Today, Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation, Department of Defense Cyber Crime Center, Department of Health and Human Services, and international partners, released an updated joint Cybersecurity Advisory, #StopRansomware: Akira Ransomware, to provide network defenders with the latest indicators of compromise, tactics, techniques, and procedures, and detection methods associated with Akira ransomware activity.
This advisory reflects new findings as of Nov. 13, 2025, highlighting Akira ransomware’s evolution and continued threat to critical infrastructure sectors. Akira ransomware threat actors, associated with groups such as Storm-1567, Howling Scorpius, Punk Spider, and Gold Sahara, have expanded their capabilities, targeting small and medium-sized businesses as well as larger organizations across sectors including Manufacturing, Educational Institutions, Information Technology, Healthcare, Financial, and Food and Agriculture.
Key Updates:
- Initial Access: Threat actors exploit vulnerabilities in edge devices and backup servers, such as authentication bypass, cross-site scripting, buffer overflow, and compromise credentials through brute-force techniques.
- Discovery: Threat actors use command line techniques to accomplish network and domain discovery.
- Defense Evasion: Threat actors use remote management and monitoring tools such as Anydesk and LogMeIn to mimic administrator activity, and modify firewall settings, terminate antivirus processes and uninstall EDR systems.
- Privilege Escalation: Threat actors deploy POORTRY malware to modify BYOVD configurations on vulnerable drivers, create administrator accounts, steal administrator login credentials, and bypass VMDK protections, as well as exploit Veeam vulnerabilities.
- Lateral Movement: Threat actors use remote access tools and protocols like RDP, SSH, and steal Kerberos authentication tickets to move within networks.
- Command and Control: Threat actors use Ngrok to establish encrypted sessions, SystemBC malware as a remote access trojan, and STONETOP malware to deploy Akira payloads.
- E
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.This article has been indexed from All CISA AdvisoriesRead the original article: