{"id":70307,"date":"2023-09-07T17:20:18","date_gmt":"2023-09-07T16:20:18","guid":{"rendered":"https:\/\/www.n-able.com\/?p=70307"},"modified":"2026-03-30T11:00:31","modified_gmt":"2026-03-30T10:00:31","slug":"a-threat-actors-playbook-behind-the-scenes-of-akira-ransomware","status":"publish","type":"post","link":"https:\/\/www.n-able.com\/it\/blog\/a-threat-actors-playbook-behind-the-scenes-of-akira-ransomware","title":{"rendered":"A Threat Actor&#8217;s Playbook: Behind the Scenes of Akira Ransomware"},"content":{"rendered":"<section class=\"av_textblock_section \">\n<div class=\"avia_textblock \">\n<p class=\"ai-optimize-8 ai-optimize-introduction\">In the world of cybercrime, a new player continues to rise: Akira Ransomware. With historical evidence pointing towards nation-state sponsorship, particularly from Chinese Advanced Persistent Threat (APT) groups, this insidious malware has been targeting businesses in the supply chain. However, what sets Akira apart is its focus on smaller tech companies and startups, which are often backed by wealthy investors and at the forefront of technological innovation.<\/p>\n<h2 class=\"ai-optimize-9\"><span>Insights<\/span><\/h2>\n<ul>\n<li class=\"ai-optimize-10\">Historical attack indicators point to nation-state-sponsored groups such as Chinese Advanced Persistent Threat (APT) groups using the new Akira ransomware to target businesses in the supply chain.<\/li>\n<li class=\"ai-optimize-11\">We have observed that Akira ransomware has been used against smaller tech companies\/startups since it debuted in March.\u00a0 These firms tend to develop innovative solutions using the latest technology and often have the backing of wealthy investors \u2013 all valuable information in the dark web.<\/li>\n<li class=\"ai-optimize-12\">Some of the IP addresses involved in an attack that we recently investigated were registered to Alibaba Cloud, a subsidiary of Alibaba Group, making the connection to Chinese APTs stronger.<\/li>\n<li class=\"ai-optimize-13\">Akira ransomware gains access through various attack vectors, including phishing campaigns and exploiting vulnerabilities in remote monitoring and management software (RMM). Notably, the actors behind these attacks also target vulnerabilities in VPN products, again hinting at potential involvement from Chinese APTs who have historically leveraged exploitation through VPNs.<\/li>\n<li class=\"ai-optimize-14\">Akira ransomware utilizes various tools and techniques, including the use of distinct tools during operation and the encryption mechanisms used to generate and safeguard encryption keys.<\/li>\n<\/ul>\n<h2 class=\"ai-optimize-15\"><span>Disrupting the Technology Sector\u00a0<\/span><\/h2>\n<p class=\"ai-optimize-16\">With the recent targeting of yet another American technology startup in a cyberattack last week, our cybersecurity analysts are now considering a crucial question: Could nation-state-sponsored groups potentially be utilizing the Akira ransomware to disrupt the supply chain?<\/p>\n<p class=\"ai-optimize-17\">Newcomer malware, Akira ransomware, continues to impact mid-market entities in the utility, construction, manufacturing, education, and transportation sectors, not just in the U.S. but also in countries like Sweden, Australia, Argentina, Japan, and others.<\/p>\n<p class=\"ai-optimize-18\">The threat actors behind these attacks have been increasingly targeting smaller tech companies and software makers of IT solutions aimed at educators, office administrators, consultants, entrepreneurs, and even hobbyists.<\/p>\n<p class=\"ai-optimize-19\">Akira ransomware attack victims in the IT sector include Cequint, Wilcom, GC&amp;E, WTI Western Telematic, Computer Information Concepts, and Optimum Technology.