MITRE ATT&CK® Group

G1024: Akira

Akira is a ransomware variant and ransomware deployment entity active since at least March 2023.[1] Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly available tools and techniques for lateral movement.[1][2] Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMware ESXi hypervisors and multiple overlaps with Conti ransomware.[3][4][5]

Domain: Enterprise · ID: G1024 · Type: Group · Object version: 2.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Akira is documented by ATT&CK as a ransomware deployment entity associated with compromised credentials, single-factor external access such as VPNs, lateral movement using public tools, data theft before encryption, and double-extortion pressure. For leaders, the decision value is clear: resilience depends less on one malware signature and more on whether identity controls, remote access, Active Directory visibility, data-exfiltration monitoring, and recovery plans can withstand a credential-led ransomware intrusion.

Executive priority

Prioritize Akira as a ransomware-readiness use case for validating business continuity, identity hardening, and incident response decision-making. Executives should ask whether single-factor remote access still exists, whether privileged and domain credentials are monitored for abuse, whether sensitive data repositories such as SharePoint are covered by logging and governance, and whether recovery plans include Windows and VMware ESXi ransomware scenarios. Because ATT&CK notes double extortion, legal, communications, compliance, and data-loss response procedures should be exercised alongside technical restoration.

Technical view

ATT&CK does not provide a dedicated detection section for this group, so defenders should build coverage from the related behaviors and tools. Validate monitoring for: compromised valid accounts and external remote services, especially VPN and RDP use; credential-access tooling such as Mimikatz and LaZagne; Active Directory discovery via tools such as AdFind and domain trust discovery; remote execution and remote access tooling such as PsExec and other legitimate remote access tools; PowerShell execution; archiving before exfiltration; Rclone or similar cloud-storage synchronization; ransomware execution including Akira, Megazord, and Akira_v2; and impact behaviors such as encryption and account access removal. Coverage should include both endpoint and identity/control-plane telemetry, with special attention to ESXi, where Akira_v2 targeting is documented.

Likely telemetry

  • VPN, external remote service, and RDP authentication logs, including MFA status where available
  • Identity provider, Active Directory, Kerberos, and privileged-account activity logs
  • Endpoint process creation, command-line, script, and PowerShell logging
  • Remote administration and lateral movement evidence, including PsExec-like service creation or remote execution patterns
  • Credential dumping and stored-password recovery tool detections or behavioral traces

Detection direction

  • Start with identity-led intrusion detection: unusual successful logins to VPN or other external remote services, single-factor access paths, impossible travel, new device use, and anomalous privileged-account activity.
  • Correlate valid-account access with discovery and lateral movement: RDP sessions, PsExec-like remote execution, PowerShell activity, AdFind/domain trust queries, and remote system discovery should be reviewed as a sequence rather than isolated alerts.
  • Tune carefully for dual-use tools. PsExec, AdFind, Rclone, PowerShell, and remote access tools can be legitimate, so detection should emphasize unusual users, hosts, timing, command lines, destinations, volume, and proximity to credential or ransomware activity.
  • Add exfiltration-oriented analytics before encryption: archive creation followed by large outbound transfers to cloud storage services is highly relevant to the documented double-extortion pattern.
  • Validate ESXi and virtualization monitoring explicitly. ATT&CK notes Akira variants capable of targeting VMware ESXi, but many SOC programs have weaker hypervisor logging than endpoint logging.
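As an added illustration of the archive-then-transfer correlation described above (example code, not part of the Glexia or MITRE text), the Python below runs over constructed process-creation events and raises one alert per host/user pair whose archiving step is followed by a cloud-sync step, scoring it higher when the same actor ran Active Directory discovery first. The tool names are the ones this page lists; the four-hour window, the severity labels and all event values are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry). On FS01 a
# service account runs AD discovery, archives a share and pushes it to cloud
# storage; WS07 shows an isolated, benign WinRAR extraction for contrast.
EVENTS = [
    {"ts": "2024-05-01T01:05:00", "host": "FS01", "user": "svc-backup",
     "image": "AdFind.exe", "cmd": "AdFind.exe -f objectcategory=computer"},
    {"ts": "2024-05-01T01:40:00", "host": "FS01", "user": "svc-backup",
     "image": "WinRAR.exe", "cmd": "WinRAR.exe a -r D:\\tmp\\fin.rar \\\\FS01\\Finance"},
    {"ts": "2024-05-01T02:10:00", "host": "FS01", "user": "svc-backup",
     "image": "rclone.exe", "cmd": "rclone copy D:\\tmp remote:drop --transfers 8"},
    {"ts": "2024-05-01T09:00:00", "host": "WS07", "user": "jdoe",
     "image": "WinRAR.exe", "cmd": "WinRAR.exe x report.rar"},
]

# Stage by image name; the tools are the ones this page lists for Akira.
STAGES = {"discovery": {"nltest.exe", "adfind.exe"},
          "archive": {"winrar.exe", "rar.exe", "7z.exe"},
          "exfil": {"rclone.exe"}}


def stage_of(event):
    # Kill-chain stage for an event, or None for an unrelated process.
    return next((s for s, n in STAGES.items() if event["image"].lower() in n), None)


def find_exfil_chains(events, window=timedelta(hours=4)):
    # One alert per (host, user) whose archive step is followed by a cloud-sync
    # step inside `window`; earlier AD discovery by the same actor raises severity.
    by_actor = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_actor.setdefault((e["host"], e["user"]), []).append(e)
    alerts = []
    for (host, user), seq in by_actor.items():
        seen = {}  # stage -> timestamp of its most recent occurrence
        for e in seq:
            stage = stage_of(e)
            if stage is None:
                continue
            ts = datetime.fromisoformat(e["ts"])
            seen[stage] = ts
            if stage != "exfil" or "archive" not in seen:
                continue
            if ts - seen["archive"] > window:
                continue  # archive too old to tie to this transfer
            recon = "discovery" in seen and ts - seen["discovery"] <= window
            alerts.append({"host": host, "user": user,
                           "severity": "high" if recon else "medium",
                           "exfil_cmd": e["cmd"]})
    return alerts
```

In production the same logic would key on normalized process names from EDR or Sysmon event 1 and feed the alert into the identity-led triage described above rather than firing on WinRAR or Rclone alone.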

Mitigation priorities

  • Eliminate or strongly control single-factor external access, especially VPN and remote services; require phishing-resistant or otherwise strong MFA where feasible.
  • Reduce credential blast radius through privileged access management, least privilege, service-account governance, credential hygiene, and monitoring for Kerberos abuse.
  • Harden and monitor Active Directory and remote administration pathways, including RDP, PsExec-like execution, and legitimate remote access tools.
  • Restrict and monitor unsanctioned cloud-storage synchronization and high-risk data egress, while maintaining business-approved exceptions.
  • Improve ransomware resilience with segmented backups, tested restoration, protected backup credentials, and recovery playbooks that include Windows and ESXi scenarios.

Analyst notes and limits

The supplied ATT&CK object identifies Akira as a ransomware variant and deployment entity with aliases GOLD SAHARA, PUNK SPIDER, and Howling Scorpius. The most useful defensive framing is a credential-led ransomware intrusion that may include public tools, lateral movement, data collection, cloud-storage exfiltration, and encryption. Because many related tools are legitimate administration utilities, high-quality baselining and correlation are more important than single indicator matching.

ATT&CK provides no official detection text for this group, and the group object itself lists platforms and tactics as not specified. Platform guidance here is limited to the official description and related software/technique relationships, including Windows and VMware ESXi references. Local exposure, control effectiveness, and detection coverage must be confirmed from the organization’s own identity, endpoint, network, cloud, SaaS, and hypervisor telemetry.

Official MITRE ATT&CK definition

Akira

Akira is a ransomware variant and ransomware deployment entity active since at least March 2023.[1] Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly available tools and techniques for lateral movement.[1][2] Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMware ESXi hypervisors and multiple overlaps with Conti ransomware.[3][4][5]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

17 rows. Columns: Domain, ID, Name, Relationship / procedure.
Enterprise T1567.002 Exfiltration to Cloud Storage Sub-technique

Akira will exfiltrate victim data using applications such as Rclone.[2]

Enterprise T1213.002 Sharepoint Sub-technique

Akira has accessed and downloaded information stored in SharePoint instances as part of data gathering and exfiltration activity.[2]

Enterprise T1531 Account Access Removal

Akira deletes administrator accounts in victim networks prior to encryption.[2]

Enterprise T1482 Domain Trust Discovery

Akira uses the built-in Nltest utility or tools such as AdFind to enumerate Active Directory trusts in victim environments.[1]

Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

Akira has used legitimate names and locations for files to evade defenses.[5]

Enterprise T1078 Valid Accounts

Akira uses valid account information to remotely access victim networks, such as VPN credentials.[2][1][5]

Enterprise T1558 Steal or Forge Kerberos Tickets

Akira has used scripts to dump Kerberos authentication credentials.[5]

Enterprise T1018 Remote System Discovery

Akira uses software such as Advanced IP Scanner and MASSCAN to identify remote hosts within victim networks.[1]

Enterprise T1021.001 Remote Desktop Protocol Sub-technique

Akira has used RDP for lateral movement.[5]

Enterprise T1059.001 PowerShell Sub-technique

Akira has used PowerShell scripts for credential harvesting and privilege escalation.[5]

Enterprise T1657 Financial Theft

Akira engages in double-extortion ransomware, exfiltrating files then encrypting them, in order to prompt victims to pay a ransom.[3][4]

Enterprise T1486 Data Encrypted for Impact

Akira encrypts files in victim environments as part of ransomware operations.[3][4]

Enterprise T1133 External Remote Services

Akira uses compromised VPN accounts for initial access to victim networks.[2]

Enterprise T1027.001 Binary Padding Sub-technique

Akira has used binary padding to obfuscate payloads.[5]

Enterprise T1685 Disable or Modify Tools

Akira has disabled or modified security tools for defense evasion.[5]

Enterprise T1219 Remote Access Tools

Akira uses legitimate utilities such as AnyDesk and PuTTY for maintaining remote access to victim environments.[2][1]

Enterprise T1560.001 Archive via Utility Sub-technique

Akira uses utilities such as WinRAR to archive data prior to exfiltration.[2]

Associated objects

Groups, software, and campaigns

Tool · Enterprise

S0002: Mimikatz

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.[1][2]

Platforms: Windows

Tool · Enterprise

S0029: PsExec

PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[1][2]

Platforms: Windows

Malware · Enterprise

S1129: Akira

Akira ransomware, written in C++, is most prominently (but not exclusively) associated with the ransomware-as-a-service entity Akira. Akira ransomware has been used in attacks across North America, Europe, and Australia, with a focus on critical infrastructure sectors including manufacturing, education, and IT services. Akira ransomware employs hybrid encryption and threading to increase the speed and efficiency of encryption, and runtime arguments for tailored attacks. Notable variants include Rust-based Megazord for targeting Windows and Akira_v2 for targeting VMware ESXi servers.[1][2][3]

Platforms: Windows

Malware · Enterprise

S1191: Megazord

Megazord is a Rust-based variant of Akira ransomware that has been in use since at least August 2023 to target Windows environments. Megazord has been attributed to the Akira group based on overlapping infrastructure, though it is possibly not exclusive to the group.[1][2][3]

Platforms: Windows

Tool · Enterprise

S0349: LaZagne

LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. LaZagne is publicly available on GitHub.[1]

Platforms: Linux, macOS, Windows

Tool · Enterprise

S1040: Rclone

Rclone is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. Rclone has been used in a number of ransomware campaigns, including those associated with the Conti and DarkSide Ransomware-as-a-Service operations.[1][2][3][4][5]

Platforms: Linux, Windows, macOS
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: 94a6589eab709b93...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.0 | | Current bundle | 94a6589eab70…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Arctic Wolf Akira 2023. Steven Campbell, Akshay Suthar, & Connor Belfiorre. (2023, July 26). Conti and Akira: Chained Together. Retrieved February 20, 2024.
  2. [2] Secureworks GOLD SAHARA. Secureworks. (n.d.). GOLD SAHARA. Retrieved February 20, 2024.
  3. [3] BushidoToken Akira 2023. Will Thomas. (2023, September 15). Tracking Adversaries: Akira, another descendent of Conti. Retrieved February 21, 2024.
  4. [4] CISA Akira Ransomware APR 2024. CISA et al. (2024, April 18). #StopRansomware: Akira Ransomware. Retrieved December 10, 2024.
  5. [5] Cisco Akira Ransomware OCT 2024. Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024.
  6. [6] Palo Alto Howling Scorpius DEC 2024. Zemah, Y. (2024, December 2). Threat Assessment: Howling Scorpius (Akira Ransomware). Retrieved January 8, 2025.
  7. [7] CrowdStrike PUNK SPIDER. CrowdStrike. (n.d.). Punk Spider. Retrieved February 20, 2024.
  8. [8] GOLD SAHARA. (Citation: Secureworks GOLD SAHARA)
  9. [9] Howling Scorpius. (Citation: Palo Alto Howling Scorpius DEC 2024)
  10. [10] PUNK SPIDER. (Citation: CrowdStrike PUNK SPIDER)
  11. [11] mitre-attack G1024.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.