Date: 2026-07-18
Source: Ransomware.live / Dark Web Leak Sites
Analyst: Security Arsenal Intelligence Unit
Threat Actor Profile — AKIRA
- Type: Closed-group operation with sporadic affiliate usage. Focuses heavily on double extortion tactics, utilizing a custom Rust-based encryptor.
- Ransom Demands: Historically ranges from $200,000 to $4 million, typically negotiated down to ~50-60% of initial ask.
- Initial Access Vectors: AKIRA demonstrates a high proficiency in exploiting external-facing vulnerabilities, particularly VPNs and remote management tools (e.g., Cisco VPN, Check Point, ScreenConnect). Phishing with macro-laden documents is a secondary vector.
- TTPs:
- Lateral Movement: Heavy reliance on valid credentials dumped via
MimikatzorLaZagne. UsesPsExec,WMI, and custom PowerShell scripts for propagation. - Data Exfiltration: Uses
WinSCP,Rclone, andMEGAfor staging and exfiltration prior to encryption. - Dwell Time: Short and aggressive. Recent campaigns show a dwell time of 3–7 days between initial access and detonation.
- Lateral Movement: Heavy reliance on valid credentials dumped via
Current Campaign Analysis
Targeting Overview
AKIRA has posted 4 new victims between 2026-07-15 and 2026-07-17, marking a concentrated burst in activity targeting US-based entities.
-
Sectors Targeted:
- Telecommunication: Westcoast Communication Services (2026-07-17)
- Transportation/Logistics: Nesco Bus Maintenance (2026-07-17)
- Manufacturing: Plumley Engineering (2026-07-16)
- Construction: Pioneer Construction (2026-07-15)
-
Geographic Focus: 100% United States. This suggests a specific focus on the North American market, potentially leveraging供应 chain compromises common in these sectors or targeting regional MSPs.
-
Victim Profile: The targets appear to be mid-market organizations. These sectors (Telecom, Construction, Logistics) possess high-value intellectual property and operational data but often lack the robust 24/7 SOC monitoring of enterprise finance/healthcare, making them ideal prey for AKIRA.
CVE Connection & Initial Access
Based on the CISA Known Exploited Vulnerabilities (KEV) catalog overlapping with this campaign, we assess with high confidence that AKIRA is actively exploiting the following:
- CVE-2024-1708 (ConnectWise ScreenConnect): The addition of this to KEV in April and its prevalence in ransomware initial access suggests AKIRA is leveraging unpatched ScreenConnect instances to gain remote code execution (RCE).
- CVE-2026-50751 (Check Point Security Gateway): Targeting a Telecommunication provider (Westcoast) strongly correlates with the exploitation of perimeter firewall/VPN vulnerabilities to bypass network defenses.
- CVE-2023-21529 (Microsoft Exchange): Historically used for persistence or credential harvesting.
Posting Frequency
The group is posting victims on a near-daily basis. This escalation usually indicates an automated leak site process or a "crunch time" effort to pressure victims after failed negotiations.
Detection Engineering
SIGMA Rules
---
title: Potential AKIRA Initial Access via ConnectWise ScreenConnect
id: 8a4f1b2c-9d3e-4f5a-8b7c-1d2e3f4a5b6c
description: Detects path traversal exploitation attempts associated with CVE-2024-1708 on ConnectWise ScreenConnect servers, a known AKIRA vector.
status: stable
author: Security Arsenal
date: 2026/07/18
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
category: web
product: connectwise_screenconnect
detection:
selection:
cs-uri-query|contains:
- '..%2f'
- '..\\'
condition: selection
falsepositives:
- Vulnerability scanners
level: critical
---
title: AKIRA Lateral Movement via PsExec and WMI
id: 9b5g2c3d-0e4f-5g6a-9c8d-2e3f4a5b6c7d
description: Detects lateral movement patterns consistent with AKIRA operators using PsExec or WMI for payload deployment.
status: stable
author: Security Arsenal
date: 2026/07/18
logsource:
category: process_creation
product: windows
detection:
selection_psexec:
Image|endswith: '\\psexec.exe'
CommandLine|contains:
- '-accepteula'
selection_wmi:
Image|endswith: '\\wmic.exe'
CommandLine|contains: 'process call create'
condition: 1 of selection*
falsepositives:
- System administration
level: high
---
title: AKIRA Data Staging via WinSCP
id: 0c6h3d4e-1f5g-6h7a-0d9e-3f4a5b6c7d8e
description: Detects the use of WinSCP with scripting parameters, often used by AKIRA for bulk data exfiltration prior to encryption.
status: stable
author: Security Arsenal
date: 2026/07/18
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\\winscp.exe'
CommandLine|contains:
- '/script='
- '/command='
condition: selection
falsepositives:
- Legitimate automated file transfers
level: medium
KQL (Microsoft Sentinel)
Hunt for lateral movement and PowerShell execution patterns associated with AKIRA's staging phase.
