
🇷🇺 Akira

Threat-actor battle card · maintained from public sources · last updated 2026-06-22 · also known as RedBike

Category: Ransomware-as-a-Service
Attribution: Possible Conti lineage (links to Storm-1567 / Howling Scorpius)
First seen: March 2023
Status: Active
Rank: #5
Recent victims (last ~9d): 10
All-time victims: 1531
Primary targets: SMBs, Manufacturing, Healthcare, Education

Overview

Akira is a Ransomware-as-a-Service operation that emerged in March 2023 and is the subject of a #StopRansomware CISA/FBI advisory (AA24-109A, updated Nov 2025) warning of an imminent threat to critical infrastructure. It has matured into one of the most active groups, claiming ~$244M in proceeds by late September 2025. It currently ranks #3 with 184 claimed victims over the trailing three months, having expanded after the RansomHub / LockBit disruptions.

Tradecraft

  • Initial access via SonicWall CVE-2024-40766, spear-phishing, password spraying, brute force, and purchased credentials from initial-access brokers.
  • Tooling: Mimikatz, LaZagne, Advanced IP Scanner, AnyDesk for credential dumping, lateral movement and remote access.
  • Disables security software, deletes backups, and specifically targets Veeam and VMware/ESXi infrastructure to maximise impact.

Notable recent victims

  • Golfview Developmental Center (US healthcare / disability services)
  • InSite Architects (US)
  • Multiple US architecture / industrial-equipment SMBs (mid-June 2026 DLS batch)

Assessment

A relentless SMB-and-mid-market threat with a mature virtualization-targeting playbook. The active CISA advisory and Veeam/ESXi focus make backup integrity and edge-VPN patching the priority defenses.

🗂️ Attacks & victims

All disclosed victims attributed to this actor, newest first.

June 2026

Date · Victim · Sector · Country · Status · Disclosed · Sources

Jun 25 · JMS Southeast · unknown · N/A · 🟥 Claimed (leak-site) · disclosed today · Sources: ransomware.live
Jun 25 · Padget Technologies · unknown · N/A · 🟥 Claimed (leak-site) · disclosed today · Sources: ransomware.live
Jun 24 · Jit Ex · unknown · N/A · 🟥 Claimed (leak-site) · disclosed 1d ago · Sources: ransomware.live
Jun 24 · Miami Machine · unknown · United States · 🟥 Claimed (leak-site) · disclosed 1d ago · Sources: ransomware.live
Jun 23 · Leo International · unknown · — · 🟥 Claimed (leak-site) · disclosed 2d ago · Sources: ransomware.live, DLS
Jun 23 · IH Engineers · unknown · — · 🟥 Claimed (leak-site) · disclosed 2d ago · Sources: ransomware.live, DLS
Jun 22 · Ntd Apparel · unknown · — · 🟥 Claimed (leak-site) · disclosed 3d ago · Sources: ransomware.live, DLS
Jun 18 · Berg Lilly · unknown · — · 🟥 Claimed (leak-site) · disclosed 7d ago · Sources: ransomware.live, DLS
Jun 18 · Apptricity · unknown · United States · 🟥 Claimed (leak-site) · disclosed 7d ago · Sources: ransomware.live, DLS
Jun 17 · Smith Filter · unknown · — · 🟥 Claimed (leak-site) · disclosed 8d ago · Sources: ransomware.live, DLS
Jun 16 · InSite Architects · architecture · US · 🟥 Claimed (leak-site) · disclosed 9d ago · Sources: ransomware.live, DLS
Jun 16 · Golfview Developmental Center · healthcare / disability services · US · 🟥 Claimed (leak-site) · disclosed 9d ago · Sources: ransomware.live, DLS
Jun 15 · ddcnyc.com · services · US · 🟥 Claimed (leak-site) · disclosed 10d ago · Sources: ransomware.live, DLS
Jun 10 · Port Air Express · logistics · — · 🟥 Claimed (leak-site) · disclosed 15d ago · Sources: ransomware.live, DLS
Jun 09 · Spray Equipment & Service Center · industrial equipment · US · 🟥 Claimed (leak-site) · disclosed 16d ago · Sources: ransomware.live, DLS
Jun 09 · Rockaway River Country Club · hospitality · US · 🟥 Claimed (leak-site) · disclosed 16d ago · Sources: ransomware.live, DLS
Jun 09 · SMPC Architects · architecture · US · 🟥 Claimed (leak-site) · disclosed 16d ago · Sources: ransomware.live, DLS
Jun 09 · Centre Ellipse · services · — · 🟥 Claimed (leak-site) · disclosed 16d ago · Sources: ransomware.live, DLS
