There is mounting evidence that Akira ransomware targets Cisco VPN (virtual private network) products as an attack vector to breach corporate networks, steal data, and eventually encrypt it.
Akira ransomware is a relatively new ransomware operation launched in March 2023, with the group later adding a Linux encryptor to target VMware ESXi virtual machines.
Cisco VPN solutions are widely adopted across many industries to provide secure, encrypted data transmission between users and corporate networks, typically used by remotely working employees.
Reportedly, Akira has been using compromised Cisco VPN accounts to breach corporate networks without needing to drop additional backdoors or set up persistence mechanisms that could give them away.
Akira targets Cisco VPNs
Sophos first noted Akira’s abuse of VPN accounts in May, when researchers stated that the ransomware gang breached a network using “VPN access using Single Factor authentication.”
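The two observations above, logins with valid credentials on a single-factor VPN and no backdoor or persistence left behind, mean the VPN authentication logs are often the only place the intrusion is visible. The following script is an added example, not code from the original article or from Cisco, Sophos or Aura: it runs two simple checks over a constructed set of Cisco ASA syslog lines (the message IDs 113015, 113004 and 113039 are real ASA message types; the hostnames, users and IP addresses are made up). It flags a VPN session that starts right after a burst of rejected authentications for the same account and source IP, and accounts that open sessions from more than one source IP within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Cisco ASA syslog lines, not taken from any real incident.
# Message IDs follow Cisco's ASA syslog documentation:
#   113015 = AAA user authentication Rejected (carries user and client IP)
#   113004 = AAA user authentication Successful (no client IP; ignored below)
#   113039 = AnyConnect parent session started (carries user and client IP)
SAMPLE_LOGS = """\
Aug 21 2023 02:14:01 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.23
Aug 21 2023 02:14:09 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.23
Aug 21 2023 02:14:17 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.23
Aug 21 2023 02:14:25 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jdoe
Aug 21 2023 02:14:26 fw01 %ASA-4-113039: Group <RemoteAccess> User <jdoe> IP <198.51.100.23> AnyConnect parent session started.
Aug 21 2023 08:30:00 fw01 %ASA-4-113039: Group <RemoteAccess> User <asmith> IP <203.0.113.8> AnyConnect parent session started.
Aug 21 2023 09:05:12 fw01 %ASA-4-113039: Group <RemoteAccess> User <asmith> IP <192.0.2.77> AnyConnect parent session started.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<msg_id>\d{6}): (?P<body>.*)$"
)
REJECT_RE = re.compile(r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)")
SESSION_RE = re.compile(r"User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>")


def parse_events(text):
    """Turn raw ASA syslog lines into sorted (timestamp, kind, user, source_ip)
    tuples. Only rejects (113015) and session starts (113039) are kept, because
    those are the messages that carry the client IP."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        if m["msg_id"] == "113015":
            d = REJECT_RE.search(m["body"])
            if d:
                events.append((ts, "reject", d["user"], d["ip"]))
        elif m["msg_id"] == "113039":
            d = SESSION_RE.search(m["body"])
            if d:
                events.append((ts, "session", d["user"], d["ip"]))
    return sorted(events)


def find_failures_then_success(events, min_failures=3, window_s=600):
    """Flag a session start preceded by at least min_failures rejects for the
    same user from the same source IP within window_s seconds: the signature of
    a guessed or sprayed password finally succeeding on a single-factor VPN."""
    hits = []
    for i, (ts, kind, user, ip) in enumerate(events):
        if kind != "session":
            continue
        failures = sum(
            1 for pts, pkind, puser, pip in events[:i]
            if pkind == "reject" and puser == user and pip == ip
            and (ts - pts).total_seconds() <= window_s
        )
        if failures >= min_failures:
            hits.append((user, ip, failures))
    return hits


def find_multi_ip_sessions(events, window_s=3600):
    """Flag users who start VPN sessions from more than one source IP within
    window_s seconds. Worth a look when a credential may be in use by both the
    legitimate employee and someone who stole it."""
    by_user = defaultdict(list)
    for ts, kind, user, ip in events:
        if kind == "session":
            by_user[user].append((ts, ip))
    flagged = {}
    for user, sessions in by_user.items():
        for j, (ts, ip) in enumerate(sessions):
            ips = {ip2 for ts2, ip2 in sessions[j:] if (ts2 - ts).total_seconds() <= window_s}
            if len(ips) > 1:
                flagged[user] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOGS)
    for user, ip, n in find_failures_then_success(evts):
        print(f"session for {user} from {ip} after {n} rejected logins")
    for user, ips in find_multi_ip_sessions(evts).items():
        print(f"{user} opened sessions from multiple IPs: {', '.join(ips)}")
```

Both checks are deliberately coarse; on a real appliance the thresholds and windows need tuning, and the second check will produce noise for users who roam between networks. Neither check is a substitute for enforcing a second factor on the VPN, which is the control whose absence the Sophos report describes.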
However, an incident responder, known as ‘Aura,’ shared further information on Twitter on how they responded to multiple Akira incidents that were conducted using Cisco VPN