

Akira and Cl0p Lead Most Active Ransomware-as-a-Service Groups in 2025

5 unique sources, 9 articles

Summary


The first half of 2025 saw a 179% increase in ransomware attacks compared to the same period in 2024, with Akira and Cl0p remaining the most active ransomware-as-a-service (RaaS) groups. Akira's operational tempo has accelerated sharply: threat actors now complete the full attack lifecycle in under four hours and, in some cases, in under one hour. For initial access the group exploits vulnerabilities in VPN appliances and backup solutions (particularly SonicWall, Veeam and Cisco devices not protected by multi-factor authentication, MFA) and also relies on credential theft, spearphishing and initial access brokers (IABs). Akira runs double-extortion operations, exfiltrating data before encryption, and evades detection by disabling security software and using living-off-the-land tools. Rapid compromise, a disciplined operational tempo and a hybrid encryption scheme let the group cause maximum impact in minimal time; its illicit proceeds since March 2023 are estimated at $244.17m. Akira has also extended its encryptor to Nutanix AHV virtual machines, widening its attack surface. Its activity has consistently concentrated on the manufacturing and technology sectors, with the US the most affected region. The RaaS model lets lower-skilled affiliates take part, amplifying the surge in incidents. Newer tactics include pure extortion without encryption, AI-assisted phishing, and exploitation of vulnerabilities such as CVE-2024-40766 in SonicWall devices. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of Australian organizations through SonicWall devices, and incomplete remediation of CVE-2024-40766 has fueled renewed exploitation.
Akira's dwell times are among the shortest recorded for ransomware, often measured in hours, and the group has continued to evolve its tradecraft, encrypting Nutanix AHV virtual machine disk files and using tunneling tools such as Ngrok for encrypted command-and-control channels. As of late September 2025, Akira's ransomware proceeds since it emerged in March 2023 exceeded $244m, underscoring both the group's operational sophistication and its financial impact.

Timeline

  1. 14.11.2025 00:32 · 2 articles

    Akira Expands to Target Nutanix AHV Virtual Machines

    In June 2025, Akira ransomware expanded its encryptor to target Nutanix AHV virtual machines, encrypting their .qcow2 disk files. Akira threat actors have been observed using utilities such as nltest, AnyDesk, LogMeIn, Impacket's wmiexec.py, and VB scripts for reconnaissance, lateral movement, and persistence, and have exfiltrated data in as little as two hours in some attacks. They use tunneling tools such as Ngrok to establish encrypted command-and-control channels. Akira has exploited CVE-2023-27532 and CVE-2024-40711 on unpatched Veeam Backup & Replication servers to gain access and delete backups, and has been observed copying VMDK files from domain controller VMs to extract the NTDS.dit file and SYSTEM hive and obtain domain administrator access. The encryptor uses a hybrid encryption scheme and appends extensions such as .akira, .powerranges, .akiranew, or .aki to encrypted files. A ransom note named fn.txt or akira_readme.txt is dropped in the root of the system drive (C:\) and in each user's home directory under C:\Users.

  2. 11.09.2025 13:33 · 7 articles

    Akira Exploits SonicWall Vulnerabilities and Misconfigurations

    Security researchers at Halcyon reported that Akira ransomware has demonstrated the capability to complete an entire attack lifecycle in less than four hours, with some incidents occurring in under one hour without detection. This development highlights Akira’s continued reliance on vulnerabilities in VPN appliances and backup solutions—particularly SonicWall devices lacking multi-factor authentication (MFA)—as well as credential theft and initial access brokers for initial access. The group’s operational tempo and stealthy tactics, including disabling security software and using living-off-the-land tools, further underscore its adaptability and sophistication in evading detection.

  3. 28.08.2025 21:49 · 9 articles

    Akira and Cl0p Lead Ransomware Attacks in 2025

    Security researchers at Halcyon reported that Akira ransomware can complete an entire attack lifecycle in less than four hours, with some incidents finished in under one hour without detection. This is a significant jump in ransomware velocity, attributed to Akira's stealthy tactics, rapid compromise capabilities, and disciplined operational tempo. For initial access Akira exploits vulnerabilities in VPN appliances and backup solutions (particularly SonicWall, Veeam, and Cisco devices lacking multi-factor authentication, MFA) and also uses credential theft, spearphishing, and initial access brokers (IABs). It runs double-extortion operations, exfiltrating data before encryption, and evades detection by disabling security software and using living-off-the-land tools; combined with a hybrid encryption scheme, this lets the group achieve maximum impact in minimal time. Akira has also expanded its targeting to Nutanix AHV virtual machines, further diversifying its attack surface.

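The indicators in the Nutanix AHV timeline entry above (ransom note names and drop locations, the appended extensions, the .qcow2 targeting, and the tooling) lend themselves to a quick hunt script. The following is an added example, not code from this page or from any of its sources: it checks a file listing and process-creation events for those indicators. The sample paths and events are constructed, and the ntds.dit command-line pattern is an assumption about how the VMDK-based credential extraction the page describes would surface in telemetry.

```python
"""Hunt for the Akira indicators described in the timeline entry above.

All sample data below is constructed for this example; the indicator lists
(ransom note names, appended extensions, tooling) come from the page."""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

RANSOM_NOTES = {"fn.txt", "akira_readme.txt"}
AKIRA_EXTENSIONS = {".akira", ".powerranges", ".akiranew", ".aki"}

# Tooling named on the page, matched against image path plus command line.
TOOL_PATTERNS = {
    "nltest": re.compile(r"\bnltest(\.exe)?\b", re.I),
    "anydesk": re.compile(r"anydesk", re.I),
    "logmein": re.compile(r"logmein", re.I),
    "impacket-wmiexec": re.compile(r"\bwmiexec(\.py)?\b", re.I),
    "ngrok": re.compile(r"\bngrok(\.exe)?\b", re.I),
    # Assumption: offline extraction of NTDS.dit from a copied DC disk shows
    # up as a command line that names the file. The page only says the file
    # is pulled from VMDK copies, not which command is used.
    "ntds-access": re.compile(r"ntds\.dit", re.I),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    evidence: str


def check_paths(paths):
    """Flag ransom notes and Akira-encrypted files in a file listing."""
    findings = []
    for raw in paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        if name in RANSOM_NOTES:
            # The page: the note lands in C:\ and in each C:\Users\<user>\ directory.
            in_root = len(p.parts) == 2
            in_home = len(p.parts) == 4 and p.parts[1].lower() == "users"
            kind = "ransom_note" if in_root or in_home else "ransom_note_other_dir"
            findings.append(Finding(kind, raw))
        if p.suffix.lower() in AKIRA_EXTENSIONS:
            # Akira appends its extension, so the original one survives in the
            # stem; a .qcow2 underneath points at a Nutanix AHV disk image.
            inner = PureWindowsPath(p.stem).suffix.lower()
            kind = "encrypted_vm_disk" if inner == ".qcow2" else "encrypted_file"
            findings.append(Finding(kind, raw))
    return findings


def check_processes(events):
    """Flag process-creation events whose image or command line names Akira tooling."""
    findings = []
    for ev in events:
        haystack = f"{ev.get('Image', '')} {ev.get('CommandLine', '')}".strip()
        for tool, pattern in TOOL_PATTERNS.items():
            if pattern.search(haystack):
                findings.append(Finding(f"tool:{tool}", haystack))
                break  # one finding per event is enough for triage
    return findings


def hunt(paths, events):
    """Return all findings plus a per-kind count for a quick triage view."""
    findings = check_paths(paths) + check_processes(events)
    return findings, Counter(f.kind for f in findings)


# Constructed sample input, not real telemetry.
SAMPLE_PATHS = [
    r"C:\fn.txt",
    r"C:\Users\alice\akira_readme.txt",
    r"C:\Users\alice\Documents\readme.txt",
    r"C:\Program Files\fn.txt",
    r"D:\backups\finance.bak.powerranges",
    r"\\nas01\ahv\web01.qcow2.akira",
    r"C:\Users\bob\report.docx",
]
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\nltest.exe", "CommandLine": "nltest /dclist:corp"},
    {"Image": r"C:\Python39\python.exe",
     "CommandLine": r"python.exe wmiexec.py corp/svc_bkp@10.0.0.5 whoami"},
    {"Image": r"C:\Users\Public\ngrok.exe", "CommandLine": "ngrok tcp 3389"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy E:\mnt\dc01\Windows\NTDS\ntds.dit C:\tmp\n.dit"},
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    found, counts = hunt(SAMPLE_PATHS, SAMPLE_EVENTS)
    for f in found:
        print(f"{f.kind:24} {f.evidence}")
    print(dict(counts))
```

Run against real data by feeding `check_paths` a file-system listing and `check_processes` Sysmon event ID 1 or EDR process-creation records; the location check on the ransom note is deliberately narrow to the two places the page names, so a note elsewhere is reported separately rather than dropped.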


Similar Happenings

Lazarus Group Linked to Medusa Ransomware Attacks on U.S. Healthcare

North Korean state-backed hackers from the Lazarus group are targeting U.S. healthcare organizations and entities in the Middle East with Medusa ransomware in financially motivated extortion attacks. The Medusa ransomware-as-a-service (RaaS) operation has impacted over 366 organizations since its launch in 2023, with at least four more healthcare and non-profit organizations in the U.S. targeted since November 2025. This is the first time Lazarus has been linked to Medusa, though the group has been associated with other ransomware strains. The attacks use a toolset of both custom and commodity tools, some of which are linked to another North Korean group, Diamond Sleet. The average ransom recorded in these attacks is $260,000, reportedly used to fund espionage operations against defense, technology, and government sectors in the U.S., Taiwan, and South Korea. Symantec has published indicators of compromise (IoCs) to help defenders. The Stonefly sub-group of Lazarus, also known as Andariel, has been involved in ransomware operations for the past five years; Rim Jong Hyok, an alleged Stonefly member, was indicted by the US Justice Department for ransomware campaigns targeting US hospitals and healthcare providers, and a reward of up to $10m for information on him was announced under the US State Department's Rewards for Justice program.

AI-Assisted Hacker Breaches 600 FortiGate Firewalls in 5 Weeks

A Russian-speaking, financially motivated hacker used generative AI services to breach over 600 FortiGate firewalls across 55 countries in five weeks. The campaign, which ran between January 11 and February 18, 2026, targeted exposed management interfaces and weak credentials lacking MFA protection. The attacker used AI to automate access to other devices on breached networks, extracting sensitive configuration data and conducting reconnaissance, and went on to compromise multiple organizations' Active Directory environments, extract complete credential databases, and target backup infrastructure, likely in preparation for ransomware deployment. The threat actor used CyberStrikeAI, an AI-powered security testing platform that integrates over 100 security tools and allows end-to-end automation of attacks. Its developer, known as "Ed1s0nZ," has links to Chinese government-affiliated cyber operations and has worked on additional AI-assisted security tools. Team Cymru detected 21 unique IP addresses running CyberStrikeAI between January 20 and February 26, 2026, primarily hosted in China, Singapore, and Hong Kong, with additional servers in the U.S., Japan, and Switzerland. The developer has interacted with organizations supporting potentially Chinese state-sponsored cyber operations, including Knownsec 404, a Chinese security vendor with ties to the Chinese Ministry of State Security (MSS), and has removed references to a CNNVD Level 2 Contribution Award from their GitHub profile. The campaign targeted healthcare, government, and managed service providers, exploiting CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858. On compromised firewalls the attackers created a new local administrator account named "support" and added four new firewall policies allowing unrestricted access, then periodically checked device accessibility, behaviour consistent with an initial access broker (IAB). They extracted configuration files containing encrypted service-account LDAP credentials, authenticated to Active Directory with the clear-text credentials of the fortidcagent service account, enrolled rogue workstations in the domain for deeper access, and deployed remote access tools such as Pulseway and MeshAgent. Malware was downloaded via PowerShell from a cloud storage bucket on AWS infrastructure; the Java malware then exfiltrated the contents of the NTDS.dit file and SYSTEM registry hive to an external server (172.67.196[.]232) over port 443.
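The firewall-side changes described in the FortiGate entry above (a new local administrator, management access without MFA or trusted-host limits, and policies allowing unrestricted access) are exactly what a baseline diff of the FortiOS configuration surfaces. The following is an added example, not code from this page, from Fortinet, or from the researchers cited: it parses the FortiOS text configuration format and audits a current config against a known-good baseline. Both config excerpts are constructed, and the assumptions about the `two-factor` and `trusthost` settings are stated in comments.

```python
"""Audit a FortiOS configuration for a new local admin, admins reachable
without MFA or trusted-host limits, and any/any accept policies.

Constructed sample configs, not pulled from a real device."""
import shlex


def parse_fortios(text):
    """Parse FortiOS 'config ... edit ... set ... next ... end' blocks.

    Returns {section: {entry_id: {key: value}}}. Nested config blocks inside
    an entry are parsed under their own section name and restore the parent
    entry on 'end', so they do not pollute the parent entry's attributes.
    """
    cfg = {}
    stack = []                # saved (section, entry) for nested config blocks
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)
        kw = tokens[0]
        if kw == "config":
            stack.append((section, entry))
            section = " ".join(tokens[1:])
            entry = None
            cfg.setdefault(section, {})
        elif kw == "edit":
            entry = tokens[1]
            cfg[section].setdefault(entry, {})
        elif kw == "set" and entry is not None:
            cfg[section][entry][tokens[1]] = " ".join(tokens[2:])
        elif kw == "next":
            entry = None
        elif kw == "end":
            section, entry = stack.pop()
    return cfg


ANY_ANY_ACCEPT = {"srcaddr": "all", "dstaddr": "all", "service": "ALL", "action": "accept"}
OPEN_TRUSTHOST = "0.0.0.0 0.0.0.0"


def audit(baseline_text, current_text):
    """Compare a known-good baseline with the current config; return (kind, target) findings."""
    base = parse_fortios(baseline_text)
    cur = parse_fortios(current_text)
    findings = []

    base_admins = base.get("system admin", {})
    for name, attrs in cur.get("system admin", {}).items():
        if name not in base_admins:
            findings.append(("new_admin", name))
        # Assumption: MFA is enforced only when 'two-factor' is set to a value other than disable.
        if attrs.get("two-factor", "disable") == "disable":
            findings.append(("admin_without_mfa", name))
        # Assumption: trusthostN defaults to 0.0.0.0 0.0.0.0, i.e. the admin can log in from anywhere.
        hosts = [v for k, v in attrs.items() if k.startswith("trusthost")]
        if not any(h != OPEN_TRUSTHOST for h in hosts):
            findings.append(("admin_no_trusted_hosts", name))

    base_policies = base.get("firewall policy", {})
    for pid, attrs in cur.get("firewall policy", {}).items():
        if pid not in base_policies:
            findings.append(("new_policy", pid))
        if all(attrs.get(k) == v for k, v in ANY_ANY_ACCEPT.items()):
            findings.append(("any_any_accept", pid))
    return findings


# Constructed baseline: one admin with MFA and a trusted host, one narrow policy.
BASELINE_CFG = """
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set name "lan-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
"""
# Constructed "current" config: baseline plus the kind of additions the page describes.
CURRENT_CFG = BASELINE_CFG + """
config system admin
    edit "support"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
config firewall policy
    edit 9
        set name "tmp"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""

if __name__ == "__main__":
    for kind, target in audit(BASELINE_CFG, CURRENT_CFG):
        print(f"{kind:24} {target}")
```

Feed `audit` the output of `show full-configuration` (or a config backup) from the device and a copy taken at a known-good point; the parser ignores section-level `set` lines and `unset`, which is enough for the admin and policy tables this check cares about.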

Ransomware Attack on Advantest Corporation

Advantest Corporation, a major supplier of automatic test equipment for the semiconductor industry, detected a ransomware attack on February 15, 2026. The company confirmed an IT network intrusion and activated incident response protocols. Preliminary findings suggest unauthorized access and ransomware deployment, but the extent of data exfiltration remains unclear. No ransomware group has claimed responsibility yet. Advantest employs over 7,500 people, has an annual revenue of more than $5 billion, and a market capitalization of $120 billion. The company serves key chipmakers like Intel, Samsung, and TSMC. The attack follows recent ransomware incidents in the semiconductor sector and new Japanese government OT security guidelines for semiconductor factories.

Increase in Ransomware Victims Despite Decline in Active Groups

Ransomware attacks surged in Q4 2025, with a 50% increase in victim organizations compared to the previous quarter and a 40% rise year-over-year. Despite a decline in the number of active ransomware groups, top-tier operators like Qilin, Akira, and Sinobi intensified their activities, focusing on rapid execution to avoid detection. Qilin led with over 450 victims, including Asahi, while Sinobi saw a 300% surge in data-leak site listings, emerging as a significant threat.

Bizarre Bazaar Campaign Exploits Exposed LLM Endpoints

A cybercrime operation named 'Bizarre Bazaar' is actively targeting exposed or poorly authenticated LLM (Large Language Model) service endpoints. Over 35,000 attack sessions were recorded in 40 days, involving unauthorized access to steal computing resources, resell API access, exfiltrate data, and pivot into internal systems. The campaign highlights the emerging threat of 'LLMjacking' attacks, where attackers exploit misconfigurations in LLM infrastructure to monetize access through cryptocurrency mining and darknet markets. The SilverInc service, marketed on Telegram and Discord, resells access to more than 50 AI models in exchange for cryptocurrency or PayPal payments. A recent investigation by SentinelOne SentinelLABS and Censys revealed 175,000 unique Ollama hosts across 130 countries, many of which are configured with tool-calling capabilities, increasing the risk of LLMjacking attacks.