Akira ransomware poses imminent threat to critical infrastructure, CISA says
A joint cybersecurity advisory published by CISA, the FBI, HHS and international authorities detailed recent Akira threat actor activity.
U.S. and international authorities are once again warning the healthcare sector about Akira ransomware threat actors, who have been aggressively targeting critical infrastructure entities since March 2023.
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), HHS and international agencies updated a 2024 joint cybersecurity advisory with new information, stating that recent Akira ransomware activity "presents an imminent threat to critical infrastructure."
"Akira threat actors primarily target small- and medium-sized businesses, but have also impacted larger organizations across various sectors, with a notable preference for organizations in the manufacturing, educational institutions, information technology, healthcare and public health, financial services, and food and agriculture sectors," the updated advisory stated.
Akira ransomware threat actors are known to be associated with other notorious threat actor groups, including Storm-1567, Howling Scorpius, Punk Spider and Gold Sahara, as well as the defunct Conti ransomware group.
HHS has issued multiple alerts about Akira in recent years. Akira threat actors have attracted the attention of government agencies worldwide due to their aggressive tactics and high attack volume. From May 2023 to February 2024 alone, Akira threat actors conducted approximately 81 cyberattacks.
The group's activity has remained steady, with cyberattacks against critical infrastructure entities in North America, Europe and Australia.
According to the updated advisory, in June 2025, Akira threat actors abused a SonicWall vulnerability and encrypted Nutanix AHV VM disk files for the first time, expanding their capabilities.
As of late September 2025, Akira threat actors have claimed approximately $244.17 million in ransomware proceeds, CISA noted.
Akira threat actors have been observed stealing login credentials or exploiting vulnerabilities to gain access to VPN products. The group has also used password spraying techniques and spear phishing to achieve initial access.
Additionally, authorities have observed Akira threat actors creating new user accounts and adding those accounts to the administrator group to establish a strong foothold in the target environment. The threat actors may also use legitimate remote access tools, like AnyDesk or LogMeIn, to further infiltrate the compromised network.
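The two behaviours described above, password spraying against logon services and newly created accounts being added to an administrator group, are both visible in ordinary Windows Security auditing. The following is an added example written for this article, not code from the advisory or from any of the agencies named, showing how a defender could flag both patterns over a small batch of constructed event records. The event IDs used (4625 failed logon, 4720 user account created, 4732 member added to a security-enabled local group) are the real Windows IDs; the field names, sample values, IP addresses, time windows and thresholds are assumptions chosen for illustration and should be tuned to the environment.

```python
"""Detection sketch for two Akira-style patterns named in the advisory:
password spraying and "create a user, then add it to Administrators".

Added example, not from the advisory. Event IDs 4625/4720/4732 are the real
Windows Security event IDs; the record layout, sample values and thresholds
below are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Timestamps are ISO 8601.
SAMPLE_EVENTS = [
    # One external source failing logons against many different accounts.
    {"ts": "2025-06-01T02:00:00", "id": 4625, "user": "jsmith", "src": "203.0.113.7"},
    {"ts": "2025-06-01T02:00:05", "id": 4625, "user": "mjones", "src": "203.0.113.7"},
    {"ts": "2025-06-01T02:00:09", "id": 4625, "user": "rlee",   "src": "203.0.113.7"},
    {"ts": "2025-06-01T02:00:14", "id": 4625, "user": "akhan",  "src": "203.0.113.7"},
    {"ts": "2025-06-01T02:00:20", "id": 4625, "user": "pwong",  "src": "203.0.113.7"},
    {"ts": "2025-06-01T02:00:25", "id": 4625, "user": "tbrown", "src": "203.0.113.7"},
    # A user mistyping their own password twice: benign, must not alert.
    {"ts": "2025-06-01T09:15:00", "id": 4625, "user": "jsmith", "src": "10.0.0.12"},
    {"ts": "2025-06-01T09:15:30", "id": 4625, "user": "jsmith", "src": "10.0.0.12"},
    # New account created and promoted to Administrators 90 seconds later.
    {"ts": "2025-06-01T03:10:00", "id": 4720, "user": "svc_backup2", "actor": "jsmith"},
    {"ts": "2025-06-01T03:11:30", "id": 4732, "user": "svc_backup2",
     "group": "Administrators", "actor": "jsmith"},
    # Existing account added to Administrators with no recent creation event.
    {"ts": "2025-06-01T12:00:00", "id": 4732, "user": "helpdesk01",
     "group": "Administrators", "actor": "admin"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Flag a source that fails logons against >= min_users distinct accounts
    inside `window`. Spraying looks like many users, few tries each, one
    source; a single user failing repeatedly does not match."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append((_parse(e["ts"]), e["user"]))
    alerts = []
    for src, attempts in by_src.items():
        attempts.sort()  # chronological per source
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                alerts.append({"src": src, "distinct_users": len(users),
                               "start": t0.isoformat()})
                break  # one alert per source is enough
    return alerts


def detect_new_admin(events, window=timedelta(hours=1)):
    """Flag an account created (4720) and then added to an administrators
    group (4732) within `window`: the foothold pattern in the advisory."""
    created = {}
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] == 4720:
            created[e["user"]] = _parse(e["ts"])
        elif e["id"] == 4732 and "admin" in e.get("group", "").lower():
            t_created = created.get(e["user"])
            if t_created is not None:
                lag = _parse(e["ts"]) - t_created
                if lag <= window:
                    alerts.append({"user": e["user"], "group": e["group"],
                                   "actor": e.get("actor"),
                                   "lag_seconds": lag.total_seconds()})
    return alerts


def run_detections(events):
    """Run both rules and return their alerts together."""
    return {"password_spray": detect_password_spray(events),
            "new_admin": detect_new_admin(events)}


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_EVENTS).items():
        print(rule, hits)
```

The spray rule keys on distinct usernames per source rather than raw failure counts, so a normal user locking themselves out does not fire it; the account rule only correlates creation with promotion, so a pre-existing account added to Administrators (the `helpdesk01` record) is left to a separate change-control check rather than flagged here.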
"Akira threat actors do not leave an initial ransom demand or payment instructions on compromised networks and do not relay this information until contacted by the victim. Victims make ransom payments by using Bitcoin to cryptocurrency-wallet addresses provided by the Akira threat actors," the advisory stated.
"To further apply pressure, Akira threat actors threaten to publish exfiltrated data on the Tor network, and in some instances have called victimized companies, according to FBI reporting."
As this pervasive threat continues to target healthcare and other critical infrastructure entities, CISA and the FBI are encouraging entities to prioritize remediating known vulnerabilities and implement strong credential and access management policies.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.