
S1129: Akira

Akira ransomware, written in C++, is most prominently (but not exclusively) associated with the ransomware-as-a-service entity Akira. Akira ransomware has been used in attacks across North America, Europe, and Australia, with a focus on critical infrastructure sectors including manufacturing, education, and IT services. Akira ransomware employs hybrid encryption and threading to increase the speed and efficiency of encryption and runtime arguments for tailored attacks. Notable variants include Rust-based Megazord for targeting Windows and Akira_v2 for targeting VMware ESXi servers.[1][2][3]

Domain: Enterprise | ID: S1129 | Type: Malware | Object version: 2.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Akira is a Windows ransomware family that MITRE describes as C++-based, using hybrid encryption, threading for faster encryption, and runtime arguments for tailored attacks. For leaders, the practical issue is not just malware execution; it is whether the organization can detect pre-encryption discovery and execution behavior, protect recovery paths, and make fast incident decisions before business-critical Windows data and shared resources are encrypted.

Executive priority

Treat this as a resilience and recovery-readiness priority. The ATT&CK relationships connect Akira to execution through WMI, PowerShell, Windows command shell, and native APIs; discovery of processes, systems, files, directories, and network shares; and impact behaviors including data encryption and inhibition of system recovery. Executives should ask whether critical Windows systems, file shares, backup controls, and recovery evidence are monitored well enough to support ransomware response decisions, audit expectations, and continuity planning.

Technical view

SOC and IR teams should validate coverage around the related ATT&CK behaviors rather than relying on a single malware indicator. On Windows, confirm visibility into WMI execution, PowerShell and cmd activity, unusual process creation, system/process/file/share discovery, high-volume file modification consistent with encryption, and attempts to weaken recovery mechanisms such as shadow copy or backup-related controls. Because MITRE provides no official detection text for S1129, detections should be built from the linked techniques and tuned against known administrative activity.

Likely telemetry

  • Windows process creation and command-line telemetry
  • PowerShell execution logs and script/block-level visibility where available
  • WMI activity and remote/local WMI execution records
  • Windows command shell execution records
  • EDR or host telemetry for native API-driven process, file, and system activity

Detection direction

  • Map detections to the related techniques: T1047, T1059.001, T1059.003, T1057, T1082, T1083, T1106, T1135, T1486, and T1490.
  • Prioritize chained behavior: discovery of processes, systems, files, and shares followed by suspicious command execution, mass file modification, or recovery-inhibition activity.
  • Tune carefully for legitimate administration, software deployment, backup operations, indexing, and file migration activity that can resemble discovery or bulk file access.
  • Validate that file server and endpoint telemetry are correlated; ransomware impact may be visible first as abnormal share access or rapid file changes rather than a distinctive malware name.
  • Because no official detection guidance is supplied for the malware object, avoid asserting coverage from signatures alone and test detections against the underlying behaviors.
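A worked example of the chained detection logic described above, added here and not part of the MITRE object or Glexia's own text. It runs over constructed Windows process-creation events (Sysmon EID 1 / 4688-style fields, not real telemetry), maps command-line patterns to the technique IDs listed above, and raises severity when recovery inhibition follows discovery on the same host; the allowlisted parent image is the tuning hook for known backup tooling.

```python
import re
from datetime import datetime, timedelta

# Command-line patterns keyed by the ATT&CK IDs this page links (matched case-insensitively).
PATTERNS = {
    "T1490": [r"win32_shadowcopy.*(delete|remove-wmiobject)",
              r"vssadmin.*delete\s+shadows", r"wmic.*shadowcopy.*delete"],
    "T1135": [r"\bnet1?\s+(view|share)\b"],
    "T1057": [r"\btasklist\b", r"\bget-process\b"],
    "T1082": [r"\bsysteminfo\b", r"\bget-computerinfo\b"],
}
DISCOVERY = {"T1135", "T1057", "T1082"}

# Constructed process-creation events (Sysmon EID 1 / 4688 style); not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-04-01T10:00:05", "host": "FS01", "image": "net.exe", "parent": "cmd.exe",
     "cmdline": r"net view \\FS01"},
    {"ts": "2024-04-01T10:00:09", "host": "FS01", "image": "powershell.exe", "parent": "cmd.exe",
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"ts": "2024-04-01T11:30:00", "host": "WS07", "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"ts": "2024-04-02T02:00:00", "host": "BK01", "image": "powershell.exe", "parent": "backupagent.exe",
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
]

def classify(event):
    """Return the technique IDs an event matches: command-line patterns plus execution context."""
    hits = {tid for tid, pats in PATTERNS.items()
            if any(re.search(p, event["cmdline"], re.I) for p in pats)}
    if hits and event["image"].lower().startswith("powershell"):
        hits.add("T1059.001")          # PowerShell execution (page: shadow copies deleted via PowerShell)
    if hits and event["parent"].lower() == "wmiprvse.exe":
        hits.add("T1047")              # launched by the WMI provider host
    return hits

def find_chains(events, window=timedelta(minutes=30), allow_parents=()):
    """Alert on T1490 per host; 'high' when discovery preceded it within window, else 'medium'."""
    alerts, history = [], {}           # history: host -> [(timestamp, technique set)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, hits = datetime.fromisoformat(ev["ts"]), classify(ev)
        if not hits:
            continue
        past = history.setdefault(ev["host"], [])
        if "T1490" in hits and ev["parent"].lower() not in allow_parents:  # tuning hook for backup tooling
            prior = {t for t0, techs in past if ts - t0 <= window for t in techs & DISCOVERY}
            alerts.append({"host": ev["host"], "ts": ev["ts"],
                           "severity": "high" if prior else "medium",
                           "techniques": sorted(hits | prior)})
        past.append((ts, hits))
    return alerts
```

Running `find_chains(SAMPLE_EVENTS, allow_parents=("backupagent.exe",))` yields a single high-severity alert for FS01; without the allowlist the BK01 event is also raised at medium severity.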

Mitigation priorities

  • Harden and monitor administrative execution paths used in the relationships, especially WMI, PowerShell, and Windows command shell.
  • Limit unnecessary administrative privileges and remote execution capability on Windows systems.
  • Protect recovery options with separated, access-controlled, and tested backups; monitor for attempts to disable or delete recovery mechanisms.
  • Reduce exposure of sensitive or broadly writable network shares and review permissions on critical shared storage.
  • Run ransomware response exercises that verify escalation paths, backup restoration, evidence preservation, and business decision points before encryption events occur.

Analyst notes and limits

MITRE identifies Akira as ransomware associated most prominently, but not exclusively, with the Akira ransomware-as-a-service entity, and notes use across North America, Europe, and Australia with focus on critical infrastructure sectors including manufacturing, education, and IT services. The supplied object also notes variants including Megazord and Akira_v2, but this specific object’s platform field is Windows; any ESXi-specific assessment should be handled through the relevant variant object and local evidence.

The official detection field is not provided, and the malware object has no tactics specified directly. This take is therefore derived from the official description, external references, and supplied ATT&CK relationships. Local telemetry, asset criticality, backup architecture, and administrative baselines are required to determine actual exposure or detection coverage.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

10 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1083 | File and Directory Discovery

Akira examines files prior to encryption to determine if they meet requirements for encryption and can be encrypted by the ransomware. These checks are performed through native Windows functions such as GetFileAttributesW. [1][3]

Enterprise | T1082 | System Information Discovery

Akira uses the GetSystemInfo Windows function to determine the number of processors on a victim machine. [1]

Enterprise | T1059.001 | PowerShell (sub-technique)

Akira will execute PowerShell commands to delete system volume shadow copies. [1][2]

Enterprise | T1047 | Windows Management Instrumentation

Akira will leverage COM objects accessed through WMI during execution to evade detection. [1]

Enterprise | T1059.003 | Windows Command Shell (sub-technique)

Akira executes from the Windows command line and can take various arguments for execution. [1]

Enterprise | T1135 | Network Share Discovery

Akira can identify remote file shares for encryption. [1]

Enterprise | T1106 | Native API

Akira executes native Windows functions such as GetFileAttributesW and GetSystemInfo. [1]

Enterprise | T1490 | Inhibit System Recovery

Akira will delete system volume shadow copies via PowerShell commands. [1][2]

Enterprise | T1057 | Process Discovery

Akira verifies the deletion of volume shadow copies by checking for the existence of the process ID related to the process created to delete these items. [1]

Enterprise | T1486 | Data Encrypted for Impact

Akira can encrypt victim filesystems for financial extortion purposes including through the use of the ChaCha20 and ChaCha8 stream ciphers. [1][2][3]

Associated objects

Groups, software, and campaigns

Group Enterprise

G1024: Akira

Akira is a ransomware variant and ransomware deployment entity active since at least March 2023.[1] Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly available tools and techniques for lateral movement.[1][2] Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMware ESXi hypervisors and multiple overlaps with Conti ransomware.[3][4][5]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: 3fe511ae2e0e17c1...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.0 | | Current bundle | 3fe511ae2e0e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Kersten Akira 2023: Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024.
  [2] CISA Akira Ransomware APR 2024: CISA et al. (2024, April 18). #StopRansomware: Akira Ransomware. Retrieved December 10, 2024.
  [3] Cisco Akira Ransomware OCT 2024: Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024.
  [4] mitre-attack S1129: MITRE ATT&CK software entry S1129 (Akira) on attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.