Akira Ransomware Attack Exploits Disabled VPN Account

Akira Ransomware Attack Exploits Disabled VPN Account

First seen 29 May 2026, 18:41 UTC Isc.Sans.EduSocprime 84% similarity 70.5

Article Content

Browse articles
ThreatCluster

A recent Akira ransomware attack targeted a mid-sized organization by exploiting a disabled local SSL VPN account through brute-force methods. The attackers gained initial access, performed credential discovery, and executed lateral movement using RDP. Key actions included clearing logs and deleting shadow copies before encryption occurred. The entire intrusion was reconstructed using only firewall syslog and Windows event logs, without endpoint detection tools. Event IDs such as 4624, 4688, and 4769 were crucial in mapping the kill chain. Recommendations include enforcing MFA, removing disabled accounts from access lists, and enhancing log retention policies. The incident highlights the importance of combining perimeter and endpoint telemetry for early detection of ransomware activities.

Key Points: • Attackers exploited a disabled SSL VPN account via brute-force methods. • The intrusion was reconstructed using firewall and Windows event logs without EDR. • Recommendations include enforcing MFA and improving remote access security.

ThreatCluster AI

Timeline

2026-05-24
Brute-force attack initiated
Attackers targeted a disabled local SSL VPN account, successfully authenticating after multiple attempts.
Isc.Sans.Edu
2026-05-24
Initial access gained
Following successful authentication, attackers accessed the internal network via the VPN.
Socprime
2026-05-24
Credential discovery and lateral movement
Attackers performed credential discovery and lateral movement over RDP, leading to further access.
Socprime
2026-05-24
Logs cleared and shadow copies deleted
Before launching encryption, attackers cleared logs and deleted shadow copies to hinder detection.
Socprime
2026-05-27
Incident analysis published
A detailed analysis of the Akira ransomware attack was published, outlining the kill chain and recommendations for prevention.
Isc.Sans.Edu

Community

Browse all →