Nissan Türkiye: Akira ransomware: stats on attacks, ransoms & data breaches

Akira Ransomware Surges in 2025, Targets Manufacturers and Exploits SonicWall Flaws

In 2025, the Akira ransomware group has emerged as a dominant cyber threat, claiming responsibility for 683 attacks between January and November—more than double its 2024 total of 272. While trailing behind Qilin (864 attacks in the same period), Akira’s activity has seen two major spikes: a surge in early 2025 (225 attacks in Q1) followed by a resurgence in recent months, driven by the exploitation of SonicWall SSL VPN vulnerabilities (CVE-2024-40766).

On November 13, 2025, the FBI, CISA, DC3, and HHS issued a renewed joint advisory, warning of Akira’s imminent threat to critical infrastructure. The group has reportedly extorted $244.17 million in ransom payments as of September 2025.

Targets and Trends

Akira, which first appeared in March 2023 and is linked to the defunct Conti group, has shifted its focus over time. While small- to medium-sized businesses remain its primary targets, the education sector has seen a sharp decline—from 15 attacks in 2023 to none in 2025. Meanwhile, manufacturers have become Akira’s top target, accounting for 27% of its 2025 business attacks (182 incidents, 18 confirmed).

Sector Breakdown (2025, Jan–Nov)

  • Businesses (666 attacks, 68 confirmed)
    • Manufacturers: 182 (18 confirmed)
    • Service-based: 124 (6 confirmed)
    • Retailers: 62 (7 confirmed)
    • Construction: 53 (2 confirmed)
    • Finance: 49 (7 confirmed)
    • Legal: 47 (4 confirmed)
  • Healthcare providers: 5 attacks (none confirmed)
  • Government entities: 3 attacks (1 confirmed)
  • Education: 0 attacks

Confirmed attacks in 2025 have breached 104,608 records. Across all attacks, 32 TB of data was stolen (5.9 TB in confirmed incidents).

Geographic Focus

The U.S. remains Akira’s most targeted country (455 attacks, 45 confirmed), followed by Germany (26), Canada (26), Italy (21), and Spain (17). Notable increases include Spain (750% growth from 2024), Switzerland (350%), and Italy (200%).

Ransom Demands and High-Profile Attacks

Akira’s ransom demands vary, with confirmed cases including:

  • $1.4M (paid) – Shook Lin & Bok (Singapore, April 2024)
  • $1.2M (refused) – Toronto Zoo (Canada, January 2024)
  • $1M (paid) – Hangzhou Great Star Industrial (China, August 2023)
  • $750K (alleged) – Usina Alta Mogiana (Brazil, June 2024)
  • $200K (paid) – Bugnard SA (Switzerland, September 2025)

Historical Context (2023–2025)

Since its emergence, Akira has claimed 1,126 attacks, with 202 confirmed and 1,087,428 records breached. While attacks on government (14 total) and healthcare (9 total) have remained low, business targets have surged—particularly in manufacturing, legal, and construction sectors.

The group’s shift away from education and toward higher-value industries suggests a strategic pivot toward more lucrative or vulnerable targets. With a month left in 2025, Akira’s trajectory underscores its growing threat to global cybersecurity.

Source: https://www.comparitech.com/news/akira-ransomware-stats-on-attacks-ransoms-data-breaches/