DeviceProcessEvents
| where Timestamp > ago(7d)
// Hunt for encoded PowerShell commands often used for staging/deobfuscation
| where ProcessCommandLine has \"powershell\" and (ProcessCommandLine has \"-enc\" or ProcessCommandLine has \"-encodedcommand\")
// Filter for common Akira staging tools or behaviors
| where ProcessCommandLine has_any(\"IEX\", \"Invoke-WebRequest\", \"DownloadString\", \"FromBase64String\")
// Correlate with network connections (if available) or specific file paths
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc
PowerShell Response Script
Rapid response script to identify common persistence and exfil indicators used by AKIRA.
# AKIRA Ransomware - Rapid Response Indicator Hunt
# Requires Administrative Privileges
Write-Host \"[+] Hunting for AKIRA Indicators of Compromise...\" -ForegroundColor Cyan
# 1. Check for Scheduled Tasks created in the last 7 days (Persistence)
Write-Host \"\
[*] Checking for recently created Scheduled Tasks...\" -ForegroundColor Yellow
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} |
Select-Object TaskName, Date, Author, TaskPath, Action
# 2. Check for WinSCP process history (Exfil)
Write-Host \"\
[*] Checking for WinSCP execution artifacts...\" -ForegroundColor Yellow
$winscpPath = \"C:\\Users\\*\\AppData\\Local\\WinSCP*\"
if (Test-Path $winscpPath) {
Get-ChildItem -Path $winscpPath -Recurse -Filter \"WinSCP.ini\" -ErrorAction SilentlyContinue |
Select-Object FullName, LastWriteTime
} else {
Write-Host \"No WinSCP directory found.\" -ForegroundColor Gray
}
# 3. Audit Volume Shadow Copies (Deleted or Manipulated)
Write-Host \"\
[*] Checking Volume Shadow Copy health...\" -ForegroundColor Yellow
try {
vssadmin list shadows 2>&1 | Select-String \"Shadow Copy Volume\"
} catch {
Write-Host \"Could not query VSS. Check permissions.\" -ForegroundColor Red
}
Write-Host \"\
[+] Hunt Complete. Review output for anomalies.\" -ForegroundColor Green
---
Incident Response Priorities
-
T-Minus Detection Checklist:
- Check Point / Cisco FMC Logs: Immediate review for authentication anomalies or IKEv1 failures (CVE-2026-50751 / CVE-2026-20131).
- ScreenConnect Audit: Audit all ScreenConnect session logs for unexpected logins or path traversal attempts (CVE-2024-1708).
- PowerShell Logs: Look for
Invoke-Expressionor base64 encoded strings originating from non-admin accounts.
-
Critical Assets (Exfiltration Targets):
- Telecom: Customer PII, Call Detail Records (CDR), Network topology diagrams.
- Manufacturing: CAD drawings, Intellectual Property, ERP databases.
- Logistics: Shipment manifests, Supplier contracts, Pricing models.
-
Containment Actions (Urgency Order):
- Immediate: Isolate assets running vulnerable versions of Check Point / ScreenConnect. Reset credentials for service accounts used by these tools.
- High: Block outbound traffic to known exfil domains (MEGA, anonymizing file hosts) at the firewall.
- Medium: Disable the
PsExecandWMIservices on non-admin workstations via GPO if widespread lateral movement is suspected.
Hardening Recommendations
-
Immediate (24 Hours):
- Patch Critical CVEs: Apply patches for CVE-2024-1708 (ScreenConnect) and CVE-2026-50751 (Check Point) immediately. If patching is impossible, disable the services or enforce strict MFA/VPN allow-listing.
- Disable RDP: Close RDP ports from the internet. AKIRA frequently targets exposed RDP.
-
Short-Term (2 Weeks):
- Network Segmentation: Ensure Telecom/OT environments are logically separated from IT admin networks to prevent lateral movement from a single compromised workstation.
- MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) for all VPN and remote access portals.
Related Resources
Security Arsenal Incident Response
Managed SOC & MDR Services
AlertMonitor Threat Detection
From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.