Back to Intelligence

AKIRA Ransomware Gang: US Infrastructure Under Siege — CVE Exploitation & Detection Engineering

SA
Security Arsenal Team
July 18, 2026
6 min read

Date: 2026-07-18
Source: Ransomware.live / Dark Web Leak Sites
Analyst: Security Arsenal Intelligence Unit


Threat Actor Profile — AKIRA

  • Type: Closed-group operation with sporadic affiliate usage. Focuses heavily on double extortion tactics, utilizing a custom Rust-based encryptor.
  • Ransom Demands: Historically ranges from $200,000 to $4 million, typically negotiated down to ~50-60% of initial ask.
  • Initial Access Vectors: AKIRA demonstrates a high proficiency in exploiting external-facing vulnerabilities, particularly VPNs and remote management tools (e.g., Cisco VPN, Check Point, ScreenConnect). Phishing with macro-laden documents is a secondary vector.
  • TTPs:
    • Lateral Movement: Heavy reliance on valid credentials dumped via Mimikatz or LaZagne. Uses PsExec, WMI, and custom PowerShell scripts for propagation.
    • Data Exfiltration: Uses WinSCP, Rclone, and MEGA for staging and exfiltration prior to encryption.
    • Dwell Time: Short and aggressive. Recent campaigns show a dwell time of 3–7 days between initial access and detonation.

Current Campaign Analysis

Targeting Overview

AKIRA has posted 4 new victims between 2026-07-15 and 2026-07-17, marking a concentrated burst in activity targeting US-based entities.

  • Sectors Targeted:

    • Telecommunication: Westcoast Communication Services (2026-07-17)
    • Transportation/Logistics: Nesco Bus Maintenance (2026-07-17)
    • Manufacturing: Plumley Engineering (2026-07-16)
    • Construction: Pioneer Construction (2026-07-15)
  • Geographic Focus: 100% United States. This suggests a specific focus on the North American market, potentially leveraging供应 chain compromises common in these sectors or targeting regional MSPs.

  • Victim Profile: The targets appear to be mid-market organizations. These sectors (Telecom, Construction, Logistics) possess high-value intellectual property and operational data but often lack the robust 24/7 SOC monitoring of enterprise finance/healthcare, making them ideal prey for AKIRA.

CVE Connection & Initial Access

Based on the CISA Known Exploited Vulnerabilities (KEV) catalog overlapping with this campaign, we assess with high confidence that AKIRA is actively exploiting the following:

  1. CVE-2024-1708 (ConnectWise ScreenConnect): The addition of this to KEV in April and its prevalence in ransomware initial access suggests AKIRA is leveraging unpatched ScreenConnect instances to gain remote code execution (RCE).
  2. CVE-2026-50751 (Check Point Security Gateway): Targeting a Telecommunication provider (Westcoast) strongly correlates with the exploitation of perimeter firewall/VPN vulnerabilities to bypass network defenses.
  3. CVE-2023-21529 (Microsoft Exchange): Historically used for persistence or credential harvesting.

Posting Frequency

The group is posting victims on a near-daily basis. This escalation usually indicates an automated leak site process or a "crunch time" effort to pressure victims after failed negotiations.


Detection Engineering

SIGMA Rules

YAML
---
title: Potential AKIRA Initial Access via ConnectWise ScreenConnect
id: 8a4f1b2c-9d3e-4f5a-8b7c-1d2e3f4a5b6c
description: Detects path traversal exploitation attempts associated with CVE-2024-1708 on ConnectWise ScreenConnect servers, a known AKIRA vector.
status: stable
author: Security Arsenal
date: 2026/07/18
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: web
    product: connectwise_screenconnect
detection:
    selection:
        cs-uri-query|contains:
            - '..%2f'
            - '..\\'
    condition: selection
falsepositives:
    - Vulnerability scanners
level: critical
---
title: AKIRA Lateral Movement via PsExec and WMI
id: 9b5g2c3d-0e4f-5g6a-9c8d-2e3f4a5b6c7d
description: Detects lateral movement patterns consistent with AKIRA operators using PsExec or WMI for payload deployment.
status: stable
author: Security Arsenal
date: 2026/07/18
logsource:
    category: process_creation
    product: windows
detection:
    selection_psexec:
        Image|endswith: '\\psexec.exe'
        CommandLine|contains: 
            - '-accepteula'
    selection_wmi:
        Image|endswith: '\\wmic.exe'
        CommandLine|contains: 'process call create'
    condition: 1 of selection*
falsepositives:
    - System administration
level: high
---
title: AKIRA Data Staging via WinSCP
id: 0c6h3d4e-1f5g-6h7a-0d9e-3f4a5b6c7d8e
description: Detects the use of WinSCP with scripting parameters, often used by AKIRA for bulk data exfiltration prior to encryption.
status: stable
author: Security Arsenal
date: 2026/07/18
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\\winscp.exe'
        CommandLine|contains:
            - '/script='
            - '/command='
    condition: selection
falsepositives:
    - Legitimate automated file transfers
level: medium