TPRM report: https://www.rankiteo.com/company/nissan-otomotiv-tr

"id": "nis1765455541",
"linkid": "nissan-otomotiv-tr",
"type": "Ransomware",
"date": "11/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '145,844',
                        'industry': 'K-12 Education',
                        'location': 'US',
                        'name': 'Edmonds School District',
                        'size': 'Large',
                        'type': 'Education'},
                       {'customers_affected': '93,512',
                        'industry': 'Higher Education',
                        'location': 'US',
                        'name': 'Mercer University',
                        'size': 'Large',
                        'type': 'Education'},
                       {'industry': 'Higher Education',
                        'location': 'Iceland',
                        'name': 'Reykjavík University',
                        'size': 'Medium',
                        'type': 'Education'},
                       {'industry': 'K-12 Education',
                        'location': 'US',
                        'name': 'Van Buren Public Schools',
                        'size': 'Medium',
                        'type': 'Education'},
                       {'industry': 'K-12 Education',
                        'location': 'US',
                        'name': 'Louisiana Special School District',
                        'size': 'Medium',
                        'type': 'Education'},
                       {'customers_affected': '8,839',
                        'industry': 'Local Government',
                        'location': 'US',
                        'name': 'City of Nassau Bay',
                        'size': 'Small',
                        'type': 'Government'},
                       {'industry': 'Public Services',
                        'location': 'US',
                        'name': 'Laramie County Library System',
                        'size': 'Small',
                        'type': 'Government'},
                       {'industry': 'Hospital',
                        'location': 'Canada',
                        'name': 'Michael Garron Hospital',
                        'size': 'Large',
                        'type': 'Healthcare'},
                       {'customers_affected': '26,534',
                        'industry': 'Medical Services',
                        'location': 'US',
                        'name': 'siParadigm LLC',
                        'size': 'Medium',
                        'type': 'Healthcare'},
                       {'customers_affected': '100,000',
                        'industry': 'Manufacturing',
                        'location': 'Australia',
                        'name': 'Nissan Australia',
                        'size': 'Large',
                        'type': 'Business'},
                       {'industry': 'Legal',
                        'location': 'Singapore',
                        'name': 'Shook Lin & Bok',
                        'size': 'Large',
                        'type': 'Business'},
                       {'industry': 'Entertainment/Recreation',
                        'location': 'Canada',
                        'name': 'Toronto Zoo',
                        'size': 'Large',
                        'type': 'Business'},
                       {'industry': 'Manufacturing',
                        'location': 'China',
                        'name': 'Hangzhou Great Star Industrial Co., Ltd',
                        'size': 'Large',
                        'type': 'Business'},
                       {'industry': 'Food & Beverage',
                        'location': 'Brazil',
                        'name': 'Usina Alta Mogiana S/A',
                        'size': 'Large',
                        'type': 'Business'},
                       {'industry': 'Manufacturing',
                        'location': 'Switzerland',
                        'name': 'Bugnard SA',
                        'size': 'Medium',
                        'type': 'Business'},
                       {'customers_affected': '2,000',
                        'industry': 'Media',
                        'location': 'US',
                        'name': 'Black Press Hawaii (Star-Advertiser, Oahu '
                                'Publications, Inc. et al)',
                        'size': 'Large',
                        'type': 'Business'}],
 'attack_vector': 'Exploitation of SonicWall SSL VPN vulnerabilities '
                  '(CVE-2024-40766)',
 'data_breach': {'data_encryption': 'Yes (ransomware encryption)',
                 'data_exfiltration': 'Yes (32 TB stolen across all attacks)',
                 'number_of_records_exposed': '1,087,428 (across all confirmed '
                                              'attacks)',
                 'personally_identifiable_information': 'Yes (e.g., names, '
                                                        'addresses, medical '
                                                        'records)',
                 'sensitivity_of_data': 'High (PII, financial data, corporate '
                                        'secrets)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Corporate Data',
                                              'Customer Data']},
 'date_publicly_disclosed': '2025-11-13',
 'description': 'From January to November 2025, Akira claimed responsibility '
                'for 683 ransomware attacks, making it the second most '
                'dominant strain this year behind Qilin (864 attacks during '
                "the same period). Akira's activity spiked in Q1 2025 (225 "
                'attacks) and again in recent months, driven by exploitation '
                'of SonicWall SSL VPN vulnerabilities (CVE-2024-40766). The '
