IronSights

Incident response · Akira ransomware

Hit by Akira ransomware? More may be recoverable than the note claims.

Akira has been one of the most consistently active ransomware operations in Australia. It is also, by design, a fast and incomplete encryptor: on large files it scrambles only portions and leaves the rest intact. That design choice is often the opening a recovery works through, without paying.

Recognise it

How to confirm it is Akira.

Before anything else, keep the encrypted files and every ransom note exactly where they are. They identify the strain, and they are often the raw material a recovery works from.

File extension
.akira appended to encrypted files (some later variants use different extensions, including .powerranges)
Ransom note
akira_readme.txt, dropped in affected folders, pointing to a Tor negotiation site
First seen
March 2023; subject of the joint CISA #StopRansomware advisory AA24-109A
Typical entry
VPN appliances without multi-factor authentication, stolen credentials, and unpatched remote access systems

Behaviour

What Akira does to your systems.

Partial encryption by design

Akira encrypts small files fully but only encrypts portions of larger files, and affiliates can dial the encrypted percentage down for speed. The rest of the file is left untouched on disk.

Shadow copies deleted

Like most modern strains, it deletes Windows volume shadow copies so the easy restore path is gone.

Double extortion

Data is exfiltrated before encryption and the threat of publication is used as a second lever alongside the locked files.

Hybrid encryption

A combination of AES and RSA. Breaking the encryption itself is not a realistic recovery path; working with what was never encrypted is.

Windows, Linux and ESXi

Akira variants target VMware ESXi hosts and Linux systems as well as Windows, so virtualised environments are squarely in scope.

Active against Australia

Akira has ranked among the most active strains in Australian incidents across 2024 and 2025, across sectors and business sizes.

The honest answer

Can Akira-encrypted files be recovered?

Often, substantially, yes. Akira's speed comes from not encrypting everything: on files past a size threshold it encrypts a set of blocks rather than the whole file, and affiliates frequently configure even lighter touches. On large structured files (databases, virtual disks, archives) that leaves most of the underlying data physically intact on disk, recoverable by locating the untouched structures and rebuilding them without any key.

Two honest caveats. Small files are usually encrypted in full, because encrypting a small file costs the attacker nothing. And a free decryptor released in mid-2023 works only against early Akira builds; current variants patched the flaw it relied on, so do not plan around it (check nomoreransom.org, then move on).

Our assessment is quick: the strain build, a sample of encrypted files and their sizes tell us within hours what looks recoverable. Keep the encrypted files, and do not let anyone rebuild the affected machines before that assessment happens.

Common questions

Akira, in plain terms.

Mid-incident and need a straight answer? Call 1300 004 766. A person answers, 24 hours a day.

  1. What is the .akira file extension?

    Files renamed with a .akira extension have been encrypted by the Akira ransomware operation, active since March 2023 and consistently among the most active strains hitting Australian organisations. The ransom note is usually named akira_readme.txt. Keep the encrypted files and notes; they identify the exact build and are often the raw material a recovery works from.

  2. Can .akira files be decrypted for free?

    Usually not any more. A free decryptor released in 2023 exploited a flaw in early Akira builds, and the operators patched it. Current variants have no public decryptor. Check nomoreransom.org in case your incident involves an old build, but the realistic recovery paths are backups, snapshots, and partial-encryption recovery of the data Akira never touched.

  3. Can Akira-encrypted files be recovered without paying?

    Often, partially, and sometimes substantially. Akira encrypts only portions of large files for speed, so databases, virtual disks and archives frequently retain most of their data intact. That intact data can be located, carved and rebuilt without the attacker's key. It is a recovery effort with honest limits, not a guarantee, and small fully-encrypted files are usually a loss without backups.

  4. Akira hit our ESXi hosts. Does that change anything?

    It changes the mechanics, not the principle. Akira's Linux variant encrypts virtual machine disk files on ESXi datastores, and VMDKs are exactly the kind of large structured file where partial encryption leaves a great deal intact. Do not delete or recreate the datastores; leave everything in place and get an assessment first.

  5. What should we do in the first hour?

    Isolate the affected machines but leave them powered on, keep every encrypted file and ransom note, take surviving backups offline, and start a simple timeline of what happened when. Do not rebuild, do not run cleanup tools, and do not pay in a panic. Our First-Response Guide covers this on one printable page, and 1300 004 766 is answered around the clock.

Right now

The first hours decide what can be saved.

Isolate the machines, keep the encrypted files, take backups offline, and call before anything gets rebuilt. Australian incident response, answered by a real person.