Akira Ransomware 2025: New TTPs, BYOVD and Edge Exploits

CISA’s #StopRansomware guidance on Akira has entered a new phase: what began as a 2024 joint advisory documenting Akira’s early tradecraft has been augmented throughout 2025 by vendor and incident-response reporting that documents faster, more evasive encryptors (Akira_v2/Megazord), widespread exploitation of edge‑device and backup server flaws, and the routine use of BYOVD and signed‑driver abuse to defeat endpoint defenses. While the original CISA advisory (AA24‑109A) remains an authoritative baseline for Akira TTPs, independent intelligence from vendors and technical teams in 2025 shows important operational changes—new loader/malware families (Poortry/STONETOP/STONESTOP), remote access abuse (Ngrok/SystemBC), and exploitation of backup software such as Veeam—that materially raise the stakes for Windows and virtualized environments, especially organizations that expose VPNs, backup appliances, or management interfaces to the internet.

Background / Overview

Akira is a financially motivated ransomware family first tracked in 2023 that quickly evolved from a Windows‑only C++ encryptor (.akira extension) into a multi‑platform toolkit targeting both endpoints and virtualization infrastructure: the Rust‑based Megazord encryptor for Windows and a Linux variant, Akira_v2, aimed at VMware ESXi hosts. The joint CISA/FBI/Europol EC3/NCSC‑NL advisory (AA24‑109A) documented these early shifts and mapped Akira activity to MITRE ATT&CK techniques to help defenders build detections and playbooks. Throughout 2024–2025, Akira operators have increasingly leveraged:
  • Vulnerable internet‑facing appliances (VPN/SSL appliances) and misconfigured services for initial access.
  • Credential stuffing and brute‑force against exposed management interfaces.
  • Tooling to exfiltrate data (FTP/SFTP/cloud transfer tools) prior to encryption—enabling double‑extortion.
  • Kernel‑level evasion via Bring‑Your‑Own‑Vulnerable‑Driver (BYOVD) techniques and signed vulnerable drivers.
Independent reporting in 2025 highlights an acceleration of these trends: SonicWall/SSL‑VPN flaws and multiple Veeam Updater / backup‑server RCE CVEs have been observed in Akira incidents, and new EDR‑bypass toolkits (Poortry and variants) are increasingly present across ransomware campaigns.

What changed in 2025: key tradecraft updates​

Initial access: edge appliance and backup server exploitation​

Akira historically gained initial access through VPNs lacking MFA and known Cisco VPN appliance flaws (the ASA/FTD vulnerabilities cited in AA24‑109A). In 2025 the pattern intensified: operators exploited unpatched SonicWall appliances (notably CVE‑2024‑40766 and other SonicWall issues) and leveraged RCEs against backup infrastructure (notably Veeam Updater/backup server vulnerabilities) to reach backup datasets or management planes directly. These paths yield admin credentials or persistent access without any phishing step.
  • Why it matters: this infrastructure (VPNs, backup servers) frequently holds long‑lived credentials and privileged tokens; compromising it short‑circuits many defensive models that assume the perimeter or the backup tier is trustworthy.

Discovery and lateral movement: fast, CLI‑driven reconnaissance​

After access, attackers perform aggressive discovery using command‑line utilities, living‑off‑the‑land binaries (PowerShell, WMI) and attacker tooling such as Impacket to enumerate domain controllers, shares, and backup endpoints. This reinforces the need for anomalous command/PowerShell monitoring and cross‑telemetry hunting that joins network and endpoint logs.

Defense evasion: remote‑support abuse and EDR killers​

Akira operators now frequently use legitimate remote‑support and remote‑management tools (AnyDesk, LogMeIn) so that lateral movement and privilege‑escalation activity blends in with normal administration. Separately, Bring‑Your‑Own‑Vulnerable‑Driver (BYOVD) attacks, in which the adversary loads a legitimately signed but exploitable kernel driver and abuses its flaws to run code in the kernel and blind or unload EDR, have been widely reported and folded into ransomware playbooks in 2025. Multiple vendor writeups in 2025 describe a kernel‑level toolkit labeled “Poortry” (and Poortry‑style variants) that deletes or disables EDR components.
  • Practical implication: simple AV/endpoint signature checks are insufficient; attacks can leverage signed drivers and remove/overwrite security components at the kernel level.

Privilege escalation: BYOVD and backup server exploits​

Besides credential dumping (LSASS, NTDS.dit), attackers who already hold local administrator rights use BYOVD flows to reach kernel mode and disable protections; loading a driver requires those rights, so BYOVD is a kernel‑access and evasion step rather than a route from ordinary user to admin. Veeam backup vulnerabilities (multiple disclosures in 2025, including critical Updater RCEs) have been weaponized to tamper with or destroy backups, rendering restore plans unreliable unless backups are isolated and immutable.

Command & control and loaders: Ngrok, SystemBC, STONETOP/STONESTOP​

Operators use encrypted tunnel services (Ngrok) and commodity trojans (SystemBC) to manage C2 sessions. Recent reporting also describes staged loader components, tracked under names such as STONETOP / STONESTOP in vendor telemetry, that deliver Akira payloads and stage the kernel‑level driver droppers. These multi‑stage loaders make network attribution harder, and initial C2 increasingly lands on cloud or hosting‑provider infrastructure rather than attacker‑owned ranges.

Exfiltration and impact: data theft then encryption (double extortion)​

Akira incidents increasingly combine targeted exfiltration (FTP/SFTP, cloud uploads, and direct staging to external hosts) prior to encryption. Attackers then publish sample data on leak sites to pressure victims into paying. This pivot away from pure encryption toward extortion‑first models is visible across incident data in 2025.

Encryption: Akira_v2 and faster, more destructive encryptors​

Variants labeled Akira_v2 and Megazord (Rust‑based) are built for speed and multi‑platform coverage (Windows, Linux/ESXi). They use multi‑threading, selective file targeting, and anti‑recovery actions (Volume Shadow Copy deletion and log clearing on Windows), which shortens the encryption window and complicates recovery. Vendor telemetry shows affiliates choosing whichever variant fits the victim’s environment (ESXi versus Windows).

Verification and what’s (not) confirmed: a reality check​

  • Confirmed: CISA’s AA24‑109A Akira advisory (April 18, 2024) remains a core government reference and describes Akira’s early multi‑architecture behavior, Megazord, and Akira_v2.
  • Corroborated by vendors: Multiple vendor and incident reports published through 2025 (Veeam/Coveware, F5, Silobreaker, threat‑intelligence summaries) document active exploitation of VPN and backup server vulnerabilities, the use of Ngrok/SystemBC, and BYOVD‑style EDR bypass techniques such as “Poortry.” These claims are corroborated by at least two independent vendor sources in each case.
  • Unverified / caution: a discrete CISA page update dated November 13, 2025 could not be located in CISA’s public advisory indexes at the time of review. Public reporting in November 2025 documents active exploitation trends and vendor advisories, but any specific textual claim attributed to that unavailable CISA update should be confirmed directly against CISA’s site or the original advisory PDF. Where a claim could not be cross‑checked against an official CISA posting, this analysis flags it as unverified and recommends confirming with CISA before acting on agency‑attributed policy.

Practical mitigations (priority checklist)​

Apply these measures immediately, prioritized for defenders who operate Windows, VMware ESXi, or backup infrastructure.
  • Patch and harden exposed appliances first (VPNs, firewalls, backup servers).
      • Prioritize SonicWall SSL‑VPN, Cisco VPN appliances, and the Veeam Updater/backup server RCE fixes; verify mitigation state across every deployed firmware version, not just the current release.
  • Enforce phishing‑resistant MFA for all remote access and admin accounts.
      • Move away from SMS/OTP and push approvals where possible; use certificate‑ or hardware‑backed (FIDO2) MFA.
  • Isolate and protect backups.
      • Maintain immutable, air‑gapped or WORM‑capable backups; ensure backups cannot be mounted, deleted or overwritten by privileged accounts tied to the production domain.
  • Block and monitor vulnerable signed drivers (BYOVD defenses).
      • Use Microsoft’s vulnerable driver blocklist and enable Hypervisor‑Protected Code Integrity (HVCI) / Memory Integrity where feasible; log and alert on driver loads, unsigned module installs, and drivers absent from the golden‑image baseline.
  • Harden remote management and limit remote‑support use.
      • Restrict AnyDesk/LogMeIn to jump hosts with MFA and device posture checks; log and alert on new agent installs.
  • Deploy behavior‑centric EDR and network telemetry.
      • Hunt for unusual PowerShell/WMIC/Impacket usage, unexpected ngrok or SystemBC network flows, and sudden mass file‑access patterns consistent with fast encryption.
  • Rotate credentials and enforce least privilege.
      • After any appliance firmware migration or broad vendor patching, force credential rotation for service, admin, and backup accounts; attackers have reused credentials carried over from migrated appliances in known incidents.
  • Quick wins for small teams:
      • Disable RDP/SSH on internet‑facing hosts; place admin ports behind VPNs with certificate restrictions.
      • Ensure EDR agents are tamper‑protected and monitor for process terminations and driver loads.

Detection playbook: hunting recipes and indicators​

  • Look for SSL VPN logins from hosting provider ASNs followed by internal scanning and SMB/Impacket activity.
  • Detect rapid creation of new domain accounts or unexpected admin account creation outside change windows.
  • Alert on ngrok or unusual TLS tunnels from endpoints, and connections associated with SystemBC patterns.
  • For BYOVD: log new kernel driver loads (Sysmon Event ID 6 or Windows Code Integrity events) and, where your EDR exposes them, suspicious DeviceIoControl/IOCTL calls to those drivers; alert on loads matching known vulnerable driver hashes, drivers loaded from outside the system driver directory, or drivers absent from the golden‑image baseline. Treat a valid signature as expected, not exculpatory.
  • Check backups for unexpected file‑access patterns or deletion attempts; ensure backups are scanned and validated offline before restore.
For SOCs, codify hunts into runbooks and practice tabletop exercises that force teams to triage a combined exfiltration + backup compromise scenario (double extortion).
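As an added example (not code from the CISA advisory, the source article, or any vendor tool), the Python script below implements two of the hunts above over constructed telemetry: the first bullet (SSL‑VPN login from a hosting‑provider ASN followed by SMB/RPC/WinRM fan‑out from the assigned internal address) and the BYOVD driver‑load check called for both in this playbook and in the mitigation checklist. Every ASN, IP, hash, path, baseline entry and record layout is an assumption made for illustration; in production the functions would be fed from your VPN authentication log, NetFlow/firewall export, and Sysmon Event ID 6 stream, with the vulnerable‑hash set populated from Microsoft’s vulnerable driver blocklist.

```python
"""Two Akira-playbook hunts over constructed sample logs (illustrative only).

Hunt 1: hosting-ASN VPN login followed by lateral fan-out on SMB/RPC/WinRM.
Hunt 2: BYOVD-style kernel driver loads (Sysmon Event ID 6 shaped records).
All identifiers, addresses, hashes and paths below are made up.
"""
from datetime import datetime, timedelta

# Placeholder ASNs standing in for a hosting/VPS-provider ASN feed (constructed).
HOSTING_ASNS = {64500, 64501}
LATERAL_PORTS = {135, 139, 445, 5985, 5986}  # RPC, NetBIOS, SMB, WinRM

# Constructed, normalised SSL-VPN authentication events.
VPN_LOGINS = [
    {"ts": "2025-11-10T02:14:05", "user": "jsmith", "src_asn": 64500,
     "assigned_ip": "10.20.5.17", "mfa": False},
    {"ts": "2025-11-10T08:03:44", "user": "mlee", "src_asn": 7018,
     "assigned_ip": "10.20.5.18", "mfa": True},
]

# Constructed firewall/NetFlow records: six SMB connections from the suspicious
# session minutes after login, one legitimate SMB flow, and one flow from the
# same session hours later (outside the correlation window).
FLOWS = [
    {"ts": f"2025-11-10T02:{16 + i:02d}:00", "src": "10.20.5.17",
     "dst": f"10.0.1.{i + 1}", "dport": 445}
    for i in range(6)
] + [
    {"ts": "2025-11-10T08:05:00", "src": "10.20.5.18", "dst": "10.0.1.5", "dport": 445},
    {"ts": "2025-11-10T04:00:00", "src": "10.20.5.17", "dst": "10.0.2.1", "dport": 445},
]


def _ts(s):
    return datetime.fromisoformat(s)


def hunt_vpn_then_lateral_fanout(logins, flows, window=timedelta(minutes=30), min_hosts=5):
    """Flag VPN sessions from hosting ASNs whose assigned IP reached at least
    `min_hosts` distinct internal hosts on lateral-movement ports within `window`."""
    hits = []
    for login in logins:
        if login["src_asn"] not in HOSTING_ASNS:
            continue
        t0 = _ts(login["ts"])
        targets = {
            f["dst"] for f in flows
            if f["src"] == login["assigned_ip"]
            and f["dport"] in LATERAL_PORTS
            and t0 <= _ts(f["ts"]) <= t0 + window
        }
        if len(targets) >= min_hosts:
            hits.append({"user": login["user"], "src_asn": login["src_asn"],
                         "mfa": login["mfa"], "fanout": len(targets)})
    return hits


# Hunt 2 inputs. The "vulnerable" hash is a constructed placeholder; populate
# this set from a real vulnerable-driver catalogue in practice.
VULNERABLE_DRIVER_SHA256 = {"11" * 32: "placeholder-vulnerable-driver.sys"}
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
BASELINE_DRIVERS = {  # driver paths captured from a known-good golden image
    SYSTEM_DRIVER_DIR + "ntfs.sys",
    SYSTEM_DRIVER_DIR + "tcpip.sys",
}

# Constructed Sysmon Event ID 6 (DriverLoad) style records. Note that all three
# are signed: a valid signature is the normal case for BYOVD.
DRIVER_LOADS = [
    {"host": "WS-042", "image": SYSTEM_DRIVER_DIR + "ntfs.sys",
     "sha256": "aa" * 32, "signed": True, "signature": "Microsoft Windows"},
    {"host": "WS-042", "image": SYSTEM_DRIVER_DIR + "oldvendor.sys",
     "sha256": "11" * 32, "signed": True, "signature": "Old Vendor Ltd"},
    {"host": "SRV-07", "image": "c:\\users\\public\\tool.sys",
     "sha256": "bb" * 32, "signed": True, "signature": "Some Tools Inc"},
]


def hunt_driver_loads(events, baseline=BASELINE_DRIVERS, badlist=VULNERABLE_DRIVER_SHA256):
    """Return driver loads that match a vulnerable hash, sit outside the system
    driver directory, or are missing from the baseline, with the reasons."""
    findings = []
    for e in events:
        image = e["image"].lower()
        reasons = []
        if e["sha256"] in badlist:
            reasons.append("known-vulnerable driver hash")
        if not image.startswith(SYSTEM_DRIVER_DIR):
            reasons.append("loaded from outside the system driver directory")
        if image not in baseline:
            reasons.append("not in golden-image baseline")
        if reasons:
            # Carry the signer along for the analyst; signed==True must not be
            # treated as benign here.
            findings.append({"host": e["host"], "image": e["image"],
                             "signed": e["signed"], "signature": e["signature"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for h in hunt_vpn_then_lateral_fanout(VPN_LOGINS, FLOWS):
        print("VPN -> lateral fan-out:", h)
    for f in hunt_driver_loads(DRIVER_LOADS):
        print("suspicious driver load:", f)
```

Run as written, the first hunt flags only the jsmith session (hosting ASN, no MFA, six SMB targets inside 30 minutes) and the second flags oldvendor.sys (vulnerable hash) and tool.sys (non‑standard path) while passing ntfs.sys. The thresholds (`window`, `min_hosts`) are deliberately parameters: tune them against a week of your own flow data before alerting, and treat the baseline as something you regenerate from your golden image after every driver update.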

Incident response priorities (ordered)​

  • Contain: isolate affected hosts and disable compromised admin accounts.
  • Preserve evidence: capture memory, image disks, and collect network logs for C2 attribution.
  • Assess backup integrity: identify the most recent immutable offline copy; assume backups could be tampered with if backup credentials were exposed.
  • Communicate: notify incident response partners, cyber‑insurance, and law enforcement per legal/regulatory obligations.
  • Recover: prioritize restoring critical services from immutable backups and rebuild compromised domain controllers as needed.

Critical analysis: strengths, weaknesses, and risks​

Strengths in the current ecosystem​

  • Coordinated disclosures (CISA + FBI + vendors) produce actionable mitigations that organizations can implement quickly.
  • Vendors and independent researchers now publish IOCs and behavioral indicators faster, allowing SOCs to operationalize hunts across multiple telemetry sources.

Persistent weaknesses and risks​

  • Reliance on vendor‑accessible backups (cloud‑stored configuration snapshots) creates systemic single points of failure when vendor credentials or backups are accessible; many incidents trace back to misconfigured cloud backup governance.
  • BYOVD and signed driver abuse fundamentally exploit the trust model of signed kernel modules; defenders lack a perfect mitigation without architectural controls (driver blocklists, secure boot, HVCI).
  • The window between disclosure and remediation remains the greatest operational risk—patches exist for many exploited CVEs (VPN, backup software), but delayed patching and credential reuse continue to fuel compromises.

Attribution and public claims​

  • Attribution labels (Storm‑1567, Howling Scorpius, Punk Spider, Gold Sahara) are fluid: they reflect clustering by different vendors and overlap rather than denote distinct groups. Immediate defensive work should prioritize tactical controls and recovery over precise attribution, since several incidents show shared tooling and affiliate reuse across these clusters.

Closing assessment and recommendations​

The Akira threat demonstrates a modern ransomware playbook that mixes opportunistic mass exploitation (edge devices, VPN flaws) with surgical techniques (BYOVD, kernel drivers, ESXi targeting). The most effective defense is assume compromise and posture accordingly: prioritize immutable offline backups, enforce phishing‑resistant MFA across all remote management, patch appliances and backup servers on a prioritized cadence, and monitor for the specific behavioral indicators described above.
Action for security leaders:
  • Execute an urgent, prioritized patch and credential rotation campaign for internet‑exposed VPN/firewall/backup appliances.
  • Validate backup immutability and offsite restores within 7–30 days.
  • Review driver install policies and enable kernel integrity protections where possible.
  • Implement detection rules that map directly to the ATT&CK techniques enumerated in CISA’s advisory and vendor playbooks; practice the playbooks in tabletop exercises.
Caveat: while the original CISA AA24‑109A advisory remains the foundational government guidance, many of the 2025 operational details (new toolnames, expanded exploitation of Veeam/SonicWall, Poortry/STONETOP behaviors) come from vendor telemetry and independent IR reporting—each claim was cross‑checked with multiple vendor sources where possible. Any organization acting on these findings should validate specific IOCs and vendor patch guidance directly against vendor advisories and the CISA advisory library before changing production controls.
Akira is not a static adversary: it evolves by adopting faster encryptors, kernel‑level evasion, and by weaponizing trusted infrastructure. Strong, layered defenses—patching, MFA, immutable backups, kernel‑integrity controls, and cross‑telemetry hunting—are the practical path to reducing risk and preserving recoverability against this persistent ransomware threat.
Source: CISA, “CISA and Partners Release Advisory Update on Akira Ransomware” (CISA).