(TLP:CLEAR) Joint Cybersecurity Advisory – CISA and Partners Release Advisory Update on Akira Ransomware
Created: Thursday, November 20, 2025 - 17:32
Categories: Cybersecurity, Security Preparedness
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.
Summary: Last week, CISA, in collaboration with U.S. and international partners, released an updated joint Cybersecurity Advisory, #StopRansomware: Akira Ransomware, to provide network defenders with the latest indicators of compromise, tactics, techniques, and procedures, and detection methods associated with Akira ransomware activity.
Analyst Note: The reporting agencies note that this advisory reflects new findings as of November 13, 2025, highlighting Akira ransomware’s evolution and continued threat to critical infrastructure sectors. Akira ransomware threat actors, associated with groups such as Storm-1567, Howling Scorpius, Punk Spider, and Gold Sahara, have expanded their capabilities, targeting small and medium-sized businesses as well as larger organizations across several critical infrastructure sectors.
Key Updates:
- Initial Access: Threat actors exploit vulnerabilities in edge devices and backup servers (authentication bypass, cross-site scripting, and buffer overflow flaws) and compromise credentials through brute-force techniques.
- Discovery: Threat actors use command line techniques to accomplish network and domain discovery.
- Defense Evasion: Threat actors use remote management and monitoring tools such as AnyDesk and LogMeIn to mimic administrator activity, modify firewall settings, terminate antivirus processes, and uninstall EDR systems.
- Privilege Escalation: Threat actors deploy POORTRY malware in bring-your-own-vulnerable-driver (BYOVD) attacks against vulnerable drivers, create administrator accounts, steal administrator login credentials, and bypass VMDK protections, as well as exploit Veeam vulnerabilities.
- Lateral Movement: Threat actors use remote access tools and protocols such as RDP and SSH, and steal Kerberos authentication tickets, to move within networks.
- Command and Control: Threat actors use Ngrok to establish encrypted sessions, SystemBC malware as a remote access trojan, and STONETOP malware to deploy Akira payloads.
- Exfiltration and Impact: Threat actors use protocols such as FTP, SFTP, and cloud services to exfiltrate data.
- Encryption: Threat actors use a new Akira_v2 ransomware variant that enables faster encryption speeds and further inhibits system recovery.
Network defenders are encouraged to implement the recommendations in the mitigations section of the advisory to reduce the likelihood and impact of ransomware incidents. Organizations are encouraged to apply patches for known vulnerabilities, especially those affecting VPN products and backup servers, and to enforce multifactor authentication for all remote access services. Organizations should monitor for unauthorized domain account creation and unusual network activity while deploying endpoint detection and response solutions to enhance security.
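The monitoring recommendation above can be turned into a simple triage check. The following script is an added example, not code from the advisory or from CISA: it scans a handful of constructed Windows Security event records for three behaviours named in the advisory (new domain accounts being created by an unsanctioned identity, remote management tools such as AnyDesk or LogMeIn being launched, and Ngrok tunnelling), and escalates any activity performed by an account that was created earlier in the same stream. The event field layout, the approved provisioning account `svc_idm`, and every host, user and path value are assumptions made for the example.

```python
"""Added example (not part of the advisory): triage constructed Windows
Security events for behaviours the Akira advisory says to monitor."""
import re
from dataclasses import dataclass

# Assumed record layout: (event_id, host, user, detail). All values constructed.
# 4720 = user account created, 4688 = process created, 4624 = logon (type 10 = RDP).
SAMPLE_EVENTS = [
    (4720, "DC01", "svc_backup", "New account created: adm_support"),
    (4688, "WS17", "jdoe", r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe"),
    (4688, "WS17", "jdoe", r"C:\Windows\System32\notepad.exe"),
    (4688, "SRV03", "adm_support", r"C:\Tools\ngrok.exe tcp 3389"),
    (4624, "SRV03", "adm_support", "Logon type 10"),
]

# Tool names taken from the advisory; matching is case-insensitive.
RMM_TOOLS = re.compile(r"(anydesk|logmein)", re.IGNORECASE)
TUNNEL_TOOLS = re.compile(r"\bngrok(\.exe)?\b", re.IGNORECASE)
NEW_ACCOUNT_RE = re.compile(r"New account created:\s*(\S+)")


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    detail: str
    escalated: bool = False  # True when the acting user was created in this stream


def triage(events, approved_creators=frozenset({"svc_idm"})):
    """Return one Finding per suspicious event, in stream order.

    approved_creators is the assumed set of identities allowed to create
    domain accounts; any other creator is reported."""
    findings = []
    new_accounts = set()
    for event_id, host, user, detail in events:
        rule = None
        if event_id == 4720:
            match = NEW_ACCOUNT_RE.search(detail)
            if match:
                new_accounts.add(match.group(1))
            if user not in approved_creators:
                rule = "unauthorized-account-creation"
        elif event_id == 4688:
            if RMM_TOOLS.search(detail):
                rule = "rmm-tool-launch"
            elif TUNNEL_TOOLS.search(detail):
                rule = "tunnel-tool-launch"
        elif event_id == 4624 and "type 10" in detail.lower() and user in new_accounts:
            rule = "rdp-logon-by-new-account"
        if rule:
            findings.append(Finding(host, user, rule, detail, escalated=user in new_accounts))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        flag = "ESCALATED " if f.escalated else ""
        print(f"{flag}{f.rule}: host={f.host} user={f.user} detail={f.detail}")
```

Run against real data, the record tuples would be replaced by fields pulled from a SIEM or from exported Security log entries; the point of the correlation step is that a freshly created account launching a tunnelling tool or logging in over RDP is a stronger signal than either event on its own.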
Original Source: https://www.cisa.gov/news-events/alerts/2025/11/13/cisa-and-partners-release-advisory-update-akira-ransomware
Additional Reading:
Related WaterISAC PIRs: 6, 7, 7.1, 10, 12
