Operator dossier

Akira (also tracked as Megazord) is a ransomware operator currently active on public leak sites. Darkfield has indexed 1,616 public victims claimed by this operator between April 26, 2023 and May 20, 2026. Akira is a ransomware group that emerged in April 2023, operating with primarily financial motivations and has rapidly established itself as a significant threat actor with over 1,500 documented victims. The group's country of origin remains unclear, though they operate as a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to conduct attacks while the core group maintains the ransomware infrastructure and negotiation processes. Akira employs multi-faceted attack methodologies including exploitation of VPN vulnerabilities, particularly targeting Cisco VPN appliances, and utilizes living-off-the-land techniques along with legitimate administrative tools to avoid detection, while implementing double extortion tactics by exfiltrating sensitive data before deploying their encryption payload. The group has demonstrated a preference for targeting organizations in the United States, Canada, Germany, United Kingdom, and Italy, with a particular focus on manufacturing, business services, technology, and construction sectors, though they have shown willingness to attack various industries. Despite being relatively new to the ransomware landscape, Akira has maintained consistent operations throughout 2023 and into 2024, with law enforcement agencies including CISA and FBI issuing advisories about their activities, though no major disruption operations have been publicly reported against the group as of late 2024.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

Akira

aka Megazord · 1,616 victims indexed · first seen 3 years ago · last activity 12 hours ago

1,616

Victims indexed

#4 of 348 tracked operators

3y 1m

Active period

Apr 2023 → May 2026

Countries hit

top United States · 676

At a glance

Status: active
Aliases: Megazord
First seen: 3 years ago
Last activity: 12 hours ago
Onion sites: 5 known endpoints
Primary sector: Not Found · 345 hits

About

Akira is a ransomware group that emerged in April 2023, operating with primarily financial motivations and has rapidly established itself as a significant threat actor with over 1,500 documented victims. The group's country of origin remains unclear, though they operate as a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to conduct attacks while the core group maintains the ransomware infrastructure and negotiation processes. Akira employs multi-faceted attack methodologies including exploitation of VPN vulnerabilities, particularly targeting Cisco VPN appliances, and utilizes living-off-the-land techniques along with legitimate administrative tools to avoid detection, while implementing double extortion tactics by exfiltrating sensitive data before deploying their encryption payload. The group has demonstrated a preference for targeting organizations in the United States, Canada, Germany, United Kingdom, and Italy, with a particular focus on manufacturing, business services, technology, and construction sectors, though they have shown willingness to attack various industries. Despite being relatively new to the ransomware landscape, Akira has maintained consistent operations throughout 2023 and into 2024, with law enforcement agencies including CISA and FBI issuing advisories about their activities, though no major disruption operations have been publicly reported against the group as of late 2024.

References

6 links

External sources curated by the MISP threat-intel community.

Timeline

24 months

2024-04-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇺🇸 United States

676

🇨🇦 Canada

🇩🇪 Germany

🇬🇧 United Kingdom

🇮🇹 Italy

🇨🇭 Switzerland

🇧🇷 Brazil

🇦🇺 Australia

United States dossier →Canada dossier →Germany dossier →United Kingdom dossier →

Top sectors

Not Found

345

Manufacturing

242

Business Services

160

Technology

102

Construction

Agriculture and Food Production

Transportation/Logistics

Financial Services

Not Found dossier →Manufacturing dossier →Business Services dossier →Technology dossier →

MITRE ATT&CK

5 techniques · 5 tactics

Tactics

Initial AccessExecutionCredential AccessLateral MovementImpact

Techniques

T1133External Remote Services
T1078Valid Accounts
T1059Command and Scripting Interpreter
T1003OS Credential Dumping
T1486Data Encrypted for Impact

Indicators of compromise

CVEs exploited

CVE-2023-20269 CVE-2024-40766

Known tools

MimikatzLaZagneAnyDeskWinRARRClone

Detection · YARA rules

1 rule

Akira_Ransomware
Detects Akira ransomware
source: CISA AA24-109A

Recent victims

Loading…

Onion infrastructure

5 known

http://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion
http://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion
http://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/
https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/n
https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/

Source

Updated 12 hours ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.