Akira and Cl0p Lead Most Active Ransomware-as-a-Service Groups in 2025
Summary
The first half of 2025 saw a 179% increase in ransomware attacks compared to the same period in 2024. Akira and Cl0p are the most active ransomware-as-a-service (RaaS) groups, targeting manufacturing, technology, and the US. The RaaS model enables lower-skilled actors to launch attacks, contributing to the surge. New tactics include pure extortion, AI-assisted phishing, and exploitation of SonicWall SSL VPN vulnerabilities. Akira has targeted SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and misconfigurations, leading to increased threat activity and unauthorized access. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of vulnerable Australian organizations through SonicWall devices. The recent increase in exploitation of CVE-2024-40766 has been linked to incomplete remediation and misconfigurations, with SonicWall advising immediate patching and security measures. Over the past three months, Akira ransomware attacks have led to a surge in the exploitation of CVE-2024-40766, an improper access control issue in SonicWall firewalls. Akira operators are targeting SSL VPN accounts that use a one-time password (OTP) as the multi-factor authentication (MFA) option. Arctic Wolf observed dozens of incidents tied to VPN client logins from VPS hosting providers, network scanning, Impacket SMB activity, and Active Directory discovery. Akira's dwell times are among the shortest recorded for ransomware, measured in hours. Akira affiliates leveraged pre-installed and legitimate utilities to evade detection, using the Datto RMM tool on a domain controller to execute a PowerShell script and gain full control over the server. The attackers modified registries to evade detection, turned off security features, and dropped various files, including scripts that modified firewall rules. 
The earliest activity connected to the Akira ransomware campaign began in mid-July 2025, with similar malicious VPN logins tracked back to October 2024. The campaign remains active, with attacks consistent since July 2025, showing a slight decrease around the end of August and early September, and picking up pace again around the end of September 2025. A range of SonicWall devices, including NSA and TZ series devices running versions of SonicOS 6 and 7, have been targeted. SonicOS firmware versions 6.5.5.1-6n, 7.0.1-5065, 7.0.1-5119, 7.1.2-7019, 7.1.3-7015, and 7.3.0-7012 are vulnerable, as well as hardware models NSa 2600, NSa 2700, NSa 4650, NSa 5700, TZ370, and TZ470. The campaign may trace back to earlier exploitation of CVE-2024-40766, impacting SonicOS 5, 6, and 7, with credentials stolen from vulnerable firewalls possibly carried forward to newer SonicOS versions. Arctic Wolf Labs observed intrusions affecting devices running SonicOS 7.3.0 and even more recent versions, such as 8.0.2. Arctic Wolf Labs recommends monitoring for VPN logins from untrusted hosting infrastructure, maintaining visibility into internal networks, and monitoring for anomalous SMB activity indicative of Impacket use. In June 2025, Akira ransomware expanded its encryption capabilities to target Nutanix AHV virtual machines, encrypting .qcow2 disk files. Akira threat actors have been observed using utilities such as nltest, AnyDesk, LogMeIn, Impacket's wmiexec.py, and VB scripts for reconnaissance, lateral movement, and persistence. Akira has exfiltrated data in as little as two hours during some attacks. Akira has used tunneling tools such as Ngrok to establish encrypted command-and-control channels. Akira has exploited CVE-2023-27532 and CVE-2024-40711 vulnerabilities on unpatched Veeam Backup & Replication servers to gain access and delete backups. 
Akira has been observed copying VMDK files from domain controller VMs to extract NTDS.dit files and SYSTEM hives for domain administrator access. Akira ransomware has claimed approximately $244.17m in ransomware proceeds since late September 2025. Akira threat actors have been observed exfiltrating data in just over two hours from initial access in some incidents. Akira ransomware operators have demonstrated a significant evolution in their tactics by encrypting Nutanix AHV virtual machine disk files for the first time in June 2025. Akira threat actors gain access to VPN products, such as SonicWall, by stealing login credentials, exploiting vulnerabilities, using initial access brokers (IABs), brute-forcing VPN endpoints, and password spraying techniques. Akira threat actors have been observed gaining initial access through the Secure Shell (SSH) protocol by exploiting a router’s IP address. Akira threat actors leverage Impacket to execute the remote command wmiexec.py. Akira threat actors implement techniques such as uninstalling endpoint detection and response (EDR) systems to evade detection. Akira threat actors create new user accounts and add them to the administrator group to establish a foothold in the environment. Akira ransomware operators use tunneling tools like Ngrok to establish encrypted command-and-control (C2) channels that evade perimeter monitoring. Akira ransomware operators leverage PowerShell and WMIC to disable services and run malicious scripts, enabling deeper system compromise. Akira ransomware operators use sophisticated hybrid encryption schemes to lock data, appending encrypted files with extensions such as .akira, .powerranges, .akiranew, or .aki. A ransom note named fn.txt or akira_readme.txt appears in both the root directory (C:) and each user’s home directory (C:\Users). In Q3 2025, Akira, Qilin, and INC Ransomware were the most prolific groups, accounting for 65% of cases. 
The use of valid credentials to access VPNs was the most common method of initial access, accounting for 48% of breaches. Akira consistently gained access by using valid credentials in credential stuffing attacks against SonicWall SSLVPN services, exploiting weak access controls such as absent MFA and insufficient lockout policies. Beazley tracked 11,775 new CVEs published by NIST in Q3 2025, with 38% more advisories issued regarding zero-day vulnerabilities.
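The monitoring Arctic Wolf Labs recommends above (VPN logins from untrusted hosting infrastructure, plus the credential-stuffing pattern against SSLVPN accounts described for Akira) can be turned into a first-pass detection. The script below is an added example, not code from Arctic Wolf, SonicWall or the original page; the log line format, the hosting-provider CIDRs and the sample log are all constructed assumptions, and a real deployment would feed it the firewall's actual SSLVPN authentication logs and a maintained VPS/ASN list.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed assumption: ranges an analyst maintains for VPS/hosting providers.
# These are RFC 5737 documentation prefixes, not real provider allocations.
HOSTING_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed, generic line format (not SonicWall's real syslog schema):
#   <ISO timestamp> vpn-login user=<name> src=<ip> result=<success|failure>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)

# Constructed sample log: one normal login, then one hosting-range source
# cycling through five usernames in a few seconds and finally succeeding.
SAMPLE_LOG = """\
2025-09-15T02:11:03 vpn-login user=jdoe src=192.0.2.10 result=success
2025-09-15T02:12:40 vpn-login user=admin src=203.0.113.7 result=failure
2025-09-15T02:12:41 vpn-login user=backup src=203.0.113.7 result=failure
2025-09-15T02:12:42 vpn-login user=it src=203.0.113.7 result=failure
2025-09-15T02:12:43 vpn-login user=jsmith src=203.0.113.7 result=failure
2025-09-15T02:12:44 vpn-login user=mwong src=203.0.113.7 result=success
2025-09-15T02:30:00 vpn-login user=asmith src=192.0.2.55 result=success
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "src": m["src"],
        "result": m["result"],
    }


def is_hosting_ip(ip):
    """True if the address (string or ipaddress object) falls in a hosting range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def detect(lines, stuffing_threshold=5, window=timedelta(minutes=10)):
    """Return a list of (rule_name, detail) findings over the given log lines."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    findings = []

    # Rule 1: any successful SSLVPN login whose source is hosting infrastructure.
    for e in events:
        if e["result"] == "success" and is_hosting_ip(e["src"]):
            findings.append(("hosting_login",
                             f"{e['user']} from {e['src']} at {e['ts'].isoformat()}"))

    # Rule 2: one source trying >= threshold distinct usernames inside the window,
    # regardless of outcome; that is the credential-stuffing shape, and it fires
    # even when the firewall never locks the account out.
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= stuffing_threshold:
                findings.append(("credential_stuffing",
                                 f"{src} tried {len(users)} usernames within {window}"))
                break
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"[{rule}] {detail}")
```

A match on either rule is a triage lead, not proof of compromise; the page's other indicators (Impacket SMB activity, AD discovery from the same host) are what confirm it.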
Timeline
-
14.11.2025 00:32 · 2 articles
Akira Expands to Target Nutanix AHV Virtual Machines
In June 2025, Akira ransomware expanded its encryption capabilities to target Nutanix AHV virtual machines, encrypting .qcow2 disk files. Akira threat actors have been observed using utilities such as nltest, AnyDesk, LogMeIn, Impacket's wmiexec.py, and VB scripts for reconnaissance, lateral movement, and persistence. Akira has exfiltrated data in as little as two hours during some attacks. Akira has used tunneling tools such as Ngrok to establish encrypted command-and-control channels. Akira has exploited CVE-2023-27532 and CVE-2024-40711 vulnerabilities on unpatched Veeam Backup & Replication servers to gain access and delete backups. Akira has been observed copying VMDK files from domain controller VMs to extract NTDS.dit files and SYSTEM hives for domain administrator access. Akira ransomware operators use sophisticated hybrid encryption schemes to lock data, appending encrypted files with extensions such as .akira, .powerranges, .akiranew, or .aki. A ransom note named fn.txt or akira_readme.txt appears in both the root directory (C:) and each user’s home directory (C:\Users).
Sources:
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs — www.bleepingcomputer.com — 14.11.2025 00:32
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
-
11.09.2025 13:33 · 6 articles
Akira Exploits SonicWall Vulnerabilities and Misconfigurations
The recent increase in exploitation of CVE-2024-40766 has been linked to incomplete remediation and misconfigurations. Akira ransomware exploits broad access permissions of the Default Users Group and default public access permissions for the Virtual Office Portal on SonicWall devices. SonicWall recommends updating to firmware version 7.3.0 or later, rotating account passwords, enforcing multi-factor authentication (MFA), and mitigating SSLVPN Default Groups risk. Akira affiliates leveraged pre-installed and legitimate utilities to evade detection, using the Datto RMM tool on a domain controller to execute a PowerShell script and gain full control over the server. The attackers modified registries to evade detection, turned off security features, and dropped various files, including scripts that modified firewall rules. Akira threat actors gain access to VPN products, such as SonicWall, by stealing login credentials, exploiting vulnerabilities, using initial access brokers (IABs), brute-forcing VPN endpoints, and password spraying techniques. Akira threat actors have been observed gaining initial access through the Secure Shell (SSH) protocol by exploiting a router’s IP address. Akira threat actors leverage Impacket to execute the remote command wmiexec.py. Akira threat actors implement techniques such as uninstalling endpoint detection and response (EDR) systems to evade detection. Akira threat actors create new user accounts and add them to the administrator group to establish a foothold in the environment. Akira ransomware operators use tunneling tools like Ngrok to establish encrypted command-and-control (C2) channels that evade perimeter monitoring. Akira ransomware operators leverage PowerShell and WMIC to disable services and run malicious scripts, enabling deeper system compromise. 
In Q3 2025, Akira consistently gained access by using valid credentials in credential stuffing attacks against SonicWall SSLVPN services, exploiting weak access controls such as absent MFA and insufficient lockout policies.
Sources:
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers — thehackernews.com — 11.09.2025 13:33
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs — www.bleepingcomputer.com — 14.11.2025 00:32
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
- Half of Ransomware Access Due to Hijacked VPN Credentials — www.infosecurity-magazine.com — 19.11.2025 11:40
-
28.08.2025 21:49 · 8 articles
Akira and Cl0p Lead Ransomware Attacks in 2025
The earliest activity connected to the Akira ransomware campaign began in mid-July 2025, with similar malicious VPN logins tracked back to October 2024. The campaign remains active, with attacks consistent since July 2025, showing a slight decrease around the end of August and early September, and picking up pace again around the end of September 2025. A range of SonicWall devices, including NSA and TZ series devices running versions of SonicOS 6 and 7, have been targeted. The campaign may trace back to earlier exploitation of CVE-2024-40766, impacting SonicOS 5, 6, and 7, with credentials stolen from vulnerable firewalls possibly carried forward to newer SonicOS versions. Arctic Wolf Labs observed intrusions affecting devices running SonicOS 7.3.0 and even more recent versions, such as 8.0.2. Arctic Wolf Labs recommends monitoring for VPN logins from untrusted hosting infrastructure, maintaining visibility into internal networks, and monitoring for anomalous SMB activity indicative of Impacket use. Akira ransomware has claimed approximately $244.17m in ransomware proceeds since late September 2025. Akira threat actors have been observed exfiltrating data in just over two hours from initial access in some incidents. In Q3 2025, Akira, Qilin, and INC Ransomware were the most prolific groups, accounting for 65% of cases. The use of valid credentials to access VPNs was the most common method of initial access, accounting for 48% of breaches. Akira consistently gained access by using valid credentials in credential stuffing attacks against SonicWall SSLVPN services, exploiting weak access controls such as absent MFA and insufficient lockout policies.
Sources:
- Akira, Cl0p Top List of 5 Most Active Ransomware-as-a-Service Groups — www.darkreading.com — 28.08.2025 21:49
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers — thehackernews.com — 11.09.2025 13:33
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs — www.bleepingcomputer.com — 14.11.2025 00:32
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
- Half of Ransomware Access Due to Hijacked VPN Credentials — www.infosecurity-magazine.com — 19.11.2025 11:40
Information Snippets
-
Ransomware attacks increased by 179% from January to June 2025 compared to the same period in 2024.
First reported: 28.08.2025 21:49 (4 sources, 5 articles). Sources:
- Akira, Cl0p Top List of 5 Most Active Ransomware-as-a-Service Groups — www.darkreading.com — 28.08.2025 21:49
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers — thehackernews.com — 11.09.2025 13:33
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
-
Akira and Cl0p are the most active RaaS groups in the first half of 2025.
First reported: 28.08.2025 21:49 (4 sources, 5 articles). Sources:
- Akira, Cl0p Top List of 5 Most Active Ransomware-as-a-Service Groups — www.darkreading.com — 28.08.2025 21:49
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers — thehackernews.com — 11.09.2025 13:33
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
-
The manufacturing and technology industries are primary targets, with the US being the most affected country.
First reported: 28.08.2025 21:49 (4 sources, 5 articles). Sources:
- Akira, Cl0p Top List of 5 Most Active Ransomware-as-a-Service Groups — www.darkreading.com — 28.08.2025 21:49
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers — thehackernews.com — 11.09.2025 13:33
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
-
The RaaS model allows lower-skilled actors to launch attacks, contributing to the surge in ransomware incidents.
First reported: 28.08.2025 21:49 (3 sources, 4 articles). Sources:
- Akira, Cl0p Top List of 5 Most Active Ransomware-as-a-Service Groups — www.darkreading.com — 28.08.2025 21:49
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
-
New tactics include pure extortion without encryption and AI-assisted phishing.
First reported: 28.08.2025 21:49 (4 sources, 5 articles). Sources:
- Akira, Cl0p Top List of 5 Most Active Ransomware-as-a-Service Groups — www.darkreading.com — 28.08.2025 21:49
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers — thehackernews.com — 11.09.2025 13:33
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
-
Ransomware groups may use leaked source code from defunct groups, such as Safepay sharing code with LockBit and Conti.
First reported: 28.08.2025 21:49 (1 source, 1 article). Sources:
- Akira, Cl0p Top List of 5 Most Active Ransomware-as-a-Service Groups — www.darkreading.com — 28.08.2025 21:49
-
Akira ransomware group has targeted SonicWall devices for initial access, exploiting a year-old security flaw (CVE-2024-40766).
First reported: 11.09.2025 13:33 (5 sources, 7 articles). Sources:
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers — thehackernews.com — 11.09.2025 13:33
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs — www.bleepingcomputer.com — 14.11.2025 00:32
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
- Half of Ransomware Access Due to Hijacked VPN Credentials — www.infosecurity-magazine.com — 19.11.2025 11:40
-
SonicWall appliances have been subject to increased threat activity, including brute-force attacks on user credentials.
First reported: 11.09.2025 13:33 (4 sources, 4 articles). Sources:
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers — thehackernews.com — 11.09.2025 13:33
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
-
Akira ransomware group has exploited misconfigurations in SonicWall SSL VPN settings, allowing unauthorized access.
First reported: 11.09.2025 13:33 (4 sources, 4 articles). Sources:
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers — thehackernews.com — 11.09.2025 13:33
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
-
The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of vulnerable Australian organizations through SonicWall devices.
First reported: 11.09.2025 13:33 (4 sources, 4 articles). Sources:
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers — thehackernews.com — 11.09.2025 13:33
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
-
Akira ransomware has been active since March 2023, claiming 967 victims to date.
First reported: 11.09.2025 13:33 (3 sources, 3 articles). Sources:
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers — thehackernews.com — 11.09.2025 13:33
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
-
Akira conducted 40 attacks in July 2025, making it the third most active group after Qilin and INC Ransom.
First reported: 11.09.2025 13:33 (3 sources, 3 articles). Sources:
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers — thehackernews.com — 11.09.2025 13:33
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
-
Akira has targeted manufacturing and transportation sectors through sophisticated phishing and multi-platform ransomware deployments.
First reported: 11.09.2025 13:33 (3 sources, 3 articles). Sources:
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers — thehackernews.com — 11.09.2025 13:33
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
-
Akira ransomware infections have leveraged SEO poisoning techniques to deliver trojanized installers for IT management tools.
First reported: 11.09.2025 13:33 (3 sources, 3 articles). Sources:
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers — thehackernews.com — 11.09.2025 13:33
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
-
AdaptixC2 post-exploitation framework has been used in Akira ransomware attacks for command execution, file transfer, and data exfiltration.
First reported: 11.09.2025 13:33 (3 sources, 3 articles). Sources:
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers — thehackernews.com — 11.09.2025 13:33
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
-
Akira ransomware group follows a standard attack flow: initial access via SSLVPN, privilege escalation, data theft, backup deletion, and hypervisor-level encryption.
First reported: 11.09.2025 13:33 (4 sources, 4 articles). Sources:
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers — thehackernews.com — 11.09.2025 13:33
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
-
Akira ransomware group has been exploiting CVE-2024-40766, a critical-severity access control vulnerability in SonicWall devices, to gain unauthorized access.
First reported: 11.09.2025 19:32 (3 sources, 3 articles). Sources:
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
-
SonicWall released a patch for CVE-2024-40766 in August 2024, but incomplete remediation has led to renewed exploitation.
First reported: 11.09.2025 19:32 (4 sources, 5 articles). Sources:
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs — www.bleepingcomputer.com — 14.11.2025 00:32
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
-
The Australian Cyber Security Centre (ACSC) issued an alert about the increased exploitation of CVE-2024-40766 by Akira ransomware.
First reported: 11.09.2025 19:32 (3 sources, 3 articles). Sources:
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
-
Rapid7 reported that Akira ransomware attacks on SonicWall devices have re-ignited due to incomplete remediation.
First reported: 11.09.2025 19:32 (4 sources, 4 articles). Sources:
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
-
SonicWall has high confidence that the recent SSLVPN activity is not connected to a zero-day vulnerability but is related to CVE-2024-40766.
First reported: 11.09.2025 19:32 (4 sources, 4 articles). Sources:
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
-
SonicWall investigated up to 40 security incidents related to the exploitation of CVE-2024-40766.
First reported: 11.09.2025 19:32 (4 sources, 4 articles). Sources:
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
-
Akira ransomware exploits broad access permissions of the Default Users Group and default public access permissions for the Virtual Office Portal on SonicWall devices.
First reported: 11.09.2025 19:32 (3 sources, 3 articles). Sources:
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
-
SonicWall recommends updating to firmware version 7.3.0 or later, rotating account passwords, enforcing multi-factor authentication (MFA), and mitigating SSLVPN Default Groups risk.
First reported: 11.09.2025 19:32 (2 sources, 2 articles). Sources:
- Akira ransomware exploiting critical SonicWall SSLVPN bug again — www.bleepingcomputer.com — 11.09.2025 19:32
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
-
Akira ransomware operators are targeting SSL VPN accounts that use a one-time password (OTP) as the multi-factor authentication (MFA) option.
First reported: 29.09.2025 12:32 (4 sources, 4 articles). Sources:
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs — www.bleepingcomputer.com — 14.11.2025 00:32
- Half of Ransomware Access Due to Hijacked VPN Credentials — www.infosecurity-magazine.com — 19.11.2025 11:40
-
Arctic Wolf observed dozens of incidents tied to VPN client logins from VPS hosting providers, network scanning, Impacket SMB activity, and Active Directory discovery.
First reported: 29.09.2025 12:32 (4 sources, 4 articles). Sources:
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs — www.bleepingcomputer.com — 14.11.2025 00:32
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
-
Akira's dwell times are measured in hours, among the shortest recorded for ransomware.
First reported: 29.09.2025 12:32 (3 sources, 3 articles). Sources:
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
-
Akira affiliates leveraged pre-installed and legitimate utilities to evade detection.
First reported: 29.09.2025 12:32 (3 sources, 3 articles). Sources:
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
-
Akira used the Datto remote monitoring and management (RMM) tool on a domain controller to execute a PowerShell script and gain full control over the server.
First reported: 29.09.2025 12:32 (4 sources, 4 articles). Sources:
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs — www.bleepingcomputer.com — 14.11.2025 00:32
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
-
Akira modified registries to evade detection, turned off security features, and dropped various files, including scripts that modified firewall rules.
First reported: 29.09.2025 12:32 (4 sources, 4 articles). Sources:
- Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues — www.securityweek.com — 29.09.2025 12:32
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs — www.bleepingcomputer.com — 14.11.2025 00:32
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
-
The earliest activity connected to the Akira ransomware campaign began in mid-July 2025, with similar malicious VPN logins tracked back to October 2024.
First reported: 29.09.2025 23:53 (1 source, 1 article). Sources:
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
-
The campaign remains active, with attacks consistent since July 2025, showing a slight decrease around the end of August and early September, and picking up pace again around the end of September 2025.
First reported: 29.09.2025 23:53 (1 source, 1 article)
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
A range of SonicWall devices, including NSa and TZ series devices running versions of SonicOS 6 and 7, have been targeted.
First reported: 29.09.2025 23:53 (1 source, 1 article)
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
SonicOS firmware versions 6.5.5.1-6n, 7.0.1-5065, 7.0.1-5119, 7.1.2-7019, 7.1.3-7015, and 7.3.0-7012 are vulnerable, as well as hardware models NSa 2600, NSa 2700, NSa 4650, NSa 5700, TZ370, and TZ470.
First reported: 29.09.2025 23:53 (1 source, 1 article)
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
The campaign may trace back to earlier exploitation of CVE-2024-40766, impacting SonicOS 5, 6, and 7, with credentials stolen from vulnerable firewalls possibly carried forward to newer SonicOS versions.
First reported: 29.09.2025 23:53 (1 source, 1 article)
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
Arctic Wolf Labs observed intrusions affecting devices running SonicOS 7.3.0 and even more recent versions, such as 8.0.2.
First reported: 29.09.2025 23:53 (1 source, 1 article)
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
Arctic Wolf Labs recommends monitoring for VPN logins from untrusted hosting infrastructure, maintaining visibility into internal networks, and monitoring for anomalous SMB activity indicative of Impacket use.
First reported: 29.09.2025 23:53 (2 sources, 2 articles)
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs — www.bleepingcomputer.com — 14.11.2025 00:32
Akira ransomware has expanded its encryption capabilities to target Nutanix AHV virtual machines, encrypting .qcow2 disk files.
First reported: 14.11.2025 00:32 (2 sources, 2 articles)
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs — www.bleepingcomputer.com — 14.11.2025 00:32
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
Akira threat actors have been observed using utilities such as nltest, AnyDesk, LogMeIn, Impacket's wmiexec.py, and VB scripts for reconnaissance, lateral movement, and persistence.
First reported: 14.11.2025 00:32 (2 sources, 2 articles)
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs — www.bleepingcomputer.com — 14.11.2025 00:32
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
Akira has exfiltrated data in as little as two hours during some attacks.
First reported: 14.11.2025 00:32 (2 sources, 2 articles)
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs — www.bleepingcomputer.com — 14.11.2025 00:32
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
Akira has used tunneling tools such as Ngrok to establish encrypted command-and-control channels.
First reported: 14.11.2025 00:32 (2 sources, 2 articles)
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs — www.bleepingcomputer.com — 14.11.2025 00:32
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
Akira has exploited CVE-2023-27532 and CVE-2024-40711 vulnerabilities on unpatched Veeam Backup & Replication servers to gain access and delete backups.
First reported: 14.11.2025 00:32 (2 sources, 2 articles)
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs — www.bleepingcomputer.com — 14.11.2025 00:32
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
Akira has been observed copying VMDK files from domain controller VMs to extract NTDS.dit files and SYSTEM hives for domain administrator access.
First reported: 14.11.2025 00:32 (2 sources, 2 articles)
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs — www.bleepingcomputer.com — 14.11.2025 00:32
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
Akira ransomware has claimed approximately $244.17m in ransomware proceeds since late September 2025.
First reported: 14.11.2025 13:13 (1 source, 1 article)
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
Akira threat actors have been observed exfiltrating data in just over two hours from initial access in some incidents.
First reported: 14.11.2025 13:13 (1 source, 1 article)
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
Akira ransomware operators have demonstrated a significant evolution in their tactics by encrypting Nutanix AHV virtual machine disk files for the first time in June 2025.
First reported: 14.11.2025 13:13 (1 source, 1 article)
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
Akira threat actors gain access to VPN products, such as SonicWall, by stealing login credentials, exploiting vulnerabilities, using initial access brokers (IABs), brute-forcing VPN endpoints, and password spraying techniques.
First reported: 14.11.2025 13:13 (1 source, 2 articles)
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
- Half of Ransomware Access Due to Hijacked VPN Credentials — www.infosecurity-magazine.com — 19.11.2025 11:40
Akira threat actors have been observed gaining initial access through the Secure Shell (SSH) protocol by exploiting a router’s IP address.
First reported: 14.11.2025 13:13 (1 source, 1 article)
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
Akira threat actors leverage Impacket's wmiexec.py to execute commands remotely.
First reported: 14.11.2025 13:13 (1 source, 2 articles)
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
- Half of Ransomware Access Due to Hijacked VPN Credentials — www.infosecurity-magazine.com — 19.11.2025 11:40
Akira threat actors implement techniques such as uninstalling endpoint detection and response (EDR) systems to evade detection.
First reported: 14.11.2025 13:13 (1 source, 2 articles)
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
- Half of Ransomware Access Due to Hijacked VPN Credentials — www.infosecurity-magazine.com — 19.11.2025 11:40
Akira threat actors create new user accounts and add them to the administrator group to establish a foothold in the environment.
First reported: 14.11.2025 13:13 (1 source, 1 article)
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
Akira ransomware operators use tunneling tools like Ngrok to establish encrypted command-and-control (C2) channels that evade perimeter monitoring.
First reported: 14.11.2025 13:13 (1 source, 1 article)
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
Akira ransomware operators leverage PowerShell and WMIC to disable services and run malicious scripts, enabling deeper system compromise.
First reported: 14.11.2025 13:13 (1 source, 1 article)
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
Akira ransomware operators use sophisticated hybrid encryption schemes to lock data, appending encrypted files with extensions such as .akira, .powerranges, .akiranew, or .aki.
First reported: 14.11.2025 13:13 (1 source, 1 article)
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
A ransom note named fn.txt or akira_readme.txt appears in both the root directory (C:) and each user’s home directory (C:\Users).
First reported: 14.11.2025 13:13 (1 source, 1 article)
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13
Akira, Qilin, and INC Ransomware were the most prolific groups in Q3 2025, accounting for 65% of cases.
First reported: 19.11.2025 11:40 (1 source, 1 article)
- Half of Ransomware Access Due to Hijacked VPN Credentials — www.infosecurity-magazine.com — 19.11.2025 11:40
The use of valid credentials to access VPNs was the most common method of initial access, accounting for 48% of breaches in Q3 2025.
First reported: 19.11.2025 11:40 (1 source, 1 article)
- Half of Ransomware Access Due to Hijacked VPN Credentials — www.infosecurity-magazine.com — 19.11.2025 11:40
Akira consistently gained access by using valid credentials in credential stuffing attacks against SonicWall SSLVPN services, exploiting weak access controls such as absent MFA and insufficient lockout policies on the device.
First reported: 19.11.2025 11:40 (1 source, 1 article)
- Half of Ransomware Access Due to Hijacked VPN Credentials — www.infosecurity-magazine.com — 19.11.2025 11:40
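Two of the items above describe what a defender should look for on the VPN side: Arctic Wolf Labs' recommendation to monitor for VPN logins from untrusted hosting infrastructure, and the credential-stuffing pattern against SSL VPN services that lacked MFA and lockout policies. The following script is an added illustration of both checks and is not code from any of the cited vendors or articles. The log format is a constructed key=value syslog style (a real SonicWall or other firewall log needs its own parser), the "hosting" and "trusted" prefixes are RFC 5737 documentation ranges standing in for a real VPS-provider list, and the thresholds (five distinct usernames failing from one source within ten minutes) are assumptions to tune per environment.

```python
"""Two VPN-login detections over constructed SSL VPN log lines:
1. a successful login from hosting/VPS address space (not a known trusted egress)
2. credential stuffing: one source failing against many distinct usernames in a window
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed prefix lists; documentation ranges used as placeholders for a real
# hosting-provider feed and for the organisation's own trusted egress IPs.
HOSTING_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
TRUSTED_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample log (not a real firewall format): a normal user, then one
# hosting-range source spraying five accounts and finally succeeding on one.
SAMPLE_LOG = """\
2025-09-29T10:00:01Z sslvpn user=alice src=192.0.2.10 result=success
2025-09-29T10:00:05Z sslvpn user=bob src=203.0.113.7 result=failure
2025-09-29T10:00:06Z sslvpn user=carol src=203.0.113.7 result=failure
2025-09-29T10:00:07Z sslvpn user=dave src=203.0.113.7 result=failure
2025-09-29T10:00:08Z sslvpn user=erin src=203.0.113.7 result=failure
2025-09-29T10:00:09Z sslvpn user=frank src=203.0.113.7 result=failure
2025-09-29T10:00:30Z sslvpn user=frank src=203.0.113.7 result=success
2025-09-29T11:15:00Z sslvpn user=alice src=192.0.2.10 result=failure
2025-09-29T11:15:03Z sslvpn user=alice src=192.0.2.10 result=success
"""

LINE_RE = re.compile(r"^(\S+) sslvpn user=(\S+) src=(\S+) result=(success|failure)$")


def parse_events(text):
    """Turn log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, src, result = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user,
            "src": ipaddress.ip_address(src),
            "success": result == "success",
        })
    return events


def in_any(addr, nets):
    return any(addr in n for n in nets)


def detect(events, window=timedelta(minutes=10), min_users=5):
    """Return a list of alert dicts for the two rules described above."""
    alerts = []

    # Rule 1: successful VPN login from hosting/VPS space that is not trusted egress.
    for e in events:
        if e["success"] and in_any(e["src"], HOSTING_PREFIXES) and not in_any(e["src"], TRUSTED_PREFIXES):
            alerts.append({"rule": "vpn_login_from_hosting", "src": str(e["src"]), "user": e["user"]})

    # Rule 2: credential stuffing, one source failing against >= min_users distinct
    # usernames inside the sliding window (a lockout policy would normally stop this).
    failures = defaultdict(list)
    for e in events:
        if not e["success"]:
            failures[e["src"]].append(e)
    for src, evs in failures.items():
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                alerts.append({"rule": "credential_stuffing", "src": str(src), "users": len(users)})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

The single failed login for alice from the trusted range produces nothing, which is the point of keying rule 2 on distinct usernames per source rather than on raw failure counts: a user mistyping a password looks nothing like a spray across an account list. In production the hosting prefix list would come from an ASN or VPS-provider feed, and rule 1 should also consider flagging logins whose geolocation or ASN differs from the user's history.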
Beazley tracked 11,775 new CVEs published by NIST in Q3 2025, with 38% more advisories issued regarding zero-day vulnerabilities.
First reported: 19.11.2025 11:40 (1 source, 1 article)
- Half of Ransomware Access Due to Hijacked VPN Credentials — www.infosecurity-magazine.com — 19.11.2025 11:40
Similar Happenings
AdaptixC2 Framework Weaponized by Russian Ransomware Groups
AdaptixC2, an open-source command-and-control (C2) framework, has been adopted by Russian ransomware groups for advanced attacks. The framework, initially released in August 2024, includes features such as encrypted communications, command execution, and credential managers. Threat actors associated with Fog and Akira ransomware, as well as an initial access broker, have leveraged AdaptixC2 in their operations. The framework's creator, RalfHacker, has ties to Russia's criminal underground, raising concerns about its misuse. AdaptixC2 has been used in fake help desk support call scams and through AI-generated PowerShell scripts.
Microsoft reports surge in AI-driven cyber threats and defenses
Microsoft's Digital Defense Report 2025 highlights a dramatic escalation in AI-driven cyber attacks. Microsoft systems analyze over 100 trillion security signals daily, indicating the growing sophistication and volume of cyber threats. Adversaries are leveraging generative AI to automate phishing, scale social engineering, and discover vulnerabilities faster than humans can patch them. Autonomous malware adapts tactics in real-time to bypass security systems, and AI tools themselves are becoming high-value targets. Microsoft's AI-powered defenses have reduced response times from hours to seconds, but defenders must remain vigilant as AI increases the speed and impact of cyber operations. Identity compromise remains a dominant attack vector, with phishing and social engineering accounting for 28% of breaches. Multi-factor authentication (MFA) prevents over 99% of unauthorized access attempts, but adoption rates are uneven. The rise of infostealers has fueled credential-based intrusions. The United States accounted for 24.8% of all observed attacks between January and June 2025, followed by the United Kingdom, Israel, and Germany. Government agencies, IT providers, and research institutions were among the most frequently targeted sectors. Ransomware remains a primary threat, with over 40% of recent cases involving hybrid cloud components.
Flax Typhoon APT Group Exploits ArcGIS for Persistent Access
The Flax Typhoon APT group, also tracked as Ethereal Panda and RedJuliett, exploited a legitimate ArcGIS application to establish a persistent backdoor for over a year. The attack involved modifying the ArcGIS server’s Java server object extension (SOE) to function as a web shell, enabling command execution, lateral movement, and data exfiltration. The malicious SOE persisted even after remediation and patching, highlighting the need for proactive threat hunting and treating all public-facing applications as high-risk assets. The group targeted a public-facing ArcGIS server connected to an internal server, compromising a portal administrator account and deploying a malicious SOE. They used a base64-encoded payload and a hardcoded key to execute commands and upload a renamed SoftEther VPN executable for long-term access. The attack targeted IT staff workstations within the scanned subnet, demonstrating the potential for significant operational disruption and data exposure. The attackers used a public-facing ArcGIS server connected to a private, internal ArcGIS server for backend computations, a common default configuration. They sent disguised commands to the portal server, creating a hidden system directory that became Flax Typhoon's private workspace. The attackers ensured the compromised component was included in system backups, turning the organization's own recovery plan into a guaranteed method of reinfection. ReliaQuest worked with the customer organization and Esri to fully evict Flax Typhoon actors from the environment, which included rebuilding the entire server stack and deploying custom detections for the threat activity. ReliaQuest urged organizations to treat all public-facing applications as high-risk assets and recommended security teams audit and harden such applications. The researchers also highlighted the need for behavioral analytics to complement signature-based detection, as Flax Typhoon did not use any malware or known malicious files. 
Strong credential hygiene was emphasized, noting that a weak administrator password gave the attackers a foothold in the organization's network. ReliaQuest recommended implementing multifactor authentication and practicing the principle of least privilege to enhance security. The ArcGIS geographic information system (GIS) is developed by Esri and supports server object extensions (SOE) that can extend basic functionality. The software is used by municipalities, utilities, and infrastructure operators to manage spatial and geographic data through maps. Researchers at cybersecurity company ReliaQuest have moderate confidence that the threat actor is Flax Typhoon. The attackers used valid administrator credentials to log into a public-facing ArcGIS server linked to a private, internal ArcGIS server. The malicious SOE accepted base64-encoded commands through a REST API parameter (layer) and executed them on the internal ArcGIS server. The exchange was protected by a hardcoded secret key, ensuring only the attackers had access to this backdoor. The attackers downloaded and installed SoftEther VPN Bridge, registering it as a Windows service that started automatically. The VPN established an outbound HTTPS tunnel to the attacker's server at 172.86.113[.]142, linking the victim's internal network to the threat actor's machine. The VPN used normal HTTPS traffic on port 443, blending with legitimate traffic, and remained active even if the SOE was detected and deleted. The attackers scanned the local network, moved laterally, accessed internal hosts, dumped credentials, or exfiltrated data using the VPN connection. The attackers targeted two workstations belonging to the target organization's IT staff, attempting to dump the Security Account Manager (SAM) database, security registry keys, and LSA secrets. Flax Typhoon is known for espionage campaigns to establish long-term, stealthy access through legitimate software. 
The FBI linked Flax Typhoon to the massive "Raptor Train" botnet, impacting the U.S. The Treasury's Office of Foreign Assets Control (OFAC) sanctioned companies that supported the state-sponsored hackers. Esri confirmed this is the first time an SOE has been used this way and will update their documentation to warn users of the risk of malicious SOEs. The attackers used the JavaSimpleRESTSOE ArcGIS extension to invoke a REST operation to run commands on the internal server via the public portal. The attackers specifically targeted two workstations belonging to IT personnel to obtain credentials and further burrow into the network. The attackers reset the password of the administrative account.
Rhadamanthys Stealer Adds Device Fingerprinting, PNG Steganography Payloads
Rhadamanthys Stealer, a popular information stealer, has been updated to include device and web browser fingerprinting capabilities. The malware now uses PNG steganography to conceal its payloads. The threat actor behind Rhadamanthys has also advertised two additional tools, Elysium Proxy Bot and Crypt Service, on their website. The stealer's current version is 0.9.2, and it is available under a malware-as-a-service (MaaS) model with tiered pricing packages. The threat actor has rebranded themselves as "RHAD security" and "Mythical Origin Labs," indicating a long-term business venture. The stealer's capabilities have evolved significantly, posing a comprehensive threat to personal and corporate security. The latest updates include enhanced obfuscation techniques, environment checks, and a Lua runner for additional plugins. The Rhadamanthys infostealer operation has been disrupted, with numerous customers reporting that they no longer have access to their servers. Cybercriminals claim that law enforcement gained access to their web panels, requiring certificate-based logins instead of root passwords. The disruption is suspected to be related to Operation Endgame, an ongoing law enforcement action targeting malware-as-a-service operations.
Clop extortion campaign targets Oracle E-Business Suite
The Clop ransomware gang has been exploiting multiple vulnerabilities in Oracle E-Business Suite since at least August 2025, including the zero-day vulnerability CVE-2025-61882. The gang has been sending extortion emails to executives at multiple organizations, claiming to have stolen sensitive data. The campaign involves a high-volume email blast from hundreds of compromised accounts, some previously linked to the FIN11 threat group. The emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. CrowdStrike attributes the exploitation of CVE-2025-61882 to the Cl0p ransomware gang with moderate confidence, and the first known exploitation occurred on August 9, 2025. The exploit involves an HTTP request to /OA_HTML/SyncServlet, resulting in an authentication bypass. Oracle has released an emergency patch for the zero-day vulnerability and shared indicators of compromise. The exploit was leaked by a group called Scattered Lapsus$ Hunters, raising questions about their potential collaboration with Clop. Envoy Air, a subsidiary of American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site. Envoy Air stated that no sensitive or customer data was affected, but a limited amount of business information and commercial contact details may have been compromised. The Clop gang is also extorting Harvard University, with the university confirming that the incident impacts a limited number of parties associated with a small administrative unit. GlobalLogic, a digital engineering services provider, has notified over 10,000 current and former employees that their data was stolen in an Oracle E-Business Suite (EBS) data breach. The attackers exploited an Oracle EBS zero-day vulnerability (CVE-2025-61882) to steal personal information belonging to 10,471 employees. 
GlobalLogic's investigation identified access and exfiltration on October 9, 2025, with the earliest date of threat actor activity as July 10, 2025, and the most recent activity occurring on August 20, 2025. The stolen data includes names, addresses, phone numbers, emergency contact details, email addresses, dates of birth, nationalities, countries of birth, passport information, national identifiers or tax identifiers (e.g., Social Security Numbers), salary information, and bank account details. Clop has yet to add GlobalLogic to its leak site, suggesting the company is still negotiating with the threat group or has already paid a ransom. The Washington Post is also among the victims, with nearly 10,000 employees and contractors affected by the data breach. The hackers leveraged a then-zero-day vulnerability in Oracle E-Business Suite software, stole data, and attempted to extort the firm in late September. The compromised data includes full names, bank account numbers and routing numbers, Social Security numbers (SSNs), and tax and ID numbers. Logitech International S.A. confirmed a data breach after a cyberattack by the Clop extortion gang, which exploited a third-party zero-day vulnerability in Oracle E-Business Suite. Logitech filed a Form 8-K with the U.S. Securities and Exchange Commission confirming the data breach. The breach likely includes limited information about employees, consumers, customers, and suppliers, but not sensitive data like national ID numbers or credit card information. Clop added Logitech to its data-leak extortion site, leaking almost 1.8 TB of data allegedly stolen from the company. Logitech confirmed that the breach occurred through a third-party zero-day vulnerability that was patched as soon as a fix was available.