Date: 2026-07-08
Source: Ransomware.live / Dark Web Leak Site Monitoring
Threat Level: HIGH
1. Threat Actor Profile — AKIRA
Type: Ransomware-as-a-Service (RaaS) / Closed Affiliate Group
Known Aliases: Akira_v2
Typical Ransom Demands: $200,000 – $4,000,000 USD (varies by revenue).
TTPs Overview:
- Initial Access: Heavily reliant on valid credentials obtained via phishing, but increasingly aggressive in exploiting unpatched perimeter appliances (Firewalls, VPNs) and remote management tools (ConnectWise).
- Lateral Movement: Uses RDP for lateral spread and Cobalt Strike beacons for command and control (C2). Recent affiliates have been seen abusing PsExec and WMI for deployment.
- Double Extortion: Aggressive data theft followed by encryption. Akira maintains a dedicated leak site on the dark web where they publish samples if negotiations fail.
- Dwell Time: Typically 3–7 days. Akira actors move fast once inside, often disabling AV and security logging within hours of initial access.
2. Current Campaign Analysis
Observed Victim Count: 5 new victims posted between 2026-07-07 and 2026-07-08.
Targeted Sectors:
- Agriculture and Food Production: 20% (Wade’s Dairy)
- Business Services: 40% (RISE Architecture, Chisholm Persson & Ball)
- Consumer Services: 20% (Excalibur Rentals)
- Financial Services: 20% (Edge Solutions | Stone Ridge Payments)
Geographic Concentration:
- United Kingdom (GB): 20% (Wade’s Dairy)
- United States (US): 20% (Edge Solutions)
- Unknown: 60% (Business/Consumer services victims)
Victim Profile: The victims span mid-market organizations. The inclusion of Stone Ridge Payments (Financial) is critical; financial entities are typically harder targets, suggesting the use of a high-privilege exploit (likely CVE-2026-50751 or CVE-2026-20131). The Business Services victims (RISE, Chisholm) suggest a supply chain compromise or widespread exploitation of remote management software (ConnectWise ScreenConnect) commonly used by MSPs.
CVE Correlation & Initial Access Vectors: Based on the sectors targeted and the recent CVE additions to the CISA KEV list confirmed for ransomware use:
- CVE-2026-50751 (Check Point Security Gateway): Highly probable vector for the Financial Services victim (Edge Solutions). Allows unauthenticated access via IKEv1.
- CVE-2024-1708 (ConnectWise ScreenConnect): Strong candidate for the Business Services victims. This RCE allows attackers to bypass authentication and drop webshells.
- CVE-2026-20131 (Cisco Secure Firewall FMC): A secondary perimeter vector potentially used to bypass perimeter defenses before launching ransomware.
Escalation Pattern:
Posting frequency has spiked to 5 victims in 24 hours, indicating an active affiliate campaign leveraging the newly disclosed Check Point and Cisco vulnerabilities.
3. Detection Engineering
SIGMA Rules
---
title: Potential Check Point VPN IKEv1 Exploitation (CVE-2026-50751)
id: 12345678-abcd-efgh-ijkl-123456789012
status: experimental
description: Detects potential exploitation of Check Point Security Gateway IKEv1 improper authentication vulnerability observed in Akira campaigns.
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/07/08
tags:
- cve.2026.50751
- attack.initial_access
- detection.emerging_threats
logsource:
product: firewall
service: check_point
detection:
selection:
protocol: 'IKE'
version: 'v1'
action: 'accept'
filter_main:
src_ip:
- '127.0.0.1'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
condition: selection and not filter_main
falsepositives:
- Legitimate remote access via IKEv1
level: critical
---
title: Suspicious ConnectWise ScreenConnect Process Chain
id: 87654321-dcba-hgfe-lkji-210987654321
status: experimental
description: Detects suspicious child processes spawned by ConnectWise ScreenConnect client, often associated with authentication bypass exploitation (CVE-2024-1708) and Akira ransomware deployment.
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/07/08
tags:
- cve.2024.1708
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\ScreenConnect.ClientService.exe'
- '\ScreenConnect.WindowsClient.exe'
selection_img:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\mshta.exe'
- '\rundll32.exe'
condition: selection_parent and selection_img
falsepositives:
- Legitimate administrative use by support staff
level: high
---
title: Ransomware Data Staging via High Compression Archiving
id: 11223344-5566-7788-9900-aabbccddeeff
status: experimental
description: Detects the use of archiving tools (7-Zip/WinRAR) with maximum compression and password protection, a common TTP for Akira data exfiltration staging.