<\/p>\n<p class=\"ai-optimize-20\">The recent Akira ransomware incident examined by the <a href=\"https:\/\/www.n-able.com\/products\/adlumin\/mdr\">Adlumin Managed Detection and Response (MDR)<\/a> analysts also targeted a firm within the IT industry. The malicious actors employed typical tactics, techniques, and procedures (TTPs) like brute force attacks, lateral movement, and credential theft. Nevertheless, indications suggest the potential involvement of a significantly larger entity in these breaches. This assumption stems from the historical behavior of advanced persistent threats (APTs), which often disrupt the supply chain by targeting small enterprises.<\/p>\n<h2 class=\"ai-optimize-21\"><span>Vectors and Exploitation\u00a0<\/span><\/h2>\n<p class=\"ai-optimize-22\">Akira ransomware made its debut in the malware landscape in March 2023. Since then, threat actors have been using methods like phishing campaigns, exploiting vulnerabilities in remote monitoring and management software (RMM), remote desktop protocol (RDP), and tools like RustDesk for remote access. There have also been recent news reports about threat actors using vulnerabilities and compromised credentials in Cisco virtual private network (VPN) products as additional ways of carrying out attacks.<\/p>\n<p class=\"ai-optimize-23\">Adlumin MDR analysts theorize that threat actors behind last week\u2019s attack infiltrated the victim\u2019s network through their VPN due to the numerous VPN events detected by the Adlumin Security Operations Platform in the initial stages of the attack.<\/p>\n<p class=\"ai-optimize-24\">Analysts also found that numerous IP addresses used by the threat actors in the attack were registered to Alibaba Cloud, a subsidiary of the Chinese conglomerate Alibaba Group. Researchers at RSA have previously found that<span>\u00a0<\/span><a href=\"https:\/\/www.helpnetsecurity.com\/2015\/08\/04\/chinese-apts-use-commercial-vpn-to-hide-their-attack-activity\/#:~:text=A%20number%20of%20APT%20actors,the%20Great%20Firewall%20of%20China.\" target=\"_blank\" rel=\"noopener\">Chinese APTs<\/a><span>\u00a0<\/span>frequently use VPNs and VPN tunneling as a tactic for exploitation and to hide their tracks and exfiltrate data. Furthermore, upon review of network data logs, numerous destination ports during the attack were to servers in China. However, other destinations included servers in Singapore, Paris, Russia, and even cities within the U.S., such as Los Angeles.<\/p>\n<h2 class=\"ai-optimize-25\"><span>Lateral Movement\u00a0<\/span><\/h2>\n<p class=\"ai-optimize-26\">Once in the networks, the malicious actors initiated lateral movement \u2014 compromising hosts running Windows Servers 2012, 2016, and 2019.<\/p>\n<p class=\"ai-optimize-27\">Akira ransomware distinguishes itself by its ability to exploit vulnerabilities in Linux systems, marking a departure from conventional ransomware. Research indicates that attacks on Linux machines surged by<span>\u00a0<\/span><a href=\"https:\/\/www.cynet.com\/ransomware\/linux-ransomware-attack-anatomy-examples-and-protection\/\" target=\"_blank\" rel=\"noopener\">75 percent<\/a><span>\u00a0<\/span>in 2022.<\/p>\n<p class=\"ai-optimize-28\">Notably, two endpoints running Ubuntu Bionic Beaver 18.04.6 LTS and Ubuntu 18.04.03 LTS were indeed targets of the attack.<\/p>\n<p class=\"ai-optimize-29\">Data Deletion and Exfiltration<\/p>\n<p class=\"ai-optimize-30\">Threat actors escalated tactics using PowerShell commands to delete shadow copies with \u201cGet-WmiObject Win32_Shadowcopy | Remove-WmiObject.\u201d<\/p>\n<p class=\"ai-optimize-31\">Threat actors then moved to file encryption. MDR analysts identified encrypted files marked with the \u201c.akira\u201d extension, such as \u201cfoo.doc.akira.\u201d Additionally, an accompanying ransom note named \u201cakira_readme.txt\u201d was discovered.<\/p>\n<p class=\"ai-optimize-32\">Adlumin MDR analysts suggested that the data theft might have occurred using DNS, a method commonly employed by APTs to minimize detection. This technique involves breaking down the stolen data into smaller encrypted chunks, which are then sent to external servers using UDP instead of TCP. The exact amount of data taken in the attack is still unknown, and the investigation is ongoing.