IT Trends Weekly — a curated, citation-first roundup for busy IT leaders.
Ransomware Focus: What the Updated Akira Advisory Changes — and How to Respond in 7 Days
Context. On Nov 13, U.S. and international partners updated their joint #StopRansomware advisory on Akira ransomware, adding new activity, TTPs, and indicators, and warning of an imminent threat to critical infrastructure. The update consolidates what incident responders have seen across sectors: opportunistic initial access (often via exposed services or known-exploited vulnerabilities), rapid lateral movement with legitimate remote tools, backup targeting, and double extortion. If you operate VPNs, edge devices, hypervisors, or backup servers, this week is about closing the predictable on-ramps and proving the exposure is shut.
Browse prior issues on the IT Trends Weekly hub or subscribe for a weekly checklist you can hand to ops.
Table of contents
- What changed in the Akira advisory
- Why it matters (beyond “have good backups”)
- First 48 hours: a focused action plan
- Operational realities (what breaks, what doesn’t)
- Evidence leaders want this week
- 7-day follow-through
- AI trend (blurb)
- FAQ
- Sources & citations
What changed in the Akira advisory
Update scope. CISA, the FBI and international partners refreshed the joint advisory (AA24-109A) to reflect new Akira activity, TTPs and IOCs, explicitly framing the campaign as an imminent threat to critical infrastructure and adding prescriptive mitigations. The PDF and web versions label the new material as "Update Nov. 13, 2025" sections, so defenders can diff quickly against prior guidance.
Key patterns reiterated. The advisory and industry summaries emphasize well-known on-ramps: abusing exposed remote access (VPNs, RDP), exploiting known-exploited vulnerabilities in edge devices or backup platforms, deploying legitimate remote-admin tools for lateral movement that blends in with admin activity (e.g., AnyDesk, LogMeIn), and double extortion (encryption plus data-leak threats). That mix aligns with what responders reported all year.
Virtualization remains a high-value target. Akira has expanded beyond VMware ESXi and Hyper-V to Nutanix AHV VM disk files in some intrusions, underscoring the need to harden hypervisors and isolate management planes, especially where backup servers sit one hop away.
Why it matters (beyond “have good backups”)
- KEV-driven urgency. Akira operators consistently get in through Known Exploited Vulnerabilities; when CISA adds an entry to KEV, your clock starts. The KEV due date is binding only for federal civilian agencies under BOD 22-01, but it is the benchmark everyone else is measured against. Run your patch SLOs to KEV dates, not quarterly windows.
- Backups ≠ resilience if they're reachable. Many Akira cases involve backup discovery and destruction. Resilience depends on offline or immutable copies and a segmented management plane, not just job success rates.
- Legitimate tools complicate detection. AnyDesk, LogMeIn, Splashtop and built-in tools (PowerShell, WMI) blend with admin activity. Controls must be behavioral (e.g., a new remote-tool install plus an unusual logon path plus backup job deletions on the same host), not just "block the bad EXE."
First 48 hours: a focused action plan
- 1) Close the front doors you control today. Inventory and disable unused remote access (RDP/VPN accounts), rotate VPN creds and revoke stale tokens, and enforce MFA for all remote paths. Confirm no vendor tunnels are left “always-on.” Document what changed.
- 2) Patch known-exploited edges. Prioritize devices on KEV or with active exploitation reports (e.g., Fortinet FortiWeb CVE-2025-64446, a path traversal currently under active exploitation). If an immediate patch isn't possible, pull the interface off the Internet or gate it behind a reverse proxy or allowlist while you stage maintenance.
- 3) Lock backup infrastructure. Require MFA plus just-in-time access for backup consoles; block management from workstation VLANs; disable remote command execution from backup to hypervisors unless needed; verify immutability/object-lock on critical jobs; export a fresh offline copy of the backup configuration.
- 4) Hunt for "living-off-the-land" patterns. Search for new installations of AnyDesk, LogMeIn or Splashtop, anomalous RDP from unmanaged IPs, backup deletions or disablement, new local admins, and mass file-rename bursts after off-hours logons. Use EDR behavioral rules where available.
- 5) Harden hypervisors/VM storage. Isolate ESXi, Hyper-V and AHV management on dedicated subnets with MFA and no Internet exposure; limit snapshot and delete permissions; ensure backups target off-cluster storage that ransomware running inside the cluster cannot reach.
- 6) Stage response playbooks. Pre-approve takedown steps for suspicious remote tools, scripted account disables, and DNS sinkholes for known C2 and leak-site indicators. Align legal and comms so extortion handling isn't improvised under pressure.
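The hunt in step 4 (and the Day 6 hunt in the follow-through below) is easier to operationalize as a per-host behavioral score than as a list of separate searches, because each signal on its own is ordinary admin noise. The following Python is an added example, not code from the advisory or from this newsletter: it scores constructed, normalized Windows-style event records (field names such as `kind`, `logon_type` and `src_ip` are assumptions standing in for whatever your EDR or SIEM emits) for RDP from unmanaged addresses, off-hours logons, remote-tool service installs, new local administrators, shadow-copy or backup-catalog deletion, and mass-rename bursts, then escalates hosts that cross a threshold. The weights, thresholds and corporate address range are assumptions to tune locally.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (NOT real logs). Field names are assumptions standing in
# for whatever your EDR/SIEM normalizes Windows events into. Timestamps are UTC ISO-8601.
SAMPLE_EVENTS = [
    {"host": "FS01", "ts": "2025-11-16T02:14:05", "kind": "logon",
     "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_backup"},
    {"host": "FS01", "ts": "2025-11-16T02:15:40", "kind": "service_install",
     "service": "AnyDesk Service", "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe"},
    {"host": "FS01", "ts": "2025-11-16T02:16:02", "kind": "group_add",
     "group": "Administrators", "member": "helpdesk2"},
    {"host": "FS01", "ts": "2025-11-16T02:30:00", "kind": "file_rename",
     "count": 4800, "window_s": 60},
    {"host": "BK01", "ts": "2025-11-16T02:18:11", "kind": "process",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "WS22", "ts": "2025-11-16T10:02:00", "kind": "logon",
     "logon_type": 10, "src_ip": "10.20.5.14", "user": "jdoe"},
    {"host": "WS22", "ts": "2025-11-16T10:05:00", "kind": "file_rename",
     "count": 30, "window_s": 60},
]

MANAGED_NETS = [ipaddress.ip_network("10.0.0.0/8")]        # assumption: your corporate ranges
REMOTE_TOOL_MARKERS = ("anydesk", "logmein", "splashtop")  # tools named in the advisory summaries
# Common shadow-copy / backup-catalog deletion commands seen before encryption.
BACKUP_TAMPER_MARKERS = ("vssadmin delete shadows", "wbadmin delete catalog")
RENAME_RATE_THRESHOLD = 20.0   # renames per second; tune per file server (assumption)
OFF_HOURS = (20, 6)            # 20:00-06:00 treated as off-hours (assumption)

def is_off_hours(ts: str) -> bool:
    hour = datetime.fromisoformat(ts).hour
    start, end = OFF_HOURS
    return hour >= start or hour < end

def is_unmanaged(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in MANAGED_NETS)

def score_event(ev: dict) -> list[tuple[str, int]]:
    """Map one normalized event to zero or more (signal, weight) pairs."""
    signals = []
    kind = ev["kind"]
    if kind == "logon" and ev.get("logon_type") == 10:      # logon type 10 = RemoteInteractive (RDP)
        if is_unmanaged(ev["src_ip"]):
            signals.append(("rdp_from_unmanaged_ip", 3))
        if is_off_hours(ev["ts"]):
            signals.append(("off_hours_rdp", 1))
    elif kind == "service_install":
        blob = (ev.get("service", "") + " " + ev.get("image", "")).lower()
        if any(m in blob for m in REMOTE_TOOL_MARKERS):
            signals.append(("remote_tool_installed", 3))
    elif kind == "group_add" and ev.get("group", "").lower() == "administrators":
        signals.append(("new_local_admin", 2))
    elif kind == "file_rename":
        rate = ev["count"] / max(ev.get("window_s", 1), 1)
        if rate >= RENAME_RATE_THRESHOLD:
            signals.append(("mass_rename_burst", 4))
    elif kind == "process":
        cmd = ev.get("cmd", "").lower()
        if any(m in cmd for m in BACKUP_TAMPER_MARKERS):
            signals.append(("backup_tamper", 6))             # high confidence: escalates alone
    return signals

def score_hosts(events: list[dict]) -> dict[str, dict]:
    """Aggregate per-host score plus the distinct signals that produced it, in time order."""
    out: dict[str, dict] = defaultdict(lambda: {"score": 0, "signals": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        for signal, weight in score_event(ev):
            host = out[ev["host"]]
            host["score"] += weight
            if signal not in host["signals"]:
                host["signals"].append(signal)
    return dict(out)

def hosts_to_escalate(scored: dict[str, dict], threshold: int = 6) -> list[str]:
    """Hosts whose combined behavioral score crosses the escalation threshold."""
    return sorted(h for h, r in scored.items() if r["score"] >= threshold)

if __name__ == "__main__":
    scored = score_hosts(SAMPLE_EVENTS)
    for host, result in scored.items():
        print(host, result)
    print("escalate:", hosts_to_escalate(scored))
```

Backup tampering is weighted so it escalates on its own; the other signals only escalate in combination, which is the point of the advisory's warning about legitimate tools. In practice, feed the scorer from a SIEM export rather than the inline sample, and keep the allowlisted ranges and thresholds in configuration rather than in code.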
Operational realities (what breaks, what doesn’t)
- MFA exceptions are your soft spots. Executive and service-account carve-outs remain common. Replace them with phishing-resistant methods (FIDO2/passkeys) or time-bound break-glass credentials with audit trails.
- Vendor remote access needs adult supervision. Time-box sessions, require ticket numbers, and record sessions where policy allows. Kill "always-on" jump clients kept "just in case."
- Backups are fragile by default. Don't assume immutability: verify object-lock/policy on critical jobs and test a restore to an isolated environment weekly. If your backup server can delete its own repositories without secondary authorization, treat that as an incident waiting to happen.
- Logging can be tampered with. Recent campaigns include disabling or evading logs. Forward critical logs in near real time to a location the attacker can't reach (cloud SIEM or write-once storage), because an intruder with admin rights on the source can clear whatever is left behind.
Evidence leaders want this week
- Exposure proof: A one-page before/after of Internet-exposed services (RDP/VPN, vendor portals) and edge devices patched or gated.
- Backup resilience: % of critical jobs with immutability/object-lock; successful isolated restore test date; MFA on backup consoles.
- Remote-tool hygiene: Count of unmanaged remote-access tools discovered and removed; EDR rule status for new installs/process spawning.
- Hypervisor safeguards: Network diagrams showing management-plane isolation; least-privilege roles; snapshot/delete guardrails.
- KEV alignment: For any KEV tied to ransomware intrusion paths this week, show whether your SLO met or beat CISA's due dates.
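For the "KEV alignment" line above (and the patch-SLO point under "Why it matters"), the evidence is a join between CISA's KEV feed and your asset records. The following Python is an added example, not from the advisory or this newsletter: it reads a constructed excerpt in the shape of the KEV JSON feed (the field names `cveID`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse` are the real feed's; the values are placeholders, not the live catalog entry, and the ransomware flag is set only to exercise the tighter internal target), classifies each constructed asset as having beaten the internal SLO, met CISA's date, missed it, or remaining open, overdue or gated behind a compensating control, and summarizes the counts. The 3-day/7-day internal targets are an assumption, not CISA policy.

```python
import json
from datetime import date, timedelta

# Constructed excerpt in the shape of CISA's KEV JSON feed. The field names are the real
# feed's; the values (dates, ransomware flag) are placeholders for this example, not a copy
# of the live catalog entry.
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [{
        "cveID": "CVE-2025-64446",
        "vendorProject": "Fortinet",
        "product": "FortiWeb",
        "vulnerabilityName": "Fortinet FortiWeb Path Traversal Vulnerability",
        "dateAdded": "2025-11-14",
        "dueDate": "2025-11-21",
        "knownRansomwareCampaignUse": "Known",
    }],
})

# Constructed asset inventory (not real hosts): what each exposed device did about the CVE.
ASSETS = [
    {"asset": "fortiweb-dmz-01", "cve": "CVE-2025-64446", "patched_on": "2025-11-15"},
    {"asset": "fortiweb-dmz-02", "cve": "CVE-2025-64446", "patched_on": None, "gated_on": "2025-11-16"},
    {"asset": "fortiweb-lab-03", "cve": "CVE-2025-64446", "patched_on": "2025-11-24"},
    {"asset": "fortiweb-branch-04", "cve": "CVE-2025-64446", "patched_on": None},
]

# Internal SLO (an assumption, not CISA policy): ransomware-linked KEVs get 3 days from
# dateAdded, others 7, and the internal target is never later than CISA's dueDate.
INTERNAL_DAYS = {"Known": 3, "Unknown": 7}

def load_kev(feed_json: str) -> dict[str, dict]:
    """Index the feed by CVE ID with CISA's due date and the derived internal target."""
    index = {}
    for v in json.loads(feed_json)["vulnerabilities"]:
        added = date.fromisoformat(v["dateAdded"])
        cisa_due = date.fromisoformat(v["dueDate"])
        flag = v.get("knownRansomwareCampaignUse", "Unknown")
        internal_due = min(cisa_due, added + timedelta(days=INTERNAL_DAYS.get(flag, 7)))
        index[v["cveID"]] = {"cisa_due": cisa_due, "internal_due": internal_due,
                             "ransomware": flag == "Known"}
    return index

def classify(asset: dict, kev: dict, as_of: date) -> dict:
    """Status of one asset versus CISA's due date; days_vs_cisa_due > 0 means margin left."""
    patched = date.fromisoformat(asset["patched_on"]) if asset.get("patched_on") else None
    gated = date.fromisoformat(asset["gated_on"]) if asset.get("gated_on") else None
    if patched is not None:
        if patched <= kev["internal_due"]:
            status = "beat_slo"        # ahead of both the internal target and CISA
        elif patched <= kev["cisa_due"]:
            status = "met_cisa"        # on time for CISA, slower than the internal target
        else:
            status = "missed"
        days = (kev["cisa_due"] - patched).days
    else:
        days = (kev["cisa_due"] - as_of).days
        if gated is not None:          # interface pulled offline / allowlisted while unpatched
            status = "gated_pending" if days >= 0 else "gated_overdue"
        else:
            status = "open" if days >= 0 else "overdue"
    return {"asset": asset["asset"], "cve": asset["cve"], "status": status,
            "days_vs_cisa_due": days, "ransomware_linked": kev["ransomware"]}

def report(feed_json: str, assets: list[dict], as_of: str) -> list[dict]:
    """Evaluate every asset as of an ISO date; CVEs absent from the feed are flagged, not dropped."""
    kev = load_kev(feed_json)
    today = date.fromisoformat(as_of)
    rows = []
    for a in assets:
        if a["cve"] not in kev:
            rows.append({"asset": a["asset"], "cve": a["cve"], "status": "not_in_kev",
                         "days_vs_cisa_due": None, "ransomware_linked": False})
            continue
        rows.append(classify(a, kev[a["cve"]], today))
    return rows

def summarize(rows: list[dict]) -> dict[str, int]:
    """Counts per status: the one-line number leadership asks for."""
    counts: dict[str, int] = {}
    for r in rows:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return dict(sorted(counts.items()))

if __name__ == "__main__":
    rows = report(KEV_FEED_JSON, ASSETS, "2025-11-20")
    for r in rows:
        print(f'{r["asset"]:<20} {r["status"]:<15} days_vs_cisa_due={r["days_vs_cisa_due"]}')
    print(summarize(rows))
```

Run it against the real feed (the JSON download linked from the KEV catalog page) and a CMDB export instead of the inline samples. The as-of date is passed explicitly so the same report can be regenerated unchanged for the Day 7 retro, and a gated-but-unpatched device stays visible as its own status rather than disappearing into "compliant."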
7-day follow-through
- Days 1–2: Shut unneeded remote access; rotate VPN credentials; enforce MFA everywhere; snapshot the current external attack surface.
- Day 3: Patch or gate edge devices with active exploitation (e.g., FortiWeb CVE-2025-64446); remove public admin surfaces; document compensating controls if a patch is deferred.
- Day 4: Lock backup consoles (MFA/JIT); export offline configs; turn on immutability for Tier-0 data; test an isolated restore.
- Day 5: Hypervisor review (ESXi/Hyper-V/AHV): management isolation, role pruning, disable shell/SSH where not required; validate that backup accounts can't delete repositories without secondary authorization.
- Day 6: Threat hunt for living-off-the-land activity: new remote-tool installs, odd RDP ingress, backup tampering, mass rename events, data staging.
- Day 7: Retro with leadership: show exposure proof, backup resilience metrics, KEV compliance, and 1–2 process changes to make next month faster (e.g., pre-approved emergency windows; golden images for backup/hypervisor mgmt hosts).
AI trend (blurb)
Gemini 3 lands, raising the bar for enterprise evals. After a week of mounting signals, Google formally launched Gemini 3 today, touting multimodal and "thought-partner" updates in Search and the Gemini apps. For IT leaders, the implication isn't just features; it's governance: refresh evaluation gates (safety, accuracy, and data handling) before expanding employee access, and monitor traffic shifts from classic search to AI-generated answers, which can change referral and support patterns.
FAQ
CTA: Stay ahead each week
Subscribe to IT Trends Weekly for one concise, citation-first brief each week (with a copy-paste checklist).
Sources & citations
- CISA — #StopRansomware: Akira Ransomware (AA24-109A, updated Nov 13, 2025).
- IC3 — PDF mirror of the AA24-109A update.
- AHA — Summary of the joint advisory update and its "imminent threat" language.
- Cybersecurity Dive — Akira targeting critical sectors; double extortion and remote-tool abuse.
- TechTarget (health sector lens) — "Imminent threat to critical infrastructure."
- Nutanix AHV targeting context — Akira targeting AHV VM disk files.
- FortiWeb under active exploitation — CVE-2025-64446 exploitation and timeline; Qualys write-up; Fortinet PSIRT.
- AI blurb — Gemini 3 launch coverage: AP News; VentureBeat.