Akira ransomware: stats on attacks, ransoms and data breaches

From January to November 2025, Akira claimed responsibility for 683 ransomware attacks, making it the second most dominant strain this year behind Qilin (864 attacks during the same period).

This figure of 683 is already more than double 2024’s total of 272. But, unlike Qilin, whose claims have increased as the year has gone on, Akira’s activity has had two noticeable spikes. Following a vast number of claims in the first quarter of the year (225), Akira’s activity dipped from April to July before increasing again over the last few months.

Akira’s recent surge was spurred by its active exploitation of SonicWall SSL VPN vulnerabilities (CVE-2024-40766). On November 13, 2025, the US Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Defense Cyber Crime Center (DC3), and Department of Health and Human Services (HHS) renewed their joint advisory on Akira, citing “information on new Akira ransomware activity that presents an imminent threat to critical infrastructure.”

Up to September 2025, Akira “claimed approximately $244.17 million (USD) in ransomware proceeds,” the advisory adds.

Akira first emerged in March 2023 and is thought to have connections to a previous group, Conti, which was active between December 2019 and May 2022. Its targets tend to be small- to medium-sized businesses across a range of industries. But, as we’ll see below, its focus has changed over the years. The education sector has seen fewer and fewer attacks, while manufacturers have become a dominant target for Akira. This is something we’re witnessing across the ransomware threat landscape as a whole.

Key findings for 2025:

From January to November of this year, Akira has claimed:

  • 683 victims (69 of these attacks have been confirmed)
  • 5 attacks on healthcare providers (none confirmed)
  • 3 attacks on government entities (1 confirmed)
  • No attacks on the education sector
  • 666 attacks on businesses (68 confirmed):
    • 182 on manufacturers (18 confirmed)
    • 124 on service-based businesses (6 confirmed)
    • 62 on retailers (7 confirmed)
    • 53 on construction companies (2 confirmed)
    • 49 on finance companies (7 confirmed)
    • 47 on legal companies (4 confirmed)
  • 104,608 records breached in the confirmed attacks
  • 32 TB of data stolen across all attacks (5.9 TB in confirmed attacks)
  • The US accounts for the most attacks (455), followed by Germany (26), Canada (26), Italy (21), Spain (17), and the UK (14)

Akira ransomware victims by sector & industry

While Akira’s focus has always been on businesses, the education sector was also heavily targeted by Akira in 2023. These attacks dropped off in 2024 and 2025. Attacks on government organizations and healthcare providers have remained relatively low across all years.

Akira ransomware attacks on the education sector

Akira’s focus on schools, colleges, and universities has decreased significantly over the last three years:

  • 2023 – 15 attacks (10 confirmed)
  • 2024 – 6 attacks (3 confirmed)
  • 2025 (to November) – No attacks

Throughout 2023, Akira carried out a number of successful attacks on the education sector. Some of the largest, by number of records affected, include its attacks on Edmonds School District in the US (145,844 people affected) and Mercer University in the US (93,512 affected).

In 2024, Akira’s attacks increased overall, but its attacks on this sector waned to just three confirmed (Reykjavík University in Iceland and Van Buren Public Schools and Louisiana Special School District in the US). So far this year, Akira hasn’t targeted any educational institutions.

Akira’s shift from the education sector could be due to other sectors being easier and/or more lucrative targets.

Akira ransomware attacks on government agencies

Attacks on government entities by Akira have remained relatively consistent from 2023 to 2025:

  • 2023 – 4 attacks (4 confirmed)
  • 2024 – 7 attacks (6 confirmed)
  • 2025 (to November) – 3 attacks (1 confirmed)

Unlike the education sector, which saw some significant data breaches as a result of Akira’s attacks, its attacks on governments seemed more focused on causing disruption through system encryption. Just one data breach has been reported across all of the confirmed attacks. This was the attack on the City of Nassau Bay in May 2023, in which 8,839 people were involved in the data breach.

The one confirmed attack from 2025 was on the Laramie County Library System, which caused widespread disruption to library servers and halted most digital services.

Akira ransomware attacks on healthcare providers

Healthcare providers have never been a major target for Akira. From 2023 to 2025, we logged just nine claims in total:

  • 2023 – 3 attacks (3 confirmed)
  • 2024 – 1 attack (1 confirmed)
  • 2025 (to November) – 5 attacks (none confirmed)

Three of these attacks have been confirmed due to subsequent data breaches (rather than system encryption). Just one, the October 2023 attack on Michael Garron Hospital in Canada, resulted in significant disruptions lasting around 11 days.