<\/p>\n<h2 class=\"ai-optimize-33\"><span>Akira Ransomware Analysis\u00a0<\/span><\/h2>\n<p class=\"ai-optimize-34\">The following is an analysis of the Akira Ransomware from the <a href=\"https:\/\/www.n-able.com\/products\/adlumin\/threat-intelligence\">Adlumin Threat Research Team<\/a> with supportive information from other sources (listed at the end of this section).<\/p>\n<p class=\"ai-optimize-35\">Attack Process: The incursion initiates when an instance of the Akira ransomware is activated. Upon execution, the ransomware eliminates Windows shadow volume copies on the targeted device. Subsequently, the ransomware encrypts specific file types with predetermined extensions. It modifies each encrypted file\u2019s name by adding the \u2018.akira\u2019 extension during this encryption procedure.<\/p>\n<p class=\"ai-optimize-36\">During encryption, the ransomware halts active Windows services using the Windows Restart Manager API to ensure an uninterrupted encryption process. It focuses on encrypting files within various hard drive directories, excluding certain folders like program data, recycle bin, boot, system volume information, and Windows folders.<\/p>\n<p class=\"ai-optimize-37\">Notably, Windows system files with extensions such as .sys, .msi, .dll, .lnk, and .exe remain untouched to maintain system stability. In most infiltration cases, unauthorized parties exploit compromised credentials to gain initial entry to the victim\u2019s environment.<\/p>\n<p class=\"ai-optimize-38\">It is noteworthy that a significant number of victim organizations did not enable multi-factor authentication (MFA) for their VPNs. The source of the compromised credentials is uncertain, but it is plausible that threat actors acquired access or credentials from illicit sources on the dark web.<\/p>\n<p class=\"ai-optimize-39\">Toolset: Upon obtaining initial access, the Akira ransomware employs a distinct variety of tools, including PCHunter, Advanced IP Scanner, AdFind, SharpHound, MASSCAN, Mimikatz, LaZagne, AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, Ngrok, WinRar, WinSCP, Rclone, FileZilla, and PsExec.<\/p>\n<p class=\"ai-optimize-40\">During operation, the ransomware generates a symmetric encryption key using the CryptGenRandom() function, a Windows CryptoAPI random number generator. The symmetric key undergoes further encryption using the RSA-4096 cipher and is appended to the end of the encrypted file. The specific public key used is hardcoded within the ransomware\u2019s binary code and varies across different instances.<\/p>\n<h2 class=\"ai-optimize-41\"><strong>Malware Analysis Supportive Sources<\/strong>:<\/h2>\n<ul>\n<li class=\"ai-optimize-42\"><a href=\"https:\/\/www.blusapphire.com\/blog\/an-in-depth-analysis-of-akira-ransomware-attacks\" target=\"_blank\" rel=\"noopener\">https:\/\/www.blusapphire.com\/blog\/an-in-depth-analysis-of-akira-ransomware-attacks<\/a><\/li>\n<li class=\"ai-optimize-43\"><a href=\"https:\/\/decoded.avast.io\/threatresearch\/decrypted-akira-ransomware\/\" target=\"_blank\" rel=\"noopener\">https:\/\/decoded.avast.io\/threatresearch\/decrypted-akira-ransomware\/<\/a><\/li>\n<li class=\"ai-optimize-44\"><a href=\"https:\/\/www.sentinelone.com\/anthology\/akira\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.sentinelone.com\/anthology\/akira\/\u00a0<\/a><\/li>\n<\/ul>\n<h2 class=\"ai-optimize-45\"><span>Conclusion\u00a0<\/span><\/h2>\n<p class=\"ai-optimize-46\">There could be many reasons why APTs may be going after smaller, lesser well-known IT companies. Among these is the prospect of acquiring intellectual property, particularly considering that these startups may be developing new technology that holds significant value in the dark web.<\/p>\n<p class=\"ai-optimize-47\">Perhaps threat actors are looking for information on how these companies are funded, including names of investors who could potentially become targets of future spear and whale phishing campaigns.