
Akira ransomware escalates into global threat as US agencies sound alarm

Written by Kirsten Peremore | November 18, 2025

A joint cybersecurity advisory released on November 13, 2025 warned that the Akira ransomware group has sharply escalated its attacks on infrastructure.


What happened

The alert came from the FBI, CISA, DC3, HHS, and several international partners. Officials reported that Akira has collected more than $244 million in ransom payments since the group first appeared in March 2023. Akira initially attacked Windows systems but expanded in April 2023 with a Linux variant that targets VMware ESXi environments.

In June 2025, investigators documented the group’s first encryption of Nutanix AHV VM disk files after exploiting CVE-2024-40766, a SonicWall vulnerability. The updated advisory shows that Akira breaks into networks by using stolen credentials, spear phishing, brute-force attempts, and VPN services without MFA.

The group then uses tools like AnyDesk and LogMeIn to maintain persistence and carries out double extortion by stealing and encrypting data. Agencies warn that Akira poses an urgent threat to healthcare, education, financial services, manufacturing, and food and agriculture, and they urge organizations to patch vulnerabilities.
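The advisory's initial-access vectors above (brute-force attempts and VPN logins without MFA) are the ones a defender can check for directly in VPN authentication logs. The following script is an added example, not code from the advisory or from Paubox: it parses a constructed, assumed log format, flags source addresses that produce a burst of failed logins, flags successful logins that completed without an MFA factor, and ranks highest any account that logged in without MFA from a source that was also brute-forcing. Thresholds, field names and the sample lines are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (not real data). The line format
# "ts vpn auth user=... src=... result=OK|FAIL mfa=none|totp" is an assumption.
SAMPLE_LOG = """\
2025-11-14T08:00:01Z vpn auth user=jdoe src=203.0.113.10 result=FAIL mfa=none
2025-11-14T08:00:03Z vpn auth user=jdoe src=203.0.113.10 result=FAIL mfa=none
2025-11-14T08:00:05Z vpn auth user=asmith src=203.0.113.10 result=FAIL mfa=none
2025-11-14T08:00:07Z vpn auth user=bwong src=203.0.113.10 result=FAIL mfa=none
2025-11-14T08:00:09Z vpn auth user=clee src=203.0.113.10 result=FAIL mfa=none
2025-11-14T08:00:11Z vpn auth user=clee src=203.0.113.10 result=OK mfa=none
2025-11-14T08:15:00Z vpn auth user=mnguyen src=198.51.100.7 result=OK mfa=totp
2025-11-14T09:30:00Z vpn auth user=rpatel src=198.51.100.8 result=FAIL mfa=none
2025-11-14T09:31:00Z vpn auth user=rpatel src=198.51.100.8 result=OK mfa=totp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Return source IPs that produced >= threshold failed logins inside one sliding window.

    The threshold and window are assumed tuning values; a password spray against
    many accounts from one source trips this just as a single-account brute force does.
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["src"]].append(e["ts"])
    flagged = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within the time window.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def find_no_mfa_logins(events):
    """Return sorted (user, src) pairs that authenticated successfully with no MFA factor."""
    return sorted(
        {(e["user"], e["src"]) for e in events if e["result"] == "OK" and e["mfa"] == "none"}
    )


def triage(text):
    """Combine both checks; a no-MFA success from a brute-forcing source is the top finding."""
    events = parse_log(text)
    brute = find_bruteforce_sources(events)
    no_mfa = find_no_mfa_logins(events)
    likely_compromise = sorted((u, s) for u, s in no_mfa if s in brute)
    return {
        "bruteforce_sources": sorted(brute),
        "no_mfa_logins": no_mfa,
        "likely_compromise": likely_compromise,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the script reports one brute-forcing source, one login that succeeded without MFA, and flags that account as the likely compromised one because both findings share a source address. Any account in the last bucket is a candidate for credential reset and session revocation, and any non-empty `no_mfa_logins` list is itself a configuration gap of the kind the advisory describes.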


The backstory

The HHS Health Sector Cybersecurity Coordination Center issued the “Akira Ransomware Analyst Note” on February 7, 2024, identifying Akira as “a relatively new ransomware gang that has demonstrated aggressive and capable targeting of the U.S. health sector in its short lifespan.” According to the note, Akira was first identified in May 2023 (though some sources indicate earlier activity), and in less than a year had claimed at least 81 victims.

Researchers point to connections between Akira and the now-defunct Conti ransomware group, citing code- and finance-linked similarities. The group operates under a ransomware-as-a-service (RaaS) model in which affiliates carry out attacks while the operator handles extortion and leak-site operations.

“They also conduct double extortion; they steal sensitive data, deploy their ransomware, and then charge two fees.” Their targeting spans Windows and Linux systems, including virtualized infrastructure. While based in the US, Akira has a global reach across North America, Europe, Australia, and other regions.


What was said

According to the joint advisory, “Akira ransomware threat actors are associated with other groups known as Storm-1567, Howling Scorpius, Punk Spider, and Gold Sahara, and may have connections to the defunct Conti ransomware group. Akira threat actors primarily target small- and medium-sized businesses, but have also impacted larger organizations across various sectors, with a notable preference for organizations in the manufacturing, educational institutions, information technology, healthcare and public health, financial services, and food and agriculture sectors.”


Why it matters

The group has claimed dozens of healthcare victims since its emergence and frequently exploits weak VPN configurations, stolen credentials, and unpatched systems, all attack vectors that are common pain points in hospitals and clinics. These attacks create major risks for healthcare delivery because ransomware can shut down electronic health records, delay patient care, disrupt diagnostic systems, and trigger costly diversion of patients to other facilities. Stolen data also places patients at long-term risk of identity theft and extortion, especially when medical, insurance, and billing information is leaked.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)


FAQs

What is locker ransomware?

Locker ransomware locks users out of their devices without encrypting individual files.


What is double-extortion ransomware?

Double-extortion ransomware steals data before encrypting systems and threatens to leak it if the victim does not pay.


What is triple-extortion ransomware?

Triple-extortion ransomware adds pressure by targeting the victim's partners or customers, or by threatening DDoS attacks, to force payment.


What is RaaS?

RaaS is a criminal business model where developers lease ransomware tools to affiliates who carry out attacks.