Akira Ransomware: Complete Guide

Heloise Montini

Heloise Montini is a content writer whose background in journalism makes her an asset when researching and writing tech content. Also, her personal aspirations in creative writing and PC gaming make her articles on data storage and data recovery accessible for a wide audience.

Laura Pompeu

With 10 years of experience in journalism, SEO & digital marketing, Laura Pompeu uses her skills and experience to manage (and sometimes write) content focused on technology and business strategies.

Bogdan Glushko

CEO at SalvageData Recovery, Bogdan Glushko has over 18 years of experience in high-security data recovery. Over the years, he's been able to help restore data after logical errors, physical failures, or even ransomware attacks, for individuals, businesses, and government agencies alike.

First seen in March 2023, Akira is a ransomware that targets Windows and Linux systems. It emerged quickly and has claimed several victims in organizations across different countries and industry sectors.

Note that there is no known evidence linking this Akira to another ransomware strain with the same name from 2017.

Experts found similarities between Akira and Conti ransomware, such as the file type exclusion list, directory exclusion list, and file tail structure. This suggests that the authors used leaked Conti ransomware source code.

In June 2023, Avast released a free Akira decryptor for Windows and is working on a decryptor for the Linux variant. However, this does not mean that Akira is no longer a threat to businesses and organizations worldwide, because Akira ransomware actors also threaten to leak the data they stole. Therefore, working on prevention is the best solution against Akira ransomware.

What kind of malware is Akira?

Akira ransomware is a Crypto ransomware that encrypts data and modifies the filenames of all affected files by appending the “.akira” extension. It is a new family of ransomware that was first used in cybercrime attacks in March 2023. Akira ransomware spreads within a corporate network and targets multiple devices once it gains access.

Before encrypting files, the ransomware avoids certain folders, including Recycle Bin, System Volume Information, Boot, ProgramData, and Windows, as well as specific Windows system files with .exe, .lnk, .dll, .msi, and .sys extensions.

The Windows and Linux versions of Akira ransomware are very similar in how they encrypt devices, but the Linux version uses the Crypto++ library instead of Windows CryptoAPI.

It exfiltrates victims’ sensitive and critical data before encrypting it and then threatens to leak the data unless they pay the ransom. This tactic, known as double extortion, is a common way for attackers to profit.

Akira uses a combination of AES and RSA encryption to lock victims’ files. The Advanced Encryption Standard (AES) is a strong encryption algorithm that is also used for legitimate cybersecurity purposes. Rivest–Shamir–Adleman (RSA) is an asymmetric encryption algorithm.

Everything we know about Akira ransomware

This list contains the basic information about the new ransomware strain known as Akira.

Confirmed Name

  • Akira virus

Threat Type

  • Ransomware
  • Crypto Virus
  • Files locker
  • Double extortion

Encrypted Files Extension

  • .akira

Ransom Demanding Message

  • akira_readme.txt

Detection Names

  • Avast Win64:RansomX-gen [Ransom]
  • AVG Win64:RansomX-gen [Ransom]
  • Emsisoft Gen:Variant.Midie.124870 (B)
  • Kaspersky Trojan-Ransom.Win64.Akira.a
  • Malwarebytes Malware.AI.2152310429
  • Microsoft Ransom:Win64/Akira.GID!MTB

Ransomware family, type & variant

  • Akira ransomware is based on the leaked source code of Conti ransomware
  • This is not the same Akira ransomware from 2017

Distribution methods

  • Trojans
  • Weak credentials
  • Drive-by download attacks
  • Phishing emails
  • Malicious websites

Consequences

  • Data exfiltration
  • File encryption
  • Ransomware spreads through lateral movement

Is There a Free Decryptor Available?

Yes. Although Akira is recent malware (first seen in March 2023), in June 2023 Avast released a free decryption key for 64-bit and 32-bit Windows systems.

Avast highly recommends using the 64-bit decryptor, as the ransomware is also 64-bit. However, if your system cannot support that, they’ve also released a 32-bit decryptor.

Akira ransomware symptoms

  • Encrypted data with the .akira extension added to the filenames of all affected files

  • A ransom note appears on the desktop and in every folder, explaining with a condescending tone that the easiest path back to the company functioning normally is to pay the ransom.
  • The double-extortion technique where the attackers exfiltrate and encrypt the victim’s data and threaten to sell or leak the stolen data on the dark web if the ransom is not paid
  • Infiltration of corporate networks and lateral spread to other devices
  • Disguised as legitimate content, which results in victims unknowingly executing the malware themselves

What is in Akira’s ransom note

The Akira ransom note has a condescending tone and explains the steps victims must take in order to retrieve their data. It also has a unique password for each victim to use to negotiate with the hacker group. The note states that the easiest path back to the company functioning normally is to pay the ransom.

Do not pay the ransom or negotiate with the threat actors. Contact SalvageData experts immediately to restore your files and local authorities to report the ransomware.

Akira ransom note content:

Hi friends,

Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption.

Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know:

1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal.
2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help.
3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data.
4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog -.
5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us.

If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:

1. Install TOR Browser to get access to our chat room - hxxps://www.torproject.org/download/.
2. Paste this link - -.
3. Use this code - - - to log into our chat.

Keep in mind that the faster you will get in touch, the less damage we cause.

How does Akira infect a computer or network

Akira ransomware is a dangerous malware that can infect a computer or network in several ways, including:

  • Spam and phishing emails that pretend to be legit businesses. Scammers send emails that appear to be from legitimate businesses, such as PayPal, UPS, FedEx, and others. These emails contain links or attachments that put your data and network at risk. One click on a link or one download of an attachment can lock everyone out of your network.

  • Trojans. A trojan is a type of software that promises to perform one task but executes a different one, mostly malicious. They take the form of fake programs, attachments, and other types of files, deceiving victims.
  • Infiltrated network. Ransomware breaches a corporate network and spreads laterally to other devices. Before encrypting files, the ransomware avoids certain folders and specific Windows system files with .exe, .lnk, .dll, .msi, and .sys extensions.
  • Malicious websites. Infected websites automatically download malware onto the victim’s computer or network.
  • Cracked software installations. Hackers use obfuscator technology in combination with other methods to infect the device without the user being aware. Cracked software installations allow malicious files to enter the system.

How does Akira ransomware work

Once the Akira ransomware gains access to a computer or network, it will encrypt the victim’s files using sophisticated encryption algorithms. The victim’s files will be appended with the .akira extension. The ransomware breaches a corporate network and spreads laterally to other devices.

Before encrypting the data, Akira ransomware spreads across the network using Remote Desktop Protocol (RDP). This is why it’s crucial to segment the network and restrict users’ access to only the data they need to perform their tasks. This will prevent threats from spreading via lateral movement.
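One way to watch for the RDP spread described above, added here as an example (not code from the original article): flag any source address that opens RDP sessions to several distinct hosts within a short window. The log layout, the threshold and the window are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real logs: one row per successful RDP logon
# (Windows Security event 4624, LogonType 10), exported as
# time,source_ip,target_host,account. The column layout is an assumption.
SAMPLE_LOGONS = """\
2023-06-12T08:02:11,10.0.5.10,FILESRV01,adm-jlee
2023-06-12T13:40:03,10.0.5.10,DC01,adm-jlee
2023-06-12T22:14:09,10.0.8.23,FILESRV01,svc-backup
2023-06-12T22:16:41,10.0.8.23,DC01,svc-backup
2023-06-12T22:19:05,10.0.8.23,SQL02,svc-backup
2023-06-12T22:19:58,10.0.8.23,sql02,svc-backup
2023-06-12T22:25:30,10.0.8.23,HR-WS07,svc-backup
"""


def rdp_fanout(text, window=timedelta(minutes=30), threshold=4):
    """Flag sources that open RDP sessions to `threshold` or more distinct
    hosts inside one sliding `window`."""
    by_source = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        when, source, target, account = (f.strip() for f in line.split(","))
        by_source[source].append(
            (datetime.fromisoformat(when), target.lower(), account))

    alerts = []
    for source, events in by_source.items():
        events.sort()
        start = 0
        for end, (when, _target, _account) in enumerate(events):
            # Move the left edge until the span fits inside the window.
            while when - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            targets = sorted({t for _, t, _ in in_window})
            if len(targets) >= threshold:
                alerts.append({
                    "source": source,
                    "first_seen": in_window[0][0].isoformat(),
                    "targets": targets,
                    "accounts": sorted({a for _, _, a in in_window}),
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in rdp_fanout(SAMPLE_LOGONS):
        print(alert)
```

In a segmented network, a workstation subnet reaching servers over RDP at all is worth an alert, so the threshold can be set lower there than on an administrative jump host.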

Akira also deletes Shadow Copies and backups from the system.

The Akira ransomware attack process involves two main stages: exfiltration and encryption. Here is a breakdown of the process:

Exfiltration

Before triggering the Akira ransomware’s encryption routine and posting a ransom demand, the cybercriminals exfiltrate data from hacked corporate networks. Akira ransomware typically utilizes the machine’s own resources to carry out data exfiltration, thereby imposing a heavy load on the system’s resources.

After exfiltrating the victim’s data, the attackers threaten to sell or leak the stolen data on the dark web if the ransom is not paid.

Their leak website has a retro design reminiscent of 1980s green-screen consoles and possibly takes its name from the popular 1988 anime film of the same name.

Encryption

Before encrypting files, the ransomware avoids certain folders, including Recycle Bin, System Volume Information, Boot, ProgramData, and Windows, as well as specific Windows system files with .exe, .lnk, .dll, .msi, and .sys extensions.

Akira ransomware encrypts the victim’s files using sophisticated encryption algorithms, such as AES-256. Once encryption is complete, the victim’s files are locked and can’t be accessed.

How to handle an Akira ransomware attack

The first step to recover from the Akira attack is to isolate the infected computer by disconnecting it from the internet and removing any connected device. Then, you must contact local authorities. For US residents and businesses, these are the local FBI field office and the Internet Crime Complaint Center (IC3).

To report a ransomware attack, you must gather all the information you can about it, including:

  • Screenshots of the ransom note
  • Communications with Akira actors (if you have them)
  • A sample of an encrypted file

However, if you prefer to contact professionals, then do nothing. Leave every infected machine the way it is and ask for an emergency ransomware removal service. Restarting or shutting down the system may compromise the recovery service. Capturing the RAM of a live system may help recover the encryption key, and a captured dropper file can be reverse-engineered, which may lead to decryption of the data or an understanding of how the ransomware operates.

You must not delete the ransomware, and you should keep all evidence of the attack. That’s important for digital forensics so experts can trace the attack back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find those responsible. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.

1. Contact your Incident Response provider

Cyber incident response is the process of responding to and managing a cybersecurity incident. An incident response retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively in the event of a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. The specific nature and structure of an incident response retainer will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

If you contact your IR service provider, then they will take care of everything else. However, if you decide to remove the ransomware and recover the files with your IT team, then you can follow the next steps.

2. Identify the ransomware infection

You can identify which ransomware infected your machine by the file extension (some ransomware uses the file extension as its name) or from the ransom note. With this information, you can look for a public decryption key.

You can also check the ransomware type by its IOCs. Indicators of Compromise (IOCs) are digital clues that cybersecurity professionals use to identify system compromises and malicious activities within a network or IT environment. They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.
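A read-only triage pass for this step, added here as an example (not SalvageData's or Avast's code): it counts files carrying the .akira extension, locates akira_readme.txt notes, and optionally compares SHA-256 digests against an IOC set you supply. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".akira"          # extension named on this page
RANSOM_NOTE = "akira_readme.txt"  # ransom note file name named on this page


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage(root, known_hashes=frozenset()):
    """Read-only walk of root: nothing is changed, so evidence stays intact."""
    report = {"encrypted": [], "notes": [], "hash_hits": [], "unreadable": []}
    per_dir = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                report["encrypted"].append(path)
                per_dir[dirpath] += 1
            elif name.lower() == RANSOM_NOTE:
                report["notes"].append(path)
            elif known_hashes:
                try:
                    if sha256_of(path) in known_hashes:
                        report["hash_hits"].append(path)
                except OSError:  # locked or vanished file on a live system
                    report["unreadable"].append(path)
    report["worst_dirs"] = per_dir.most_common(3)
    return report


def demo():
    """Run triage over a constructed tree of harmless stand-in files."""
    sample = {  # constructed sample data, not real victim files or malware
        "finance/q1.xlsx.akira": b"x", "finance/q2.xlsx.akira": b"x",
        "finance/akira_readme.txt": b"note", "hr/staff.docx.akira": b"x",
        "hr/policy.pdf": b"clean", "tools/update.bin": b"stand-in sample",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        # Placeholder IOC set: the digest of the stand-in tools/update.bin.
        rep = triage(root, {hashlib.sha256(b"stand-in sample").hexdigest()})
        out = {k: sorted(os.path.basename(p) for p in rep[k])
               for k in ("encrypted", "notes", "hash_hits")}
        out["worst_dir"] = os.path.basename(rep["worst_dirs"][0][0])
        return out
```

Calling demo() returns the summary for the constructed tree; for real use, point triage() at a forensic image or a share mounted read-only rather than the live volume.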

Akira Ransomware IOCs

Indicators of Compromise (IOCs) are artifacts observed on a network or in an operating system that indicate a computer intrusion with high confidence. IOCs can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must make sure that your device is ransomware-free and that the attackers can’t launch a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

Use anti-malware/anti-ransomware software to quarantine and remove the malicious software.

Important: By contacting ransomware removal services you can ensure that your machine and network have no trace of the Akira ransomware. Also, these services can patch your system, preventing new attacks.

4. Use a backup to restore the data

Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.

5. Contact a ransomware recovery service

If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, you should contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup of it. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and prevent the Akira ransomware from attacking your network again.

Also, we offer a digital forensic report that you can use for further investigation and to understand how the cyber attack happened.

Contact our experts 24/7 for emergency recovery service.

Prevent the Akira ransomware attack

Preventing ransomware is the best solution for data security: it is easier and cheaper than recovering from an attack. Akira ransomware can cost your business its future and even close its doors.

These are a few tips to ensure you can avoid ransomware attacks:

  • Antivirus and anti-malware
  • Use cybersecurity solutions
  • Use strong passwords
  • Updated software
  • Updated operating system (OS)
  • Firewalls
  • Have a recovery plan in hand (See how to create a data recovery plan with our in-depth guide)
  • Schedule regular backups
  • Don’t open an email attachment from an unknown source
  • Do not download files from suspicious websites
  • Don’t click on ads unless you’re sure it’s safe
  • Only access websites from trustworthy sources