Akira ransomware access-acquisition model scales with $244.17m in claimed proceeds
Threat Actor Meta
Summary
Akira ransomware has scaled its monetization to $244.17m in claimed proceeds since late September 2025, underscoring a fast-moving ransomware operation that relies on initial access brokers, stolen VPN credentials, and exploit abuse. The group’s ability to exfiltrate data in just over two hours in some incidents shows how its access-acquisition model compresses dwell time and increases extortion pressure. Its expansion into Nutanix AHV targeting and use of SonicWall CVE-2024-40766 further broadens the operational reach of the actor ecosystem.
Related Happenings
Akira group rapid double-extortion ransomware activity
Malware Activity
First: 02.04.2026 16:00
Last: 02.04.2026 16:00
Sources 1
About this happening:
**Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor Meta
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
Pay2Key ransomware campaign accelerated by US-Iran tensions
Campaign
First: 26.03.2026 12:45
Last: 26.03.2026 12:45
Sources 1
About this happening:
Pay2Key's ransomware operation appears to have accelerated amid **recent US-Iran tensions**, indicating an active campaign with broader victimization risk. The group has been acti...
Beast ransomware group’s RaaS model and shared TTPs exposed through an open server
Threat Actor Meta
First: 20.03.2026 18:31
Last: 20.03.2026 18:31
Sources 1
About this happening:
An exposed **Beast ransomware group** server now shows its **RaaS operating model** and reusable toolset, complicating attribution across ransomware crews. The recovered materials...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor Meta
First: 19.03.2026 18:00
Last: 19.03.2026 18:00
Sources 1
About this happening:
**hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
Timeline
14.11.2025 13:13 2 articles · 6mo ago
Akira joint guidance highlights expanded intrusion tradecraft
Technical Analysis Update
On November 14, 2025, US government agencies and international partners issued joint guidance warning that Akira ransomware had claimed about $244.17m in proceeds since late September 2025 and had expanded its intrusion chain against affected organizations by abusing SonicWall CVE-2024-40766, SSH access, unpatched Veeam Backup and Replication servers, AnyDesk, LogMeIn, Impacket wmiexec.py, Ngrok, PowerShell, and WMIC. The guidance also noted first-time Nutanix AHV virtual machine disk encryption in June 2025 and targeting of even patched SonicWall devices, and it recommended remediation of known exploited vulnerabilities, phishing-resistant MFA, and offline backups.
Sources:
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13