What Is Akira?
Akira is a ransomware-as-a-service (RaaS) group that first appeared in March 2023. Unlike older ransomware groups that broadly scattered attacks, Akira operates with a degree of target selection - preferring organizations that have both the ability to pay a ransom and the operational pressure to pay quickly. Healthcare organizations, with their life-critical systems and regulatory obligations, fit that profile well.
As of early 2026, Akira has claimed responsibility for hundreds of attacks globally, with victims including healthcare providers, professional services firms, educational institutions, and critical infrastructure operators. Canadian organizations have been among the targets.
Akira's name refers to their data leak site, where they publish stolen data from organizations that don't pay the ransom. This double-extortion model - encrypt your systems AND threaten to publish your data - creates particular pressure on healthcare organizations, where data disclosure carries regulatory penalties and reputational consequences beyond the operational disruption of encryption.
How Akira Gets In: The VPN Appliance Problem
Akira's primary initial access vector, consistently documented in threat intelligence reporting from the FBI, CISA, and Europol, is unpatched remote access infrastructure - particularly Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) VPN products.
The exploitation pattern is straightforward: Akira operators scan for organizations running vulnerable versions of remote access software, identify the targets, and exploit the vulnerability to gain an initial foothold. From there, they conduct reconnaissance, establish persistence, move laterally to identify high-value targets, exfiltrate data, and then deploy the ransomware payload.
The time between initial access and ransomware deployment has compressed significantly for sophisticated groups - Akira and similar operators have been documented moving from initial access to ransomware deployment in hours rather than days when conditions allow it.
The secondary access vector is credential theft: using exposed RDP, brute-forced credentials on internet-facing services, or credentials obtained through phishing to gain initial access. This is why exposed RDP combined with weak passwords or no MFA is so dangerous.
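The credential-theft vector leaves a recognisable trace in authentication logs: a run of failures from one source followed by a success (brute force), or one source trying a handful of usernames in quick succession (password spraying). The following detector is an added illustration of that logic, not ThreeShield or Lavawall code. It assumes a constructed one-event-per-line log format (timestamp, result, user, src, svc); real sources such as Windows 4625/4624 events or Cisco ASA syslog need their own parser, and the thresholds are assumptions to tune per environment.

```python
"""Flag brute-force-then-success and password-spray patterns in remote-access auth logs.

Added illustration (not ThreeShield/Lavawall code). The log format and thresholds
are constructed assumptions; adapt parse_line() to your real log source.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window per source address
FAIL_THRESHOLD = 5               # failures in WINDOW before a success is suspicious
SPRAY_USER_THRESHOLD = 4         # distinct usernames failing from one source in WINDOW

# Constructed sample log (RFC 5737 documentation addresses, invented users).
SAMPLE_LOG = """\
2026-02-03T03:00:10Z result=FAIL user=admin src=203.0.113.7 svc=rdp
2026-02-03T03:00:41Z result=FAIL user=admin src=203.0.113.7 svc=rdp
2026-02-03T03:01:12Z result=FAIL user=admin src=203.0.113.7 svc=rdp
2026-02-03T03:01:44Z result=FAIL user=admin src=203.0.113.7 svc=rdp
2026-02-03T03:02:15Z result=FAIL user=admin src=203.0.113.7 svc=rdp
2026-02-03T03:02:46Z result=FAIL user=admin src=203.0.113.7 svc=rdp
2026-02-03T03:03:20Z result=SUCCESS user=admin src=203.0.113.7 svc=rdp
2026-02-03T03:05:00Z result=FAIL user=alice src=198.51.100.23 svc=vpn
2026-02-03T03:05:30Z result=FAIL user=bob src=198.51.100.23 svc=vpn
2026-02-03T03:06:00Z result=FAIL user=carol src=198.51.100.23 svc=vpn
2026-02-03T03:06:30Z result=FAIL user=dave src=198.51.100.23 svc=vpn
2026-02-03T08:15:02Z result=FAIL user=jsmith src=192.0.2.10 svc=vpn
2026-02-03T08:15:20Z result=SUCCESS user=jsmith src=192.0.2.10 svc=vpn
"""


def parse_line(line):
    """Turn '<ISO ts> key=value ...' into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines):
    """Return [(kind, src, detail), ...] for sources matching either pattern.

    kind is 'bruteforce_then_success' or 'password_spray'; each source is
    reported once per kind (first time the threshold is crossed).
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent_fail = defaultdict(list)   # src -> failures still inside WINDOW
    findings = {}
    for ev in events:
        src = ev["src"]
        cutoff = ev["ts"] - WINDOW
        recent_fail[src] = [f for f in recent_fail[src] if f["ts"] >= cutoff]
        if ev["result"] == "FAIL":
            recent_fail[src].append(ev)
            users = sorted({f["user"] for f in recent_fail[src]})
            if len(users) >= SPRAY_USER_THRESHOLD:
                findings.setdefault(("password_spray", src),
                                    {"users": users, "svc": ev["svc"]})
        elif ev["result"] == "SUCCESS":
            n_fail = len(recent_fail[src])
            if n_fail >= FAIL_THRESHOLD:
                findings.setdefault(("bruteforce_then_success", src),
                                    {"user": ev["user"], "svc": ev["svc"], "failures": n_fail})
            recent_fail[src] = []     # a success resets the failure run for that source
    return [(kind, src, detail) for (kind, src), detail in sorted(findings.items())]


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind}: src={src} {detail}")
```

The third source in the sample (one typo, then a success) produces no finding, which is the point of the window and thresholds: the signal is the run of failures immediately preceding a success, not a single failed login. A success that follows a long failure run from the same source is also exactly the event that MFA enforcement turns into a non-event.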
Why Healthcare Is a Preferred Target
Healthcare organizations present a specific risk profile that ransomware operators have learned to exploit:
Operational criticality: A hospital or clinic that can't access patient records, medication databases, or scheduling systems faces immediate patient safety consequences. The urgency to restore operations is higher than in almost any other sector - which creates pressure to pay quickly rather than rebuild from backups.
Regulatory pressure: The combination of a ransomware attack and potential data disclosure triggers breach notification obligations under Alberta HIA, HIPAA (for organizations with US exposure), and PIPEDA. The regulatory clock starts ticking, which adds institutional pressure on top of operational disruption.
Underinvestment in security: Healthcare organizations, particularly smaller clinics and primary care networks (PCNs), have historically underinvested in cybersecurity relative to their data sensitivity. Security teams are often thin or nonexistent. Patch cycles are slow, particularly for clinical systems where "don't touch what's working" is a common operational philosophy.
Complex vendor environments: Healthcare organizations typically operate a complex mix of clinical software, administrative systems, and medical devices - many of which have limited patch support or run on legacy operating systems. This creates a larger attack surface than most organizations of equivalent size in other sectors.
What Lavawall® Does to Counter Akira
ThreeShield built dedicated Akira detection capabilities into Lavawall® because the group's TTPs (tactics, techniques, and procedures) have become well-documented enough to enable proactive hunting rather than just reactive detection.
IOC detection: Lavawall® maintains a current set of Indicators of Compromise associated with Akira activity - IP addresses, file hashes, domain names, and registry modifications associated with known Akira infrastructure and tooling. When these IOCs appear in monitored environments, Lavawall® alerts immediately.
VPN appliance monitoring: Lavawall® specifically monitors for unpatched remote access infrastructure exposed to the internet, with alerts for known Akira-relevant CVEs including the Cisco ASA vulnerabilities the group routinely exploits. If your Cisco VPN appliance is running a vulnerable firmware version, Lavawall® will flag it.
Lateral movement detection: Akira's post-exploitation behavior - credential dumping, reconnaissance commands, unusual service creation, and abnormal authentication patterns - generates signals that Lavawall® correlates against known Akira behavior patterns.
Behavioral anomaly detection: Even when specific IOCs aren't matched, mass file access patterns consistent with ransomware staging trigger alerts in Lavawall®'s endpoint monitoring. Stopping ransomware in the staging phase - before encryption begins - is the difference between a managed incident and a catastrophic one.
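The "mass file access pattern" signal is simpler than it sounds: one process touching an unusual number of files, spread across several directories, within a short window, with most of the operations changing the file extension. The detector below is an added illustration of that heuristic, not Lavawall's implementation. It assumes a constructed endpoint event format (timestamp, pid, proc, op, path, optional new path); the ".locked" extension and the thresholds are constructed placeholders, not markers of any real family.

```python
"""Flag bursts of file renames/writes consistent with ransomware staging.

Added illustration, not ThreeShield/Lavawall code. Event lines are a constructed
format: "<ISO ts> pid=<n> proc=<name> op=<WRITE|RENAME> path=<p> [new=<p>]".
The ".locked" extension in the sample is a placeholder; thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import posixpath

WINDOW = timedelta(seconds=60)
RATE_THRESHOLD = 20       # modifications per WINDOW from one process
DIR_THRESHOLD = 3         # ... spread over at least this many directories
EXT_CHANGE_RATIO = 0.8    # ... where most of them change the file extension


def parse_event(line):
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def changes_extension(ev):
    """True for a RENAME whose new name carries a different extension."""
    return ev["op"] == "RENAME" and \
        posixpath.splitext(ev["new"])[1] != posixpath.splitext(ev["path"])[1]


def detect_staging(lines):
    """Return {(pid, proc): summary} for processes crossing all three thresholds."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    windows = defaultdict(deque)    # (pid, proc) -> events inside WINDOW
    alerts = {}
    for ev in events:
        key = (ev["pid"], ev["proc"])
        q = windows[key]
        q.append(ev)
        while q[0]["ts"] < ev["ts"] - WINDOW:
            q.popleft()
        if len(q) < RATE_THRESHOLD:
            continue
        dirs = {posixpath.dirname(e["path"]) for e in q}
        ratio = sum(changes_extension(e) for e in q) / len(q)
        if len(dirs) >= DIR_THRESHOLD and ratio >= EXT_CHANGE_RATIO:
            # report the first crossing only; later events would just repeat it
            alerts.setdefault(key, {
                "first_seen": q[0]["ts"].isoformat(),
                "events": len(q),
                "dirs": len(dirs),
                "ext_change_ratio": round(ratio, 2),
            })
    return alerts


def make_sample():
    """Constructed event stream: one unknown process renaming 24 files across
    four folders in ~30 s, plus a word processor saving three documents."""
    base = datetime(2026, 2, 3, 2, 41, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    folders = ["C:/Shares/Clinic/Charts", "C:/Shares/Clinic/Billing",
               "C:/Shares/Admin/HR", "C:/Users/jsmith/Documents"]
    lines = []
    for i in range(24):
        ts = (base + timedelta(seconds=i * 1.25)).strftime(fmt)
        p = f"{folders[i % 4]}/file{i}.docx"
        lines.append(f"{ts} pid=5120 proc=unknown.exe op=RENAME path={p} new={p}.locked")
    for i in range(3):
        ts = (base + timedelta(seconds=5 + i * 7)).strftime(fmt)
        lines.append(f"{ts} pid=2210 proc=winword.exe op=WRITE "
                     f"path=C:/Users/jsmith/Documents/notes{i}.docx")
    return lines


if __name__ == "__main__":
    for key, summary in detect_staging(make_sample()).items():
        print(key, summary)
```

The three conditions together are what keep the false-positive rate manageable: a backup agent or indexer touches many files but does not change their extensions, and a user's bulk rename usually stays inside one folder. The alert fires at the twentieth event, while the burst is still in progress, which is the window in which containment (isolating the host, killing the process) is still cheap.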
The Three Controls That Matter Most Against Akira
If you're a healthcare organization that isn't yet running Lavawall® or equivalent monitoring, there are three controls that will have the most impact against Akira-style attacks specifically:
1. Patch your VPN appliances immediately. If you run Cisco ASA, Cisco FTD, or any other internet-facing remote access appliance, check the firmware version against current CVEs today. Akira specifically targets these. If you're not sure how to check, that's an urgent conversation to have with your IT provider.
2. Require MFA on all remote access. Credential-based initial access is blocked by MFA. A stolen password combined with MFA enforcement is a failed attack. MFA on VPN, RDP, M365, and all other remote access services is the single highest-return security control against credential-based initial access.
3. Test your backups - not just run them. Akira (and most ransomware groups) specifically target backup systems for deletion before deploying the encryption payload. Backups that aren't immutable, aren't tested, or aren't offline/air-gapped can be destroyed before you can use them. Know that your backups work before you need them.
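"Test your backups" means a restore test: pull the archive back, compare every file against what was backed up, and check the backup is recent enough to matter. The script below is an added illustration of such a test, not ThreeShield or Lavawall code. It builds a small constructed data set and archive in a temporary directory so it runs offline, records a SHA-256 manifest at backup time, then restores into a scratch directory and verifies; it also truncates the archive to show what a silently damaged backup looks like to the check. The file names, contents and the one-day freshness limit are constructed assumptions, and in practice the manifest belongs on the same immutable or offline storage as the archive.

```python
"""Restore-test a backup archive against a hash manifest.

Added illustration, not ThreeShield/Lavawall code. Sample data, archive name,
and the freshness limit are constructed assumptions.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, dest_dir):
    """Archive source_dir and write a manifest {relative path: sha256} plus timestamp."""
    archive = os.path.join(dest_dir, "backup.tar.gz")
    manifest = {"created": datetime.now(timezone.utc).isoformat(), "files": {}}
    with tarfile.open(archive, "w:gz") as tar:
        for root, _, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest["files"][rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    manifest_path = os.path.join(dest_dir, "backup.manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return archive, manifest_path


def verify_backup(archive, manifest_path, max_age=timedelta(days=1)):
    """Restore into a scratch directory and check age, presence and hash of every file.
    Returns (ok, problems)."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    problems = []
    created = datetime.fromisoformat(manifest["created"])
    if datetime.now(timezone.utc) - created > max_age:
        problems.append(f"backup older than {max_age}")
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    # 'data' filter rejects absolute/traversing paths (Python 3.12+,
                    # backported to late 3.8-3.11 patch releases)
                    tar.extractall(restore_dir, filter="data")
                except TypeError:          # interpreter without the filter argument
                    tar.extractall(restore_dir)
        except Exception as e:             # any restore failure is a failed test
            return False, [f"restore failed: {e!r}"]
        for rel, expected in manifest["files"].items():
            restored = os.path.join(restore_dir, rel)
            if not os.path.isfile(restored):
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"hash mismatch: {rel}")
    return not problems, problems


def run_demo():
    """Constructed data set: back it up, verify, then truncate the archive and verify again."""
    sample = {
        "charts/patient-0001.txt": b"constructed sample record\n",
        "schedule.csv": b"date,room\n2026-02-03,4\n",
        "config.ini": b"[db]\nhost=localhost\n",
    }
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "charts"))
        for rel, content in sample.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(content)
        archive, manifest = create_backup(src, work)
        healthy = verify_backup(archive, manifest)
        with open(archive, "r+b") as f:      # simulate a half-written archive (e.g. disk full)
            f.truncate(os.path.getsize(archive) // 2)
        damaged = verify_backup(archive, manifest)
    return healthy, damaged


if __name__ == "__main__":
    healthy, damaged = run_demo()
    print("healthy backup:", healthy)
    print("damaged backup:", damaged)
```

Scheduling this against the most recent archive on a separate, non-production host is the "test, not just run" part; the age check is what catches a backup job that has quietly stopped producing new archives, which is a common finding on the "missing recent backups" symptom listed further down.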
If You've Detected Suspicious Activity
If you're seeing any of the following, treat it as a potential active incident and contact a security professional immediately:
- Unexpected account lockouts or password reset activity
- New administrative accounts you didn't create
- Unusual remote access or VPN connections - especially from unexpected geographies
- Antivirus disabled or uninstalled on endpoints
- Slow system performance across multiple machines simultaneously
- Backup systems showing errors or missing recent backups
Early detection dramatically improves outcomes. Ransomware that's caught in the lateral movement phase is a containable incident. Ransomware that's been encrypting for hours before detection is a disaster.
ThreeShield provides Akira IOC detection through Lavawall® and incident response support for suspected active compromises. If you're concerned about your organization's exposure, contact us - we can deploy monitoring quickly and advise on immediate risk reduction steps.