                'group has targeted small- to medium-sized businesses across '
                'various industries, with a notable shift from education to '
                'manufacturing. The FBI, CISA, DC3, and HHS issued a joint '
                'advisory on November 13, 2025, citing Akira as an imminent '
                'threat to critical infrastructure.',
 'impact': {'brand_reputation_impact': 'High (e.g., data breaches, dark web '
                                       'leaks)',
            'data_compromised': '104,608 records breached in confirmed '
                                'attacks; 32 TB of data stolen across all '
                                'attacks (5.9 TB in confirmed attacks)',
            'financial_loss': '$244.17 million (USD) in ransomware proceeds '
                              '(up to September 2025)',
            'identity_theft_risk': 'High (PII exposed in breaches)',
            'operational_impact': 'Significant disruptions, especially in '
                                  'manufacturing and government sectors',
            'systems_affected': 'Widespread system encryption and disruption'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes (e.g., customer data, '
                                                    'PII)',
                           'entry_point': 'SonicWall SSL VPN vulnerabilities '
                                          '(CVE-2024-40766)',
                           'high_value_targets': 'Manufacturers, legal firms, '
                                                 'healthcare businesses'},
 'investigation_status': 'Ongoing',
 'lessons_learned': "Akira's shift in targeting from education to "
                    'manufacturing highlights the evolving ransomware threat '
                    'landscape. The exploitation of known vulnerabilities '
                    '(e.g., CVE-2024-40766) underscores the importance of '
                    'patch management and proactive security measures. The '
                    "group's connection to Conti suggests a legacy of "
                    'sophisticated cybercrime operations.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': ['Patch management '
                                                   'prioritization',
                                                   'Network segmentation '
                                                   'implementation',
                                                   'Enhanced monitoring and '
                                                   'threat detection'],
                            'root_causes': ['Exploitation of unpatched '
                                            'vulnerabilities (e.g., '
                                            'CVE-2024-40766)',
                                            'Lack of network segmentation',
                                            'Insufficient monitoring for '
                                            'lateral movement']},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransom_demanded': ['$2 million (Shook Lin & Bok)',
                                    '$1.4 million (paid)',
                                    '$1.2 million (Toronto Zoo)',
                                    '$1 million (Hangzhou Great Star '
                                    'Industrial Co., Ltd)',
                                    '$750,000 (Usina Alta Mogiana S/A)',
                                    '$450,000 (Bugnard SA, initial demand)',
                                    '$200,000 (paid)',
                                    '$150,000 (Black Press Hawaii)'],
                'ransom_paid': ['$1.4 million (Shook Lin & Bok)',
                                '$1 million (Hangzhou Great Star Industrial '
                                'Co., Ltd)',
                                '$200,000 (Bugnard SA)',
                                '$150,000 (Black Press Hawaii)'],
                'ransomware_strain': 'Akira'},
 'recommendations': ['Patch known vulnerabilities (e.g., SonicWall SSL VPN) '
                     'immediately.',
                     'Implement network segmentation to limit lateral '
                     'movement.',
                     'Enhance monitoring for unusual activity, especially in '
                     'critical infrastructure sectors.',
                     'Develop and test incident response plans for ransomware '
                     'attacks.',
                     'Educate employees on phishing and social engineering '
                     'tactics.',
                     'Consider third-party assistance for threat intelligence '
                     'and response.'],
 'references': [{'date_accessed': '2025-11-13',
                 'source': 'FBI, CISA, DC3, HHS Joint Advisory'},
                {'source': 'Akira Ransomware Data Leak Site'},
                {'source': 'Compliance Week (Ransomware Tracker)',
                 'url': 'https://www.complianceweek.com/ransomware-tracker'}],
 'regulatory_compliance': {'regulations_violated': ['Data breach disclosure '
                                                    'laws (e.g., US state '
                                                    'laws)'],
                           'regulatory_notifications': 'Yes (e.g., US state '
                                                       'breach notifications)'},
 'response': {'law_enforcement_notified': 'Yes (FBI, CISA, DC3, HHS)'},
 'stakeholder_advisories': 'FBI, CISA, DC3, and HHS issued a joint advisory on '
                           "November 13, 2025, warning of Akira's imminent "
                           'threat to critical infrastructure.',
 'threat_actor': 'Akira',
 'title': 'Akira Ransomware Surge (2023-2025)',
 'type': 'Ransomware',
 'vulnerability_exploited': 'CVE-2024-40766'}