Akira - How to Remove

Last updated: 2026-04-21

Incident Response Guide: Akira Ransomware

Incident Triage Steps

Within the first 30 minutes of suspecting an Akira ransomware incident, execute the following steps to assess scope and impact.

1. Immediate System Assessment:

  • Isolate the initially reported workstation or server from the network by disabling its network adapter or unplugging the network cable. Do not shut it down yet, as this destroys volatile evidence.
  • Identify the user account associated with the initial infection. Check for newly created files with the .akira extension or a ransom note named akira_readme.txt. Akira typically drops this note in every affected directory.
  • Using a trusted command-line tool, inspect the system's running processes for suspicious executables. Common Akira payload names observed include service.exe, update.exe, or strings containing akira. Look for processes with high CPU or disk I/O, which can indicate active encryption.

2. Scope Identification:

  • Immediately query your EDR solution or SIEM platform for alerts related to:
    • Mass file renames to the .akira extension.
    • Execution of vssadmin.exe delete shadows /all /quiet or wbadmin.exe delete catalog, the commands Akira uses to delete Volume Shadow Copies.
    • Network connections to known Akira C2 servers (often on ports 443 or 8443). Check for outbound connections to IPs associated with recent Akira campaigns.
  • Review firewall and proxy logs for connections to suspicious TOR nodes or domains, as Akira uses TOR-based payment sites.
  • Determine if the attack is spreading via Active Directory. Check for anomalous logins from the initially infected host to other systems, especially using tools like PsExec or WMI.
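
The two EDR/SIEM checks above (shadow copy deletion commands and mass renames to the .akira extension) can be expressed as simple detection logic. The following is an added example written for this guide, not code from the original page or any vendor product: it runs over constructed Windows telemetry (process-creation and file-rename records with assumed field names host, command_line, new_name and timestamp) and flags the shadow-copy deletion commands by regular expression and rename bursts with a sliding time window. Adapt the field names to your own EDR or SIEM schema.

```python
"""Added example (not part of the original guide): SIEM-style checks over constructed
Windows telemetry for the two scope-identification indicators named above."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shadow-copy / backup-catalog deletion commands named in the guide. \s+ tolerates
# extra spacing and the match is case-insensitive, since casing varies in practice.
SHADOW_DELETION_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.IGNORECASE),
]


def find_shadow_copy_deletions(events):
    """Return (host, command_line) for every process-creation event whose command
    line matches one of the deletion patterns."""
    hits = []
    for ev in events:
        if ev.get("event_type") != "process_create":
            continue
        cmd = ev.get("command_line", "")
        if any(p.search(cmd) for p in SHADOW_DELETION_PATTERNS):
            hits.append((ev["host"], cmd))
    return hits


def find_mass_renames(events, extension=".akira", threshold=50, window=timedelta(minutes=5)):
    """Return {host: peak_count} for hosts with at least `threshold` renames to
    `extension` inside any `window`-long interval. Per-host timestamps are sorted
    and swept with two pointers, so the check is O(n log n)."""
    per_host = defaultdict(list)
    for ev in events:
        if ev.get("event_type") == "file_rename" and ev.get("new_name", "").lower().endswith(extension):
            per_host[ev["host"]].append(ev["timestamp"])
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


def constructed_events():
    """Constructed telemetry: one file server under active encryption, one quiet workstation."""
    base = datetime(2024, 1, 1, 3, 0, 0)  # constructed timestamp
    events = [
        {"event_type": "process_create", "host": "FS01", "timestamp": base,
         "command_line": "C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet"},
        {"event_type": "process_create", "host": "FS01", "timestamp": base + timedelta(seconds=5),
         "command_line": "wbadmin.exe delete catalog -quiet"},
        {"event_type": "process_create", "host": "WS07", "timestamp": base,
         "command_line": "vssadmin.exe list shadows"},  # benign: lists, does not delete
    ]
    # FS01: 120 renames within two minutes (a burst); WS07: 10 renames spread over an hour.
    for i in range(120):
        events.append({"event_type": "file_rename", "host": "FS01",
                       "timestamp": base + timedelta(seconds=i),
                       "new_name": f"\\\\FS01\\share\\doc{i}.docx.akira"})
    for i in range(10):
        events.append({"event_type": "file_rename", "host": "WS07",
                       "timestamp": base + timedelta(minutes=6 * i),
                       "new_name": f"C:\\Users\\a\\file{i}.xlsx.akira"})
    return events


if __name__ == "__main__":
    evs = constructed_events()
    for host, cmd in find_shadow_copy_deletions(evs):
        print(f"[SHADOW DELETION] {host}: {cmd}")
    for host, count in find_mass_renames(evs).items():
        print(f"[MASS RENAME] {host}: {count} .akira renames within 5 minutes")
```

The rename threshold and window are tuning knobs: a backup job or a bulk migration can legitimately rename many files, so set them from your own baseline and exclude known maintenance windows rather than lowering the threshold until the rule is silent.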

3. Data Exfiltration Assessment: Akira operators frequently exfiltrate data prior to encryption. Look for evidence of:

  • Large, unexpected outbound data transfers (hundreds of GBs) in the 24-72 hours before encryption began. Check data transfer logs from your email gateways, cloud storage sync services, and FTP servers.
  • Execution of archiving tools (such as 7zG.exe or WinRAR.exe) or data staging utilities from unusual locations.
  • Connections to known file-sharing or cloud storage domains not typically used by your business. Correlate this activity with the infected host.
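
The exfiltration indicators above (large outbound volume in the 24-72 hours before encryption, archivers run from odd locations, and destinations the business does not normally use) can be checked against proxy or NetFlow exports. The following is an added example written for this guide, not code from the original page: it uses constructed flow records and process events with assumed field names (host, dst_domain, bytes_out, timestamp, image_path), sums outbound bytes per host in the lookback window, and reports only destinations that the host never contacted during a baseline period before that window. It generalises the text slightly by deriving "not typically used" from the host's own history rather than from a fixed domain list.

```python
"""Added example (not part of the original guide): outbound-volume triage and
archiver-location check over constructed telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

GiB = 1024 ** 3

# Archiving tools named in the guide and the directories they are normally installed in.
# Launches from anywhere else (e.g., %TEMP%, %APPDATA%) deserve a closer look.
ARCHIVERS = {"7zg.exe", "7z.exe", "winrar.exe", "rar.exe"}
EXPECTED_INSTALL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def outbound_by_host(flows, start, end):
    """Sum bytes_out per host and per (host, destination) for flows with start <= ts < end."""
    totals = defaultdict(int)
    per_dest = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if start <= f["timestamp"] < end:
            totals[f["host"]] += f["bytes_out"]
            per_dest[f["host"]][f["dst_domain"]] += f["bytes_out"]
    return totals, per_dest


def exfil_candidates(flows, encryption_start, lookback=timedelta(hours=72),
                     baseline=timedelta(days=30), threshold=100 * GiB):
    """Hosts whose outbound volume in the `lookback` window before encryption reaches
    `threshold`, together with the destinations they never contacted during the
    `baseline` period that precedes the window."""
    window_start = encryption_start - lookback
    window_totals, window_dest = outbound_by_host(flows, window_start, encryption_start)
    _, baseline_dest = outbound_by_host(flows, window_start - baseline, window_start)
    flagged = {}
    for host, total in window_totals.items():
        if total < threshold:
            continue
        usual = set(baseline_dest.get(host, {}))
        new = {d: b for d, b in window_dest[host].items() if d not in usual}
        flagged[host] = {"bytes_out": total, "new_destinations": new}
    return flagged


def archivers_from_unusual_paths(process_events):
    """(host, image_path) for archiving tools launched outside their expected install dirs."""
    hits = []
    for ev in process_events:
        path = ev["image_path"].lower()
        name = path.rsplit("\\", 1)[-1]
        if name in ARCHIVERS and not path.startswith(EXPECTED_INSTALL_DIRS):
            hits.append((ev["host"], ev["image_path"]))
    return hits


def constructed_telemetry():
    """Constructed flows and process events around a constructed encryption start time."""
    enc = datetime(2024, 1, 10, 2, 0, 0)
    flows = []
    # Baseline month: FS01 ships about 2 GiB/day to the sanctioned backup service.
    for d in range(1, 31):
        flows.append({"host": "FS01", "dst_domain": "backup.example.test",
                      "bytes_out": 2 * GiB, "timestamp": enc - timedelta(days=3 + d)})
    # The same sync continues inside the window: a known destination, modest volume.
    flows.append({"host": "FS01", "dst_domain": "backup.example.test",
                  "bytes_out": 2 * GiB, "timestamp": enc - timedelta(hours=48)})
    # Exfiltration: 150 GiB to a never-before-seen domain, 36 hours before encryption.
    for i in range(15):
        flows.append({"host": "FS01", "dst_domain": "drop.example.test", "bytes_out": 10 * GiB,
                      "timestamp": enc - timedelta(hours=36) + timedelta(minutes=i)})
    # Ordinary workstation traffic, far below the threshold.
    for i in range(20):
        flows.append({"host": "WS07", "dst_domain": "cdn.example.test", "bytes_out": 50 * 1024 ** 2,
                      "timestamp": enc - timedelta(hours=1 + i)})
    procs = [
        {"host": "FS01", "image_path": "C:\\Users\\svc\\AppData\\Local\\Temp\\7zG.exe"},
        {"host": "WS07", "image_path": "C:\\Program Files\\7-Zip\\7zG.exe"},
    ]
    return flows, procs, enc


if __name__ == "__main__":
    flows, procs, enc = constructed_telemetry()
    for host, info in exfil_candidates(flows, enc).items():
        print(f"[EXFIL?] {host}: {info['bytes_out'] / GiB:.0f} GiB out; new destinations: "
              + ", ".join(f"{d} ({b / GiB:.0f} GiB)" for d, b in info["new_destinations"].items()))
    for host, path in archivers_from_unusual_paths(procs):
        print(f"[ARCHIVER] {host}: {path}")
```

The encryption start time is the earliest .akira file timestamp from triage; feed it in rather than the time the incident was reported, since the two can differ by hours.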

Evidence Collection

Before initiating containment or remediation, collect the following evidence to support forensic analysis and potential legal action.

Volatile Data (From Live Systems):

  • Memory Dump: Acquire a full memory dump (e.g., using a trusted memory forensic tool) from at least one infected, live system. This can reveal encryption keys, process artifacts, and network connections.
  • Process List & Network Connections: Run tasklist /v, netstat -anob, and wmic process list full using trusted copies of these utilities, redirecting the output to an external USB drive.
  • Precise Timelines: Record the exact time of the first encrypted file creation, ransom note appearance, and any suspicious process execution.

Akira-Specific Artifacts:

  • Ransom Note: Preserve the akira_readme.txt file. Note its location and content.
  • Encrypted Files: Preserve several encrypted files (with their .akira extension) and their unencrypted counterparts from backups if possible, for decryption analysis.
  • Registry: Export registry hives, particularly focusing on:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce for persistence.
    • HKLM\SYSTEM\CurrentControlSet\Services for suspicious service installations.
  • File System: Collect:
    • Prefetch files (C:\Windows\Prefetch\) for execution history.
    • Scheduled Tasks (from C:\Windows\System32\Tasks).
    • The malicious binary itself, often found in %TEMP%, %APPDATA%, or C:\Windows\.
  • Logs: Export relevant logs: Windows Event Logs (Security, System, Application), firewall logs, and EDR/SIEM event streams for the affected hosts covering at least 7 days prior to the incident.
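
Preserved artifacts (ransom note, encrypted files, registry exports, prefetch, logs) are only useful later if their integrity can be demonstrated, and the "precise timelines" item above needs the first encrypted file's timestamp. The following is an added example written for this guide, not a tool from the original page: it walks a collection directory, records size, UTC modification time and SHA-256 for every file in a JSON manifest, hashes the manifest itself for the custody log, and derives the first-encryption time from the earliest .akira file. The sample directory, file names (including the prefetch file name) and contents are constructed in a temporary directory.

```python
"""Added example (not part of the original guide): hashed evidence manifest and
first-encryption timestamp over a constructed collection directory."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SAMPLE_NOTE = b"constructed sample ransom note placeholder, not real content\n"
SAMPLE_FILES = {
    # relative path -> (content, modification time as Unix epoch seconds, UTC); all constructed
    "akira_readme.txt": (SAMPLE_NOTE, 1704081600),                    # 2024-01-01T04:00:00Z
    "docs/report.docx.akira": (b"\x00" * 512, 1704078000),             # 2024-01-01T03:00:00Z
    "docs/budget.xlsx.akira": (b"\xff" * 256, 1704081600),             # 2024-01-01T04:00:00Z
    "Prefetch/SAMPLE.EXE-00000000.pf": (b"SCCA" + b"\x00" * 32, 1704074400),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so a multi-GB memory dump is never loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """One entry per file under root: relative path, size, UTC modification time, SHA-256."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            entries.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "size": st.st_size,
                "mtime_epoch": st.st_mtime,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": hash_file(full),
            })
    entries.sort(key=lambda e: e["path"])
    return entries


def first_encryption_time(entries, extension=".akira"):
    """Earliest modification time among encrypted files as ISO-8601 UTC, or None."""
    encrypted = [e for e in entries if e["path"].lower().endswith(extension)]
    if not encrypted:
        return None
    return min(encrypted, key=lambda e: e["mtime_epoch"])["mtime_utc"]


def write_manifest(entries, out_path):
    """Write the manifest as JSON and return its SHA-256 for the chain-of-custody record."""
    data = json.dumps(entries, indent=2, sort_keys=True).encode()
    with open(out_path, "wb") as fh:
        fh.write(data)
    return sha256_hex(data)


def make_sample_evidence_dir():
    """Create the constructed artifacts in a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="akira_evidence_")
    for rel, (content, mtime) in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        os.utime(full, (mtime, mtime))  # pin the timestamp so the timeline is reproducible
    return root


if __name__ == "__main__":
    root = make_sample_evidence_dir()
    manifest = build_manifest(root)
    for e in manifest:
        print(f"{e['sha256']}  {e['size']:>8}  {e['mtime_utc']}  {e['path']}")
    print("first .akira file written:", first_encryption_time(manifest))
    print("manifest sha256:", write_manifest(manifest, os.path.join(root, "manifest.json")))
```

Run it against the collection drive immediately after acquisition and record the manifest hash in the custody log; copying the files later (for example into a case-management system) is then verifiable by rehashing. Note that NTFS modification times can be altered, so treat the derived first-encryption time as corroborating evidence alongside EDR or event-log timestamps.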

Containment Procedures

Contain the outbreak to prevent further encryption and C2 communication.

1. Network Segmentation:

  • Immediately segment the network. Place all identified infected hosts and any potentially compromised systems into an isolated VLAN with no internet or internal network access.
  • Block all outbound traffic from the affected segment to the internet at the firewall, especially on ports 443, 8443, and common TOR ports (9001+). This hinders C2 communication and data exfiltration.
  • Disable all inter-VLAN routing for the isolated segment.

2. Credential Security:

  • Scope: Reset passwords for all domain and local administrator accounts. Prioritize accounts that were active on infected hosts or showed anomalous logins during the initial triage phase.
  • Process: Use a clean, trusted system to reset passwords. If AD compromise is suspected, consider invalidating existing Kerberos tickets by resetting the krbtgt account password, and implement a two-phase password reset for domain admin accounts.
  • Lateral Movement: Disable all service accounts used for scheduled tasks or application pools on affected servers until they can be verified.

3. C2 and Attack Infrastructure Blocking:

  • Update your perimeter and internal firewalls, web proxies, and DNS filtering solutions to block all IOCs (IPs, domains) associated with the current Akira campaign.
  • Block traffic to known TOR network nodes at the perimeter if not already standard practice.
  • Implement temporary blocks on common data exfiltration paths, such as unauthorized cloud storage APIs or uncommon FTP destinations observed in your logs.

Eradication and Recovery

Eradicate the malware and restore operations from clean backups.

1. Complete Removal:

  • Do not simply delete the ransomware binary or remove the .akira extension. Follow a detailed, per-system removal procedure.
  • Refer to the dedicated Removal Guide for comprehensive, step-by-step instructions to eliminate Akira artifacts, registry entries, and persistence mechanisms from each affected system.

2. Restoration from Backups:

  • Verification: Before restoration, ensure your backup media and backup servers are completely isolated from the infected network and are themselves clean. Scan backup files for malware.
  • Process: Restore encrypted data from the most recent clean, verified backup. Prioritize restoration of critical business systems.
  • Validation: After restoration, thoroughly validate file integrity and system functionality. Ensure no ransom notes or encrypted file remnants remain.

3. Verification of Clean State:

  • Perform full anti-malware scans on all affected systems using updated signatures.
  • Re-image any systems where the depth of compromise is unclear or where persistence mechanisms were complex.
  • Before re-introducing systems to the production network, monitor them in the isolated segment for any residual malicious network traffic or processes.

Lessons Learned Checklist

After containment and recovery, conduct a formal post-incident review.

Attack Vector Analysis:

  • How did Akira initially gain access? (e.g., Exploited unpatched VPN appliance? Successful phishing email leading to credential theft? Compromised RDP endpoint?)
  • What specific vulnerability (CVE) or misconfiguration was exploited?

Control Failures:

  • Prevention: Which controls failed? (e.g., Lack of application allow-listing that could have blocked the payload? Missing patch for the exploited vulnerability? Inadequate spam filtering?)
  • Detection: What detection gaps existed? (e.g., EDR alerts were triggered but not investigated? No monitoring for vssadmin deletion commands? SIEM rules for mass file renames were not in place?)
  • Response: Were response playbooks for ransomware followed? Was isolation fast enough to prevent widespread encryption?

Improvement Actions:

  • Technical: Patch the identified initial access vector. Implement stronger network segmentation. Enhance logging and monitoring for Akira-specific TTPs (Tactics, Techniques, and Procedures). Review and test backup integrity and restoration procedures.
  • Process: Update incident response playbooks with lessons from this event. Conduct tabletop exercises focusing on ransomware. Improve user awareness training based on the initial phishing vector (if applicable).
  • Strategic: Consider implementing or strengthening controls like multi-factor authentication (MFA) for all external access, privileged access management (PAM), and endpoint detection and response (EDR) capabilities.

For more information on Akira, refer to the Akira Overview. To proactively identify infections, see the Detection Guide.