{ "modified": "2025-03-11T15:36:38.244Z", "name": "Akira", "description": "[Akira](https://attack.mitre.org/groups/G1024) is a ransomware variant and ransomware deployment entity active since at least March 2023.(Citation: Arctic Wolf Akira 2023) [Akira](https://attack.mitre.org/groups/G1024) uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.(Citation: Arctic Wolf Akira 2023)(Citation: Secureworks GOLD SAHARA) [Akira](https://attack.mitre.org/groups/G1024) operations are associated with \"double extortion\" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of [Akira](https://attack.mitre.org/software/S1129) ransomware indicates variants capable of targeting Windows or VMWare ESXi hypervisors and multiple overlaps with [Conti](https://attack.mitre.org/software/S0575) ransomware.(Citation: BushidoToken Akira 2023)(Citation: CISA Akira Ransomware APR 2024)(Citation: Cisco Akira Ransomware OCT 2024)", "aliases": [ "Akira", "GOLD SAHARA", "PUNK SPIDER", "Howling Scorpius" ], "x_mitre_deprecated": false, "x_mitre_version": "2.0", "x_mitre_contributors": [ "Jiraput Thamsongkrah" ], "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--46bb06cb-f2d9-4b37-8c92-a27e224ad90d", "created": "2024-02-20T23:59:25.966Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1024", "external_id": "G1024" }, { "source_name": "PUNK SPIDER", "description": "(Citation: CrowdStrike PUNK SPIDER)" }, { "source_name": "Howling Scorpius", "description": "(Citation: Palo Alto Howling Scorpius DEC 2024)" }, { "source_name": "GOLD SAHARA", "description": "(Citation: Secureworks GOLD SAHARA)" }, { "source_name": "CISA Akira Ransomware APR 2024", "description": "CISA et al. (2024, April 18). #StopRansomware: Akira Ransomware. Retrieved December 10, 2024.", "url": "https://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira-ransomware_2.pdf" }, { "source_name": "CrowdStrike PUNK SPIDER", "description": "CrowdStrike. (n.d.). Punk Spider. Retrieved February 20, 2024.", "url": "https://www.crowdstrike.com/adversaries/punk-spider/" }, { "source_name": "Cisco Akira Ransomware OCT 2024", "description": "Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024.", "url": "https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/" }, { "source_name": "Secureworks GOLD SAHARA", "description": "Secureworks. (n.d.). GOLD SAHARA. Retrieved February 20, 2024.", "url": "https://www.secureworks.com/research/threat-profiles/gold-sahara" }, { "source_name": "Arctic Wolf Akira 2023", "description": "Steven Campbell, Akshay Suthar, & Connor Belfiorre. (2023, July 26). Conti and Akira: Chained Together. Retrieved February 20, 2024.", "url": "https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/" }, { "source_name": "BushidoToken Akira 2023", "description": "Will Thomas. (2023, September 15). Tracking Adversaries: Akira, another descendent of Conti. Retrieved February 21, 2024.", "url": "https://blog.bushidotoken.net/2023/09/tracking-adversaries-akira-another.html" }, { "source_name": "Palo Alto Howling Scorpius DEC 2024", "description": "Zemah, Y. (2024, December 2). Threat Assessment: Howling Scorpius (Akira Ransomware). Retrieved January 8, 2025.", "url": "https://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "enterprise-attack" ] }