Back to Intelligence

AKIRA Ransomware: 5 New Victims — Financial & Agri-Sector Surge & Critical Firewall Exploits

SA
Security Arsenal Team
July 8, 2026
7 min read

Date: 2026-07-08
Source: Ransomware.live / Dark Web Leak Site Monitoring
Threat Level: HIGH


1. Threat Actor Profile — AKIRA

Type: Ransomware-as-a-Service (RaaS) / Closed Affiliate Group
Known Aliases: Akira_v2
Typical Ransom Demands: $200,000 – $4,000,000 USD (varies by revenue).

TTPs Overview:

  • Initial Access: Heavily reliant on valid credentials obtained via phishing, but increasingly aggressive in exploiting unpatched perimeter appliances (Firewalls, VPNs) and remote management tools (ConnectWise).
  • Lateral Movement: Uses RDP for lateral spread and Cobalt Strike beacons for command and control (C2). Recent affiliates have been seen abusing PsExec and WMI for deployment.
  • Double Extortion: Aggressive data theft followed by encryption. Akira maintains a dedicated leak site on the dark web where they publish samples if negotiations fail.
  • Dwell Time: Typically 3–7 days. Akira actors move fast once inside, often disabling AV and security logging within hours of initial access.

2. Current Campaign Analysis

Observed Victim Count: 5 new victims posted between 2026-07-07 and 2026-07-08.

Targeted Sectors:

  • Agriculture and Food Production: 20% (Wade’s Dairy)
  • Business Services: 40% (RISE Architecture, Chisholm Persson & Ball)
  • Consumer Services: 20% (Excalibur Rentals)
  • Financial Services: 20% (Edge Solutions | Stone Ridge Payments)

Geographic Concentration:

  • United Kingdom (GB): 20% (Wade’s Dairy)
  • United States (US): 20% (Edge Solutions)
  • Unknown: 60% (Business/Consumer services victims)

Victim Profile: The victims span mid-market organizations. The inclusion of Stone Ridge Payments (Financial) is critical; financial entities are typically harder targets, suggesting the use of a high-privilege exploit (likely CVE-2026-50751 or CVE-2026-20131). The Business Services victims (RISE, Chisholm) suggest a supply chain compromise or widespread exploitation of remote management software (ConnectWise ScreenConnect) commonly used by MSPs.

CVE Correlation & Initial Access Vectors: Based on the sectors targeted and the recent CVE additions to the CISA KEV list confirmed for ransomware use:

  • CVE-2026-50751 (Check Point Security Gateway): Highly probable vector for the Financial Services victim (Edge Solutions). Allows unauthenticated access via IKEv1.
  • CVE-2024-1708 (ConnectWise ScreenConnect): Strong candidate for the Business Services victims. This RCE allows attackers to bypass authentication and drop webshells.
  • CVE-2026-20131 (Cisco Secure Firewall FMC): A secondary perimeter vector potentially used to bypass perimeter defenses before launching ransomware.

Escalation Pattern:
Posting frequency has spiked to 5 victims in 24 hours, indicating an active affiliate campaign leveraging the newly disclosed Check Point and Cisco vulnerabilities.


3. Detection Engineering

SIGMA Rules

YAML
---
title: Potential Check Point VPN IKEv1 Exploitation (CVE-2026-50751)
id: 12345678-abcd-efgh-ijkl-123456789012
status: experimental
description: Detects potential exploitation of Check Point Security Gateway IKEv1 improper authentication vulnerability observed in Akira campaigns.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/07/08
tags:
    - cve.2026.50751
    - attack.initial_access
    - detection.emerging_threats
logsource:
    product: firewall
    service: check_point
detection:
    selection:
        protocol: 'IKE'
        version: 'v1'
        action: 'accept'
    filter_main:
        src_ip:
            - '127.0.0.1'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: selection and not filter_main
falsepositives:
    - Legitimate remote access via IKEv1
level: critical
---
title: Suspicious ConnectWise ScreenConnect Process Chain
id: 87654321-dcba-hgfe-lkji-210987654321
status: experimental
description: Detects suspicious child processes spawned by ConnectWise ScreenConnect client, often associated with authentication bypass exploitation (CVE-2024-1708) and Akira ransomware deployment.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/07/08
tags:
    - cve.2024.1708
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: 
            - '\ScreenConnect.ClientService.exe'
            - '\ScreenConnect.WindowsClient.exe'
    selection_img:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
    condition: selection_parent and selection_img
falsepositives:
    - Legitimate administrative use by support staff
level: high
---
title: Ransomware Data Staging via High Compression Archiving
id: 11223344-5566-7788-9900-aabbccddeeff
status: experimental
description: Detects the use of archiving tools (7-Zip/WinRAR) with maximum compression and password protection, a common TTP for Akira data exfiltration staging.
author: Security Arsenal Research
date: 2026/07/08
tags:
    - attack.exfiltration
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_tool:
        Image|endswith:
            - '\7z.exe'
            - '\winrar.exe'
            - '\rar.exe'
    selection_flags:
        CommandLine|contains:
            - '-p'
            - '-m0=lzma2'
            - '-mx9'
    condition: selection_tool and selection_flags
falsepositives:
    - System administrator backups
level: medium

