VYPR
Research · Published Apr 2, 2026 · Updated May 18, 2026 · 1 source

Akira Ransomware Group Achieves Sub-One-Hour Attack Lifecycle, Researchers Report

Halcyon researchers report that the Akira ransomware group can complete the entire attack lifecycle in under one hour, using intermittent encryption and zero-day exploits to maximize speed and evade detection.

Security researchers at Halcyon have documented a new milestone in ransomware velocity: the Akira group can now complete an entire attack lifecycle in under one hour, with some operations finishing in less than four hours. The findings, published in a new report, highlight how the group's focus on speed and stealth is enabling it to generate an estimated $244 million in ransom payments since its emergence in March 2023.

Akira typically gains initial access by exploiting vulnerabilities in internet-facing VPN appliances and backup solutions, particularly those lacking multi-factor authentication (MFA). The group has targeted devices from SonicWall, Veeam, and Cisco, but also employs credential theft, spearphishing, password spraying, and initial access brokers (IABs). Halcyon notes that Akira is one of the more sophisticated ransomware operations, with suspected former Conti hackers now involved in its activities.

Following initial access, Akira follows a classic double-extortion model, exfiltrating data before encrypting files. The group uses living-off-the-land tools such as FileZilla, WinRAR, WinSCP, and RClone for data staging and encryption, while disabling security software to evade detection. A key differentiator is Akira's use of intermittent encryption, sometimes set as low as 1% of a file, which dramatically speeds up the encryption process and maximizes impact across all devices in a short duration.
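For defenders, the practical consequence of intermittent encryption is that a whole-file entropy check barely registers a file that is only 1% ciphertext, while a per-window check does. The following Python sketch is an added example, not code from Halcyon's report or this article; the sample file is constructed, random bytes stand in for ciphertext as one contiguous block, and the 4096-byte window and 7.5 bits/byte threshold are illustrative assumptions.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 = constant, 8.0 = uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_windows(data: bytes, window: int = 4096, threshold: float = 7.5):
    """Offsets of fixed-size windows whose entropy exceeds the threshold."""
    return [off for off in range(0, len(data), window)
            if shannon_entropy(data[off:off + window]) > threshold]

def build_sample(size: int = 1_000_000, fraction: float = 0.01, seed: int = 1):
    """Constructed sample: a log-like file, and a copy with `fraction` of it
    replaced by random bytes standing in for ciphertext (assumption: one
    contiguous block, aligned to a 4096-byte boundary near the middle)."""
    line = b"2026-04-02 12:00:00 INFO backup job completed for host-01\n"
    plain = (line * (size // len(line) + 1))[:size]
    rng = random.Random(seed)
    n = int(size * fraction)
    start = (size // 2 // 4096) * 4096
    blob = bytes(rng.getrandbits(8) for _ in range(n))
    return plain, plain[:start] + blob + plain[start + n:]

if __name__ == "__main__":
    plain, partial = build_sample()
    print(f"whole-file entropy, original : {shannon_entropy(plain):.2f}")
    print(f"whole-file entropy, 1% random: {shannon_entropy(partial):.2f}")
    print("high-entropy windows, original :", high_entropy_windows(plain))
    print("high-entropy windows, 1% random:", high_entropy_windows(partial))
```

Per-window scanning costs more I/O than sampling a file header, so in practice it is usually triggered by a write burst rather than run continuously.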

Halcyon's report emphasizes that Akira's combination of rapid compromise capabilities, disciplined operational tempo, and investment in reliable decryption infrastructure sets it apart from many ransomware operators. The group is described as "more stealthy and less aggressive" than other groups such as Play, relying on zero-day exploits and compromised credentials for covert access.

The US government has attributed $244 million in ransom payments to Akira since its appearance in March 2023, underscoring the financial impact of the group's operations. The speed of these attacks poses a significant challenge for defenders, as traditional detection and response mechanisms may not be able to keep pace with a sub-one-hour attack lifecycle.

To mitigate the threat from Akira and similar groups, Halcyon recommends a layered defense strategy. This includes hardening against initial access by securing trusted relationships and third-party pathways, limiting lateral movement and credential abuse, monitoring for data staging and exfiltration, protecting against encryption impact through tested recovery processes, and deploying dedicated anti-ransomware solutions that block malicious binaries pre-execution and detect runtime behaviors.

The report serves as a stark reminder that ransomware groups continue to evolve their tactics, prioritizing speed and efficiency to maximize damage and extortion potential. Organizations must adapt their defenses accordingly to counter these increasingly rapid attacks.

Synthesized by Vypr AI