KQL (Microsoft Sentinel)

Hunt for lateral movement and PowerShell execution patterns associated with AKIRA's staging phase.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
// Hunt for encoded PowerShell commands often used for staging/deobfuscation
| where ProcessCommandLine has \"powershell\" and (ProcessCommandLine has \"-enc\" or ProcessCommandLine has \"-encodedcommand\")
// Filter for common Akira staging tools or behaviors
| where ProcessCommandLine has_any(\"IEX\", \"Invoke-WebRequest\", \"DownloadString\", \"FromBase64String\")
// Correlate with network connections (if available) or specific file paths
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc

PowerShell Response Script

Rapid response script to identify common persistence and exfil indicators used by AKIRA.

PowerShell
# AKIRA Ransomware - Rapid Response Indicator Hunt
# Requires Administrative Privileges

Write-Host \"[+] Hunting for AKIRA Indicators of Compromise...\" -ForegroundColor Cyan

# 1. Check for Scheduled Tasks created in the last 7 days (Persistence)
Write-Host \"\
[*] Checking for recently created Scheduled Tasks...\" -ForegroundColor Yellow
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | 
    Select-Object TaskName, Date, Author, TaskPath, Action

# 2. Check for WinSCP process history (Exfil)
Write-Host \"\
[*] Checking for WinSCP execution artifacts...\" -ForegroundColor Yellow
$winscpPath = \"C:\\Users\\*\\AppData\\Local\\WinSCP*\"
if (Test-Path $winscpPath) {
    Get-ChildItem -Path $winscpPath -Recurse -Filter \"WinSCP.ini\" -ErrorAction SilentlyContinue | 
    Select-Object FullName, LastWriteTime
} else {
    Write-Host \"No WinSCP directory found.\" -ForegroundColor Gray
}

# 3. Audit Volume Shadow Copies (Deleted or Manipulated)
Write-Host \"\
[*] Checking Volume Shadow Copy health...\" -ForegroundColor Yellow
try {
    vssadmin list shadows 2>&1 | Select-String \"Shadow Copy Volume\"
} catch {
    Write-Host \"Could not query VSS. Check permissions.\" -ForegroundColor Red
}

Write-Host \"\
[+] Hunt Complete. Review output for anomalies.\" -ForegroundColor Green


---

Incident Response Priorities

  1. T-Minus Detection Checklist:

    • Check Point / Cisco FMC Logs: Immediate review for authentication anomalies or IKEv1 failures (CVE-2026-50751 / CVE-2026-20131).
    • ScreenConnect Audit: Audit all ScreenConnect session logs for unexpected logins or path traversal attempts (CVE-2024-1708).
    • PowerShell Logs: Look for Invoke-Expression or base64 encoded strings originating from non-admin accounts.
  2. Critical Assets (Exfiltration Targets):

    • Telecom: Customer PII, Call Detail Records (CDR), Network topology diagrams.
    • Manufacturing: CAD drawings, Intellectual Property, ERP databases.
    • Logistics: Shipment manifests, Supplier contracts, Pricing models.
  3. Containment Actions (Urgency Order):

    • Immediate: Isolate assets running vulnerable versions of Check Point / ScreenConnect. Reset credentials for service accounts used by these tools.
    • High: Block outbound traffic to known exfil domains (MEGA, anonymizing file hosts) at the firewall.
    • Medium: Disable the PsExec and WMI services on non-admin workstations via GPO if widespread lateral movement is suspected.

Hardening Recommendations

  • Immediate (24 Hours):

    • Patch Critical CVEs: Apply patches for CVE-2024-1708 (ScreenConnect) and CVE-2026-50751 (Check Point) immediately. If patching is impossible, disable the services or enforce strict MFA/VPN allow-listing.
    • Disable RDP: Close RDP ports from the internet. AKIRA frequently targets exposed RDP.
  • Short-Term (2 Weeks):

    • Network Segmentation: Ensure Telecom/OT environments are logically separated from IT admin networks to prevent lateral movement from a single compromised workstation.
    • MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) for all VPN and remote access portals.

Related Resources

Security Arsenal Incident Response
Managed SOC & MDR Services
AlertMonitor Threat Detection
From The Dark Side Intel Hub

darkwebransomware-gangakiraransomwaretelecommanufacturingcve-2024-1708exfiltration

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.