Akira (also tracked as Storm-1567 [Microsoft, earlier identifier], Punk Spider, and MITRE ATT&CK G1024) is one of the highest-volume ransomware operations of the 2023-2024 period: a financially motivated organized cyber-criminal cluster, operating predominantly from Russia, Ukraine, and adjacent post-Soviet states, that emerged in March 2023. The cluster operates ransomware derived from the leaked Conti codebase. Sophos technical analysis demonstrates substantial code similarity between Akira ransomware and the Conti source code leaked in May 2022 (ContiLeaks), supporting the analytical framing of Akira as a Conti-derived operation running Conti-derived tooling. Current vendor consensus treats Akira as a Conti-derived but operationally independent cluster within the broader Russian-speaking organized cybercrime ecosystem.
Among newer ransomware operations, the cluster has the most operationally significant FBI public attribution, grounded in two coordinated international advisory events. First, the FBI, CISA, Europol, and Netherlands National Cyber Security Centre joint cybersecurity advisory AA24-109A (April 18, 2024) documented Akira responsibility for the compromise of 250+ organizations and approximately $42 million USD in ransom collection by April 2024. The four-government joint attribution was one of the most operationally consequential coordinated formal-attribution events in international counter-ransomware work in 2024. Second, updated FBI Akira tracking estimates in June 2024 documented approximately $250 million USD in cumulative ransom collection across the cluster's operational lifespan, positioning Akira among the highest-revenue ransomware operations of the 2023-2024 period alongside LockBit, Black Basta, and ALPHV / BlackCat.
The substantial gap between the April 2024 ($42M USD) and June 2024 ($250M USD) estimates reflects either improved FBI visibility into Akira ransom collection or genuine continued growth in operational tempo, most likely a combination of both. Two operationally distinctive tradecraft signatures distinguish Akira from peer ransomware operations. First, Cisco ASA / AnyConnect VPN credential targeting. Akira extensively targets Cisco ASA (Adaptive Security Appliance) and Cisco AnyConnect SSL VPN credential authentication infrastructure, specifically VPN accounts at target organizations that have no MFA.
The tradecraft exploits a recurring defender pattern: Cisco ASA / AnyConnect deployments without multi-factor authentication on VPN accounts (despite Cisco's recommendation for MFA), attacked with credential stuffing against VPN authentication endpoints using credentials harvested from underground marketplaces and infostealer-malware deployments. Cisco Talos published a detailed analysis of the tradecraft in August 2023. Subsequent SonicWall and Fortinet VPN credential targeting expanded the tradecraft beyond Cisco infrastructure.
The targeting of MFA-less VPN accounts yields operationally significant defender threat-modeling guidance: organizations should enforce MFA on all VPN authentication endpoints. Second, VMware ESXi hypervisor targeting. Akira operates Linux and ESXi ransomware variants alongside the Windows ransomware variant.
The tradecraft exploits an operational pattern in virtualization-dependent enterprise environments, where substantial business-critical workloads run on a small number of ESXi hypervisor hosts; compromising one ESXi host therefore enables encryption of every virtual machine it hosts in a single ransomware deployment. ESXi-targeting ransomware delivers disproportionately high operational impact relative to deployment effort. The tradecraft is consistent with broader contemporary cybercrime-cluster patterns (LockBit, Black Basta, ALPHV / BlackCat, and Royal / BlackSuit all operate ESXi ransomware variants).
A distinctive cluster operational signature is the retro-aesthetic green-text leak site styled after 1980s-era computer terminals, operationally novel branding distinct from peer ransomware leak sites. The retro aesthetic gave Sophos' earliest detailed cluster disclosure (May 9, 2023) its memorable title "Akira Ransomware is Bringin' 1988 Back." The branding choice reflects the cluster's apparent recognition of public-facing positioning as a marketing dimension. In March 2024 Akira operators released Megazord, a substantially rewritten Rust-language ransomware variant, consistent with broader contemporary cybercrime-cluster patterns following ALPHV / BlackCat's introduction of Rust-language ransomware.
Megazord operates alongside the original Akira ransomware variant. High-profile documented Akira victims include Nissan (Australia and New Zealand subsidiaries, December 2023), Yamaha (multiple subsidiaries, November 2023), Stanford University (department-level compromise, 2023), Tietoevry (Finland IT services provider, January 2024, affecting Swedish public-sector customers), Lush Cosmetics (January 2024), Hitachi Energy (March 2024), the City of Wichita, Kansas (May 2024), and hundreds of additional manufacturing, healthcare, education, and government-sector targets. A handful of operational notes follow. First, the cluster is one of the most operationally consequential newer ransomware operations of the 2023-2024 period.
The $250M USD cumulative ransom collection estimate positions Akira among the highest-revenue ransomware operations alongside the major LockBit, Black Basta, ALPHV / BlackCat, Cl0p, and Royal / BlackSuit references.
Second, the cluster's analytical profile differs from peer contemporary cybercrime clusters in several ways: operational origin (Conti-codebase-derived, emerging March 2023, versus LockBit's September 2019 emergence, Black Basta's April 2022 emergence as Conti successor, ALPHV / BlackCat's November 2021 emergence as successor in the DarkSide / BlackMatter / ALPHV lineage, and Cl0p's February 2019 emergence from the TA505 lineage), tradecraft emphasis (MFA-less-VPN-credential targeting plus ESXi targeting), and operational branding (the distinctive retro-aesthetic leak site). The cluster is the central reference for understanding Conti-codebase-derived ransomware operations that emerged after the May 2022 Conti source code leak. Third, no formal individual-operator attribution at the named-Russian-national tier has been publicly issued for Akira administrators, consistent with the broader absence of named-individual attribution for Cl0p, ALPHV / BlackCat, Black Basta, and several other contemporary cybercrime clusters. Among the major contemporary cybercrime clusters covered in this corpus, only LockBit (Khoroshev), Evil Corp (Yakubets / Turashev), and FIN7 (Dunaev / Hladyr / Kolpakov / Witte) have received formal attribution at the named-Russian-national tier. Fourth, the cluster's MFA-less-VPN-credential targeting tradecraft provides operationally significant defender guidance. Akira's sustained success against MFA-less VPN accounts demonstrates the operational vulnerability of VPN authentication infrastructure without multi-factor authentication, an exposure category that traditional defender patch-management workflows do not address (the underlying VPN software is not vulnerable; the deployment without MFA is the vulnerability). Defender threat modeling for ransomware operations should treat MFA on all VPN endpoints as a primary control requirement.
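The credential-stuffing tradecraft described in the Cisco ASA / AnyConnect section (harvested credentials tried in bulk against a VPN endpoint, succeeding wherever an account has no second factor) and the control requirement in the fourth note above both come down to what a defender can see in VPN authentication logs. The following Python is an added example written for this profile; it is not Akira tooling, not Cisco code, and not taken from the advisories cited here. The log lines are constructed in the style of Cisco ASA AAA syslog messages (113015 user-not-found, 113005 invalid-password, 113012 success); the exact field layout is an assumption that may differ by ASA version, and the MFA_ENROLLED set stands in for an organization's real MFA enrollment inventory.

```python
"""Flag credential stuffing against a VPN endpoint and password-only logins.

Added example for this profile, not Akira tooling or Cisco code. Parses
Cisco ASA-style AAA syslog lines (constructed sample below; the real field
layout may differ by ASA version) and applies two defender checks:
  1. one source IP failing authentication for many DIFFERENT usernames
     inside a short window (the credential-stuffing signature), and
  2. successful VPN logins for accounts with no MFA enrollment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# CONSTRUCTED sample log: 198.51.100.7 cycles through harvested usernames,
# then succeeds on m.chen; 203.0.113.9 is one user mistyping a password.
SAMPLE_LOG = """\
Mar 12 2024 03:14:01 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = a.lopez : user IP = 198.51.100.7
Mar 12 2024 03:14:02 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.1 : user = b.nguyen : user IP = 198.51.100.7
Mar 12 2024 03:14:03 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = c.patel : user IP = 198.51.100.7
Mar 12 2024 03:14:04 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.1 : user = d.kim : user IP = 198.51.100.7
Mar 12 2024 03:14:05 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.1 : user = e.ross : user IP = 198.51.100.7
Mar 12 2024 03:14:06 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = f.haas : user IP = 198.51.100.7
Mar 12 2024 03:14:09 asa-edge %ASA-6-113012: AAA user authentication Successful : local database : user = m.chen : user IP = 198.51.100.7
Mar 12 2024 03:20:00 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.1 : user = j.doe : user IP = 203.0.113.9
Mar 12 2024 07:55:10 asa-edge %ASA-6-113012: AAA user authentication Successful : local database : user = j.doe : user IP = 192.0.2.44
"""

# CONSTRUCTED stand-in for the organization's MFA enrollment inventory.
MFA_ENROLLED = {"j.doe"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<msgid>\d{6}): "
    r"AAA user authentication (?P<outcome>Rejected|Successful).*?"
    r"user = (?P<user>\S+)(?: : user IP = (?P<ip>\S+))?"
)


def parse_asa_log(text):
    """Turn AAA authentication lines into dicts; other messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "msgid": m["msgid"],
            "outcome": m["outcome"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Alert on source IPs whose failures span >= min_distinct_users usernames
    within `window`. One user failing repeatedly is a forgotten password;
    many different users from one IP is stuffing or spraying."""
    by_ip = defaultdict(list)
    for e in events:
        if e["outcome"] == "Rejected" and e["ip"]:
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(fails):
            while e["ts"] - fails[start]["ts"] > window:  # slide the window forward
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_distinct_users:
                alerts.append({"ip": ip, "distinct_users": len(users),
                               "first": fails[start]["ts"], "last": e["ts"]})
                break  # one alert per source IP is enough
    return alerts


def successes_from_flagged_ips(events, alerts):
    """Successful logins from a flagged IP at or after its burst began:
    treat these accounts as compromised and revoke their sessions."""
    burst_start = {a["ip"]: a["first"] for a in alerts}
    return [e for e in events
            if e["outcome"] == "Successful" and e["ip"] in burst_start
            and e["ts"] >= burst_start[e["ip"]]]


def password_only_logins(events, mfa_enrolled):
    """Accounts that reached the VPN with a password alone: the exposure the
    profile describes, which patching the VPN software does not remove."""
    return {e["user"] for e in events
            if e["outcome"] == "Successful" and e["user"] not in mfa_enrolled}


if __name__ == "__main__":
    evts = parse_asa_log(SAMPLE_LOG)
    found = detect_credential_stuffing(evts)
    for a in found:
        print(f"stuffing from {a['ip']}: {a['distinct_users']} users "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    for e in successes_from_flagged_ips(evts, found):
        print(f"COMPROMISED: {e['user']} logged in from {e['ip']} at {e['ts']:%H:%M:%S}")
    print("password-only accounts:", sorted(password_only_logins(evts, MFA_ENROLLED)))
```

The distinct-username threshold is the part to tune: behind a corporate NAT or a shared proxy, one public IP legitimately carries many users, so raise the threshold or key on the failure-to-success ratio instead. The second check is the one that closes the exposure category the profile describes; any account in the password-only set is where MFA enforcement is still missing.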