New ransomware operation called Akira targets enterprise networks worldwide (15th May 2023)

Ref# AL2023_32 | Date: May 15th 2023

Description  

The new Akira ransomware operation has been targeting enterprise networks worldwide, breaching networks, encrypting files, and demanding million-dollar ransoms.

Details 

This ransomware operation was launched in March 2023. As of May 2023, approximately two (2) months after launch, the ransomware gang claims to have breached sixteen (16) companies across industries including education, finance, real estate, manufacturing, and consulting. MalwareHunterTeam, the researchers who discovered Akira, stated that this new operation is not believed to be related to another ransomware operation of the same name that was released in 2017.

According to pcrisk.com, the ransomware is distributed primarily through infected email attachments, but it can also be delivered through files from torrent sites, malicious advertisements, or pirated software. When the ransomware is executed, it first deletes the Windows Shadow Volume Copies on the infected device so that encrypted files cannot simply be restored from local snapshots. Before encrypting, the ransomware gang steals corporate or sensitive data from the network so that it can be used as leverage in extortion attempts against the victim. Akira then proceeds to encrypt all files that have the following extensions:

.accdb, .accde, .accdc, .accdt, .accdr, .adb, .accft, .adf, .ade, .arc, .adp, .alf, .ora, .btr, .ask, .cat, .bdf, .ckp, .cdb, .cpd, .cma, .dad, .dacpac, .daschema, .dadiagrams, .db-shm, .db-wal, .dbf, .dbc, .dbt, .dbs, .dbx, .dbv, .dct, .dcb, .ddl, .dcx, .dlis, .dsk, .dqy, .dtsx, .dsn, .eco, .dxl, .edb, .ecx, .exb, .epim, .fdb, .fcd, .fmp, .fic, .fmpsl, .fmp12, .fol, .fpt, .gdb, .frm, .gwi, .grdb, .his, .hdb, .idb, .itdb, .ihx, .jet, .itw, .kdb, .jtx, .kexic, .kexi, .lgc, .kexis, .maf, .lwx, .mar, .maq, .mav, .mas, .mdf, .mdb, .mrg, .mpd, .mwb, .mud, .ndf, .myd, .nrmlib, .nnt, .nsf, .nyf, .nwdb, .oqy, .odb, .owc, .orx, .pdb, .pan, .pnz, .pdm, .qvd, .qry, .rctd, .rbf, .rodx, .rod, .rsd, .rpd, .sbf, .sas7bdat, .sdb, .scx, .sdf, .sdc, .spq, .sis, .sqlite, .sql, .sqlitedb, .sqlite3, .temx, .tps, .tmd, .trm, .trc, .udl, .udb, .usr, .vpd, .vis, .wdb, .vvv, .wrk, .wmdb, .xld, .xdb, .abcddb, .xmlff, .abx, .abs, .adn, .accdw, .icg, .hjt, .kdb, .icr, .maw, .lut, .mdt, .mdn, .vhd, .vdi, .pvm, .vmdk, .vmsn, .vmem, .nvram, .vmsd, .raw, .vmx, .subvol, .qcow2, .vsv, .bin, .vmrs, .avhd, .avdx, .vhdx, .iso, .vmcx

The ransomware encrypts any of these files it finds and appends the .akira extension to them. The Akira encryptor, however, skips files located in the Recycle Bin, System Volume Information, Boot, ProgramData, and Windows folders. It also avoids encrypting Windows system files with the .exe, .lnk, .dll, .msi, and .sys extensions. This is believed to be intentional, as the ransomware gang does not want to render the infected device inoperable: a machine that cannot boot cannot display the ransom note or be used to negotiate. Each folder on the infected device will contain a ransom note named akira_readme.txt, which includes information on what occurred and links to the Akira data leak site and negotiation site. The ransom note provides a unique password for each victim to use to access the ransomware's negotiation website. This website is a chat room used to communicate with the threat actors.

Akira can also use the Windows Restart Manager API (Application Programming Interface) to terminate processes or Windows services that are holding a file open and would otherwise prevent it from being encrypted. This is a legitimate API normally used by installers to release locked files; here it lets the encryptor reach databases and other files that are in active use.
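The shadow copy deletion described above is one of the few pre-encryption actions that leaves a clear process-creation trail, so it is worth hunting for on endpoints and in the SIEM. The following script is an added example by the editor, not code from the alert or from the researchers: it scans process-creation events exported as JSON lines with Sysmon Event ID 1 style field names (Image, CommandLine, ParentImage) and flags command lines that delete or starve Volume Shadow Copies. The field names, the sample events and the regular expressions are assumptions, and the rules are generic shadow copy tampering patterns rather than an Akira-specific signature.

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Command-line patterns for the common ways ransomware removes or starves
# Volume Shadow Copies before encrypting. These are the editor's assumptions
# about what to hunt for; they are not an Akira-specific signature.
SHADOW_COPY_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_storage", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("powershell_remove_shadowcopy", re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*recoveryenabled\s+no", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
]


@dataclass
class Hit:
    rule: str
    image: str
    command_line: str
    parent_image: str


def parse_event(line):
    """Parse one JSON-lines process record (assumed Sysmon-style field names)."""
    return json.loads(line)


def find_shadow_copy_tampering(lines):
    """Return a Hit for every process-creation event (EventID 1) whose
    command line matches one of the rules. Listing shadows is not flagged."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if str(ev.get("EventID")) != "1":
            continue  # only process-creation events carry a command line we care about
        cmd = ev.get("CommandLine", "")
        for rule, pattern in SHADOW_COPY_RULES:
            if pattern.search(cmd):
                hits.append(Hit(rule, ev.get("Image", ""), cmd, ev.get("ParentImage", "")))
                break  # one hit per event
    return hits


def group_by_parent(hits):
    """Map each parent process to the rules it triggered. A single unknown
    binary (e.g. dropped in a Temp folder) launching several of these in a
    row is the typical pre-encryption pattern to escalate on."""
    groups = defaultdict(list)
    for h in hits:
        groups[h.parent_image].append(h.rule)
    return dict(groups)


# Constructed sample events (not real telemetry). Three shadow copy deletions
# from one dropped executable, one benign 'vssadmin list', one non-process
# event, and one unrelated process.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet", "ParentImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\w.exe"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete", "ParentImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\w.exe"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c \"Get-WmiObject Win32_Shadowcopy | Remove-WmiObject\"", "ParentImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\w.exe"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
    r'{"EventID": 3, "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\w.exe"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe akira_readme.txt", "ParentImage": "C:\\Windows\\explorer.exe"}',
]


if __name__ == "__main__":
    found = find_shadow_copy_tampering(SAMPLE_EVENTS)
    for parent, rules in group_by_parent(found).items():
        print(f"{parent}: {', '.join(rules)}")
```

In production the same function would be fed the exported JSON lines from the log pipeline instead of SAMPLE_EVENTS; grouping by parent is what separates a backup administrator running vssadmin once from an unknown binary tearing down every recovery option in a few seconds.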

Indicators of Compromise

MD5 hash – 431d61e95586c03461552d134ca54d16

SHA-256 – 67afa125bf8812cd943abed2ed56ed6e07853600ad609b40bdf9ad4141e612b4
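To make these indicators usable during an incident, here is an added triage script written by the editor (not code from the alert or from the researchers). It sweeps a directory tree, hashes every file with MD5 and SHA-256 to compare against the IoC values above, and inventories files carrying the .akira extension and akira_readme.txt ransom notes so the scope of encryption can be estimated and the original file types recovered from the names. The appended extension and the note name follow the Details section of this alert (the note name is assumed to be akira_readme.txt); the option to pass extra hash sets and the sample directory layout used for testing are assumptions.

```python
import hashlib
import os
import sys
from collections import Counter
from pathlib import Path

# Indicators of compromise quoted in this alert.
IOC_MD5 = {"431d61e95586c03461552d134ca54d16"}
IOC_SHA256 = {"67afa125bf8812cd943abed2ed56ed6e07853600ad609b40bdf9ad4141e612b4"}

# File naming described in the alert (assumed exact; adjust if a variant differs).
ENCRYPTED_SUFFIX = ".akira"
RANSOM_NOTE = "akira_readme.txt"


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of a file, read in chunks so large
    database or VM images do not have to fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def triage(root, md5_iocs=IOC_MD5, sha256_iocs=IOC_SHA256):
    """Walk `root` and report IoC hash matches, encrypted files and ransom notes.

    Unlike the encryptor, this deliberately does not skip any folders: the
    encryptor binary itself is most likely to sit in a Temp, ProgramData or
    user profile directory. Encrypted files are not hashed (their content is
    ciphertext and cannot match a sample hash), which also keeps the sweep fast."""
    report = {"ioc_matches": [], "encrypted_files": [], "ransom_notes": [], "errors": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower == RANSOM_NOTE:
                report["ransom_notes"].append(str(path))
                continue
            if lower.endswith(ENCRYPTED_SUFFIX):
                report["encrypted_files"].append(str(path))
                continue
            try:
                md5, sha256 = hash_file(path)
            except OSError as exc:  # locked, unreadable or vanished files
                report["errors"].append(f"{path}: {exc}")
                continue
            if md5 in md5_iocs or sha256 in sha256_iocs:
                report["ioc_matches"].append(str(path))
    return report


def summarize_by_original_extension(encrypted_files):
    """Count encrypted files by the extension they had before .akira was
    appended, e.g. 'ledger.mdb.akira' -> '.mdb'. Useful for prioritising
    restores (databases and VM disks first)."""
    counts = Counter()
    for path in encrypted_files:
        original = Path(path).name[: -len(ENCRYPTED_SUFFIX)]
        counts[Path(original).suffix.lower() or "(none)"] += 1
    return dict(counts)


if __name__ == "__main__":
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"IoC matches:      {len(result['ioc_matches'])}")
    print(f"Encrypted files:  {len(result['encrypted_files'])}")
    print(f"Ransom notes:     {len(result['ransom_notes'])}")
    print(f"Read errors:      {len(result['errors'])}")
    for ext, n in sorted(summarize_by_original_extension(result["encrypted_files"]).items()):
        print(f"  {ext}: {n}")
    for match in result["ioc_matches"]:
        print(f"IOC MATCH: {match}")
```

Run it against a mounted forensic image or a suspect host's drives rather than the live system where possible; a hash match identifies the encryptor sample, while the count of ransom notes per directory and the original-extension breakdown give the scope needed for the restore plan.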

Remediation 

To protect against ransomware attacks like Akira, it is recommended to practice proper cyber security hygiene when using the internet. Here are some tips to consider:

  1. Be wary of emails with suspicious attachments.
  2. Because most ransomware attacks are delivered through phishing and scams, users must know how to spot phishing and scam emails.
  3. Be wary of files downloaded from the internet. Files should only be downloaded from verified sources and scanned before use.
  4. Avoid downloading torrents and pirated software.
  5. Be on the lookout for websites that may have been compromised to attempt a drive-by download.
  6. Maintain regular backups of critical systems and data, kept offline or otherwise isolated from the network, so they can be restored after a ransomware attack. Akira deletes Shadow Volume Copies, so local snapshots alone are not a sufficient backup.
  7. Restrict administrative and system access to only those users who require those privileges.
  8. Maintain and update all security software, including anti-virus, anti-malware, firewalls, and endpoint protection.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
