Skip to main content

Operator dossier

Akira (also tracked as Megazord) is a ransomware operator currently active on public leak sites. Darkfield has indexed 1,672 public victims claimed by this operator between April 26, 2023 and July 13, 2026. Akira is a ransomware group that emerged in April 2023, operating with primarily financial motivations and has rapidly established itself as a significant threat actor with over 1,500 documented victims. The group's country of origin remains unclear, though they operate as a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to conduct attacks while the core group maintains the ransomware infrastructure and negotiation processes. Akira employs multi-faceted attack methodologies including exploitation of VPN vulnerabilities, particularly targeting Cisco VPN appliances, and utilizes living-off-the-land techniques along with legitimate administrative tools to avoid detection, while implementing double extortion tactics by exfiltrating sensitive data before deploying their encryption payload. The group has demonstrated a preference for targeting organizations in the United States, Canada, Germany, United Kingdom, and Italy, with a particular focus on manufacturing, business services, technology, and construction sectors, though they have shown willingness to attack various industries. Despite being relatively new to the ransomware landscape, Akira has maintained consistent operations throughout 2023 and into 2024, with law enforcement agencies including CISA and FBI issuing advisories about their activities, though no major disruption operations have been publicly reported against the group as of late 2024.

Most-targeted sectors

Most-affected countries

Recent disclosures by Akira

Most recent 150 of 1,672 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Akira

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

Akira

aka Megazord · 1,672 victims indexed · first seen 3 years ago · last activity 2 days ago

1,672
Victims indexed
#6 of 364 tracked operators
3y 3m
Active period
Apr 2023 → Jul 2026
30
Countries hit
top United States · 937

At a glance

Status
active
Aliases
Megazord
First seen
3 years ago
Last activity
2 days ago
Onion sites
5 known endpoints
Primary sector
Not Found · 358 hits

About

Akira is a ransomware group that emerged in April 2023, operating with primarily financial motivations and has rapidly established itself as a significant threat actor with over 1,500 documented victims. The group's country of origin remains unclear, though they operate as a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to conduct attacks while the core group maintains the ransomware infrastructure and negotiation processes. Akira employs multi-faceted attack methodologies including exploitation of VPN vulnerabilities, particularly targeting Cisco VPN appliances, and utilizes living-off-the-land techniques along with legitimate administrative tools to avoid detection, while implementing double extortion tactics by exfiltrating sensitive data before deploying their encryption payload. The group has demonstrated a preference for targeting organizations in the United States, Canada, Germany, United Kingdom, and Italy, with a particular focus on manufacturing, business services, technology, and construction sectors, though they have shown willingness to attack various industries. Despite being relatively new to the ransomware landscape, Akira has maintained consistent operations throughout 2023 and into 2024, with law enforcement agencies including CISA and FBI issuing advisories about their activities, though no major disruption operations have been publicly reported against the group as of late 2024.

References

6 links

External sources curated by the MISP threat-intel community.

Timeline

24 months
2024-07-01T00:00:00+00:00 · 342024-08-01T00:00:00+00:00 · 72024-09-01T00:00:00+00:00 · 172024-10-01T00:00:00+00:00 · 162024-11-01T00:00:00+00:00 · 882024-12-01T00:00:00+00:00 · 542025-01-01T00:00:00+00:00 · 752025-02-01T00:00:00+00:00 · 842025-03-01T00:00:00+00:00 · 632025-04-01T00:00:00+00:00 · 682025-05-01T00:00:00+00:00 · 382025-06-01T00:00:00+00:00 · 372025-07-01T00:00:00+00:00 · 432025-08-01T00:00:00+00:00 · 592025-09-01T00:00:00+00:00 · 542025-10-01T00:00:00+00:00 · 712025-11-01T00:00:00+00:00 · 872025-12-01T00:00:00+00:00 · 712026-01-01T00:00:00+00:00 · 582026-02-01T00:00:00+00:00 · 472026-03-01T00:00:00+00:00 · 752026-04-01T00:00:00+00:00 · 492026-05-01T00:00:00+00:00 · 432026-06-01T00:00:00+00:00 · 18
2024-07-01T00:00:00+00:002026-06-01T00:00:00+00:00

Top countries

🇺🇸 United States
937
🇨🇦 Canada
79
🇩🇪 Germany
69
🇬🇧 United Kingdom
49
🇺🇸 United States
34
🇮🇹 Italy
33
🇨🇭 Switzerland
23
🇪🇸 Spain
23

Top sectors

Manufacturing
289
Business Services
197
Technology
123
Construction
92
Agriculture and Food Production
65
Financial Services
61
Transportation/Logistics
54
Healthcare
52

MITRE ATT&CK

5 techniques · 5 tactics

Tactics

Initial AccessExecutionCredential AccessLateral MovementImpact

Techniques

  • T1133External Remote Services
  • T1078Valid Accounts
  • T1059Command and Scripting Interpreter
  • T1003OS Credential Dumping
  • T1486Data Encrypted for Impact

Indicators of compromise

Known tools

MimikatzLaZagneAnyDeskWinRARRClone

Detection · YARA rules

1 rule
  • Akira_Ransomware

    Detects Akira ransomware

    source: CISA AA24-109A

Recent victims

Loading…

Onion infrastructure

5 known
  • http://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion
  • http://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion
  • http://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/
  • https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/n
  • https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/

Source

Updated 2 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Akira posts a victim.

Add Akira to your watchlist — Pro pings you within 5 minutes of any new Akira leak-site post, Telegram callout, or affiliate-rebrand inference.