Are you Infected with Akira Ransomware? Don’t Panic! We are here to assist you

Akira operators have escalated their tactics. Recent incidents confirm the group is exploiting CVE-2024-40766 (SonicWall SonicOS, initial access through the SSL VPN) and CVE-2024-40711 (Veeam Backup & Replication, remote code execution on the backup server) to get in and to dismantle backups before encryption. If you are infected with the newer Rust-based “Megazord” build, the public decryptors written for the 2023 version will not work.

Unlike recovery shops still relying on 2023-era tools, we specialize in the 2025 Rust-based Akira variants that the public decryptors do not cover. We also provide the legal and forensic documentation required for UK insurance claims and regulatory compliance.

Start a Free 24/7 Assessment Now

Immediate help is available to contain the breach and secure your data.


Why Trust Our Recovery Team?

We are a UK-based certified ransomware recovery firm with a dedicated team of malware analysts and reverse engineers.

Compliance Ready: Fully compliant with GDPR, HIPAA, and CCPA regulations. We execute NDAs immediately to protect your corporate privacy.

Sanction-Safe Recovery: We provide a full OFAC Compliance Report, ensuring that all recovery efforts follow international sanctions law and do not fund the sanctioned groups behind Akira (tracked as ‘Gold Sahara’ and ‘Howling Scorpius’).

Cross-Platform Expertise: Proven track record in recovering Windows, Linux, VMware ESXi, and Nutanix AHV environments.

Get a FREE Consultation Now – Don’t Wait Before It Causes More Damage!

How to identify if Akira ransomware infected your system

If you’re unable to open your files, notice an unusual file extension, or find a message demanding payment to regain access, Akira ransomware might be the cause.

Files encrypted by Akira typically have “.akira” appended to their names; the newer Rust builds use “.akiranew” or “.aki” instead (see the variant table below).

Signs of an Akira Ransomware Attack

  • Akira Ransomware will put a text file named “akira_readme.txt” in each encrypted folder.
  • The names of your files are changed to include the .akira extension.
  • Your antivirus software is not working or is deactivated.
  • Your CPU usage is close to 100%, even though you are not using any applications.
  • Your PC seems to be running more slowly than usual.
  • Your hard disk is reading and writing at 100% capacity in the background, even when you are not using any applications.
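The checks above can be scripted. The following triage scanner is an added example written for this page, not a vendor tool: it walks a directory tree, lists files carrying the extensions named above, records which directories hold akira_readme.txt, and reports the earliest and latest modification time of the encrypted files, which bounds the encryption window for log correlation (and, for the Linux/ESXi variant, for timestamp-based key searches). The sample tree it scans is constructed in a temporary directory so the script runs offline.

```python
"""Triage scan for Akira encryption artifacts (added example, not a vendor tool)."""
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Extensions and note name as documented for the C++ and Rust builds.
ENCRYPTED_EXTENSIONS = {".akira", ".akiranew", ".aki"}
RANSOM_NOTE = "akira_readme.txt"


@dataclass
class TriageReport:
    encrypted_files: List[str] = field(default_factory=list)
    note_dirs: List[str] = field(default_factory=list)
    first_mtime: Optional[float] = None   # earliest encrypted-file mtime (epoch seconds)
    last_mtime: Optional[float] = None    # latest encrypted-file mtime (epoch seconds)

    def window(self) -> Optional[Tuple[str, str]]:
        """Encryption window as ISO-8601 UTC strings, or None if nothing was found."""
        if self.first_mtime is None:
            return None
        def iso(t: float) -> str:
            return datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
        return iso(self.first_mtime), iso(self.last_mtime)


def scan(root: str) -> TriageReport:
    """Walk `root` and collect encrypted files, note locations and the mtime window."""
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                report.note_dirs.append(dirpath)
                continue
            if os.path.splitext(name)[1].lower() in ENCRYPTED_EXTENSIONS:
                report.encrypted_files.append(path)
                mtime = os.stat(path).st_mtime
                if report.first_mtime is None or mtime < report.first_mtime:
                    report.first_mtime = mtime
                if report.last_mtime is None or mtime > report.last_mtime:
                    report.last_mtime = mtime
    return report


def build_sample_tree() -> str:
    """Constructed sample: two 'encrypted' files with fixed mtimes, one note, one untouched file."""
    root = tempfile.mkdtemp(prefix="akira_triage_")
    share = os.path.join(root, "finance")
    os.makedirs(share)
    for name, mtime in (("q3.xlsx.akira", 1_700_000_000), ("ledger.db.akiranew", 1_700_000_600)):
        path = os.path.join(share, name)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 64)          # placeholder bytes, not real ciphertext
        os.utime(path, (mtime, mtime))      # pin the mtime so the window is deterministic
    with open(os.path.join(share, RANSOM_NOTE), "w") as fh:
        fh.write("Hi friends,\n")
    with open(os.path.join(root, "readme.md"), "w") as fh:
        fh.write("untouched\n")
    return root


if __name__ == "__main__":
    report = scan(build_sample_tree())
    print(f"{len(report.encrypted_files)} encrypted files; notes in {report.note_dirs}")
    print("encryption window (UTC):", report.window())
```

Run it against a mounted copy of the affected share, not the live system; the mtime window is only meaningful if the files have not been copied with tools that reset timestamps.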

Why Trust Us?

Our dedicated team consists of seasoned malware analysts with over 3 years of experience in reverse engineering and ransomware recovery. With a zero-ransom philosophy and experience working on cases across North America and Europe, we provide confidential, expert assistance to help you recover your data safely and legally.

Understanding Akira Ransomware

Beyond the encryption signalled by the ‘.akira’ extension, it is vital to understand the full scope of an Akira attack. The group, active since 2023, runs a ‘double extortion’ scheme: before encrypting your files, they exfiltrate large amounts of sensitive corporate data and threaten to publish it to coerce payment. This dual threat is a defining characteristic of their approach to businesses worldwide.

Feature                 | Akira v1 (C++)                                  | Akira v2 / Megazord (Rust)
Primary extension       | .akira                                          | .akiranew or .aki
Encryption              | ChaCha20 with RSA-4096-wrapped keys             | Rust build of the encryptor; v1 decryptors do not apply
Recovery difficulty     | Public decryptors may work (mid-2023 builds)    | No public decryptor; requires manual forensic reconstruction
Target infrastructure   | Windows / ESXi                                  | Nutanix AHV and VMware vCenter, in addition to Windows / ESXi


Technical Characteristics: The 2025 “STONETOP” Evolution

As of December 2025, the Akira threat actor (tracked as Gold Sahara) has revamped its deployment toolkit and no longer relies solely on simple PowerShell scripts. To recover successfully, you must address three new technical layers:

Feature           | Legacy Akira (2023)                        | Modern Akira / STONETOP (2025)
Loader tool       | PowerShell / CMD                           | STONETOP loader
Encryption logic  | Full-file or fixed-percentage partial      | Configurable intermittent (“checkerboard”) encryption
Backdoor tool     | AnyDesk / Cobalt Strike                    | Cloudflared / STONETOP persistence
Hypervisor focus  | VMware ESXi                                | Nutanix AHV and vCenter 8.x

1. STONETOP Deployment Framework

The most significant update in late 2025 is the use of STONETOP. This is a custom-coded “loader” used to deliver the final Akira payload.

  • What it does: STONETOP bypasses modern EDR (Endpoint Detection and Response) by using “Bring Your Own Vulnerable Driver” (BYOVD) tactics.
  • Recovery Implication: If you only decrypt files and leave the STONETOP remnants in place, the attackers keep their backdoor and can return to re-encrypt the environment. Eradication (removing the loader, its driver and its persistence) has to precede restoration.

2. Megazord “Runtime Controls” (Rust Engine)

The newer Rust-based variants (often called Megazord) now include advanced runtime parameters that legacy decryptors cannot handle:

  • Partial Encryption logic: It can be toggled to encrypt only the first 10% of a file or use a “checkerboard” pattern for speed.
  • Automated “Shadow” Deletion: It uses specialized runtime controls to specifically hunt for and purge Nutanix Volume Group snapshots and Veeam metadata.
  • Process Termination: It kills a long list of database and backup processes (SQL Server, Oracle, SAP and others) so that no open handle blocks a file during the encryption cycle.

3. The “Shadow Hunt” Phase

In 2025, Akira added a “Shadow Hunt” phase to its post-exploitation. The operators exploit CVE-2024-40711 (Veeam) to take administrative control of the backup server and, from there, delete or encrypt every repository that server can reach, including cloud repositories whose credentials it holds. Copies that are genuinely immutable (object lock / WORM) or offline cannot be reached this way; that is exactly why the backup guidance below insists on them, and why an “immutable” setting must be verified rather than assumed.

Legacy Technical Characteristics of Akira:

Akira ransomware is a sophisticated and aggressive threat.

  • Encryption: It uses strong hybrid encryption (e.g., ChaCha20/RSA-4096) and often performs partial file encryption for speed. Files are renamed with the .akira extension, and a minimalist akira_readme.txt note is dropped.
  • Targeting: It’s cross-platform, affecting both Windows and Linux servers, including VMware ESXi. It targets entire networks, not just individual devices.
  • Initial Access: Common entry points are VPN appliances without MFA or with known vulnerabilities (Cisco ASA/FTD, SonicWall), exposed RDP, phishing, and stolen credentials.
  • Post-Exploitation: Operators move laterally, dump credentials (e.g., LSASS), use legitimate tools (LOLBins), and disable security software to evade detection.
  • Ransom Demands: Ransoms are typically high, ranging from thousands to millions, and negotiation occurs via a TOR (.onion) site.
  • Variants: While initially C++, newer variants written in Rust (sometimes called “Megazord”) have been observed, showcasing its evolving nature.
Rapid Encryption

Akira has one of the fastest encryption speeds seen in ransomware, which leaves little time to stop an attack once encryption starts.

Spreads Through Networks

Targets entire IT infrastructures, not just single devices.


AKIRA RANSOMWARE STATISTICS & FACTS

RANSOM AMOUNTS

Akira ransomware often targets large companies or organizations using complex attacks.

Akira ransom demands range from $100,000 into the millions of dollars and are usually paid in Bitcoin. Quick-buy methods such as purchasing Bitcoin with PayPal or a credit card do not work for payments of this size, and expert advice is needed to ensure that a payment of this size is legally compliant.

AVERAGE LENGTH

Extended downtime often results from the complexity of negotiating large ransom demands and the logistical requirements for secure and compliant payment processing.

For most ransomware victims, downtime is the most expensive part of the incident. It can also cause significant reputational damage.

CASE OUTCOMES

More than one crew deploys Akira ransomware. Most deliver a working decryptor on receipt of payment, but make sure you are dealing with a known operator: some ransomware gangs take payment and disappear without providing decryption keys.

The most common infection methods used by Akira are phishing, exposed or weakly secured RDP, zero-day and n-day exploitation of edge devices, and exploitation of Cisco VPN vulnerabilities.


Name:              Akira / Akira Ransomware
Danger level:      Very high (strong hybrid encryption, double extortion)
First seen:        2023
Affected systems:  Windows and Linux (including VMware ESXi and Nutanix AHV)
File extensions:   .akira, .aki, .akiranew
Ransom note:       akira_readme.txt
Contact method:    Only via a Tor hidden service (.onion) chat; no e-mail
Known scammers:    The primary group usually delivers decryptors, but always verify who you are dealing with and be wary of third-party offers; some ransomware gangs disappear after payment (see ‘Case Outcomes’).

A typical Akira ransom note is reproduced below. The wording varies from victim to victim, and the chat link and access code are unique to each victim.

akira_readme.txt

Hi friends,

Whatever who you are and what your title is if you’re reading this it means the internal infrastructure of your company is fully or partially dead, all your backups – virtual, physical – everything that we managed to reach – are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption.

Well, for now let’s keep all the tears and resentment to ourselves and try to build a constructive dialogue. We’re fully aware of what damage we caused by locking your internal sources. At the moment, you have to know:

  1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal.
  2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them – in this case we won’t be able to help.
  3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we’ve managed to detect and used in order to get into, identify backup solutions and upload your data.
  4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes – generally speaking, everything that has a value on the darkmarket – to multiple threat actors at ones. Then all of this will be published in our blog – https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion.
  5. We’re more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us.

If you’re indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:

  1. Install TOR Browser to get access to our chat room – https://www.torproject.org/download/.
  2. Paste this link – hxxps://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/9848450766-HEBKP
  3. Use this code – – to log into our chat.

Keep in mind that the faster you will get in touch, the less damage we cause.


Akira Ransomware Nutanix AHV Recovery

For years, Nutanix users felt relatively shielded from the “ESXi-fication” of ransomware, where groups like LockBit and Black Basta focused almost exclusively on VMware. That has changed. Recent intelligence from CISA and the FBI confirms that the Akira ransomware group has expanded its arsenal to include tooling that encrypts Nutanix Acropolis Hypervisor (AHV) virtual machine disk files.

This shift marks a significant evolution in the threat landscape, as Akira becomes the first major player to systematically target hyperconverged infrastructure (HCI) beyond the traditional big players.

Anatomy of an Akira Attack on Nutanix

Akira’s approach is methodical. They don’t just “hit” the hypervisor; they dismantle the security layers surrounding it first.

  • The Infiltration: Attackers typically enter through unpatched VPNs (Cisco/SonicWall) or via vulnerabilities in backup software like Veeam (specifically CVE-2024-40711).
  • The “Prism” Pivot: Once inside the network, Akira moves laterally to compromise Nutanix Prism. By gaining administrative control of the management plane, they can bypass VM-level security.
  • The Shutdown: To ensure successful encryption, the group has been observed using Prism commands to power down Virtual Machines. This releases “file locks” on the virtual disks, allowing their Rust-based encryptor to lock the data without interference.
  • The Double Extortion: Before the encryption begins, they use tools like rclone to exfiltrate sensitive data, threatening to leak it on their “Akira Leaks” site if the ransom isn’t paid.

How to Protect Your Nutanix Environment

If you are running AHV, your “set it and forget it” security posture needs an update. Here are the non-negotiables:

  1. Isolate the Management Plane: Ensure Nutanix Prism is restricted to a dedicated management VLAN and is never accessible via the public internet.
  2. Enforce Phishing-Resistant MFA: Password-only access for IT admins is an open door. Require hardware keys or certificate-based authentication for all infrastructure access.
  3. Deploy Microsegmentation: Use Nutanix Flow to create “Zero Trust” boundaries. Even if a single VM is compromised, microsegmentation can prevent the attacker from reaching your AHV hosts.
  4. Immutable Backups are Mandatory: Akira actively seeks out and deletes backups. Utilize WORM (Write Once, Read Many) storage or air-gapped offsite copies to ensure you have a “clean” restore point.

Pro Tip: Monitor your environment for the unauthorized installation of remote access tools like AnyDesk or Cloudflare Tunnel (Cloudflared). Akira frequently uses these to maintain persistence even after you think you’ve kicked them out.
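The persistence tools in the tip above and the rclone exfiltration described in the attack anatomy both show up in a process listing. The hunt script below is an added example written for this page (not code from any vendor or from Nutanix): it runs a small rule set over a snapshot of process records and flags AnyDesk, cloudflared tunnel/service invocations, and rclone copies whose destination is a named remote backend rather than a local path. The process records are constructed for the example; in a real run you would feed them from `tasklist /v`, Sysmon Event ID 1, an EDR process export, or `ps -eo pid,user,args` on Linux hosts.

```python
"""Hunt for remote-access and exfiltration tooling in a process snapshot (added example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    user: str
    image: str     # full path of the executable
    cmdline: str   # full command line


# (finding label, regex matched against the lower-cased executable basename,
#  regex matched against the command line; "" means any command line)
RULES: List[Tuple[str, str, str]] = [
    ("AnyDesk remote access tool", r"anydesk(\.exe)?", r""),
    ("Cloudflare Tunnel (cloudflared) persistence", r"cloudflared(\.exe)?",
     r"\btunnel\b.*\brun\b|\bservice\s+install\b|--token\s+\S+"),
    # A remote backend looks like "name:path"; a one-letter drive such as D:\x is NOT a remote,
    # so at least two name characters are required before the colon.
    ("rclone copy/sync to a remote backend", r"rclone(\.exe)?",
     r"\b(copy|sync|move)\b\s+\S+\s+[A-Za-z0-9_-]{2,}:"),
]


def basename_lower(image: str) -> str:
    """Executable basename, handling Windows and POSIX separators on any host."""
    return re.split(r"[\\/]", image)[-1].lower()


def hunt(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, user, label) for every process matching a rule."""
    findings = []
    for proc in procs:
        base = basename_lower(proc.image)
        for label, image_re, cmd_re in RULES:
            if re.fullmatch(image_re, base) and (not cmd_re or re.search(cmd_re, proc.cmdline, re.I)):
                findings.append((proc.pid, proc.user, label))
    return findings


# Constructed sample snapshot: three malicious entries, one benign local rclone copy, one system process.
SAMPLE: List[Proc] = [
    Proc(412, r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    Proc(5120, r"CORP\svc_backup", r"C:\ProgramData\cf\cloudflared.exe",
         "cloudflared.exe tunnel run --token eyJhIjoiMDAw..."),
    Proc(5188, r"CORP\jdoe", r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe", "AnyDesk.exe --service"),
    Proc(6001, r"CORP\svc_backup", r"C:\Temp\rclone.exe",
         r"rclone.exe copy \\FS01\HR mega:dump --transfers 32 --ignore-existing"),
    Proc(6100, r"CORP\jdoe", r"C:\Program Files\rclone\rclone.exe", r"rclone.exe copy D:\photos E:\backup"),
]


if __name__ == "__main__":
    for pid, user, label in hunt(SAMPLE):
        print(f"pid={pid:<6} user={user:<18} {label}")
```

Treat a hit on a service account (svc_backup above) as especially urgent: that is the pattern of an operator who already holds backup-server credentials.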

How We Recover Nutanix AHV Environments

Our recovery protocol for Nutanix is unique and focused on data integrity:

  • VDisk Header Repair: We utilize proprietary tools to repair the headers of encrypted Nutanix virtual disks, often allowing for partial or full recovery without a decryptor.
  • Container Level Isolation: We help you use Nutanix Flow to create “Zero Trust” boundaries, ensuring the attacker cannot reach your AHV hosts even if they have credentials for a single VM.
  • Immutable Snapshot Verification: We audit your Nutanix snapshots to ensure the “Shadow Hunt” didn’t delete your local protection before the attack began.

Public Decryption Tools for Akira Ransomware

Several public Akira decryptors exist, but each targets a specific build. Akira has been active since 2023, ships several variants and updates its encryptor over time, and the group has changed the encryptor after decryptors were published. Identify your variant first (file extension, ransom note, platform, date of the attack) and run any decryptor only against copies, never against the sole remaining encrypted data. The public decryptors are linked below.

Avast Decryptor for Akira Ransomware (Windows and ESXi servers), mid-2023 version:

Download Link: https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/

Steps to Use the Avast Akira Decryptor

  1. Download the decryptor from Avast’s page above or from the No More Ransom Project, and from nowhere else.
  2. Run it as administrator on a Windows system; use the 64-bit build where possible, because key recovery is memory-intensive. Files from Linux/ESXi hosts can be copied to a Windows machine for decryption.
  3. Follow the wizard.
  4. Select the locations where the encrypted files are stored.
  5. Provide a file pair: the path to an original, unencrypted file (from an old backup, an e-mail attachment, an installer you can re-download) and its encrypted counterpart. Choose the largest pair you have.
  6. Start the analysis: the tool derives the key from the pair. This can take from seconds to considerably longer.
  7. If a key is found, start decryption of the selected files.
  8. Verify: open a sample of the decrypted files, and keep the encrypted originals until everything has been checked.

Caveat: this decryptor covers the version Avast analysed in mid-2023; the group changed the encryptor soon after it was published. Files with the .akiranew or .aki extension, or from attacks dated after that change, will not decrypt with it.

Akira Decryptor for ESXi Servers (Linux only), 2024 Linux/ESXi variant:

Download link: https://github.com/yohanes/akira-bruteforce

Steps to Use the Akira Decryptor by Yohanes

This is a technical process and requires a working knowledge of the Linux command line, Python and, in practice, GPU computing.

  1. Get the repository: clone https://github.com/yohanes/akira-bruteforce and read the README and the author’s write-up. The tool targets the 2024 Linux/ESXi variant, which derives its KCipher2 and ChaCha8 keys from nanosecond timestamps taken at encryption time; it does not apply to the Windows builds or to Megazord.
  2. Understand the requirements: the README lists the dependencies (Python, and a CUDA toolchain with NVIDIA drivers for GPU acceleration) and how to prepare the host.
  3. Gather the data:
    • The modification timestamps of the encrypted files. ls -l shows seconds only; use stat (or ls --full-time) on Linux for nanosecond precision, and keep the original file-system timestamps intact (do not move the files with tools that reset mtime).
    • A known plaintext and its ciphertext: a file whose original you still hold elsewhere, or one with a fixed, documented header. The larger, the better.
    • The timing behaviour of the encrypting host: the repository includes tooling to measure how far apart the seeding timestamps fall, which narrows the range of nanosecond offsets to brute-force.
  4. Set up the environment: Python, the listed libraries and, for GPU runs, the NVIDIA drivers and CUDA.
  5. Configure the scripts with the paths to the encrypted files, the plaintext/ciphertext pair and the timestamp ranges you determined.
  6. Run the brute force: the script searches the KCipher2 and ChaCha8 key space seeded by the candidate timestamps, on CPU or (preferably) on GPUs. Expect hours to days depending on GPU count and on the width of the timestamp window.
  7. Decrypt: once the keys are found, use the repository’s decryption script to decrypt the files with the recovered keys. Work on copies only.
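The procedure above rests on one idea: if the key is derived from a timestamp, the encrypted file’s own mtime and a few bytes of known plaintext turn key recovery into a bounded search. The block below is an added illustration of that principle written for this page, not the real Akira scheme and not code from the yohanes/akira-bruteforce repository. It keys a toy stream cipher (SHA-256 in counter mode, chosen only so the example is self-contained) from a single nanosecond timestamp, then recovers that seed from the mtime window and the first 16 bytes of a constructed VMDK-like header (a sparse VMDK begins with the magic bytes KDMV). The real variant seeds KCipher2 and ChaCha8 from several timestamps over a seconds-wide window, which is why it needs GPUs; the 0.2 ms window here is sized so the search finishes in well under a second on a CPU.

```python
"""Timestamp-seeded key recovery from known plaintext (added example, toy cipher)."""
import hashlib
import struct
from typing import Optional

BLOCK = 32  # SHA-256 digest size; one keystream block per counter value


def key_from_seed(seed_ns: int) -> bytes:
    """Toy KDF (labelled as such): the key is a hash of the nanosecond timestamp."""
    return hashlib.sha256(struct.pack("<Q", seed_ns)).digest()


def keystream_block(key: bytes, counter: int) -> bytes:
    """Toy stream cipher block: SHA-256(key || counter)."""
    return hashlib.sha256(key + struct.pack("<Q", counter)).digest()


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR `data` with the keystream; encryption and decryption are the same operation."""
    out = bytearray(len(data))
    for offset in range(0, len(data), BLOCK):
        ks = keystream_block(key, offset // BLOCK)
        chunk = data[offset:offset + BLOCK]
        out[offset:offset + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def encrypt(plaintext: bytes, seed_ns: int) -> bytes:
    return xor_stream(plaintext, key_from_seed(seed_ns))


decrypt = encrypt  # XOR stream cipher: same function in both directions


def recover_seed(ct_prefix: bytes, pt_prefix: bytes, lo_ns: int, hi_ns: int) -> Optional[int]:
    """Brute-force every seed in [lo_ns, hi_ns); return the first whose keystream
    reproduces the known plaintext prefix, or None if the window does not contain it."""
    assert 0 < len(pt_prefix) <= BLOCK and len(ct_prefix) >= len(pt_prefix)
    target = bytes(a ^ b for a, b in zip(ct_prefix, pt_prefix))  # = keystream[:len]
    for seed in range(lo_ns, hi_ns):
        if keystream_block(key_from_seed(seed), 0)[:len(target)] == target:
            return seed
    return None


# Constructed demo inputs: the file's mtime in seconds, the "secret" seed inside that
# second, and a plaintext whose header is known (VMDK magic "KDMV" + LE version field).
MTIME_S = 1_731_000_000
TRUE_SEED_NS = MTIME_S * 10**9 + 123_456
WINDOW_NS = 200_000  # toy window; the real variant needs a seconds-wide search
SAMPLE_PLAINTEXT = b"KDMV" + struct.pack("<I", 1) + b"\x00" * 56


def demo() -> dict:
    """Encrypt the sample, then recover the seed from mtime + known header and round-trip."""
    ct = encrypt(SAMPLE_PLAINTEXT, TRUE_SEED_NS)
    lo = MTIME_S * 10**9
    found = recover_seed(ct[:16], SAMPLE_PLAINTEXT[:16], lo, lo + WINDOW_NS)
    return {
        "true_seed": TRUE_SEED_NS,
        "found": found,
        "roundtrip": found is not None and decrypt(ct, found) == SAMPLE_PLAINTEXT,
    }


if __name__ == "__main__":
    print(demo())
```

Sixteen bytes of known plaintext make a false positive in a window of a few hundred thousand candidates negligible; with only four magic bytes you would want a second check (for example a second keystream block against more of the header) before trusting a hit.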

Others

You can look more available decryptors for this ransomware from the link given below.

Akira Decryptors by Nomoreransom: https://www.nomoreransom.org/en/decryption-tools.html

The Critical Role of Backups Against Akira

Akira operators, like most modern ransomware groups, actively hunt for and attempt to delete or encrypt backups to increase pressure on victims to pay. This makes a robust backup strategy absolutely essential:

  • Follow the 3-2-1 Rule: Maintain at least 3 copies of your important data, on 2 different types of media, with 1 copy stored offsite or offline.
  • Ensure Offline/Immutable Backups: Your most critical defense is having backups that are inaccessible from the main network. This could be:
    • Offline Backups: Physically disconnected storage (e.g., rotated external hard drives, tapes).
    • Immutable Backups: Cloud storage or appliances configured so backups cannot be altered or deleted for a set period, even by an administrator account (which could be compromised).
    • Air-Gapped Backups: Systems that are only connected to the network for brief periods to perform the backup.
  • Test Your Backups Regularly: Backups are useless if they can’t be restored. Regularly test your restore process to ensure data integrity and that the process works as expected. Don’t wait for a disaster to discover your backups are corrupted or incomplete.

Reporting an Akira Attack & Legal Considerations

Dealing with a ransomware attack goes beyond technical recovery. There are important reporting steps and potential legal obligations:

  • Report to Law Enforcement: File a report with your national cybercrime authority (e.g., the FBI’s Internet Crime Complaint Center (IC3) in the US, Action Fraud in the UK, or your country’s equivalent).
    • Why? It helps authorities track ransomware groups, potentially links your case to others, provides an official record, and in some rare instances, law enforcement might recover decryption keys later.
  • Notify Relevant Agencies: Depending on your location and industry, you may need to report the incident to specific agencies like CISA (Cybersecurity and Infrastructure Security Agency) in the US.
  • Assess Data Breach Obligations: Crucially, since Akira performs data theft (double extortion), determine if sensitive data was accessed or stolen (Personal Identifiable Information – PII, Protected Health Information – PHI, financial data, intellectual property).
    • If sensitive data was compromised, you may have legal obligations under regulations like GDPR, HIPAA, CCPA, etc., to notify affected individuals and regulatory bodies.
    • Consult Legal Counsel: It is highly recommended to engage legal counsel specializing in cybersecurity and data privacy to understand your specific obligations based on your jurisdiction and the nature of the potentially stolen data.

Cyber Insurance and Akira Ransomware

If your organization has a cyber insurance policy:

  • Notify Your Insurer Immediately: Most policies have strict notification deadlines. Contact your insurer or broker as soon as possible after discovering the incident. Failure to do so could jeopardize your coverage.
  • Understand Policy Requirements: Be aware that your policy likely dictates specific steps you must take. Often, insurers require you to use pre-approved (“panel”) vendors for incident response, forensic analysis, legal counsel, and ransom negotiation/payment. Using non-approved vendors might not be covered.

Beyond Encryption: The Threat of Akira’s Data Leaks

Remember, Akira employs double extortion. Paying the ransom to decrypt files does not guarantee they won’t leak your stolen data. The consequences of a data leak can be severe and long-lasting, including:

  • Regulatory Fines: Significant penalties under data protection laws (like GDPR).
  • Lawsuits: Legal action from customers, employees, or partners whose data was exposed.
  • Reputational Damage: Loss of customer trust and public goodwill.
  • Competitive Disadvantage: Exposure of trade secrets, intellectual property, or strategic plans.

After Akira: Securing Your Network Post-Recovery

Successfully recovering your data, whether through backups or decryption, isn’t the final step. You need to ensure Akira (or another threat) can’t easily get back in:

  • Conduct a Root Cause Analysis: Work with incident response professionals to determine exactly how the attackers gained initial access, how they moved through your network, and what vulnerabilities were exploited. This is critical to prevent recurrence.
  • Securely Rebuild Systems: Affected systems should ideally be rebuilt from clean backups or known-good images, not just decrypted. Ensure they are fully patched and hardened before reconnecting to the network.
  • Reset Credentials: Change passwords for all accounts, especially administrator and service accounts, that could potentially have been compromised. Implement MFA wherever possible if not already done.
  • Implement Lessons Learned: Use the findings from the incident response and root cause analysis to strengthen your security posture. This might involve deploying new tools, changing security policies, or enhancing user training.
Can you Decrypt my Akira Ransomware Files?

Akira is a relatively new strain of ransomware, and to the best of our knowledge the publicly available decryptors do not cover all of its evolving variants. Our reverse engineering experts have developed a suite of custom tools and proprietary techniques that have proven effective against numerous Akira variants. Because each case is unique, we begin with a free assessment to determine the specific variant and the likelihood of successful data recovery.

How Much Does Ransomware Decryptor Cost?

The only way to know precisely how much ransomware response will cost is to contact us for a free consultation.
The cost of our decryption will depend on the number of files and data. It also depends on the number of infected systems.

Why Use Our Akira Decryptor?

Affordable and Easy to Use.
Simple User-Interface.
Refund Guarantee (Terms & Conditions) will be applied.
High success rate in data recovery.
Live Support.

How Can I Prevent Ransomware Attacks?

Backup, Backup, Backup! In most cases a fresh, secure backup stops a ransomware attack from succeeding, which is why attackers put so much effort into finding and encrypting backups. The best backup is air-gapped, meaning physically disconnected from your main network. A regular backup schedule with robust security procedures, and regular restore tests, are just as important.

Install a Next-Gen Antivirus. Next-generation antivirus combines classic signature-based detection with exploit protection, ransomware protection and endpoint detection and response (EDR). McAfee, FireEye and SentinelOne are examples of products with these features.

Install a Next-Gen Firewall. A next-generation firewall (often sold as a unified threat management, or UTM, appliance) adds a layer of security at every entry and exit point of your company’s data communication. It combines classic network security with intrusion detection and prevention, gateway antivirus, e-mail filtering and other features.
If you can afford it, having staff or a dedicated service monitor network traffic also helps to detect unusual activity and stop ransomware attacks early. Ransomware operators usually spend a lot of time surveying a network before the attack; this “reconnaissance” phase has tell-tale signs, and catching them early makes it possible to deny the attacker access to the network.
If you are hit by ransomware, a professional ransomware recovery service can help to identify and patch the security gaps.

How Fast Can You Start With The Recovery?

In emergencies, we can start with the ransomware data recovery immediately. Since our support team operates 24/7, we can reduce your downtime to a minimum by working non-stop to recover your data.

How to Decrypt Vmware ESXI Server from Akira Ransomware?

Targeting VMware ESXi servers lets the attacker encrypt many virtual machines at once, each of which may contain large amounts of company data. We have developed a special Akira decryptor, based on a flaw in the ESXi build of the encryptor, that decrypts VMDK files and the other files that make up a virtual machine.