Prepared by: Richard Grainger, Global Head of Digital Forensics
Akira is a financially motivated ransomware group that has been actively targeting Australian organisations. In the 2024–25 financial year, Akira named seven Australian victims on its dark web leak site — placing it alongside Sarcoma and Qilin as one of the most active ransomware groups operating in this region. Triskele Labs has directly responded to nine Akira-related incidents, making it one of only ten groups for which Triskele Labs handled more than one engagement in FY25.
That firsthand experience paints a consistent picture: Akira affiliates are methodical, patient, and deliberate. They don't just encrypt and run. They steal data first, destroy backups, and then apply sustained psychological pressure to force payment — through ransom notes, emails to staff, and in some cases direct phone calls to victims.
This article breaks down how Akira operates, what Triskele Labs has observed across those nine incidents, and what organisations can do to reduce their exposure.
Akira operates under a ransomware-as-a-service (RaaS) model, meaning the core group provides tooling and infrastructure to a network of affiliates who carry out the actual attacks in exchange for a share of ransom payments. This structure means tactics can vary slightly between affiliates, but a consistent pattern has emerged across the incidents Triskele Labs has responded to.
SSL VPN portals are web-based gateways that allow employees to connect to a company's internal network remotely — the same type of system many organisations relied on heavily during the shift to hybrid work. RDP (Remote Desktop Protocol) is a Microsoft technology that allows someone to remotely control a computer over a network, commonly used by IT staff and service providers to manage systems without being physically present.
When these services are exposed to the internet without multi-factor authentication (MFA), they become targets. Akira affiliates conduct password spraying — a technique where attackers try a small number of commonly used passwords across a large number of accounts, avoiding lockouts while systematically working through potential credentials. Once a valid set of credentials is found, they're in.
This isn't a novel technique, but it continues to succeed at scale. Across all ransomware incidents Triskele Labs responded to in FY25, VPN and RDP exposed without MFA accounted for 60% of initial access vectors. Akira's targeting of these pathways is consistent with that broader trend, and it means the first detection opportunity is usually in the authentication logs of the VPN appliance or the RDP host, before the affiliate has touched anything else.
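The spray pattern described above is easy to miss if you only alert on lockouts, because a spray is designed never to trigger one. The following is an added example (not Triskele Labs tooling) that detects it from Windows failed-logon events instead: one source address, many distinct accounts, very few attempts per account inside a short window, followed by a successful logon from the same source. The field names follow the Security log (EventID 4625/4624, TimeCreated, TargetUserName, IpAddress); the event records are constructed for the example.

```python
"""Password-spray detection over Windows failed-logon (4625) events.

Added example for this article; it is not Triskele Labs tooling. Field
names follow the Security log (EventID, TimeCreated, TargetUserName,
IpAddress); the records are constructed, not from a real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: eight accounts, one failure each, from one source IP
# in seven minutes (a spray), plus one user mistyping a password twice from
# the office range, then a successful logon (4624) for a sprayed account.
_SPRAY_USERS = ["a.nguyen", "b.taylor", "c.wong", "d.patel",
                "e.brown", "f.khan", "g.lee", "h.murphy"]
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": f"2025-03-14T02:{10 + i:02d}:00",
     "TargetUserName": user, "IpAddress": "203.0.113.50"}
    for i, user in enumerate(_SPRAY_USERS)
] + [
    {"EventID": 4625, "TimeCreated": "2025-03-14T02:12:00",
     "TargetUserName": "j.smith", "IpAddress": "198.51.100.7"},
    {"EventID": 4625, "TimeCreated": "2025-03-14T02:12:30",
     "TargetUserName": "j.smith", "IpAddress": "198.51.100.7"},
    {"EventID": 4624, "TimeCreated": "2025-03-14T02:19:00",
     "TargetUserName": "d.patel", "IpAddress": "203.0.113.50"},
]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=3):
    """Flag source IPs that failed logons for >= min_accounts distinct
    accounts inside `window`, with no account tried more than
    max_per_account times.  The low per-account count is what separates a
    spray (stays under lockout thresholds) from a brute force on one user.
    Returns {ip: {"distinct_accounts", "window_start", "window_end"}}.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 4625:
            by_ip[ev["IpAddress"]].append(
                (datetime.fromisoformat(ev["TimeCreated"]),
                 ev["TargetUserName"].lower()))

    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        counts = defaultdict(int)   # account -> failures inside the window
        left = 0
        for right, (t_right, user) in enumerate(attempts):
            counts[user] += 1
            # Slide the left edge until every attempt is inside the window.
            while t_right - attempts[left][0] > window:
                old = attempts[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            distinct = len(counts)
            if distinct >= min_accounts and max(counts.values()) <= max_per_account:
                best = alerts.get(ip)
                if best is None or distinct > best["distinct_accounts"]:
                    alerts[ip] = {"distinct_accounts": distinct,
                                  "window_start": attempts[left][0],
                                  "window_end": t_right}
    return alerts


def successes_after_spray(events, alerts):
    """Successful logons (4624) from a spraying source on or after the start
    of its spray window: the "they're in" moment, and the alert to act on
    first.  Returns [(ip, account), ...]."""
    hits = []
    for ev in events:
        alert = alerts.get(ev.get("IpAddress"))
        if ev.get("EventID") == 4624 and alert and \
                datetime.fromisoformat(ev["TimeCreated"]) >= alert["window_start"]:
            hits.append((ev["IpAddress"], ev["TargetUserName"]))
    return hits


if __name__ == "__main__":
    found = detect_password_spray(SAMPLE_EVENTS)
    for ip, a in found.items():
        print(f"spray from {ip}: {a['distinct_accounts']} accounts "
              f"between {a['window_start']:%H:%M} and {a['window_end']:%H:%M}")
    for ip, account in successes_after_spray(SAMPLE_EVENTS, found):
        print(f"SUCCESS after spray: {account} from {ip}")
```

Two practical caveats. VPN appliances usually do not write 4625; the same logic applies to their own authentication logs once you map the fields, and a spray against a portal that is not joined to the domain will never appear on a domain controller at all. The thresholds (5 accounts, 10 minutes, 3 attempts each) are starting points, not fixed values; tune them against a week of your own failed-logon baseline before alerting.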
Across the nine incidents Triskele Labs has responded to, Akira affiliates followed a recognisable pattern of deliberate, staged compromise.
Once inside the network, affiliates conduct discovery to understand the environment: mapping systems, enumerating domain accounts, locating backup infrastructure, and finding where sensitive data is stored. Credential theft is a priority. Akira affiliates are observed dumping LSASS memory (the Windows process that holds authentication material for logged-on users), extracting the Active Directory database (NTDS.dit) from domain controllers, and using DCSync, which abuses the directory replication rights to ask a domain controller for the password hashes of any account in the domain. They also harvest credentials saved in web browsers and in Windows Credential Manager.
With credentials in hand, affiliates move laterally through the environment using legitimate remote access channels: RDP, SMB admin shares (the built-in ADMIN$ and C$ shares used for Windows file and printer sharing), SSH, and WinRM (Windows Remote Management). Pass-the-hash is also observed: a stolen NTLM hash is presented directly to authenticate, so the underlying password never needs to be cracked.
To maintain access if initial entry points are discovered and closed, affiliates create local accounts, register scheduled tasks, and modify Windows services — all techniques that allow them to re-enter the environment or continue executing code even after partial remediation.
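DCSync is the credential-theft technique in this chain that leaves the cleanest single-event signal, because the domain controller records every use of the replication rights in Security event 4662. The following is an added example (not Triskele Labs tooling) that picks those events out and flags any subject that is not a domain controller computer account or an explicitly allowed replicator. The extended-right GUIDs are the real Active Directory identifiers; the event records, the DC names and the MSOL_ account name are constructed for the example.

```python
"""DCSync detection over Security event 4662 records from a domain controller.

Added example for this article; not Triskele Labs tooling.  When an account
exercises the 'Replicating Directory Changes' rights, the DC logs 4662 with
the extended-right GUIDs in the Properties field.  The GUIDs below are the
real Active Directory identifiers; the event records are constructed.
"""
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
_GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Constructed 4662 records.  Properties mirrors the log layout (an access
# marker followed by one GUID per line in braces).
SAMPLE_4662 = [
    # Normal replication between two DCs: the computer account of a DC.
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": "DC02$",
     "SubjectDomainName": "CORP", "ObjectType": "domainDNS",
     "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Azure AD Connect sync account (allow-listed in the call below).
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": "MSOL_3f1a9c2b",
     "SubjectDomainName": "CORP", "ObjectType": "domainDNS",
     "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A compromised service account pulling every secret: DCSync.
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": "svc_backup",
     "SubjectDomainName": "CORP", "ObjectType": "domainDNS",
     "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Unrelated 4662 on a user object: no replication right, ignored.
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": "helpdesk1",
     "SubjectDomainName": "CORP", "ObjectType": "user",
     "Properties": "%%7685\n{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def detect_dcsync(events, domain_controllers, allowed_accounts=()):
    """Return a finding for every 4662 in which a replication extended right
    was used by something other than a DC computer account or an explicitly
    allowed replicator (Azure AD Connect's MSOL_ account, for instance).
    Get-Changes-All is the right needed to read secrets, so its presence
    raises the severity."""
    dc_accounts = {f"{dc.upper()}$" for dc in domain_controllers}
    allowed = {a.lower() for a in allowed_accounts}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        guids = _GUID.findall(ev.get("Properties", "").lower())
        rights = [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]
        if not rights:
            continue
        subject = ev["SubjectUserName"]
        if subject.upper() in dc_accounts or subject.lower() in allowed:
            continue
        findings.append({
            "computer": ev["Computer"],
            "subject": f"{ev['SubjectDomainName']}\\{subject}",
            "rights": rights,
            "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_4662, domain_controllers=["DC01", "DC02"],
                           allowed_accounts=["MSOL_3f1a9c2b"]):
        print(f"[{f['severity']}] {f['subject']} used {', '.join(f['rights'])} on {f['computer']}")
```

Two things to confirm before relying on this. Event 4662 is only written when Directory Service Access auditing is enabled and the domain object's SACL audits the replication control-access rights; many environments have neither by default, and a DC that is not logging 4662 cannot see a DCSync at all. Second, build the allow-list from a baseline of who actually replicates in your domain (DC computer accounts, the Azure AD Connect service account, some backup and identity products); any other account holding Get-Changes-All is a finding in its own right, whether or not it has used the right yet.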
Before encryption, affiliates identify, collect, and archive sensitive data from local systems and network shares. Rclone — a command-line tool designed for syncing files between local systems and cloud storage services like Google Drive, Dropbox, or Amazon S3 — is commonly used to transfer this data out of the environment. While Rclone is a legitimate tool used by IT teams for backup and migration tasks, it is regularly repurposed by threat actors for large-scale data theft because it blends in with normal cloud traffic. WinSCP, a graphical file transfer client, and other tools supporting web protocols and alternative channels are also used.
Concurrently, affiliates identify and remove or corrupt backup files — specifically to prevent the organisation from recovering without paying.
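Staging, Rclone exfiltration and backup destruction all run from the command line, so process-creation telemetry (Sysmon event 1, or Security event 4688 with command-line logging enabled) is where the three steps above can be caught together. The following is an added example (not Triskele Labs tooling) that classifies process events into those three categories. It uses the PE OriginalFileName to spot an rclone binary that has been renamed on disk, and requires the rclone verb plus a remote:path target so that an ordinary copy between drive letters is not flagged. The event records, host names and account names are constructed for the example.

```python
"""Command-line hunting for data staging, Rclone exfiltration and backup
destruction over process-creation events (Sysmon event 1 or Security 4688
with command-line logging on).

Added example for this article; not Triskele Labs tooling.  The event
records are constructed.  OriginalFileName comes from the PE version
resource, which is why it still says rclone.exe after the file on disk has
been renamed to something innocuous.
"""
import re

# Rclone needs a verb and a "remote:path" target.  The remote pattern wants
# two or more name characters before the colon so that drive letters such
# as C:\ do not match, and rejects anything that looks like a URL scheme.
RCLONE_VERB = re.compile(r"\b(copy|copyto|sync|move|moveto)\b", re.I)
RCLONE_REMOTE = re.compile(r"(?<![\w\\/:])[A-Za-z][\w-]+:(?![\\/])")
ARCHIVE_CMD = re.compile(r"\b(7z|7za|7zr|rar|winrar)(\.exe)?\s+a\b", re.I)
ARCHIVE_PASSWORD = re.compile(r"\s-(p|hp)\S+|--password", re.I)
BACKUP_DESTRUCTION = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
]

# Constructed process-creation events.
SAMPLE_PROCESS_EVENTS = [
    # Rclone renamed to svchost.exe, pushing a finance share to a cloud remote.
    {"Computer": "FS01", "User": "CORP\\svc_backup",
     "Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r'svchost.exe copy "\\FS01\Finance" mega:finance --transfers 16 --no-check-certificate'},
    # Password-protected archive of the HR share staged under C:\Windows\Temp.
    {"Computer": "FS01", "User": "CORP\\svc_backup",
     "Image": r"C:\Windows\Temp\7z.exe", "OriginalFileName": "7z.exe",
     "CommandLine": r'7z.exe a -pSecr3t -mhe=on C:\Windows\Temp\hr.7z "\\FS01\HR"'},
    # Shadow copies wiped on a hypervisor host.
    {"Computer": "HV02", "User": "CORP\\svc_backup",
     "Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    # Benign: a copy between drive letters has a verb but no rclone remote.
    {"Computer": "WS17", "User": "CORP\\j.smith",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c copy C:\Temp\report.xlsx D:\Archive\report.xlsx"},
]


def classify_process_event(ev):
    """Return (category, indicators) for one event, or None if it is benign
    under these rules."""
    cmd = ev.get("CommandLine", "")
    original = ev.get("OriginalFileName", "").lower()
    image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    indicators = []
    if original == "rclone.exe":
        indicators.append("rclone_original_filename")
        if image != "rclone.exe":
            indicators.append("renamed_rclone")
    if RCLONE_VERB.search(cmd) and RCLONE_REMOTE.search(cmd):
        indicators.append("rclone_remote_syntax")
    if indicators:
        return "exfiltration", indicators
    if ARCHIVE_CMD.search(cmd):
        indicators.append("archive_utility")
        if ARCHIVE_PASSWORD.search(cmd):
            indicators.append("password_protected_archive")
        return "staging", indicators
    for name, pattern in BACKUP_DESTRUCTION:
        if pattern.search(cmd):
            return "backup_destruction", [name]
    return None


def hunt_process_events(events):
    """Run the classifier over a batch and return the findings in order."""
    findings = []
    for ev in events:
        result = classify_process_event(ev)
        if result:
            category, indicators = result
            findings.append({"computer": ev.get("Computer"), "user": ev.get("User"),
                             "category": category, "indicators": indicators,
                             "command_line": ev.get("CommandLine", "")})
    return findings


if __name__ == "__main__":
    for f in hunt_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"{f['category']:<19} {f['computer']:<5} {f['user']:<17} "
              f"{','.join(f['indicators'])}")
```

Because Rclone and 7-Zip are legitimate administrative tools, treat the exfiltration and staging categories as hunting leads to be scoped by host and account (Rclone on a file server under an account that has never run it is a very different thing from Rclone on the backup administrator's workstation). The backup-destruction category needs no such scoping: outside a scheduled maintenance window there is no normal reason for `vssadmin delete shadows` to run, and it is the cheapest high-confidence alert on this page.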
With data exfiltrated and backups gone, affiliates deploy ransomware across Windows, Linux, and ESXi (VMware's bare-metal virtualisation platform used to run virtual machines) environments. Victims are then contacted with demands: pay for a decryption tool, and pay to prevent the stolen data from being published on Akira's dark web leak site.
In some cases, this escalates further. Triskele Labs has observed affiliates sending persistent emails to staff and making direct phone calls to victim organisations — including to reception lines and leadership — to increase pressure. This triple-extortion approach is a deliberate tactic, not an afterthought.
The consistent entry points and techniques Akira affiliates use mean there are clear, actionable controls that reduce risk materially.
Akira is an active ransomware threat to Australian organisations. It was among the most prolific groups targeting Australian businesses in FY25, with seven domestic victims named publicly and nine incidents responded to directly by Triskele Labs. The group's affiliates are consistent in their approach: enter through unprotected VPN or RDP, harvest credentials, move laterally, steal data, destroy backups, encrypt, and then apply sustained pressure to force payment.
The controls that matter most are also consistent: MFA on all remote access, detection coverage for credential theft and lateral movement, isolated and tested backups, and monitoring for unusual data staging and outbound transfer activity.
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique |
|---|---|---|
| Initial Access | T1078.002 | Valid Accounts: Domain Accounts |
| Initial Access | T1133 | External Remote Services |
| Initial Access | T1199 | Trusted Relationship (MSP access) |
| Execution | T1047 | Windows Management Instrumentation (WMI) |
| Execution | T1059.003 | Windows Command Shell |
| Execution | T1569.002 | System Services: Service Execution |
| Persistence | T1053.005 | Scheduled Task |
| Persistence | T1136.001 | Create Local Account |
| Persistence | T1543.003 | Create or Modify Windows Service |
| Defence Evasion | T1562.001 | Disable or Modify Security Tools |
| Defence Evasion | T1218 | System Binary Proxy Execution |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory |
| Credential Access | T1003.003 | OS Credential Dumping: NTDS |
| Credential Access | T1003.006 | OS Credential Dumping: DCSync |
| Credential Access | T1555.003 | Credentials from Web Browsers |
| Lateral Movement | T1021.001 | Remote Desktop Protocol (RDP) |
| Lateral Movement | T1021.002 | SMB/Windows Admin Shares |
| Lateral Movement | T1550.002 | Pass the Hash |
| Lateral Movement | T1210 | Exploitation of Remote Services |
| Collection | T1074 | Data Staged |
| Collection | T1560.001 | Archive Collected Data via Utility |
| Exfiltration | T1567.002 | Exfiltration to Cloud Storage |
| Exfiltration | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| Impact | T1486 | Data Encrypted for Impact |
| Tool | Purpose |
|---|---|
| Rclone | A command-line file sync tool designed for cloud storage management; used by attackers to transfer stolen data to attacker-controlled cloud accounts |
| WinSCP | A graphical file transfer client for securely moving files between systems via SFTP, SCP, or FTP; used for exfiltration |
| OpenSSH | A widely used suite of tools that encrypts network communications using the SSH protocol; used for secure remote access and tunnelling |
| WireGuard | A modern, lightweight VPN protocol; used by affiliates to establish covert tunnels into victim environments |
| DWService | A browser-based remote access and system management tool; used to maintain persistent remote access |
| ESXi | VMware's bare-metal hypervisor for running virtual machines on a single physical server; targeted during the encryption phase to maximise operational impact |
| Ntoskrnl | The core Windows operating system kernel; referenced in the context of process injection and defence evasion techniques |
| XWizard | A native Windows utility for running configuration wizards; abused as a proxy to execute malicious payloads while appearing legitimate |
| Palo Alto Firewall | A next-generation network security appliance; observed in the context of VPN access exploitation |
- Qilin on the rise: what Australian organisations need to know: https://www.triskelelabs.com/blog/qilin-on-the-rise-what-australian-organisations-need-to-know
- State of Cyber DFIR report, threat actors section: https://www.stateofcyber.com.au/report/dfir#threat-actors-are-getting-smarter
- How threat actors regain access after a ransomware attack (reinfection and persistence): https://www.triskelelabs.com/blog/how-threat-actors-regain-access-after-ransomware-attack
- Kairos: changing the ransomware playbook: https://www.triskelelabs.com/blog/kairos-changing-the-ransomware-playbook