logo SOS Ransomware
Emergency 24/7

Decrypt the AKIRA Ransomware

You have a ransom note: AKIRA_README.txt

Are your files inaccessible due to the Akira ransomware? Have they been renamed to .akira? We have the tools to decrypt them.

Request a consultation
Screenshot

Presentation

Akira publicly emerged at the beginning of 2023, indirectly succeeding several dismantled or dissolved groups. Many analysts believe that its members come from former collectives such as Conti, Hive, or LockBit, which would explain the immediate maturity of its tools and methods. As of 2025, it remains one of the most active groups observed by incident response and data recovery teams. The group operates under a Ransomware-as-a-Service (RaaS) model, with a central core that develops the encryptor and manages communications, and affiliates responsible for intrusions and deployment. This structure enables rapid scaling and a strong ability to adapt.

Number of victims and targeted sectors

Since its emergence, AKIRA has claimed several hundred victims, with sustained activity in Europe, North America, and Asia-Pacific. The most affected sectors are:
  • Industry and manufacturing
  • Logistics and transportation
  • Professional services
  • Healthcare and education
  • SMEs and mid-sized companies with hybrid infrastructures
Unlike some opportunistic groups, AKIRA prioritizes targets that possess critical data and a high level of operational dependency, thereby maximizing pressure during negotiations.

Speed and encryption strategy

One of the strengths of the AKIRA ransomware lies in its high encryption speed. Field analyses show that:
  • le chiffrement peut débuter quelques minutes après l’accès administrateur,
  • file servers, virtual machines, and NAS devices are targeted as a priority,
  • connected backups are systematically deleted or encrypted.

AKIRA adapts its deployment to the environment: manual execution, automated scripts, or the use of native tools (Living off the Land). This approach reduces detection by EDR solutions and accelerates overall compromise.

Les 4 principaux concurrents d’Akira

Lynx
Nightspire
Ransomhouse
Blackshrantac
Anubis

Encryption algorithms used

AKIRA utilise un schéma de chiffrement hybride, combinant :

  • ChaCha20 for fast file encryption
  • RSA or ECC for session key protection.
The implementations observed are robust, with no known cryptographic vulnerability to date. In practice, this means that in the absence of usable backups, decrypting without the key provided by the group is nearly impossible. The ransomware also takes care not to encrypt certain system files, in order to avoid an immediate crash and allow the victim to read the ransom note.

AKIRA file extension

Once encryption is complete, affected files are renamed with a specific extension, usually:

.nomdufichier.akira

In some variants, the extension may include an identifier specific to the victim or the affiliate. This signature helps attribute the attack and is frequently used as an indicator of compromise (IoC).

Ransom note and communication

AKIRA drops a ransom note in every encrypted directory, often named:
README.txt ou AKIRA_README.txt

The content is relatively minimalistic, featuring:

  • confirmation of the data theft and encryption,
  • an explicit threat of publication on the group’s leak site,
  • an invitation to contact the operators via a dedicated Tor site.

AKIRA adopts a “professional” and non-insulting tone, aiming to establish a negotiation relationship rather than relying on brute intimidation.

Ransom amounts

The amounts demanded by AKIRA vary greatly depending on the size of the victim:

  • SMEs: from €50,000 to €300,000
  • Mid-sized / large enterprises: several million euros
  • Required currency: Bitcoin (primarily)

Impact on data recovery

AKIRA attacks present significant challenges for data recovery:

  • Deletion of snapshots,
  • Encryption of backups
  • Wiping or resetting of NAS devices
Recovery then relies on offline backups, degraded copies, or partial reconstructions, requiring advanced expertise.

Pourquoi choisir Recoveo pour récupérer vos données

SCANX est un ensemble d’outils propriétaires
Expérience : 25 ans, 25 personnes, depuis 20219 dans le ransomware
Vision globale monde et remote

Confidentialité garantie
Toutes saturations et environnement (lien interne vers les pages)
Serveurs, tout hyperviseurs, toutes vms, backup…

Our recovery process

1. Contact & Qualification Call

Immediate support through a technical call. We assess the incident to activate the emergency resources best suited to your critical situation.

2. Advanced Diagnosis

Secure cloning, sample analysis, and volume integrity assessment to determine technical feasibility and recoverable quality.

3. Final quote

Delivery of a transparent and detailed commercial offer, based on the diagnostic results, with no hidden fees and no prior commitment.

4. Recovery

Execution of reconstruction and repair work on damaged files by our expert engineers in our secure laboratory.

5. Listing & Validation

Verification of data integrity through a precise listing. Billing is triggered only if your priority files are functional.

6. Secure return

Transfer of the recovered data onto a new, clean storage device or via a secure link, depending on the volume and your security requirements.

Mobilise our emergency response team

Our laboratories are located in Paris and Lyon (France).

Get a response within the hour.

A specialised service from Recoveo, France’s leading data recovery provider.

Call us
Whatsapp

FAQ

Vos questions fréquentes

Tout ce que vous devez savoir sur les services de récupération de données de base de données.