Akira Ransomware: A Persistent Threat to MSP Operations

Despite being first identified in early 2023, Akira ransomware continues to pose a significant threat to managed service providers and their clients throughout 2024 and into 2025. Akira ransomware has targeted numerous small and medium businesses and MSPs. By April 2024, more than $42 million had been extorted from victims and its prevalence has only grown since then.

Akira Recommendations from CISA

The CISA advisory AA24-109A, released in April 2024, highlighted critical vulnerabilities and attack vectors that Akira operators still actively exploit today. Todyl continues to observe active deployments of both newer Akira variants and legacy versions that use the same initial access vectors outlined in the original CISA guidance, demonstrating the group's ability to exploit the interconnected nature of MSP environments.

CISA's recommended actions to take today to mitigate cyber threats from Akira ransomware:

  • Prioritize remediating known exploited vulnerabilities.
  • Enable multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems.
  • Regularly patch and update software and applications to their latest version and conduct regular vulnerability assessments.

Todyl’s Akira Findings: Tactics, Techniques, and Procedures (TTPs)

In the attacks Todyl has monitored, the threat actor starts by bypassing the external network perimeter and gaining access to a machine over RDP with compromised credentials. The threat actor then performs reconnaissance to find other machines on the network, targeting the domain controller.

Domain reconnaissance

The attacker discovers other hosts using ping or PowerShell. With nltest.exe and net.exe on the domain controller, they enumerate domain admins, domain controllers, and all trusted domains in the Active Directory forest.

The attacker then maps out the network and prioritizes compromising higher-privileged accounts using downloaded tools such as:

  • netscan.exe
  • masscan
  • Advanced IP Scanner

Threat actors also use the system’s Notepad to copy down user and domain enumeration information in .txt files.

Additional tactics

Before deploying ransomware, the attacker exfiltrates data through a cloud data provider. Interestingly, Todyl recently observed cases where threat actors uninstalled the EDR on every machine they moved to. Instead of using advanced techniques, they simply removed it through the EDR’s own uninstall process. Because the EDR wasn’t set up with tamper protection, this left an easy loophole for the attacker to exploit.
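As an added example that is not Todyl's detection content and is not taken from the CISA advisory, the following Python flags the domain reconnaissance commands and the self-uninstall of the EDR described above when run over process-creation events. The events, host names, user names, file paths and the EDR product keywords are constructed assumptions; real Sysmon Event ID 1 or Security 4688 records would be mapped onto the same `host`, `user` and `cmdline` fields before calling `score_hosts`.

```python
import re
from collections import defaultdict

# Regexes keyed by technique, derived from the TTPs described on this page.
RECON_PATTERNS = {
    "domain_trust_enum": re.compile(r"\bnltest(\.exe)?\b.*?(/domain_trusts|/dclist)", re.I),
    "domain_admin_enum": re.compile(r'\bnet1?(\.exe)?\s+group\s+"?(domain|enterprise) admins"?\s+/domain', re.I),
    "network_scanner":   re.compile(r"\b(netscan\.exe|masscan|advanced_ip_scanner)\b", re.I),
    "enum_notes":        re.compile(r"\bnotepad(\.exe)?\b.*\.txt\b", re.I),
}

# Removal of an agent through the installer itself. The keywords that mark the
# EDR product are an assumption; replace them with the names your EDR uses.
EDR_KEYWORDS = ("edr", "sensor", "endpoint agent")
UNINSTALL_PATTERNS = (
    re.compile(r"\bmsiexec(\.exe)?\b.*\s(/x|/uninstall)\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+product\b.*\bcall\s+uninstall\b", re.I),
)


def classify(event):
    """Return the technique tags that one process-creation event matches."""
    cmd = event["cmdline"]
    tags = [name for name, rx in RECON_PATTERNS.items() if rx.search(cmd)]
    if any(rx.search(cmd) for rx in UNINSTALL_PATTERNS):
        # Any installer-driven removal is worth a look; one that names the EDR
        # is the exact scenario described on this page.
        names_edr = any(k in cmd.lower() for k in EDR_KEYWORDS)
        tags.append("edr_uninstall" if names_edr else "software_uninstall")
    return tags


def score_hosts(events):
    """Aggregate tags per host. A single enumeration command is weak evidence;
    several distinct enumeration techniques on one host, or any EDR removal,
    is rated high."""
    per_host = defaultdict(lambda: {"tags": set(), "users": set()})
    for ev in events:
        for tag in classify(ev):
            per_host[ev["host"]]["tags"].add(tag)
            per_host[ev["host"]]["users"].add(ev["user"])
    findings = {}
    for host, info in per_host.items():
        recon = info["tags"] & set(RECON_PATTERNS)
        if "edr_uninstall" in info["tags"] or len(recon) >= 2:
            sev = "high"
        elif recon or "software_uninstall" in info["tags"]:
            sev = "medium"
        else:
            continue
        findings[host] = {"severity": sev,
                          "tags": sorted(info["tags"]),
                          "users": sorted(info["users"])}
    return findings


# Constructed events shaped like Sysmon EID 1 / Security 4688 records; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\jsmith", "cmdline": "nltest /domain_trusts /all_trusts"},
    {"host": "DC01", "user": "CORP\\jsmith", "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "DC01", "user": "CORP\\jsmith", "cmdline": "nltest.exe /dclist:corp.example"},
    {"host": "WS07", "user": "CORP\\jsmith", "cmdline": "C:\\Users\\Public\\netscan.exe /range:10.0.0.0/24"},
    {"host": "WS07", "user": "CORP\\jsmith", "cmdline": "notepad.exe C:\\Users\\Public\\domain_users.txt"},
    {"host": "WS07", "user": "CORP\\jsmith", "cmdline": "msiexec.exe /x C:\\ProgramData\\ExampleEDR\\sensor.msi /qn"},
    {"host": "WS12", "user": "CORP\\adm-svc", "cmdline": "msiexec.exe /x {PLACEHOLDER-PRODUCT-CODE} /qn"},
    {"host": "FS02", "user": "CORP\\mlee", "cmdline": "C:\\Program Files\\Notepad++\\notepad++.exe report.docx"},
]

if __name__ == "__main__":
    for host, finding in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {finding['severity']} {finding['tags']} users={finding['users']}")
```

With the constructed events, DC01 and WS07 rate high (two enumeration techniques on the domain controller; scanner use, enumeration notes and an EDR removal on the workstation), WS12 rates medium for an uninstall that does not name the EDR, and FS02 produces nothing. Rating per host rather than per command is the point: it turns single commands that are individually legitimate for administrators into the consistent behavior pattern the page describes.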

Analyzing these TTPs is about more than drawing conclusions from a single data point; one must identify consistent behavior patterns. Todyl used these patterns to detect and track Akira's various activities.

How MSPs can Combat Akira Ransomware

The ransomware group has repeatedly targeted managed service environments, with several high-profile MSP breaches documented in 2024. These attacks show a clear understanding of how to exploit MSP infrastructure to spread impact across multiple client organizations.

What to do today

  • Threat intelligence from the April 2024 CISA advisory (AA24-109A, page 5) is still current and actionable. Continue to monitor for the listed indicators of compromise and for other attack patterns as Todyl identifies them.
  • Implement comprehensive detection and response capabilities to identify and contain Akira ransomware before it can propagate. The persistence of older attack methods underscores this critical need.
  • Ensure EDR solutions have tamper protection enabled.
  • Ensure adequate logging exists for the environment and that logs cannot be overwritten or deleted by attackers.
  • Use proper change controls and have alerts set for changes outside of routine maintenance windows.
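The last item, alerting on changes outside routine maintenance windows, is shown below as an added Python example; it is not Todyl's tooling. The maintenance windows, change types, hosts, actors and ticket numbers are constructed, and the feed of change records is assumed to come from whatever change-management or configuration-audit source the environment already has. It goes slightly beyond the bullet by handling windows that cross midnight and by treating the sensitive changes this page discusses (EDR removal, audit policy changes, new admin accounts) more strictly than routine ones.

```python
from datetime import datetime, time, timezone

# Recurring approved windows in UTC, weekday Mon=0 .. Sun=6. Constructed policy.
# A window whose start is later than its end crosses midnight into the next day.
MAINTENANCE_WINDOWS = [
    {"weekday": 5, "start": time(22, 0), "end": time(2, 0)},  # Sat 22:00 -> Sun 02:00
    {"weekday": 2, "start": time(1, 0), "end": time(3, 0)},   # Wed 01:00 -> 03:00
]

# Change types that should never happen silently; the names are assumptions.
SENSITIVE_CHANGES = {"edr_uninstall", "audit_policy_changed", "log_cleared",
                     "gpo_modified", "new_admin_account"}


def in_window(ts, windows=MAINTENANCE_WINDOWS):
    """True if the aware timestamp falls inside any approved window."""
    ts = ts.astimezone(timezone.utc)
    for w in windows:
        if w["start"] <= w["end"]:
            if ts.weekday() == w["weekday"] and w["start"] <= ts.time() < w["end"]:
                return True
        else:
            # Window crosses midnight: late part of its day, early part of the next.
            same_day = ts.weekday() == w["weekday"] and ts.time() >= w["start"]
            next_day = ts.weekday() == (w["weekday"] + 1) % 7 and ts.time() < w["end"]
            if same_day or next_day:
                return True
    return False


def evaluate(change, windows=MAINTENANCE_WINDOWS):
    """Return an alert for a change that breaks change control, else None.
    Sensitive change outside a window: critical, ticket or not.
    Sensitive change inside a window but without a ticket: high.
    Any other change outside a window without a ticket: medium."""
    inside = in_window(change["ts"], windows)
    sensitive = change["type"] in SENSITIVE_CHANGES
    ticketed = bool(change.get("ticket"))
    if sensitive and not inside:
        severity = "critical"
    elif sensitive and not ticketed:
        severity = "high"
    elif not inside and not ticketed:
        severity = "medium"
    else:
        return None
    return {"severity": severity, "host": change["host"], "actor": change["actor"],
            "type": change["type"], "in_window": inside, "ticket": change.get("ticket")}


def run(changes, windows=MAINTENANCE_WINDOWS):
    """Evaluate a batch of change records and return only the alerts."""
    return [a for a in (evaluate(c, windows) for c in changes) if a]


# Constructed change records (2025-03-08 is a Saturday).
SAMPLE_CHANGES = [
    {"ts": datetime(2025, 3, 8, 23, 15, tzinfo=timezone.utc), "host": "DC01",
     "actor": "CORP\\adm-jlee", "type": "gpo_modified", "ticket": "CHG-0412"},
    {"ts": datetime(2025, 3, 9, 1, 30, tzinfo=timezone.utc), "host": "FS02",
     "actor": "CORP\\adm-jlee", "type": "patch_installed", "ticket": None},
    {"ts": datetime(2025, 3, 11, 14, 2, tzinfo=timezone.utc), "host": "WS07",
     "actor": "CORP\\jsmith", "type": "edr_uninstall", "ticket": None},
    {"ts": datetime(2025, 3, 13, 9, 40, tzinfo=timezone.utc), "host": "WS12",
     "actor": "CORP\\mlee", "type": "printer_driver_updated", "ticket": None},
    {"ts": datetime(2025, 3, 12, 2, 30, tzinfo=timezone.utc), "host": "DC01",
     "actor": "CORP\\adm-jlee", "type": "audit_policy_changed", "ticket": "CHG-0419"},
    {"ts": datetime(2025, 3, 12, 2, 30, tzinfo=timezone.utc), "host": "DC01",
     "actor": "CORP\\jsmith", "type": "new_admin_account", "ticket": None},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_CHANGES):
        print(alert)
```

With the constructed records, the ticketed GPO change on Saturday night and the patch early Sunday (inside the window that crosses midnight) are silent, the weekday EDR removal is critical, the unticketed printer driver update is medium, and the admin account created inside Wednesday's window without a ticket is high. A sensitive change remains critical outside a window even with a ticket, because a ticket proves intent was recorded, not that the person at the keyboard is who the ticket says.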
