Menu
Browse

Cyber Threat Actor: Akira

Actor Type Location Known Incidents
 Icon
Criminal
Russia
24 incidents
Profile

Akira is a ransomware threat actor operating under a single known alias, with suspected ties to Russia based on public attributions from incidents targeting Icelandic and Swedish entities. The group primarily engages in financially motivated cyberattacks through double extortion ransomware tactics, encrypting victim systems while exfiltrating data to pressure payment. Their confirmed targets span education (Middlesex County Public Schools, Mercer University, Chattanooga State Community College), local government (Kalmar kommun municipality), transportation (Split Saint Jerome Airport), media (Árvakur), manufacturing (Hitachi Vantara, Fiskars Group), retail (Rusta, DENHAM the Jeanmaker), legal services (Singapore law firm), construction (Verhelst Group), and IT services (Tietoevry). Operational disruptions feature prominently in their attacks, including forced manual processing at critical infrastructure sites, halted production lines, and extended media broadcasting outages. Akira employs Bitcoin-denominated ransom demands, with negotiations documented in at least one case reducing an initial $2 million demand to $1.89 million.

Public reporting consistently identifies Akira's use of data encryption paired with theft of internal information, threatening leaks if ransoms remain unpaid. The group has impacted organizations across Europe, Asia, and North America, with notable incidents including the paralysis of Croatian airport operations during peak tourist season, the compromise of Icelandic media outlets described as national security threats, and the exfiltration of government-related project data from Hitachi Vantara. Law enforcement agencies from multiple nations, including Europol and the FBI, have collaborated on investigations into Akira's activities. While the group's structure remains undefined, its repeated targeting of municipal services and critical operational technology aligns with broader criminal ransomware objectives rather than exclusively state-sponsored goals, though Icelandic authorities explicitly linked the Árvakur attack to Russian actors. Akira continues to threaten diverse sectors through adaptable extortion campaigns.

Incidents
Attributed incidents available to members
24 incidents
Sources
Sources available to members
3 sources