Akira Ransomware Attack Exploits Disabled VPN Account
Severity: High (Score: 70.5)
Sources: Isc.Sans.Edu, Socprime
Keywords: akira, ransomware, kill, chain, logs, reconstructed, reconstructing
Severity indicators: ransomware, akira
Summary
A recent Akira ransomware attack targeted a mid-sized organization by exploiting a disabled local SSL VPN account through brute-force methods. The attackers gained initial access, performed credential discovery, and executed lateral movement using RDP. Key actions included clearing logs and deleting shadow copies before encryption occurred. The entire intrusion was reconstructed using only firewall syslog and Windows event logs, without endpoint detection tools. Event IDs such as 4624, 4688, and 4769 were crucial in mapping the kill chain. Recommendations include enforcing MFA, removing disabled accounts from access lists, and enhancing log retention policies. The incident highlights the importance of combining perimeter and endpoint telemetry for early detection of ransomware activities.
Key Points:
- Attackers exploited a disabled SSL VPN account via brute-force methods.
- The intrusion was reconstructed using firewall and Windows event logs without EDR.
- Recommendations include enforcing MFA and improving remote access security.
Detailed Analysis
**Impact**
A mid-sized organization operating a single-site Active Directory forest was compromised via a disabled local SSL VPN account. The attackers achieved domain-level privileges, impacting domain controllers, file servers, and backup servers. The incident resulted in ransomware encryption and deletion of shadow copies, potentially causing significant operational disruption and data loss. No specific sector or geographic details were provided.
**Technical Details**
Initial access was gained through brute-force credential stuffing against a disabled local SSL VPN account that had no MFA and was still enabled on the firewall. The attacker performed domain discovery using native Windows tools, executed Kerberoasting attacks on service accounts, and moved laterally primarily via RDP sessions. Before encryption, logs were cleared (Event ID 1102) and shadow copies were deleted. The kill chain was reconstructed using firewall SSL VPN syslog and Windows EVTX logs (notably Event IDs 4624, 4688, 4769, 1102, and 7036). No CVEs or specific malware hashes were reported.
**Recommended Response**
Immediately disable and remove deprovisioned accounts from all access control lists, including firewalls, and enforce MFA on all remote access points. Deploy detection rules for RC4-encrypted Kerberos tickets, shadow copy deletion commands, and suspicious PowerShell usage with encoded commands. Enable detailed process creation auditing (Event ID 4688) and increase security log retention with external log forwarding. Isolate compromised accounts and systems upon detection, reset credentials, preserve logs for forensic analysis, and restore data from clean backups.
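As an added illustration of the detection and reconstruction approach described above (example code written for this page, not code from the ISC or SOC Prime articles), the following Python script applies the recommended rules to a handful of constructed Windows event records and orders the hits into a kill-chain timeline tagged with the MITRE ATT&CK techniques listed under Related entities. The event records, host names, account names, IP address and the short base64 string are constructed assumptions; the field names follow the usual names Windows exports for these Event IDs (TargetUserName, ServiceName, TicketEncryptionType, LogonType, NewProcessName, CommandLine). It also flags the telemetry gap the article warns about: without 4688 process creation auditing, the vssadmin and PowerShell stages are invisible.

```python
"""Map Windows event-log records to the Akira kill-chain stages described above."""
import re
from dataclasses import dataclass

# Constructed sample events (assumed field names; not data from the incident).
SAMPLE_EVENTS = [
    {"time": "2026-05-24T02:14:07", "event_id": 4624, "host": "FS01",
     "TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "10.10.8.23"},
    {"time": "2026-05-24T02:20:41", "event_id": 4769, "host": "DC01",
     "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17"},
    {"time": "2026-05-24T02:20:42", "event_id": 4769, "host": "DC01",
     "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "WS42$",
     "TicketEncryptionType": "0x12"},
    {"time": "2026-05-24T03:02:10", "event_id": 4688, "host": "FS01",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc QQBCAEMA"},   # constructed base64 ("ABC")
    {"time": "2026-05-24T03:40:55", "event_id": 4688, "host": "FS01",
     "NewProcessName": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2026-05-24T03:41:30", "event_id": 1102, "host": "FS01",
     "SubjectUserName": "svc_backup"},
    {"time": "2026-05-24T02:00:00", "event_id": 4688, "host": "WS42",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe"},
]

RC4_HMAC = "0x17"  # ticket encryption type for RC4-HMAC in Event ID 4769
# vssadmin delete shadows ... (T1490, Inhibit System Recovery)
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# -e / -ec / -en / -enc / -EncodedCommand, but not -ExecutionPolicy (T1059.001)
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\b", re.IGNORECASE)


@dataclass
class Finding:
    time: str
    host: str
    technique: str
    detail: str


def classify(event):
    """Return (technique, detail) if the event matches one of the detection rules."""
    eid = event["event_id"]
    if eid == 4769:
        svc = event.get("ServiceName", "")
        # RC4 TGS requests for user service accounts; computer accounts ($) and
        # krbtgt are excluded to cut the usual noise.
        if (event.get("TicketEncryptionType") == RC4_HMAC
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            return "T1558.003", f"RC4 TGS for {svc} requested by {event.get('TargetUserName')}"
    elif eid == 4624:
        if int(event.get("LogonType", 0)) == 10:  # RemoteInteractive = RDP
            return "T1021.001", f"RDP logon as {event.get('TargetUserName')} from {event.get('IpAddress')}"
    elif eid == 4688:
        cmd = event.get("CommandLine", "")
        exe = event.get("NewProcessName", "").lower()
        if SHADOW_DELETE.search(cmd):
            return "T1490", f"shadow copy deletion: {cmd}"
        if exe.endswith("powershell.exe") and ENCODED_FLAG.search(cmd):
            return "T1059.001", f"encoded PowerShell: {cmd}"
    elif eid == 1102:
        return "T1070.001", f"Security log cleared by {event.get('SubjectUserName')}"
    return None


def reconstruct(events):
    """Apply the rules to every event and return the hits in chronological order."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append(Finding(ev["time"], ev["host"], hit[0], hit[1]))
    return sorted(findings, key=lambda f: f.time)


def audit_gaps(events):
    """Flag telemetry gaps that would have blinded this reconstruction."""
    gaps = []
    proc = [e for e in events if e["event_id"] == 4688]
    if not proc:
        gaps.append("no 4688 records: process creation auditing not enabled or not forwarded")
    elif not any("CommandLine" in e for e in proc):
        gaps.append("4688 records lack CommandLine: enable command-line auditing")
    return gaps


if __name__ == "__main__":
    for f in reconstruct(SAMPLE_EVENTS):
        print(f"{f.time} {f.host:<5} {f.technique:<10} {f.detail}")
    for g in audit_gaps(SAMPLE_EVENTS):
        print("GAP:", g)
```

Run against the constructed sample the script yields the five stages in order: RDP logon, RC4 ticket request, encoded PowerShell, shadow copy deletion, log clearing; the AES ticket (0x12) for a computer account and the notepad process produce no finding. Feeding it only 4624 records returns the audit gap, which is the practical reason the article stresses enabling 4688 auditing before an incident rather than after.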
Source articles (2)
- Reconstructing an Akira Ransomware Kill Chain from Perimeter and Endpoint Logs, (Wed, May 27th) — Isc.Sans.Edu · 2026-05-27
  Most Akira write-ups focus on the ransom note or the encryption routine. By the time those show up the interesting forensic work is over. The questions that matter to defenders sit earlier. How did th…
- Akira Ransomware Kill Chain Reconstructed from Logs — Socprime · 2026-05-29
  The article describes a recent intrusion linked to the Akira ransomware operation. The attackers obtained initial access by brute-forcing a disabled local SSL VPN account, then moved on to credential…
Timeline
- 2026-05-24 — Brute-force attack initiated: Attackers targeted a disabled local SSL VPN account, successfully authenticating after multiple attempts.
- 2026-05-24 — Initial access gained: Following successful authentication, attackers accessed the internal network via the VPN.
- 2026-05-24 — Credential discovery and lateral movement: Attackers performed credential discovery and lateral movement over RDP, leading to further access.
- 2026-05-24 — Logs cleared and shadow copies deleted: Before launching encryption, attackers cleared logs and deleted shadow copies to hinder detection.
- 2026-05-27 — Incident analysis published: A detailed analysis of the Akira ransomware attack was published, outlining the kill chain and recommendations for prevention.
Related entities
- Brute Force (Attack Type)
- Credential Stuffing (Attack Type)
- Ransomware (Attack Type)
- T1021.001 - Remote Desktop Protocol (Mitre Attack)
- T1033 - System Owner/User Discovery (Mitre Attack)
- T1059.001 - PowerShell (Mitre Attack)
- T1069 - Permission Groups Discovery (Mitre Attack)
- T1070.001 - Clear Windows Event Logs (Mitre Attack)
- T1078 - Valid Accounts (Mitre Attack)
- T1110 - Brute Force (Mitre Attack)
- T1136 - Create Account (Mitre Attack)
- T1486 - Data Encrypted for Impact (Mitre Attack)
- T1490 - Inhibit System Recovery (Mitre Attack)
- T1558.003 - Kerberoasting (Mitre Attack)
- Linux (Platform)
- Windows (Platform)
- Akira (Ransomware Group)
- Akira Ransomware (Ransomware Group)
- AdFind.exe (Tool)
- Cmd.exe (Tool)
- Curl (Tool)
- Explorer.exe (Tool)
- Net.exe (Tool)
- Nltest.exe (Tool)
- PowerShell (Tool)
- Sc.exe (Tool)
- Vssadmin (Tool)
- Whoami.exe (Tool)