Cyber Resilience

Threat actor · all actors

AkiraG1024 unknown

aka Akira, GOLD SAHARA, PUNK SPIDER, Howling Scorpius

Last updated: 2026-07-03

1attributed CVEs
24ATT&CK techniques
4.3IDF score (tooling uniqueness)
1exclusive CVEs
2023years active

About this actor

[Akira](https://attack.mitre.org/groups/G1024) is a ransomware variant and ransomware deployment entity active since at least March 2023.(Citation: Arctic Wolf Akira 2023) [Akira](https://attack.mitre.org/groups/G1024) uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.(Citation: Arctic Wolf Akira 2023)(Citation: Secureworks GOLD SAHARA) [Akira](https://attack.mitre.org/groups/G1024) operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of [Akira](https://attack.mitre.org/software/S1129) ransomware indicates variants capable of targeting Windows or VMWare ESXi hypervisors and multiple overlaps with [Conti](https://attack.mitre.org/software/S0575) ransomware.(Citation: BushidoToken Akira 2023)(Citation: CISA Akira Ransomware APR 2024)(Citation: Cisco Akira Ransomware OCT 2024)

Source: MITRE ATT&CK

Activity timeline

Profile

CVERiskCVSSEPSSPublishedProducts
CVE-2023-20263 3.54.70.00482023-09-06see CVE

Mitigating controls (NIST 800-53)

ControlTechniques coveredCoverage
SI-418 / 2475%
CM-217 / 2471%
AC-316 / 2467%
AC-615 / 2462%
CM-615 / 2462%
CM-713 / 2454%
AC-212 / 2450%
SI-312 / 2450%
SI-712 / 2450%
RA-511 / 2446%
AC-510 / 2442%
CA-710 / 2442%
IA-210 / 2442%
AC-179 / 2438%
CM-59 / 2438%

Co-occurring actors

None.

Similar actors

Similar TTPs

Active in same years