Akira is a relatively new but highly capable ransomware operation that has rapidly gained attention since its identification in May 2023, particularly for its impact on healthcare organizations in the United States and abroad. It is known for its double-extortion model, in which attackers encrypt a victim’s data, exfiltrate sensitive information, and threaten to publish it unless an additional payment is made.
Akira’s operations typically begin with compromised credentials, and the operators maintain persistence by abusing legitimate remote access tools such as AnyDesk and LogMeIn. Once inside, they frequently delete Volume Shadow Copy Service backups through PowerShell commands, leaving organizations with limited recovery options if they refuse to pay.
Healthcare entities face unusually high levels of risk from Akira for several reasons. Health data is among the most sensitive and valuable information on the black market, and its exposure can directly compromise patient privacy and care. Many healthcare systems also rely on outdated or fragmented IT infrastructure, creating ideal conditions for credential theft, privilege escalation, and network traversal.
A peer-reviewed cohort study indexed in JAMA Network found that “the annual number of ransomware attacks on health care delivery organizations more than doubled from 2016 to 2021, exposing the personal health information of nearly 42 million patients.” This pattern of rising frequency and sophistication shows why attacks like Akira’s are so disruptive.
Akira is widely believed to be linked to former Conti ransomware operators, who dispersed in 2022 after a series of high-impact attacks across multiple sectors. Many researchers point to similarities in encryption routines, infrastructure reuse, and communication patterns that suggest a migration of talent from Conti to Akira.
Akira’s adoption of a ransomware-as-a-service (RaaS) model allowed affiliates to run attacks across diverse environments, enabling rapid proliferation. As the CISA joint advisory on Akira notes, “Akira threat actors…have also impacted larger organizations across various sectors, with a notable preference for organizations in the…healthcare and public health sectors.”
This flexibility has made the group especially effective at targeting modern healthcare systems. Their intrusions typically begin with exploited VPN vulnerabilities, stolen remote access credentials, or successful phishing attempts. Once inside, the attackers deploy strong encryption, ChaCha20 combined with RSA-4096, to lock down systems in ways that are practically impossible to undo without the decryption keys.
The connection to Conti’s playbook has made Akira particularly dangerous for healthcare organizations. It inherited proven methods for infiltrating medical networks and refined them into an aggressive double-extortion approach: stealing sensitive protected health information, threatening to leak it, and encrypting entire domains to halt clinical operations. The result is a threat actor that not only disrupts care but also places patient privacy and safety at direct risk.
Akira first appeared in early 2023 as a Windows-focused ransomware strain, but it didn’t stay that way for long. By June of that year, incident responders began seeing a dedicated Linux version in the wild, confirming that Akira’s operators were deliberately expanding their reach.
According to the HHS HC3 analyst note on Akira, “A Linux variant was subsequently deployed to target VMware ESXi VMs in April 2023,” marking a major escalation in Akira’s capabilities.
Analysts found the new variant being used to attack VMware ESXi servers, an especially troubling development because ESXi hosts are the backbone of many healthcare and enterprise environments. The Windows version had already been aggressive, relying on Windows CryptoAPI, avoiding system folders, and appending “.akira” to encrypted files.
The Linux version went further, adding symmetric algorithms such as AES, CAMELLIA, DES, and IDEA, and focusing on the virtualized infrastructure that keeps hospitals and large businesses running.
Akira’s capabilities continued to grow. By late 2024 and into early 2025, a major update, now known as Akira_v2, started appearing in investigations. Instead of the earlier C++ approach, the group moved to a Rust-based payload, a change that made detection and analysis dramatically harder for many security tools.
The HC3 note explains, “Akira threat actors have also begun leveraging a Rust-based encryptor observed in newer attacks,” something that security teams quickly recognized as a jump in sophistication. This version was designed to run seamlessly across Windows, Linux, VMware ESXi, and even Nutanix AHV environments, giving Akira a wide range of targets.
It refined its hybrid encryption model using ChaCha20 for speed and RSA-4096 for key protection, and it went after backup archives and virtual disk images in a much more intentional way. Analysts also observed faster scanning, smoother lateral movement, and more automated exfiltration using tools like RClone, WinSCP, and Mega. Combined with improved routines for wiping shadow copies and backup snapshots, Akira_v2 represented an escalation.
By 2025, Akira had evolved into a fully mature, multi-platform ransomware operation with a level of agility rarely seen in previous families. There were campaigns where attackers launched several encryptors at once across Windows, Linux, ESXi, and Nutanix AHV, effectively crippling entire data centers in a single wave. Investigators report that the group’s dwell time has shortened dramatically, with some victims seeing full encryption only hours after the initial intrusion.
As the HHS HC3 analyst note observed, “Akira continues to evolve, creating variants with more sophisticated capabilities and targeting a wider range of systems,” a trend that has only accelerated through 2024 and into 2025.
During that short dwell time, Akira operators rapidly harvest credentials with tools like Mimikatz and LaZagne, perform network scans with Advanced IP Scanner, and map out entire domains before locking them down. Their exfiltration methods have also expanded, incorporating encrypted tunnels, cloud-based storage, and traditional FTP/SFTP channels. Meanwhile, the attackers increasingly target backup servers and cloud-managed systems in an attempt to cut off recovery paths entirely.
One of the most common entry points is an unprotected VPN. When a VPN appliance doesn’t have multifactor authentication enabled, or when it’s running with a known flaw, Akira operators move fast. They frequently exploit vulnerabilities in Cisco VPN devices, including CVE-2020-3259 and the more recent zero-day CVE-2023-20269, to slip past the perimeter and get a foothold inside a victim’s environment.
If a vulnerable VPN isn’t available, they often fall back on something even simpler: weak, reused, or stolen credentials. Brute-forcing or logging in with compromised passwords through exposed services like RDP remains one of the group’s easiest wins. This trend fits the broader surge in ransomware activity during recent years, as one Computer Security study noted that “the COVID-19 pandemic has witnessed a huge surge in the number of ransomware attacks.”
Phishing is another common entry point: Akira’s operators send highly convincing emails meant to trick users into handing over credentials or opening files that launch malware. Once they’re in, the attackers immediately start collecting more access. Tools like Mimikatz and LaZagne help them pull credentials straight from memory, which they use to escalate privileges and move deeper into the network. To stay hidden, they rely on legitimate remote-access tools such as AnyDesk and Radmin, and even built-in PowerShell, so their activity blends in with normal administrative behavior.
As they spread through the environment, Akira operators systematically make recovery harder. They delete Volume Shadow Copies and snapshot backups with PowerShell commands, ensuring victims have few options beyond paying. Before launching the final encryption stage, they quietly exfiltrate data using RClone, WinSCP, or similar tools. Only once the theft is complete do they deploy their hybrid ChaCha20-and-RSA ransomware, locking files and often appending “.akira” to everything they encrypt.
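The shadow-copy deletion described above is one of the few pre-encryption steps that leaves a clear, loggable trace. As an added defender-side example (not code from the original article or from any vendor tooling), the following Python checks process-creation command lines for the three common deletion forms; the events are constructed sample data, not real Akira telemetry.

```python
import re

# Constructed sample process-creation events, not real Akira telemetry.
# Each tuple: (host, parent process, command line)
SAMPLE_EVENTS = [
    ("WS-01", "explorer.exe", "powershell.exe -NoProfile -Command Get-Date"),
    ("SRV-DB", "cmd.exe",
     'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'),
    ("SRV-FS", "cmd.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("SRV-FS", "services.exe", "vssadmin.exe list shadows"),
    ("SRV-BK", "cmd.exe", "wmic shadowcopy delete"),
    ("WS-02", "outlook.exe", "powershell.exe -NoProfile -File .\\report.ps1"),
]

# Shadow-copy deletion patterns. The WMI pipeline is the PowerShell form
# documented in public advisories; the CIM cmdlet and the rwmi alias are
# equivalents that a plain string match on "Remove-WmiObject" would miss.
SHADOW_COPY_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("powershell_remove_shadowcopy",
     re.compile(r"Win32_Shadowcopy.*?(Remove-WmiObject|Remove-CimInstance|\brwmi\b)",
                re.I | re.S)),
]


def detect_shadow_copy_deletion(events):
    """Return one (host, rule_name, command_line) hit per matching event.

    Read-only commands such as 'vssadmin list shadows' are deliberately
    left unflagged; only deletion is a recovery-destruction signal.
    """
    hits = []
    for host, _parent, cmd in events:
        for name, pattern in SHADOW_COPY_RULES:
            if pattern.search(cmd):
                hits.append((host, name, cmd))
                break  # one alert per event, even if several rules match
    return hits


def hosts_at_risk(events):
    """Distinct hosts on which a shadow-copy deletion command was observed."""
    return sorted({host for host, _rule, _cmd in detect_shadow_copy_deletion(events)})


if __name__ == "__main__":
    for host, rule, cmd in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[ALERT] {host}: {rule}: {cmd}")
    print("hosts at risk:", hosts_at_risk(SAMPLE_EVENTS))
```

In practice the same rules would be fed from Sysmon Event ID 1 or Windows Security 4688 command-line fields, and any hit on a backup or hypervisor host should be treated as a pre-encryption indicator rather than an administrative cleanup.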
Akira hits healthcare where it hurts most: its sprawling, interconnected IT systems. Hospitals rely on electronic health records, diagnostic imaging platforms, lab software, and billing systems to keep care moving. When ransomware takes those systems offline, everything slows to a crawl. Clinicians are pushed back to paper charts, results take longer to process, and teams struggle to coordinate care without access to the digital tools they use every day.
These disruptions translate into delayed diagnoses, canceled procedures, longer hospital stays, and a much higher chance of medical errors. The ripple effects are not hypothetical: ransomware-related downtime has been linked to spikes in emergency cases, such as strokes and cardiac arrests, where patients faced worse outcomes because staff were overwhelmed or forced to divert ambulances to other hospitals.
In the advisories mentioned above, federal agencies like HHS and CISA have repeatedly warned that healthcare has become a prime target because of its dependence on legacy systems, the high value of medical data, and the life-or-death nature of clinical operations. Akira’s double-extortion model, locking systems while threatening to leak stolen data, adds intense pressure on hospitals to pay quickly, reinforcing the need for stronger cybersecurity, better patching practices, and sector-specific defenses that reflect how vulnerable healthcare has become.
A ransomware group is a criminal organization that develops, distributes, or operates ransomware to extort victims by encrypting or stealing data.
Most ransomware groups run as RaaS, where core developers lease their malware to affiliates who carry out attacks.
They target healthcare because medical data is extremely valuable and hospitals are more likely to pay, since their clinical operations cannot tolerate prolonged downtime.