<\/p>\n<p class=\"ai-optimize-48\">Whatever the case may be, adversaries are finding that these IT firms have weaker network security than tech giants and thus become easy targets for their aggressive attacks.<\/p>\n<h2 class=\"ai-optimize-49\"><span>Akira Ransomware Indicators of Compromise (IOCs)\u00a0<\/span><\/h2>\n<h3 class=\"ai-optimize-50\"><strong>Hashes<\/strong><\/h3>\n<ul>\n<li class=\"ai-optimize-51\">431d61e95586c03461552d134ca54d16<\/li>\n<li class=\"ai-optimize-52\">af95fbcf9da33352655f3c2bab3397e2<\/li>\n<li class=\"ai-optimize-53\">c7ae7f5becb7cf94aa107ddc1caf4b03<\/li>\n<li class=\"ai-optimize-54\">d25890a2e967a17ff3dad8a70bfdd832<\/li>\n<li class=\"ai-optimize-55\">e44eb48c7f72ffac5af3c7a37bf80587<\/li>\n<li class=\"ai-optimize-56\">302f76897e4e5c8c98a52a38c4c98443<\/li>\n<li class=\"ai-optimize-57\">9180ea8ba0cdfe0a769089977ed8396a68761b40<\/li>\n<li class=\"ai-optimize-58\">1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296<\/li>\n<\/ul>\n<\/div>\n<\/section>\n<div class=\"avia-image-container av-styling- avia-builder-el-2 el_after_av_textblock avia-builder-el-last avia-align-center\"><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Stay protected from Akira ransomware\u2014discover key Indicators of Compromise (IOCs), including hashes, to help detect and prevent this evolving cyber threat.<\/p>\n","protected":false},"author":24,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"class_list":["post-70307","post","type-post","status-publish","format-standard","hentry","topic-cyber-resilience","topic-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.2) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Akira Ransomware Threat Actor Playbook: Attack Analysis &amp; IOCs<\/title>\n<meta name=\"description\" content=\"Learn how Akira ransomware operates, including key Indicators of Compromise (IOCs), hashes, and attacker tactics to help detect and reduce risk.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.n-able.com\/it\/blog\/a-threat-actors-playbook-behind-the-scenes-of-akira-ransomware\" \/>\n<meta property=\"og:locale\" content=\"it_IT\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Akira Ransomware Threat Actor Playbook: Attack Analysis &amp; IOCs\" \/>\n<meta property=\"og:description\" content=\"Learn how Akira ransomware operates, including key Indicators of Compromise (IOCs), hashes, and attacker tactics to help detect and reduce risk.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.n-able.com\/it\/blog\/a-threat-actors-playbook-behind-the-scenes-of-akira-ransomware\" \/>\n<meta property=\"og:site_name\" content=\"N-able\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/NableMSP\" \/>\n<meta property=\"article:published_time\" content=\"2023-09-07T16:20:18+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-30T10:00:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.n-able.com\/wp-content\/uploads\/2025\/08\/2508_Adlumin_BlogHeaders_AkiraRansomware.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"N-able\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Nable\" \/>\n<meta name=\"twitter:site\" content=\"@Nable\" \/>\n<meta name=\"twitter:label1\" content=\"Scritto da\" \/>\n\t<meta name=\"twitter:data1\" content=\"N-able\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tempo di lettura stimato\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minuti\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.n-able.com\/it\/blog\/a-threat-actors-playbook-behind-the-scenes-of-akira-ransomware#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.n-able.com\/it\/blog\/a-threat-actors-playbook-behind-the-scenes-of-akira-ransomware\"},\"author\":{\"name\":\"N-able\",\"@id\":\"https:\/\/www.n-able.com\/it\/#\/schema\/person\/f46a000e389b6d02bd4b3866e7828a7b\"},\"headline\":\"A Threat Actor&#8217;s Playbook: Behind the Scenes of Akira