The biggest data breach was reported by siParadigm LLC in the US after it was attacked by Akira in June 2024. Here, 26,534 were affected.

Akira ransomware attacks on businesses

Attacks on businesses by Akira have increased significantly each year:

  • 2023 – 149 attacks (46 confirmed)
  • 2024 – 258 attacks (60 confirmed)
  • 2025 (to November) – 666 attacks (68 confirmed)

While the majority of sectors have seen an influx of attacks via Akira, some have seen a higher volume than others.

From 2024 to 2025, Akira’s attacks on healthcare businesses (those operating in the sector but that don’t provide direct care, e.g. pharmaceutical manufacturers and medical billing providers) more than tripled. Legal firms and construction companies also noted a 210 percent increase in attacks from 2024 to 2025.

Throughout 2025 so far, manufacturers have been Akira’s main focus: 182 (27%) of its attacks on businesses have been carried out in this sector. Although system encryption is the primary focus for attacks on manufacturers, data breaches are also common. Eight out of the 12 confirmed attacks recorded on US manufacturers this year have resulted in data breach notifications, with nearly 7,500 people impacted to date.

Akira’s largest breach at a manufacturer was at Nissan Australia in December 2023, when 100,000 people were notified of the data breach.

Akira’s most targeted countries

This year, Akira’s most targeted countries are:

  1. United States – 455 attacks (45 confirmed)
  2. Germany – 26 attacks (5 confirmed)
  3. Canada – 26 attacks (1 confirmed)
  4. Italy – 21 attacks (2 confirmed)
  5. Spain – 17 attacks (1 confirmed)
  6. United Kingdom – 14 attacks (none confirmed)
  7. Brazil – 13 attacks (none confirmed)
  8. Australia – 9 attacks (4 confirmed)
  9. Switzerland – 9 attacks (1 confirmed)
  10. Greece – 6 attacks (none confirmed)

With a month left in the year, attacks in the US have already increased by over 175 percent from 2024 to 2025. Countries with the biggest upticks include Spain (a 750% increase from 2 in 2024 to 17 in 2025), Switzerland (a 350% increase from 2 in 2024 to 9 in 2025), and Italy (a 200% increase from 7 in 2024 to 21 in 2025).

Akira’s biggest ransom demands

Akira doesn’t include its ransom demands when making its claims, so data on them is limited. However, from 2023 to present, the following ransom demands have been confirmed:

  1. Shook Lin & Bok, Singapore – $1.4 million demanded: In April 2024, this legal firm in Singapore is reported to have paid Akira $1.4 million in bitcoin. Akira’s initial demand was said to be $2 million.
  2. Toronto Zoo, Canada – $1.2 million demanded: The zoo was targeted by Akira in January 2024 but it refused to pay Akira’s ransom demand of $1.2 million. Guests’ and members’ data was subsequently leaked on the dark web.
  3. Hangzhou Great Star Industrial Co., Ltd, China – $1 million demanded: The Chinese manufacturer was targeted by Akira in August 2023 before its US division negotiated with the hackers and agreed to pay a $1 million demand.
  4. Usina Alta Mogiana S/A, Brazil – $750,000 demanded: Akira is alleged to have demanded $750,000 from the food and beverage manufacturer in June 2024.
  5. Bugnard SA, Switzerland – $200,000 demanded: In September 2025, the Swiss manufacturer agreed to pay Akira $200,000 to have its systems restored. Akira had initially demanded $450,000.
  6. Black Press Hawaii (Star-Advertiser, Oahu Publications, Inc. et al), US – $150,000 demanded: Akira received $150,000 from the US firm following its attack in January 2024. 2,000 people were subsequently notified of a data breach.

Akira statistics from 2023 to November 2025

Since Akira first started adding victims to its data leak site in early 2023, we’ve recorded:

  • 1,126 attacks via Akira
    • 202 of these attacks have been confirmed by the targeted entity
  • 1,087,428 records have been breached across the confirmed attacks
  • 14 attacks on government entities (11 confirmed)
  • 21 attacks on the education sector (13 confirmed)
  • 9 attacks on healthcare providers (4 confirmed)
  • 1,073 attacks on businesses (174 confirmed)

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that matches a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed.”

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. Claims from ransomware groups often come about a month after the attack, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.

All data is derived from our worldwide ransomware tracker (updated daily).