Akira Ransomware Campaigns
Threat Profiles
- “Trending & Emerging Threats” weekly update: Akira Ransomware Campaigns
- Separate incident response teams (Arctic Wolf, Huntress, The DFIR Report) reported recent intrusions that led to Akira ransomware deployment. Distinct sets of initial access methods (SEO poisoning & loader installation, versus suspected zero-day exploit activity) were observed. This Threat Profile update offers a chance to revisit a few Threat-Led Defense themes we have covered previously:
- Timely, synthesized TTP intel: We published Akira CTI content in August 2023, eight months before ATT&CK’s version of the object(s) was released and nine months before a CISA advisory on the group. We layered our intelligence on top of the ATT&CK object(s) and have continued to release updates (this week adding two related Campaigns, 13 Software, and myriad new Technique relationships).
- Early warning: Although Akira had not made headlines in the months prior to this week, we continue to observe the group claiming significant numbers of attacks, and it has remained in our “Trending Ransomware” curated Threat Profile every month this year except one.
- Defense in depth against exploit threats: Adversary behavior-focused security enables defense-in-depth against vulnerability exploit-based attacks (find a relevant Support Playbook here). It is especially important to note that our fresh Akira ransomware TTP intelligence is available in our knowledge base before a CVE has even been assigned to the reported SonicWall exploit activity.
- Time-to-Coverage Assessment powered by AI: Recent Akira Campaign reporting was rich with technical details but in unstructured formats scattered throughout blogs. Processing the reports with Tidal Cyber AI powered rapid creation of knowledge base objects (which can then be immediately leveraged in Threat Profiles & Coverage Maps).
Tags
- New Insider Threat Tags: Published two new Tag sets to highlight adversary groups known to have a) recruited corporate insiders (ransomware groups, but also politically motivated hacktivists), or b) gained illicit employment at target enterprises (e.g. North Korean remote IT workers).
Threat Objects
- Scattered Spider: We continue to extend this Group object with new Technique & Software relationships, this time based on the latest update to the U.S. joint advisory on this prominent threat.
- SharePoint Exploit Campaign: Continued to add more Technique relationships after the release of additional threat research.