Ransomware\",\"datePublished\":\"2023-09-07T17:20:18+01:00\",\"dateModified\":\"2026-03-30T10:00:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.n-able.com\/it\/blog\/a-threat-actors-playbook-behind-the-scenes-of-akira-ransomware\"},\"wordCount\":1356,\"publisher\":{\"@id\":\"https:\/\/www.n-able.com\/it\/#organization\"},\"inLanguage\":\"it-IT\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.n-able.com\/it\/blog\/a-threat-actors-playbook-behind-the-scenes-of-akira-ransomware\",\"url\":\"https:\/\/www.n-able.com\/it\/blog\/a-threat-actors-playbook-behind-the-scenes-of-akira-ransomware\",\"name\":\"Akira Ransomware Threat Actor Playbook: Attack Analysis & IOCs\",\"isPartOf\":{\"@id\":\"https:\/\/www.n-able.com\/it\/#website\"},\"datePublished\":\"2023-09-07T17:20:18+01:00\",\"dateModified\":\"2026-03-30T10:00:31+00:00\",\"description\":\"Learn how Akira ransomware operates, including key Indicators of Compromise (IOCs), hashes, and attacker tactics to help detect and reduce risk.\",\"inLanguage\":\"it-IT\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.n-able.com\/it\/blog\/a-threat-actors-playbook-behind-the-scenes-of-akira-ransomware\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.n-able.com\/it\/#website\",\"url\":\"https:\/\/www.n-able.com\/it\/\",\"name\":\"N-able\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.n-able.com\/it\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.n-able.com\/it\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"it-IT\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.n-able.com\/it\/#organization\",\"name\":\"N-able\",\"url\":\"https:\/\/www.n-able.com\/it\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\/\/www.n-able.com\/it\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.n-able.com\/wp-content\/uploads\/2021\/02\/logo-n-able-vertical-dark.svg\",\"contentUrl\":\"https:\/\/www.n-able.com\/wp-content\/uploads\/2021\/02\/logo-n-able-vertical-dark.svg\",\"width\":\"1024\",\"height\":\"1024\",\"caption\":\"N-able\"},\"image\":{\"@id\":\"https:\/\/www.n-able.com\/it\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/NableMSP\",\"https:\/\/x.com\/Nable\",\"https:\/\/www.linkedin.com\/company\/n-able\",\"https:\/\/www.youtube.com\/channel\/UClnp77HHg4aME-S-3fWQhFw\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.n-able.com\/it\/#\/schema\/person\/f46a000e389b6d02bd4b3866e7828a7b\",\"name\":\"N-able\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/e9c468b7c98137ecdd5508befa660c205a7978133257080a37fb0b1362d53411?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e9c468b7c98137ecdd5508befa660c205a7978133257080a37fb0b1362d53411?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e9c468b7c98137ecdd5508befa660c205a7978133257080a37fb0b1362d53411?s=96&d=mm&r=g\",\"caption\":\"N-able\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Akira Ransomware Threat Actor Playbook: Attack Analysis & IOCs","description":"Learn how Akira ransomware operates, including key Indicators of Compromise (IOCs), hashes, and attacker tactics to help detect and reduce risk.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.n-able.com\/it\/blog\/a-threat-actors-playbook-behind-the-scenes-of-akira-ransomware","og_locale":"it_IT","og_type":"article","og_title":"Akira Ransomware Threat Actor Playbook: Attack Analysis & IOCs","og_description":"Learn how Akira ransomware operates, including key Indicators of Compromise (IOCs), hashes, and attacker tactics to help detect and reduce risk.","og_url":"https:\/\/www.n-able.com\/it\/blog\/a-threat-actors-playbook-behind-the-scenes-of-akira-ransomware","og_site_name":"N-able","article_publisher":"https:\/\/www.facebook.com\/NableMSP","article_published_time":"2023-09-07T16:20:18+00:00","article_modified_time":"2026-03-30T10:00:31+00:00","og_image":[{"width":1600,"height":900,"url":"https:\/\/www.n-able.com\/wp-content\/uploads\/2025\/08\/2508_Adlumin_BlogHeaders_AkiraRansomware.png","type":"image\/png"}],"author":"N-able","twitter_card":"summary_large_image","twitter_creator":"@Nable","twitter_site":"@Nable","twitter_misc":{"Scritto