KQL Hunt Query

KQL — Microsoft Sentinel / Defender
// Hunt for Akira Lateral Movement and Staging
// Looks for PsExec/WMI usage followed by large file modifications (Staging)
let ProcessCreation = DeviceProcessEvents 
| where Timestamp > ago(7d) 
| where InitiatingProcessFileName in ('psexec.exe', 'psexec64.exe', 'wmic.exe') 
| project DeviceId, DeviceName, AccountName, InitiatingProcessCommandLine, Timestamp, ProcessFileName;
let FileActivity = DeviceFileEvents 
| where Timestamp > ago(7d) 
| where FolderPath contains "\Temp\" or FolderPath contains "\AppData\Local\Temp" 
| where FileSize > 10485760 
| project DeviceId, DeviceName, FileName, FileSize, Timestamp;
ProcessCreation 
| join kind=inner FileActivity on DeviceId 
| where FileActivity.Timestamp between (ProcessCreation.Timestamp - 1h) .. (ProcessCreation.Timestamp + 4h)
| summarize count() by DeviceName, AccountName, bin(Timestamp, 1h)

PowerShell Hardening Script

PowerShell
<#
    .SYNOPSIS
    Akira Ransomware Rapid Response Hardening Script
    .DESCRIPTION
    Checks for signs of Akira persistence (Scheduled Tasks) and enforces hardening
    against common vectors (RDP, ScreenConnect).
#>

Write-Host "[+] Starting Akira Hardening Check..." -ForegroundColor Cyan

# 1. Hunt for Suspicious Scheduled Tasks
Write-Host "[*] Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | 
    Select-Object TaskName, Author, Date, Actions | 
    Format-Table -AutoSize

# 2. Check for Shadow Copy Manipulation
Write-Host "[*] Checking for VSS shadow copy deletions (Event ID 4104/1)..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=4104; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue | 
    Select-Object TimeCreated, Message | Format-List

# 3. Hardening: Disable RDP if not required
$RDPStatus = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections").fDenyTSConnections
if ($RDPStatus -eq 0) {
    Write-Host "[!] WARNING: RDP is ENABLED. Consider disabling it via GPO or firewall rules." -ForegroundColor Red
} else {
    Write-Host "[+] RDP is disabled." -ForegroundColor Green
}

# 4. Hardening: Check for ScreenConnect Web Interface exposure
Write-Host "[*] Checking for ConnectWise ScreenConnect services..." -ForegroundColor Yellow
$Service = Get-Service -Name "ScreenConnect*" -ErrorAction SilentlyContinue
if ($Service) {
    Write-Host "[!] ScreenConnect detected. Ensure web interface is patched (CVE-2024-1708) and MFA is enforced." -ForegroundColor Red
} else {
    Write-Host "[+] No ScreenConnect services found." -ForegroundColor Green
}

Write-Host "[+] Script completed." -ForegroundColor Cyan


---

4. Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption)

  • Check Point Logs: Scrub logs for IKEv1 connection requests from unusual geolocations.
  • ScreenConnect Sessions: Audit ScreenConnect logs for "Guest" access sessions created without user initiation.
  • Active Directory: Look for massive modifications to AD objects or the creation of new "Service" accounts.

Critical Assets for Exfiltration

Akira historically targets:

  1. Financial Records: ACH files, customer ledgers (High priority for Edge Solutions).
  2. Employee PII: HR databases, tax forms (W-2s).
  3. Intellectual Property: CAD files, architectural blueprints (High priority for RISE Architecture).

Containment Actions

  1. Isolate VPN Concentrators: If Check Point gateways are present, take them offline for patching if not already.
  2. Disable Remote Management Tools: Temporarily shut down ScreenConnect, RDP, and TeamViewer instances until verified clean.
  3. Suspend Domain Admin Accounts: Akira frequently attempts to dump DA credentials.

5. Hardening Recommendations

Immediate (24 Hours)

  • Patch CVE-2026-50751: Apply the hotfix for Check Point Security Gateway immediately.
  • Patch CVE-2024-1708: Update ConnectWise ScreenConnect to the latest patched version.
  • MFA Enforcement: Ensure FIDO2 or Hardware Token MFA is enabled on all VPN and remote access portals; Akira affiliates bypass SMS/MFA easily.

Short-term (2 Weeks)

  • Network Segmentation: Ensure PCI environments (like Stone Ridge Payments) are strictly isolated from general IT networks.
  • E-Drift Reduction: Implement strict allow-listing for PsExec, WMI, and PowerShell remoting.
  • Backup Verification: Validate that offline backups are immutable and test restores for critical financial servers.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangakiraakira-ransomwarefinancial-servicesagricultureransomware-intelcve-2026-50751

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.