FBI: Akira gang has received nearly $250 million in ransoms
Summary
US and European agencies updated an April 2024 advisory to share fresh details about the Akira ransomware gang, which has been targeting small- and medium-sized organisations since 2023. The advisory says Akira has raked in more than $244 million in ransom proceeds as of late September and outlines new tactics, exploited vulnerabilities and mitigation steps.
The update was produced with input from the FBI, the Department of Defense, HHS, CISA, Europol and law enforcement partners in France, Germany and the Netherlands. It highlights that Akira targets manufacturing, education, IT and healthcare, abuses VPN and remote-access tools, and can steal data within hours of gaining initial access.
Key Points
- Akira is credited with over $244 million in ransom payments as of late September 2025.
- Authorities updated guidance with new tactics, including exploitation of VPN vulnerabilities such as CVE-2024-40766 and credential theft.
- Initial access methods include stolen VPN credentials, brute-forcing, credential stuffing/password spraying and use of initial access brokers.
- Attackers abuse remote-access tools (AnyDesk, LogMeIn) and have been observed uninstalling endpoint detection and response (EDR) software.
- In some cases, Akira actors exfiltrated data within two hours of initial access.
- Akira has links to the defunct Conti group — researchers have found similarities in code and blockchain ties to Conti-related wallets.
- Notable victims include BK Technologies, Stanford University, the Toronto Zoo and others across multiple sectors and countries.
Context and Relevance
This advisory is significant because it consolidates multi-agency intelligence on a prolific affiliate-style ransomware group and provides actionable mitigation advice. The tactics described — VPN compromise, rapid data theft, remote-access abuse and EDR evasion — mirror broader ransomware trends that emphasise speed and stealth to maximise leverage for extortion.
Organisations in manufacturing, education, healthcare and IT should treat the advisory as a prompt to review VPN configurations, enforce multifactor authentication, patch known CVEs, monitor for anomalous remote-access activity and prepare incident response plans. The guidance also includes specific resources for K-12 schools affected by Akira incidents.
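The initial-access bullets above (brute-forcing, credential stuffing/password spraying, remote-access tool abuse, EDR removal) and the recommendation here to monitor remote-access activity translate into a few concrete detections. The script below is an added example written for this summary; it is not code from the advisory or from any of the agencies involved. The log format, the sample lines, the IP addresses, hostnames, thresholds and the "ExampleEDR Agent" product name are all constructed for illustration; a real deployment would replace the parser with one for the VPN appliance and endpoint telemetry actually in use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for illustration only. The line format is a
# hypothetical VPN/endpoint log, not the output of any real product, and the
# addresses, hosts and "ExampleEDR Agent" are placeholders.
SAMPLE_LOG = """\
2025-09-28T02:00:01Z vpn auth src=203.0.113.7 user=alice result=fail
2025-09-28T02:00:04Z vpn auth src=203.0.113.7 user=bob result=fail
2025-09-28T02:00:08Z vpn auth src=203.0.113.7 user=carol result=fail
2025-09-28T02:00:11Z vpn auth src=203.0.113.7 user=dave result=fail
2025-09-28T02:00:15Z vpn auth src=203.0.113.7 user=erin result=fail
2025-09-28T02:00:19Z vpn auth src=203.0.113.7 user=frank result=success
2025-09-28T02:03:00Z vpn auth src=198.51.100.4 user=alice result=success
2025-09-28T02:10:00Z vpn auth src=203.0.113.9 user=admin result=fail
2025-09-28T02:10:02Z vpn auth src=203.0.113.9 user=admin result=fail
2025-09-28T02:10:04Z vpn auth src=203.0.113.9 user=admin result=fail
2025-09-28T02:10:06Z vpn auth src=203.0.113.9 user=admin result=fail
2025-09-28T02:10:08Z vpn auth src=203.0.113.9 user=admin result=fail
2025-09-28T02:10:10Z vpn auth src=203.0.113.9 user=admin result=fail
2025-09-28T02:25:40Z endpoint host=WS-17 event=install name=AnyDesk
2025-09-28T02:31:12Z endpoint host=WS-17 event=uninstall name=ExampleEDR Agent
"""

AUTH_RE = re.compile(r"^(?P<ts>\S+) vpn auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")
EP_RE = re.compile(r"^(?P<ts>\S+) endpoint host=(?P<host>\S+) event=(?P<event>\S+) name=(?P<name>.+)$")

# Remote-access tools named in the advisory; match case-insensitively on product name.
REMOTE_ACCESS_TOOLS = {"anydesk", "logmein"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text):
    """Split raw lines into VPN auth events and endpoint software events."""
    auth, endpoint = [], []
    for line in text.splitlines():
        if m := AUTH_RE.match(line):
            auth.append({"ts": _ts(m["ts"]), "src": m["src"], "user": m["user"],
                         "ok": m["result"] == "success"})
        elif m := EP_RE.match(line):
            endpoint.append({"ts": _ts(m["ts"]), "host": m["host"],
                             "event": m["event"], "name": m["name"]})
    return auth, endpoint


def detect_spraying(auth, window=timedelta(minutes=10), min_users=5):
    """Password spraying: one source failing against many distinct accounts inside `window`."""
    by_src = defaultdict(list)
    for e in auth:
        by_src[e["src"]].append(e)
    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if not e["ok"]]
        for i, start in enumerate(fails):
            users = {e["user"] for e in fails[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                # A success from the same source after the spray is the higher-priority case.
                later_success = any(e["ok"] and e["ts"] >= start["ts"] for e in events)
                alerts.append({"type": "password_spraying", "src": src,
                               "users": sorted(users), "followed_by_success": later_success})
                break
    return alerts


def detect_brute_force(auth, window=timedelta(minutes=10), min_failures=5):
    """Brute force: repeated failures against one account from one source inside `window`."""
    by_key = defaultdict(list)
    for e in auth:
        if not e["ok"]:
            by_key[(e["src"], e["user"])].append(e["ts"])
    alerts = []
    for (src, user), times in by_key.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= min_failures:
                alerts.append({"type": "brute_force", "src": src, "user": user, "failures": n})
                break
    return alerts


def detect_tool_events(endpoint):
    """Flag installs of the named remote-access tools and any uninstall of an EDR product."""
    alerts = []
    for e in endpoint:
        name = e["name"].lower()
        if e["event"] == "install" and any(t in name for t in REMOTE_ACCESS_TOOLS):
            alerts.append({"type": "remote_access_tool_install", "host": e["host"], "name": e["name"]})
        elif e["event"] == "uninstall" and "edr" in name:
            alerts.append({"type": "edr_uninstall", "host": e["host"], "name": e["name"]})
    return alerts


def triage(text):
    """Run all three detections over a log and return the combined alert list."""
    auth, endpoint = parse_log(text)
    return detect_spraying(auth) + detect_brute_force(auth) + detect_tool_events(endpoint)


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The thresholds (five distinct accounts or five failures in ten minutes) are deliberately conservative starting points; tune them against a baseline of normal failed logins so that a single mistyped password does not page anyone, and treat a spray followed by a success from the same source as the alert to act on first.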
Why should I read this?
Short version: if your organisation uses VPNs, AnyDesk/LogMeIn or relies on EDR, this is relevant — and fast. The advisory lays out exactly how Akira breaks in, how quickly they can steal data, and what agencies recommend to stop them. We skimmed the official briefing so you don’t have to: the key fixes are simple but urgent (patch VPNs, force MFA, check remote-access logs, test restore procedures).
Author’s take (punchy): This isn’t just another ransomware story — it’s a how-to on what attackers do the moment they’re inside. If you manage security, treat this as a checklist and get the basics hardened today.