da":"N-able","Tempo di lettura stimato":"6 minuti"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.n-able.com\/it\/blog\/a-threat-actors-playbook-behind-the-scenes-of-akira-ransomware#article","isPartOf":{"@id":"https:\/\/www.n-able.com\/it\/blog\/a-threat-actors-playbook-behind-the-scenes-of-akira-ransomware"},"author":{"name":"N-able","@id":"https:\/\/www.n-able.com\/it\/#\/schema\/person\/f46a000e389b6d02bd4b3866e7828a7b"},"headline":"A Threat Actor&#8217;s Playbook: Behind the Scenes of Akira Ransomware","datePublished":"2023-09-07T17:20:18+01:00","dateModified":"2026-03-30T10:00:31+00:00","mainEntityOfPage":{"@id":"https:\/\/www.n-able.com\/it\/blog\/a-threat-actors-playbook-behind-the-scenes-of-akira-ransomware"},"wordCount":1356,"publisher":{"@id":"https:\/\/www.n-able.com\/it\/#organization"},"inLanguage":"it-IT"},{"@type":"WebPage","@id":"https:\/\/www.n-able.com\/it\/blog\/a-threat-actors-playbook-behind-the-scenes-of-akira-ransomware","url":"https:\/\/www.n-able.com\/it\/blog\/a-threat-actors-playbook-behind-the-scenes-of-akira-ransomware","name":"Akira Ransomware Threat Actor Playbook: Attack Analysis & IOCs","isPartOf":{"@id":"https:\/\/www.n-able.com\/it\/#website"},"datePublished":"2023-09-07T17:20:18+01:00","dateModified":"2026-03-30T10:00:31+00:00","description":"Learn how Akira ransomware operates, including key Indicators of Compromise (IOCs), hashes, and attacker tactics to help detect and reduce risk.","inLanguage":"it-IT","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.n-able.com\/it\/blog\/a-threat-actors-playbook-behind-the-scenes-of-akira-ransomware"]}]},{"@type":"WebSite","@id":"https:\/\/www.n-able.com\/it\/#website","url":"https:\/\/www.n-able.com\/it\/","name":"N-able","description":"","publisher":{"@id":"https:\/\/www.n-able.com\/it\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.n-able.com\/it\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"it-IT"},{"@type":"Organization","@id":"https:\/\/www.n-able.com\/it\/#organization","name":"N-able","url":"https:\/\/www.n-able.com\/it\/","logo":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/www.n-able.com\/it\/#\/schema\/logo\/image\/","url":"https:\/\/www.n-able.com\/wp-content\/uploads\/2021\/02\/logo-n-able-vertical-dark.svg","contentUrl":"https:\/\/www.n-able.com\/wp-content\/uploads\/2021\/02\/logo-n-able-vertical-dark.svg","width":"1024","height":"1024","caption":"N-able"},"image":{"@id":"https:\/\/www.n-able.com\/it\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/NableMSP","https:\/\/x.com\/Nable","https:\/\/www.linkedin.com\/company\/n-able","https:\/\/www.youtube.com\/channel\/UClnp77HHg4aME-S-3fWQhFw"]},{"@type":"Person","@id":"https:\/\/www.n-able.com\/it\/#\/schema\/person\/f46a000e389b6d02bd4b3866e7828a7b","name":"N-able","image":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/secure.gravatar.com\/avatar\/e9c468b7c98137ecdd5508befa660c205a7978133257080a37fb0b1362d53411?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/e9c468b7c98137ecdd5508befa660c205a7978133257080a37fb0b1362d53411?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e9c468b7c98137ecdd5508befa660c205a7978133257080a37fb0b1362d53411?s=96&d=mm&r=g","caption":"N-able"}}]}},"_links":{"self":[{"href":"https:\/\/www.n-able.com\/it\/wp-json\/wp\/v2\/posts\/70307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.n-able.com\/it\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.n-able.com\/it\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.n-able.com\/it\/wp-json\/wp\/v2\/users\/24"}],"replies":[{"embeddable":true,"href":"https:\/\/www.n-able.com\/it\/wp-json\/wp\/v2\/comments?post=70307"}],"version-history":[{"count":0,"href":"https:\/\/www.n-able.com\/it\/wp-json\/wp\/v2\/posts\/70307\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.n-able.com\/it\/wp-json\/wp\/v2\/media?parent=70307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}