RHC Dark Lab : 22 June 2025 17:48
Spring 2025 will be remembered as a turning point in our country’s cyber chronicle. As bulletins and technical releases follow one another, one fact emerges glaringly: AKIRA has entered the Italian scene heavily. And it has done so without knocking on the door.
The report we publish today is the result of the joint work of our community and the DarkLab subgroup, which specializes in Cyber Threat Intelligence. It is an analysis with a technical but operational slant on the new offensive campaign of AKIRA, the ransomware-as-a-service that made its bones abroad and now plays at home, hitting large and medium-sized companies all along the boot, with a particular predilection for Northeast Italy.
The report comes to life from the growing evidence of a pattern: more and more Italian organizations, in different sectors, are being hit by silent, effective and very fast attacks. There is no phishing and there are no Hollywood-movie zero-day exploits. Instead, there is high automation, established techniques, and an initial access strategy that exploits weaknesses in our perimeter networks. What is striking is precisely that: the banality of cyber evil.
A crucial aspect of the report is the analysis of the use of the BRUTED tool, originally developed by BlackBasta and now reused by AKIRA affiliates. This tool automates discovery and brute-forcing against edge devices such as VPNs, RDP portals and SSL appliances, using advanced techniques and SOCKS5 proxies to cover the attackers' tracks.
The evidence collected includes IPs historically linked to malicious infrastructure, such as those belonging to AS43350 (NFORCE, Netherlands), already mentioned by CISA. And, surprise: everything leads us to believe that BlackBasta, Akira and (maybe) Cactus are sharing not only tools, but also TTPs.
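The brute-forcing described above is visible on the defender's side as bursts of failed logons on the edge devices themselves. The following detector, an added example that is not part of the report or the BRUTED tool, runs a sliding window over constructed VPN/RDP authentication log lines and flags three things: repeated failures from one source, password spraying against one account from several sources (the pattern proxied tooling produces, where per-source counting alone misses it), and a successful logon arriving right after such a burst. The log format, thresholds and sample addresses are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
WINDOW = timedelta(minutes=5)
FAIL_THRESHOLD = 4   # failed logons from one source, or against one account, inside WINDOW
SPRAY_SOURCES = 3    # distinct sources failing against one account inside WINDOW (proxied spraying hides per source)
# Constructed sample events (not from the report): "<time> <result> user=<u> src=<ip> svc=<service>"
SAMPLE_LOG = """\
2025-05-10T02:00:01Z FAIL user=admin src=203.0.113.10 svc=vpn
2025-05-10T02:00:03Z FAIL user=admin src=203.0.113.10 svc=vpn
2025-05-10T02:00:05Z FAIL user=admin src=203.0.113.10 svc=vpn
2025-05-10T02:00:07Z FAIL user=admin src=203.0.113.10 svc=vpn
2025-05-10T02:10:00Z FAIL user=m.rossi src=198.51.100.1 svc=rdp
2025-05-10T02:10:02Z FAIL user=m.rossi src=198.51.100.2 svc=rdp
2025-05-10T02:10:04Z FAIL user=m.rossi src=198.51.100.3 svc=rdp
2025-05-10T02:10:06Z OK user=m.rossi src=198.51.100.4 svc=rdp
"""

def parse(text):
    events = []   # one dict per well-formed line, sorted by time; malformed lines are skipped
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append({"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), "ok": parts[1] == "OK", **fields})
    return sorted(events, key=lambda e: e["ts"])

def detect(text):
    events = parse(text)
    alerts, fails = set(), defaultdict(list)   # fails: ("src", ip) or ("user", name) -> time-sorted failed logons
    for e in events:
        if not e["ok"]:
            fails[("src", e["src"])].append(e)
            fails[("user", e["user"])].append(e)
    for (kind, value), fs in fails.items():
        start = 0
        for end in range(len(fs)):   # sliding window over this key's failures
            while fs[end]["ts"] - fs[start]["ts"] > WINDOW:
                start += 1
            win = fs[start:end + 1]
            if len(win) >= FAIL_THRESHOLD:
                alerts.add((f"bruteforce_{kind}", value))
            if kind == "user" and len({f["src"] for f in win}) >= SPRAY_SOURCES:
                alerts.add(("spray_user", value))
    for e in events:   # a success right after a burst against the same account is the top-priority signal
        if e["ok"]:
            recent = [f for f in fails[("user", e["user"])] if timedelta(0) <= e["ts"] - f["ts"] <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD or len({f["src"] for f in recent}) >= SPRAY_SOURCES:
                alerts.add(("success_after_burst", e["user"]))
    return sorted(alerts)   # [(alert_type, subject), ...]
```

On the sample data the per-source rule catches the single-origin burst against `admin`, while `m.rossi` is caught only by the account-centred spray rule, followed by the success-after-burst alert that should be triaged first.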
Akira attacks develop with brutal speed. Less than 24 hours separate the first access to the infrastructure from data theft, massive encryption and backup destruction. A nightmare scenario where every second counts, and a lack of segmentation or effective protection makes the difference between holding on or falling.
Among the tools documented in the report are SharpHound, RClone, WinRAR, LSASS/NTDS credential dumping through abuse of comsvcs.dll, and BYOVD techniques to disable AV and EDR. A symphony of TTPs straight from the MITRE ATT&CK textbook.
The report closes with a substantial list of concrete actions: from patch management to honeypots, from Sysmon monitoring to granularized control through AppLocker and WDAC. The key is not to react, but to anticipate.
And again: tiered administration for AD, Just-in-Time privilege management, truly protected off-site backups, incident response simulations. All with a clear warning: Akira does not choose its victims based on profits or size, but on the basis of exposure.
We have put down on paper what we have discovered: techniques, IoCs, tactics, tools. The document is designed for those working in the field, for blue teams, for CISOs and for all those who find themselves having to manage a concrete threat today. It is not a conference paper: it is a guide for those who have to defend the trenches.
It’s no longer just about updating firewalls or enabling MFA. A change of culture is needed: thinking as a target, defending oneself as a fortress, reacting as an incident responder.
The time of policies written in drawers is over. With AKIRA at the gates, you need a cool head, logic, collaboration. And maybe even a little of that constructive anger that led us to write this report.
DarkLab is here. And doesn’t give up.