Ransomware

Akira Ransomware: Exploiting VPN Vulnerabilities for Supply Chain Entry

Akira ransomware systematically exploited Cisco VPN vulnerabilities as its primary entry vector, targeting organizations through the network infrastructure they trusted most.

Nayan Dey
Security Analyst

Since its emergence in March 2023, Akira ransomware carved out a distinct niche in the ransomware ecosystem by systematically targeting VPN appliances — particularly Cisco products — as its primary entry vector. By early 2024, Akira had compromised over 250 organizations and demanded ransom payments totaling more than $42 million, according to FBI and CISA advisories.

What made Akira noteworthy wasn't just the ransomware itself — it was the group's laser focus on exploiting network infrastructure that organizations relied on for secure remote access. In targeting VPN appliances, Akira turned the very tools organizations used to protect remote connections into the entry point for devastating attacks.

The VPN Problem

Akira's primary initial access technique exploited a fundamental tension in enterprise security: VPN appliances must be exposed to the internet to function, making them permanently visible targets.

The group systematically exploited several Cisco VPN vulnerabilities:

CVE-2023-20269: A zero-day vulnerability in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that allowed unauthorized remote access VPN sessions. The vulnerability existed in the management and VPN web server, enabling brute-force attacks against VPN credentials without triggering lockout policies.

Credential stuffing against single-factor VPN: Many organizations running Cisco VPNs had not implemented multi-factor authentication. Akira operators used automated tools to test credentials harvested from data breaches against VPN login portals, gaining access wherever single-factor authentication was in use.

CVE-2020-3259: An older vulnerability in Cisco ASA and FTD that could leak usernames and session tokens from the device's memory. Though patched in 2020, many organizations had not applied the fix.

The pattern was clear: Akira operators scanned the internet for Cisco VPN appliances, identified vulnerable or poorly configured instances, and used these as their entry point. This wasn't sophisticated exploitation — it was systematic targeting of known weaknesses at scale.

Technical Profile

The Ransomware Payload

Akira developed both Windows and Linux variants of their ransomware:

Windows variant: Written in C++, using ChaCha20 and RSA encryption. The payload targeted specific file extensions and could encrypt local drives, network shares, and mounted volumes. It excluded system-critical directories to keep the system bootable — necessary for victims to read the ransom note and pay.

Linux/ESXi variant: Written in Rust (following the trend set by BlackCat), targeting VMware ESXi virtual machines. This variant could encrypt virtual machine disk files, shutting down entire virtualization environments. The ESXi focus reflected the reality that many organizations run critical workloads on VMware infrastructure.

Post-Exploitation Methodology

After gaining VPN access, Akira operators followed a consistent playbook:

  1. Establish persistence: Deploy legitimate remote access tools (AnyDesk, RustDesk) as backup access methods
  2. Credential harvesting: Use Mimikatz and LaZagne to extract domain credentials from memory
  3. Network reconnaissance: Map the internal network using Active Directory queries and network scanning tools
  4. Lateral movement: Use RDP and SMB with harvested credentials to access additional systems
  5. Data exfiltration: Use tools like WinSCP, rclone, or FileZilla to steal data for double extortion
  6. Security tool disablement: Use PowerShell commands to disable Windows Defender, and remove third-party antivirus through its legitimate uninstall procedure
  7. Backup destruction: Target backup solutions such as Veeam and Acronis, and delete Volume Shadow Copies
  8. Ransomware deployment: Coordinated deployment across the network, typically via PsExec or GPO

Conti Connection

Analysis of Akira's code and infrastructure revealed significant overlaps with the Conti ransomware, suggesting that Akira operators were former Conti affiliates or had access to Conti's codebase. Blockchain analysis also showed connections between Akira cryptocurrency wallets and those previously associated with Conti operations.

This lineage made sense — the Conti dissolution in mid-2022 scattered experienced operators across the ecosystem, and Akira bore the fingerprints of operators who knew exactly how to run a ransomware campaign.

The Supply Chain Dimension

Akira's VPN targeting represents a supply chain attack in a broader sense: the attack surface isn't in your code, it's in the infrastructure products you deploy to run your business.

VPN as Supply Chain

VPN appliances are supply chain components. Organizations purchase them from vendors (Cisco, Fortinet, Palo Alto Networks, etc.), deploy them as critical infrastructure, and depend on the vendor to deliver secure products and timely patches. When a vulnerability exists in that product, it becomes a supply chain weakness — one that affects every organization running the vulnerable version.

Akira exploited this dynamic at scale. Rather than targeting individual organizations, the group targeted a class of products, effectively compromising the VPN "supply chain" across hundreds of organizations simultaneously.

MSP Targeting

Akira also targeted managed service providers through VPN exploitation. When an MSP's VPN was compromised, the attackers gained access to the management infrastructure that connected to client networks. Several documented Akira incidents traced back to MSP compromises, creating a multiplier effect similar to the Kaseya attack pattern.

VMware Infrastructure

By developing a Linux/ESXi variant, Akira targeted the virtualization supply chain. VMware ESXi servers often host the most critical workloads — domain controllers, database servers, application servers. Encrypting the ESXi layer effectively encrypted everything running on it, maximizing impact from a single compromise point.

Victim Profile

Akira's victim base was diverse but skewed toward small and medium businesses:

  • Manufacturing: Production systems and supply chain management platforms
  • Professional services: Law firms, consulting companies, accounting firms
  • Healthcare: Clinics, specialty providers, and healthcare IT companies
  • Education: Universities and school districts
  • Financial services: Small banks, credit unions, and financial technology companies

The SMB focus wasn't coincidental — these organizations were more likely to have under-resourced IT teams, unpatched VPN appliances, and single-factor authentication on remote access.

Defensive Priorities

Akira's methodology highlighted several urgent defensive measures:

MFA on all VPN access: The single most effective mitigation against Akira's primary entry vector. Organizations using single-factor authentication on VPN are essentially leaving the front door unlocked.

VPN appliance patching: Treating VPN appliances as critical infrastructure requiring rapid patching when vulnerabilities are disclosed. The lag between patch availability and patch application is where Akira operated.

Network monitoring for VPN anomalies: Monitoring VPN sessions for unusual patterns — logins from unexpected locations, connections at unusual hours, multiple failed authentication attempts.
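To make that monitoring point concrete, here is an added example (not from the original post, and not Cisco or Akira material) that scans constructed Cisco ASA-style syslog lines for the three anomalies named above: a burst of failed authentications from one source, a successful login shortly after such a burst, and a login outside expected hours. The message IDs 113005 and 113039 and their field layout are assumptions used for the sample; adapt the regexes to your appliance's actual format. Because CVE-2023-20269 let brute forcing proceed without tripping lockout policies, the appliance's own lockout counters are not a substitute for this kind of log review.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real telemetry): a burst of failures against
# one account from one source, then a 03:12 success from that same source,
# then an ordinary business-hours login by a different user and address.
SAMPLE_LOG = """\
2024-02-10T03:09:01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.44
2024-02-10T03:09:03 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.44
2024-02-10T03:09:05 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.44
2024-02-10T03:09:08 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.44
2024-02-10T03:09:11 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.44
2024-02-10T03:12:40 %ASA-6-113039: Group <RA-VPN> User <jdoe> IP <203.0.113.44> AnyConnect parent session started.
2024-02-10T09:15:10 %ASA-6-113039: Group <RA-VPN> User <asmith> IP <198.51.100.7> AnyConnect parent session started.
"""

# Field layouts below are assumptions modelled on ASA syslog; adjust per appliance.
FAIL_RE = re.compile(r"^(\S+) %ASA-6-113005: .*user = (\S+) : user IP = (\S+)")
OK_RE = re.compile(r"^(\S+) %ASA-6-113039: Group <[^>]*> User <([^>]+)> IP <([^>]+)>")

FAIL_THRESHOLD = 5            # rejected auths from one source within WINDOW_SECONDS
WINDOW_SECONDS = 300          # sliding window for both burst and success-after-burst
BUSINESS_HOURS = range(8, 18) # appliance-local hours treated as expected login time


def analyze_vpn_log(text):
    """Return (kind, user, source_ip, timestamp) alerts for a syslog excerpt."""
    failures = defaultdict(list)  # source_ip -> timestamps of rejected auths
    alerts = []
    for line in text.splitlines():
        if m := FAIL_RE.match(line):
            ts, user, ip = m.groups()
            now = datetime.fromisoformat(ts)
            failures[ip].append(now)
            recent = [t for t in failures[ip] if (now - t).total_seconds() <= WINDOW_SECONDS]
            if len(recent) == FAIL_THRESHOLD:  # fire once, when the burst crosses the line
                alerts.append(("brute_force", user, ip, ts))
        elif m := OK_RE.match(line):
            ts, user, ip = m.groups()
            when = datetime.fromisoformat(ts)
            # A success right after a failure burst from the same source is the strongest signal.
            if any((when - t).total_seconds() <= WINDOW_SECONDS for t in failures[ip]):
                alerts.append(("success_after_failures", user, ip, ts))
            if when.hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_login", user, ip, ts))
    return alerts


if __name__ == "__main__":
    for alert in analyze_vpn_log(SAMPLE_LOG):
        print(alert)
```

Feeding the appliance's syslog export through this in a scheduled job, and tuning the threshold and hours to your environment, gives a baseline alert for the credential-stuffing and brute-force activity the post describes.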

Backup isolation: Ensuring backup infrastructure cannot be reached from compromised network segments. Akira consistently targeted backup systems.

ESXi hardening: Limiting management access to ESXi hosts, enabling lockdown mode, and ensuring ESXi systems are patched.

How Safeguard.sh Helps

Akira's systematic exploitation of VPN infrastructure underscores a critical point: your security is defined by every component in your technology supply chain, including the network appliances and infrastructure software you depend on.

Safeguard.sh provides comprehensive visibility across your software supply chain, tracking not just application-level dependencies but the full technology stack that supports your operations. The platform's vulnerability monitoring ensures that when a critical CVE is disclosed for a component in your supply chain — whether it's a library in your application code or a VPN appliance on your network — you have immediate awareness of your exposure.

By maintaining a real-time inventory of your technology components and their known vulnerabilities, Safeguard.sh helps you prioritize patching for the infrastructure that attackers like Akira target first. In a threat landscape where VPN appliances are the front door, knowing what's in your supply chain isn't just good practice — it's the first step in keeping that door locked.
