory confirms that Akira continues to exploit VPN appliances as its primary entry vector, particularly targeting organizations that have not implemented multifactor authentication. The group has been observed exploiting CVE-2020-3259 and CVE-2023-20269 in Cisco devices and CVE-2024-40766 in SonicWall appliances.

But the SonicWall campaign that began in July 2025 showed tactical evolution. Rather than hitting random vulnerable appliances, Akira specifically targeted financial institutions’ remote access infrastructure. According to the advisory, this represents a more strategic approach to victim selection based on sector-specific attack surfaces.

The group also demonstrated new persistence techniques using tunneling utilities like Ngrok to establish encrypted command-and-control sessions that are harder to detect and disrupt. These sessions give Akira operators the access they need to exfiltrate data using tools like WinRAR, FileZilla and RClone before deploying the encryption payload.
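As an added illustration, not code from the advisory or from this article’s author: a small Python detector run over constructed process-creation events that flags execution of the Ngrok tunneling utility and the “archive with WinRAR, then upload with RClone” sequence on a single host, the staging-then-exfiltration pattern described above. The event fields, tool names and the one-hour correlation window are assumptions.

```python
import json
import os
from datetime import datetime, timedelta

# Tool classes taken from the advisory's description; file names are assumed.
TUNNEL_TOOLS = {"ngrok.exe"}
ARCHIVE_TOOLS = {"winrar.exe", "rar.exe"}
TRANSFER_TOOLS = {"rclone.exe", "filezilla.exe"}
EXFIL_WINDOW = timedelta(hours=1)  # assumed window between staging and upload

# Constructed sample telemetry (not real logs), one JSON event per line.
SAMPLE_EVENTS = r"""
{"ts":"2026-01-10T02:11:05","host":"fs01","image":"C:\\Tools\\ngrok.exe","cmd":"ngrok tcp 3389"}
{"ts":"2026-01-10T02:20:41","host":"fs01","image":"C:\\Program Files\\WinRAR\\WinRAR.exe","cmd":"WinRAR.exe a -r D:\\stage\\finance.rar \\\\fs01\\finance"}
{"ts":"2026-01-10T02:34:09","host":"fs01","image":"C:\\Users\\svc\\rclone.exe","cmd":"rclone copy D:\\stage remote:bucket"}
{"ts":"2026-01-10T09:00:00","host":"ws07","image":"C:\\Program Files\\WinRAR\\WinRAR.exe","cmd":"WinRAR.exe x report.rar"}
"""


def parse_events(raw):
    """Parse JSON lines, normalise the executable name and sort by time."""
    events = []
    for line in raw.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["tool"] = os.path.basename(e["image"].replace("\\", "/")).lower()
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def is_archive_create(cmd):
    """WinRAR/rar use 'a' to add files to an archive; extraction ('x'/'e') is routine."""
    parts = cmd.split()
    return len(parts) > 1 and parts[1].lower() == "a"


def detect(events):
    """Return (host, rule, timestamp) alerts for tunneling and staging-then-transfer."""
    alerts = []
    last_archive = {}  # host -> time of the most recent archive creation
    for e in events:
        host, tool = e["host"], e["tool"]
        if tool in TUNNEL_TOOLS:
            alerts.append((host, "tunnel_tool", e["ts"]))
        elif tool in ARCHIVE_TOOLS and is_archive_create(e["cmd"]):
            last_archive[host] = e["ts"]
        elif tool in TRANSFER_TOOLS:
            staged = last_archive.get(host)
            if staged is not None and e["ts"] - staged <= EXFIL_WINDOW:
                alerts.append((host, "staging_then_transfer", e["ts"]))
    return alerts


if __name__ == "__main__":
    for host, rule, ts in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()} {host}: {rule}")
```

The extraction on ws07 is deliberately not flagged, so the rule keys on archive creation followed by a transfer tool rather than on WinRAR alone.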

What the $244 Million Figure Actually Means

CISA’s $244 million figure comes from ransom payments the group has confirmed receiving, not total demands issued. This is a critical distinction. Most ransomware tracking relies on leak site postings and public disclosures, which typically represent failed negotiations rather than successful extortions. The CISA figure suggests law enforcement has deeper visibility into Akira’s financial operations than usual.

That level of financial success explains why Akira has maintained operational security better than many ransomware groups. The advisory notes connections to the defunct Conti operation but treats attribution cautiously, describing the links as analytical assessments rather than confirmed fact. That restraint is appropriate given how quickly attribution claims spread in security industry reporting.

Patch These CVEs Now

CISA’s advisory provides a clear priority list. Organizations running Cisco ASA or Firepower Threat Defense appliances should verify patches for CVE-2020-3259 and CVE-2023-20269 are installed. SonicWall users need CVE-2024-40766 addressed immediately. Veeam Backup and Replication environments require patches for CVE-2023-27532 and CVE-2024-40711.

But patching alone is insufficient. CISA emphasizes that multifactor authentication must be enforced on all VPN connections, not just implemented as an option. The advisory also recommends regular backup testing, noting that Akira specifically targets backup systems to prevent recovery without paying ransom.

Organizations should also review their cloud service dependencies. The Tietoevry incident demonstrated that a single compromised provider can affect dozens of downstream customers simultaneously. Having backup access to critical systems through alternative providers may be worth the additional cost.



By: Erik Berg

He has worked in IT security for 12 years in both the private sector and the public sector, with Security Operations (Blue Teaming) and as a security manager at several IT companies.
