Akira Ransomware Hits US Manufacturer Koch & Co., Threatens to Leak 54GB of Data

Akira Ransomware Group Claims Cyberattack on Koch & Co., Allegedly Stealing 54GB of Financial and HR Data

HIGH
November 10, 2025
Ransomware, Data Breach, Cyberattack

Impact Scope

Affected Companies

Koch & Co., Inc.

Industries Affected

Manufacturing

Geographic Impact

United States (national)

Related Entities

Threat Actors: Akira ransomware

Other: Koch & Co., Inc.

Full Report

Executive Summary

The Akira ransomware group has claimed responsibility for a cyberattack against Koch & Co., Inc., a U.S.-based manufacturer of wood doors and cabinets. On November 7, 2025, the group posted the company's name on its dark web leak site, alleging the theft of 54GB of sensitive data. The threat actors are employing a double-extortion tactic, threatening to release the exfiltrated data—which they claim includes financial records, contracts, and HR files—if their ransom demands are not met. This incident underscores Akira's continued focus on targeting manufacturing and other mid-sized enterprises, leveraging data exfiltration as a primary tool for coercing victims into payment.


Threat Overview

  • Threat Actor: Akira is a well-established ransomware-as-a-service (RaaS) operation known for its distinctive retro-themed leak site and aggressive tactics. It has been active since early 2023 and targets a wide range of industries, with a particular focus on manufacturing, education, and professional services.
  • Malware: The Akira ransomware is written in C++ and is known for its ability to encrypt a wide variety of file types, appending a .akira extension to encrypted files. The group also uses a Linux variant to target VMware ESXi servers.
  • Attack Pattern: Akira typically follows a standard double-extortion model:
    1. Initial Access: Often gained through compromised credentials for VPNs without multi-factor authentication, or by exploiting known vulnerabilities (e.g., in Cisco ASA devices). This aligns with T1133 - External Remote Services.
    2. Lateral Movement and Discovery: Once inside, they use tools like Mimikatz for credential harvesting (T1003 - OS Credential Dumping) and PsExec for lateral movement.
    3. Data Exfiltration: Before deploying ransomware, they exfiltrate large volumes of sensitive data to be used as leverage (T1041 - Exfiltration Over C2 Channel).
    4. Impact: Finally, they deploy the ransomware to encrypt systems across the network (T1486 - Data Encrypted for Impact).

Technical Analysis

In the attack on Koch & Co., Akira claims to have stolen 54GB of highly sensitive data. This suggests they had prolonged, privileged access to the network, allowing them to identify and stage critical data from file servers, financial systems, and HR databases. The types of data claimed—financials, contracts, and HR files—are specifically chosen to maximize pressure on the victim company, as their public release could cause severe reputational damage, regulatory penalties, and competitive disadvantage.

While the specific initial access vector for this attack is unknown, Akira's known TTPs provide a strong basis for defense and detection. Their heavy reliance on credential abuse makes strong authentication controls a critical defense.

MITRE ATT&CK Techniques Associated with Akira

Tactic            | Technique ID | Name                          | Description
Initial Access    | T1133        | External Remote Services      | Exploiting VPNs without MFA is a common entry point.
Credential Access | T1003        | OS Credential Dumping         | Using tools like Mimikatz to harvest credentials.
Lateral Movement  | T1570        | Lateral Tool Transfer         | Moving tools like PsExec and AnyDesk across the network.
Exfiltration      | T1567.002    | Exfiltration to Cloud Storage | Using tools like Rclone or WinSCP to upload data to cloud services.
Impact            | T1486        | Data Encrypted for Impact     | The final ransomware deployment stage.

Impact Assessment

If Akira's claims are true, Koch & Co. faces severe consequences:

  • Operational Disruption: If systems were encrypted, manufacturing and business operations could be halted for an extended period, leading to significant revenue loss.
  • Data Breach Notification Costs: The company may be legally required to notify all employees and potentially customers whose data was compromised, incurring costs for credit monitoring and legal services.
  • Reputational Damage: The public leak of sensitive financial and HR data can damage the company's reputation with employees, partners, and customers.
  • Financial Loss: Beyond the potential ransom payment, the costs of incident response, system recovery, and security upgrades will be substantial.

Cyber Observables for Detection

To hunt for Akira activity, security teams should look for the following:

Type                 | Value                                                      | Description                                                                                  | Context
file_name            | akira_readme.txt                                           | The standard name of the ransom note dropped by Akira.                                       | EDR, file system monitoring
file_name            | *.akira                                                    | The file extension appended to files encrypted by the ransomware.                            | EDR, file system monitoring
process_name         | AnyDesk.exe                                                | Akira has been observed using the legitimate remote access tool AnyDesk for persistence.     | Process creation logs, EDR alerts
command_line_pattern | rclone.exe copy /path/to/data remote:bucket                | The use of Rclone to exfiltrate data to a cloud storage provider.                            | Process creation logs (Event ID 4688)
registry_key         | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Client | A registry key Akira has been known to use for persistence.                                  | Registry monitoring, EDR
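The observables in the table above can be turned into a simple hunt that runs over file, process and registry telemetry. The following Python script is an added example written for this article, not tooling from the original report or from any vendor. The event schema (a `type` field plus `path`, `image`, `command_line`, `key` and `value` fields), the host names and every sample event are constructed; the indicator values themselves are the ones listed in the table. The Rclone pattern is generalised slightly beyond the single command line in the table: it matches any `rclone` or `rclone.exe` `copy` whose destination uses Rclone's `remote:` syntax.

```python
"""Hunt for the Akira observables listed above across constructed sample telemetry."""
import fnmatch
import re

# Indicator values from the observables table. The event format below is a
# constructed assumption for this example, not a real product's schema.
RANSOM_NOTE = "akira_readme.txt"
ENCRYPTED_EXT_GLOB = "*.akira"
REMOTE_TOOL = "anydesk.exe"
# rclone[.exe] copy <source> <remote>:<path>  (generalised from the table's pattern)
RCLONE_COPY = re.compile(r"(?:^|\\)rclone(?:\.exe)?\s+copy\s+\S+\s+\S+:\S*", re.IGNORECASE)
PERSISTENCE_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Client"


def _basename(path):
    """Last path component, tolerant of both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def match_event(event):
    """Return a list of (observable, detail) hits for one event dict, or [] if clean."""
    hits = []
    kind = event.get("type")
    if kind == "file":
        name = _basename(event.get("path", "")).lower()
        if name == RANSOM_NOTE:
            hits.append(("ransom_note", event["path"]))
        if fnmatch.fnmatch(name, ENCRYPTED_EXT_GLOB):
            hits.append(("encrypted_file", event["path"]))
    elif kind == "process":
        image = _basename(event.get("image", "")).lower()
        cmd = event.get("command_line", "")
        if image == REMOTE_TOOL:
            hits.append(("remote_access_tool", cmd))
        if RCLONE_COPY.search(cmd):
            hits.append(("rclone_exfil", cmd))
    elif kind == "registry":
        if event.get("key", "").lower() == PERSISTENCE_KEY.lower():
            hits.append(("run_key_persistence", event.get("value", "")))
    return hits


def hunt(events):
    """Group hits per host so an analyst sees which machines show Akira indicators."""
    by_host = {}
    for ev in events:
        for obs, detail in match_event(ev):
            by_host.setdefault(ev["host"], []).append((obs, detail))
    return by_host


# Constructed sample telemetry (not real logs from the incident).
SAMPLE_EVENTS = [
    {"host": "FS01", "type": "file", "path": r"D:\Shares\Finance\akira_readme.txt"},
    {"host": "FS01", "type": "file", "path": r"D:\Shares\Finance\Q3_budget.xlsx.akira"},
    {"host": "WS22", "type": "process",
     "image": r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe", "command_line": "AnyDesk.exe"},
    {"host": "WS22", "type": "process", "image": r"C:\Tools\rclone.exe",
     "command_line": r"rclone.exe copy D:\Shares\HR remote:bucket"},
    {"host": "WS22", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Client",
     "value": r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe"},
    {"host": "WS05", "type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe readme.txt"},
    {"host": "WS05", "type": "file", "path": r"C:\Users\asmith\Documents\notes.txt"},
]

if __name__ == "__main__":
    for host, findings in hunt(SAMPLE_EVENTS).items():
        print(host)
        for obs, detail in findings:
            print(f"  {obs}: {detail}")
```

In the sample, FS01 shows the two encryption-stage indicators and WS22 shows the three pre-encryption ones (remote access tool, Rclone copy, Run key); WS05 produces nothing. In practice a host with only the AnyDesk hit warrants a check against the organisation's approved remote-support tooling before escalation, whereas the ransom note or `.akira` extension is unambiguous.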

Detection & Response

  1. Monitor for Credential Dumping: Deploy EDR rules to detect the execution of Mimikatz or access to the LSASS process memory. This is a key precursor to Akira's lateral movement and is a form of D3FEND's D3-PA: Process Analysis.
  2. Analyze VPN Logs: Scrutinize VPN authentication logs for suspicious activity, such as logins from unusual locations, multiple failed attempts followed by a success, or use of accounts for employees who do not normally use VPNs. This relates to D3FEND's D3-UGLPA: User Geolocation Logon Pattern Analysis.
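The three VPN log patterns in step 2 (unusual location, failures followed by a success, and an account with no VPN history) can be checked with a small baseline-driven analyser. The script below is an added example written for this article, not code from the original report or from any VPN vendor. The syslog-style line format, the per-user baseline of countries, the thresholds, and all sample lines are constructed assumptions; `ZZ` is used as a placeholder country code.

```python
"""Flag suspicious VPN authentications using the three patterns described above."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: which users normally use the VPN, and from which countries.
# A real deployment would derive this from several weeks of authentication history.
BASELINE = {
    "jdoe": {"US"},
    "asmith": {"US", "CA"},
}
FAILURE_WINDOW = timedelta(minutes=10)   # look-back for "failures then success"
FAILURE_THRESHOLD = 3                    # failures needed to alert on a following success


def parse_line(line):
    """Parse one constructed line: '<ISO ts> vpn user=<u> src_country=<cc> result=<success|failure>'."""
    ts_text, rest = line.split(" vpn ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts_text), "user": fields["user"],
            "country": fields["src_country"], "result": fields["result"]}


def analyze(lines):
    """Return a list of (timestamp, user, reason) alerts, oldest first."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)
    alerts = []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "failure":
            recent_failures[user].append(ts)
            continue
        # A success: count failures inside the window, then reset the counter.
        fails = [t for t in recent_failures[user] if ts - t <= FAILURE_WINDOW]
        recent_failures[user] = []
        if len(fails) >= FAILURE_THRESHOLD:
            alerts.append((ts, user, f"success after {len(fails)} failures in {FAILURE_WINDOW}"))
        if user not in BASELINE:
            alerts.append((ts, user, "account has no VPN usage history"))
        elif ev["country"] not in BASELINE[user]:
            alerts.append((ts, user, f"login from unusual country {ev['country']}"))
    return alerts


# Constructed sample log lines (not real VPN logs).
SAMPLE_LOG = [
    "2025-11-05T08:02:11 vpn user=jdoe src_country=US result=success",
    "2025-11-05T22:14:03 vpn user=asmith src_country=CA result=success",
    "2025-11-06T01:10:00 vpn user=jdoe src_country=ZZ result=failure",
    "2025-11-06T01:10:20 vpn user=jdoe src_country=ZZ result=failure",
    "2025-11-06T01:10:41 vpn user=jdoe src_country=ZZ result=failure",
    "2025-11-06T01:11:05 vpn user=jdoe src_country=ZZ result=success",
    "2025-11-06T03:30:00 vpn user=svc_backup src_country=US result=success",
]

if __name__ == "__main__":
    for ts, user, reason in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {reason}")
```

Against the sample, the jdoe success at 01:11:05 raises two alerts (three failures in the preceding window, and a country outside the user's baseline) and the svc_backup login raises one because the account has no VPN history. The two earlier, in-baseline logins are silent.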

Timeline of Events

  1. November 7, 2025: Akira ransomware group posts Koch & Co., Inc. on its dark web leak site.
  2. November 10, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Enforce MFA on all VPN and remote access services to mitigate initial access via compromised credentials.
  • Use EDR/AV solutions to detect and block known Akira payloads and associated tools.
  • Segment networks to limit the lateral movement of ransomware and protect critical assets like backup servers.

Sources & References

Akira Ransomware Attacks Koch & Co, Inc. - DeXpose
DeXpose (dexpose.io) November 10, 2025

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Akira, Ransomware, Data Breach, Manufacturing, Double Extortion