author: Security Arsenal Research
date: 2026/07/08
tags:
- attack.exfiltration
- attack.t1560.001
logsource:
category: process_creation
product: windows
detection:
selection_tool:
Image|endswith:
- '\7z.exe'
- '\winrar.exe'
- '\rar.exe'
selection_flags:
CommandLine|contains:
- '-p'
- '-m0=lzma2'
- '-mx9'
condition: selection_tool and selection_flags
falsepositives:
- System administrator backups
level: medium
KQL Hunt Query
// Hunt for Akira Lateral Movement and Staging
// Looks for PsExec/WMI usage followed by large file modifications (Staging)
let ProcessCreation = DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ('psexec.exe', 'psexec64.exe', 'wmic.exe')
| project DeviceId, DeviceName, AccountName, InitiatingProcessCommandLine, Timestamp, ProcessFileName;
let FileActivity = DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath contains "\Temp\" or FolderPath contains "\AppData\Local\Temp"
| where FileSize > 10485760
| project DeviceId, DeviceName, FileName, FileSize, Timestamp;
ProcessCreation
| join kind=inner FileActivity on DeviceId
| where FileActivity.Timestamp between (ProcessCreation.Timestamp - 1h) .. (ProcessCreation.Timestamp + 4h)
| summarize count() by DeviceName, AccountName, bin(Timestamp, 1h)
PowerShell Hardening Script
<#
.SYNOPSIS
Akira Ransomware Rapid Response Hardening Script
.DESCRIPTION
Checks for signs of Akira persistence (Scheduled Tasks) and enforces hardening
against common vectors (RDP, ScreenConnect).
#>
Write-Host "[+] Starting Akira Hardening Check..." -ForegroundColor Cyan
# 1. Hunt for Suspicious Scheduled Tasks
Write-Host "[*] Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} |
Select-Object TaskName, Author, Date, Actions |
Format-Table -AutoSize
# 2. Check for Shadow Copy Manipulation
Write-Host "[*] Checking for VSS shadow copy deletions (Event ID 4104/1)..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=4104; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
Select-Object TimeCreated, Message | Format-List
# 3. Hardening: Disable RDP if not required
$RDPStatus = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections").fDenyTSConnections
if ($RDPStatus -eq 0) {
Write-Host "[!] WARNING: RDP is ENABLED. Consider disabling it via GPO or firewall rules." -ForegroundColor Red
} else {
Write-Host "[+] RDP is disabled." -ForegroundColor Green
}
# 4. Hardening: Check for ScreenConnect Web Interface exposure
Write-Host "[*] Checking for ConnectWise ScreenConnect services..." -ForegroundColor Yellow
$Service = Get-Service -Name "ScreenConnect*" -ErrorAction SilentlyContinue
if ($Service) {
Write-Host "[!] ScreenConnect detected. Ensure web interface is patched (CVE-2024-1708) and MFA is enforced." -ForegroundColor Red
} else {
Write-Host "[+] No ScreenConnect services found." -ForegroundColor Green
}
Write-Host "[+] Script completed." -ForegroundColor Cyan
---
4. Incident Response Priorities
T-Minus Detection Checklist (Pre-Encryption)
- Check Point Logs: Scrub logs for IKEv1 connection requests from unusual geolocations.
- ScreenConnect Sessions: Audit ScreenConnect logs for "Guest" access sessions created without user initiation.
- Active Directory: Look for massive modifications to AD objects or the creation of new "Service" accounts.
Critical Assets for Exfiltration
Akira historically targets:
- Financial Records: ACH files, customer ledgers (High priority for Edge Solutions).
- Employee PII: HR databases, tax forms (W-2s).
- Intellectual Property: CAD files, architectural blueprints (High priority for RISE Architecture).
Containment Actions
- Isolate VPN Concentrators: If Check Point gateways are present, take them offline for patching if not already.
- Disable Remote Management Tools: Temporarily shut down ScreenConnect, RDP, and TeamViewer instances until verified clean.
- Suspend Domain Admin Accounts: Akira frequently attempts to dump DA credentials.
5. Hardening Recommendations
Immediate (24 Hours)
- Patch CVE-2026-50751: Apply the hotfix for Check Point Security Gateway immediately.
- Patch CVE-2024-1708: Update ConnectWise ScreenConnect to the latest patched version.
- MFA Enforcement: Ensure FIDO2 or Hardware Token MFA is enabled on all VPN and remote access portals; Akira affiliates bypass SMS/MFA easily.
Short-term (2 Weeks)
- Network Segmentation: Ensure PCI environments (like Stone Ridge Payments) are strictly isolated from general IT networks.
- E-Drift Reduction: Implement strict allow-listing for PsExec, WMI, and PowerShell remoting.
- Backup Verification: Validate that offline backups are immutable and test restores for critical financial servers.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.