Microsoft Security Intelligence
Published May 20, 2025 | Updated Nov 20, 2025

Ransom:Win64/Akira!rfn

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Ransom:Win64/Akira!rfn is the detection name for a 64-bit Windows version of the Akira ransomware, a persistent threat active since March 2023. This malware operates on a Ransomware-as-a-Service (RaaS) model, which allows multiple threat actors to conduct widespread attacks. Its primary method is a double-extortion strategy: threat actors first exfiltrate sensitive data from compromised networks and then deploy a payload to encrypt files on Windows devices. 

This operation poses a significant threat to enterprise environments. Threat actors gain initial access to networks by exploiting known vulnerabilities in VPN appliances. They also use stolen credentials for Remote Desktop Protocol (RDP) and conduct sophisticated phishing campaigns. After infiltration, they move to steal data before launching the file-encryption routine. They threaten to publish the stolen information on their dark web leak site to pressure victims into paying the ransom, making data recovery and breach containment critical priorities for affected organizations. 

  • Disconnect the infected devices from the network immediately to prevent lateral movement and the spread of the ransomware. Do not shut down the machines, as this could compromise volatile data in memory that might be useful for forensic analysis. Preserve the ransom note and any encrypted files as evidence. 
  • Confirm the ransomware variant by the .akira file extension and the akira_readme.txt note. 
  • Paying the ransom is strongly advised against, as it does not guarantee data return and funds further criminal activity. Check for available, unaffected offline backups to restore your device.
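
A read-only way to carry out the confirmation step above across a folder tree, as an added PowerShell example (not Microsoft's tooling). The scan root and report path are assumptions; the two indicators are the ones named on this page.

```powershell
# Added triage example, not part of the original page. Read-only: it lists
# file metadata and never opens, moves or deletes files, so evidence is preserved.
param(
    [string]$Root = 'C:\Users',                 # assumption: scope chosen by the responder
    [string]$ReportPath = '.\akira_triage.csv'  # assumption: point this at external media
)

# Indicators stated on this page.
$EncryptedExtension = '.akira'
$RansomNoteName     = 'akira_readme.txt'

# Enumerate once. -Force includes hidden and system files; unreadable
# directories are skipped instead of aborting the scan.
$hits = @(Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ieq $EncryptedExtension -or $_.Name -ieq $RansomNoteName })

# Per directory: encrypted-file count, whether a note is present, and the
# earliest write time among the matches (useful when building a timeline).
$summary = @($hits | Group-Object DirectoryName | ForEach-Object {
    $encrypted = @($_.Group | Where-Object { $_.Extension -ieq $EncryptedExtension })
    $notes     = @($_.Group | Where-Object { $_.Name -ieq $RansomNoteName })
    $earliest  = $_.Group | Sort-Object LastWriteTimeUtc | Select-Object -First 1
    [pscustomobject]@{
        Directory      = $_.Name
        EncryptedFiles = $encrypted.Count
        RansomNote     = ($notes.Count -gt 0)
        EarliestWrite  = $earliest.LastWriteTimeUtc.ToString('o')
    }
})

if ($summary.Count -gt 0) {
    $summary | Sort-Object EarliestWrite |
        Export-Csv -LiteralPath $ReportPath -NoTypeInformation
}

# Both indicators together match the confirmation criteria in the step above.
$encryptedSeen = @($hits | Where-Object { $_.Extension -ieq $EncryptedExtension }).Count -gt 0
$noteSeen      = @($hits | Where-Object { $_.Name -ieq $RansomNoteName }).Count -gt 0
'{0} matching files in {1} directories; both indicators present: {2}' -f `
    $hits.Count, $summary.Count, ($encryptedSeen -and $noteSeen)
```

Directories that hold a note but no encrypted files, or the reverse, are worth a manual look before drawing conclusions about how far encryption progressed.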

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help. 
