S1194: Akira _v2
Analyst context for executives and security teams
Akira _v2 matters because it is a ransomware variant specifically described by ATT&CK as Rust-based and designed to target VMware ESXi servers. For leaders, the practical issue is not only endpoint ransomware coverage, but whether virtualization infrastructure, backups, logs, and incident response playbooks are ready for service disruption at the hypervisor layer.
Executive priority
Prioritize validation of resilience around ESXi-dependent business services: backup recoverability, administrative access controls, logging retention, and response authority to isolate or shut down affected virtualization assets. Because ATT&CK provides no detection text for this software, executives should ask for evidence of telemetry and tested response procedures rather than assume existing ransomware controls cover this variant.
Technical view
ATT&CK relationships show Akira _v2 using File and Directory Discovery, Execution Guardrails, Data Encrypted for Impact, Service Stop, Create or Modify System Process, and Log Enumeration. SOC and IR teams should validate visibility for discovery of files/directories and logs, service interruption activity, system process or service changes, and encryption-impact indicators on ESXi or related infrastructure where applicable. Detection work should be behavior-led because the object does not provide official detection logic.
Likely telemetry
- VMware ESXi host and management logs where collected
- File and directory enumeration evidence on affected hosts or shares
- System and service log access or enumeration records
- Service stop, disablement, or restart events
- System process, service, or persistence-related configuration changes
Detection direction
- Confirm whether ESXi and virtualization management logs are centrally collected and retained long enough for ransomware investigations.
- Tune for combinations of discovery, log enumeration, service stopping, process/service modification, and rapid file encryption rather than a single indicator.
- Account for false positives from legitimate administration, backup, maintenance, and incident response activity on virtualization hosts.
- Use the relationship context to hunt across discovery, stealth, persistence/privilege-escalation, and impact behaviors even though the malware object itself has no specified ATT&CK tactics.
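The multi-behaviour correlation the list above calls for, as an added example that is not from the page or from ATT&CK: it groups events per host and alerts only when several of the S1194 techniques listed on this page appear inside one time window, skipping hosts in an approved maintenance window. The event schema, field names and sample events are constructed assumptions, not a vendor log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical normalised event kinds mapped to the ATT&CK techniques this
# page lists for Akira _v2 (S1194). The kind names are an assumption.
TECHNIQUE_OF = {
    "file_enum": "T1083",    # File and Directory Discovery
    "log_enum": "T1654",     # Log Enumeration
    "vm_stop": "T1489",      # Service Stop (stopping running VMs)
    "proc_create": "T1543",  # Create or Modify System Process
    "vmfs_write": "T1486",   # Data Encrypted for Impact under /vmfs/volumes/
}


def correlate(events, window=timedelta(minutes=10), min_techniques=3, maintenance=()):
    """Return {host: sorted technique IDs} for every host that shows at least
    `min_techniques` distinct behaviours inside `window`. Hosts listed in
    `maintenance` are skipped to cut false positives from admin/backup work."""
    by_host = defaultdict(list)
    for e in events:
        if e["kind"] in TECHNIQUE_OF and e["host"] not in maintenance:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), TECHNIQUE_OF[e["kind"]]))
    hits = {}
    for host, evs in by_host.items():
        evs.sort()  # chronological; tuples sort by timestamp first
        for i, (t0, _) in enumerate(evs):
            # Distinct techniques seen from this event to the end of the window.
            seen = {tech for t, tech in evs[i:] if t - t0 <= window}
            if len(seen) >= min_techniques:
                hits[host] = sorted(seen)
                break
    return hits


# Constructed sample events (not real telemetry).
SAMPLE = [
    {"host": "esx01", "ts": "2025-01-01T02:00:00", "kind": "file_enum", "path": "/vmfs/volumes/ds1"},
    {"host": "esx01", "ts": "2025-01-01T02:01:30", "kind": "log_enum", "path": "/var/log"},
    {"host": "esx01", "ts": "2025-01-01T02:03:00", "kind": "vm_stop", "path": "vm-app01"},
    {"host": "esx01", "ts": "2025-01-01T02:04:10", "kind": "vmfs_write", "path": "/vmfs/volumes/ds1/app01/app01.vmdk"},
    {"host": "esx02", "ts": "2025-01-01T02:00:00", "kind": "vm_stop", "path": "vm-db01"},  # lone VM stop
    {"host": "esx03", "ts": "2025-01-01T02:00:00", "kind": "file_enum", "path": "/vmfs/volumes/ds2"},
    {"host": "esx03", "ts": "2025-01-01T02:02:00", "kind": "log_enum", "path": "/var/log"},
    {"host": "esx03", "ts": "2025-01-01T02:05:00", "kind": "vm_stop", "path": "vm-web01"},  # approved maintenance
]

if __name__ == "__main__":
    print(correlate(SAMPLE, maintenance={"esx03"}))
```

Only esx01 is flagged with the maintenance list applied; drop the list and esx03 is flagged too, which is the false-positive case the page warns about.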
Mitigation priorities
- Harden and monitor administrative access to virtualization infrastructure.
- Validate offline or otherwise resilient backups for ESXi-hosted workloads and rehearse restoration decisions.
- Restrict unnecessary service control and system process modification privileges.
- Ensure centralized logging for ESXi and related management planes cannot be easily lost during an incident.
- Maintain ransomware response playbooks that include virtualization-layer containment, evidence preservation, and business service prioritization.
Analyst notes and limits
This take is based on ATT&CK S1194 and its supplied relationships. The strongest business implication is concentration risk around VMware ESXi-hosted services and the need to prove visibility and recovery capability at that layer.
ATT&CK provides no official detection text, no malware platforms field, and no aliases for this object. VMware ESXi relevance is supported by the official description, while tactic and platform context is inferred only from the supplied relationships. Local telemetry, architecture, and control evidence are required to assess exposure or coverage.
Akira _v2
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1543 | Create or Modify System Process | Akira _v2 can create a child process for encryption.[1] |
| Enterprise | T1654 | Log Enumeration | Akira _v2 can enumerate the trace, debug, error, info, and warning logs on targeted systems.[2][3] |
| Enterprise | T1486 | Data Encrypted for Impact | The Akira _v2 encryptor targets the `/vmfs/volumes/` path by default and can use the rust-crypto 0.2.36 library crate for the encryption processes.[2][3] |
| Enterprise | T1083 | File and Directory Discovery | Akira _v2 can target specific files and folders for encryption.[1][2][3] |
| Enterprise | T1489 | Service Stop | Akira _v2 can stop running virtual machines.[1][2][3] |
| Enterprise | T1480 | Execution Guardrails | Akira _v2 will fail to execute if the targeted `/vmfs/volumes/` path does not exist or is not defined.[2] |
Groups, software, and campaigns
G1024: Akira
Akira is a ransomware variant and ransomware deployment entity active since at least March 2023.[1] Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly available tools and techniques for lateral movement.[1][2] Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMware ESXi hypervisors and multiple overlaps with Conti ransomware.[3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f0022243fe16… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CISA Akira Ransomware APR 2024: CISA et al. (2024, April 18). #StopRansomware: Akira Ransomware. Retrieved December 10, 2024.
[2] Cisco Akira Ransomware OCT 2024: Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024.
[3] Palo Alto Howling Scorpius DEC 2024: Zemah, Y. (2024, December 2). Threat Assessment: Howling Scorpius (Akira Ransomware). Retrieved January 8, 2025.
[4] mitre-attack S1194
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.