Actions for Organizations to Take Today to Mitigate Cyber Threats Related to Akira Ransomware Activity
- Prioritize remediating known exploited vulnerabilities.
- Enable and enforce phishing-resistant multifactor authentication (MFA).
- Maintain regular backups of critical data, ensure backups are stored offline, and regularly test the restoration process.
Summary
This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit StopRansomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
Note: Originally published April 18, 2024, this advisory was updated Nov. 13, 2025, with information on new Akira ransomware activity that presents an imminent threat to critical infrastructure. Updated information is labeled with “Update Nov. 13, 2025” at the beginning and “End Update” at the end of sections that include substantive new information, such as new Akira threat actor activity, TTPs, and IOCs.
Update Nov. 13, 2025:
The United States’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Defense Cyber Crime Center (DC3), and Department of Health and Human Services (HHS); Europol’s European Cybercrime Centre (EC3); France’s Office Anti-Cybercriminalite (OFAC) – French Cybercrime Central Office; Germany’s Generalstaatsanwaltschaft Karlsruhe – Cybercrime-Zentrum Baden-Württemberg and Landeskriminalamt Baden-Württemberg; and the Netherlands’s National Cyber Security Centre (NCSC-NL)—hereafter referred to as the “authoring organizations”—are releasing this joint advisory to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third-party reporting as recently as November 2025.
Akira ransomware threat actors are associated with other groups known as Storm-1567, Howling Scorpius, Punk Spider, and Gold Sahara, and may have connections to the defunct Conti ransomware group. Akira threat actors primarily target small- and medium-sized businesses, but have also impacted larger organizations across various sectors, with a notable preference for organizations in the manufacturing, educational institutions, information technology, healthcare and public health, financial services, and food and agriculture sectors.