
Akira Just Hit a Swiss Radiology Network. It's the #2 Ransomware Crew on Earth and Its Whole Game Is Your SSL VPN — Even With MFA On. We Just Put It in the Index.

  • Writer: Patrick Duggan
  • 4 min read

Akira claimed a Swiss radiology network this week, Réseau Radiologique Romand, with around forty-eight gigabytes of data allegedly stolen, and we are using the occasion to do something we should have done sooner: put Akira in our adversaries index as a full profile. It belongs there for a simple reason. Akira is, by publicly disclosed victim volume, the second most active ransomware operation on the planet right now, behind only Qilin, and unlike the sprawling supply-chain and SaaS-pivot crews we have been writing about all spring, Akira's identity is almost monomaniacally focused on one thing: the SSL VPN at the edge of your network. If you want to understand how a radiology practice in Switzerland ends up on a leak site, you do not need a novel exploit chain. You need to understand that Akira treats your VPN appliance as the front door, and that the door is usually unlocked.


Here is the profile, and the through-line is the edge appliance. Akira is a Ransomware-as-a-Service operation active since March 2023, with lineage tracked back toward the defunct Conti syndicate and labels like Storm-1567 and Howling Scorpius attached by various vendors; it had collected north of two-hundred-forty-four million dollars in ransoms by late 2025. Its initial access is SSL VPN, over and over: Cisco ASA and Firepower Threat Defense via flaws like CVE-2020-3259 and CVE-2023-20263, SonicWall via CVE-2024-40766, and WatchGuard appliances, walking straight into accounts that have no multi-factor authentication and, with stolen or broker-purchased credentials, getting past one-time-password MFA on accounts that do. That last point is the one defenders keep getting wrong: Akira has been observed logging into accounts that had OTP MFA enabled, because a stolen valid credential plus a one-time code obtained by any means (intercepted, or pushed to a user who approves it) is enough; an OTP proves that whoever is typing holds a current code, not that they are the account holder. Once inside, the crew is fast in a way that defeats most response programs: credential access, lateral movement, exfiltration and encryption in under four hours in dozens of documented intrusions, with Ngrok tunneling for command-and-control and SharpDomainSpray for password spraying along the way. And it does not stop at Windows. Akira maintains encryptors for Windows, Linux, VMware ESXi and, as of mid-2025, Nutanix AHV, shifting between the original C++ Akira variant and the Rust-based Megazord and Akira_v2 payloads. The hypervisor support is why a single VPN compromise can become an entire virtualized hospital encrypted at once: encrypt the virtual disk files on the datastore and every guest on that host goes down together, whatever is running inside them.


This is the same shape we drew in "Edge-Appliance Week", five vendor RCEs in fourteen days, where the lesson was that the foot in the door is the whole game. Akira is the crew that walks through those doors for a living. When we wrote that the edge appliance is the initial-access surface of the era, Akira is the proof of concept that pays: it does not need the newest CVE, because the population of internet-facing VPN concentrators with weak or stolen credentials is effectively inexhaustible, and healthcare (radiology networks, hospital groups, clinics) is its sweet spot precisely because medical organizations run aging edge gear, can least afford downtime, and therefore pay. The Swiss radiology hit is not an exotic event. It is Akira doing the most Akira thing possible: find an SSL VPN, get a credential, be inside the imaging infrastructure before lunch.


The protective read is unusually actionable because Akira's playbook is so consistent. First, MFA on every single VPN account, no exceptions, but understand that OTP MFA is necessary and not sufficient against this crew, so move privileged and remote-access accounts to phishing-resistant, hardware-backed authentication (FIDO2 or certificate-based) where you can, because a credential that cannot be replayed from the attacker's own machine is the control that defeats the stolen-credential bypass. Second, patch the edge, specifically the SSL VPN appliances: the Cisco ASA/FTD and SonicWall CVEs Akira leans on are known and fixed, and an unpatched VPN concentrator on the internet is the single highest-probability way this crew gets in. Patch late and you also have to assume the appliance already gave up what it held, so rotate the local accounts, VPN user passwords and any secrets stored on the device once the fix is in. Third, hunt for the speed: because Akira moves from access to encryption in under four hours, your detection has to fire on the early signals, which are a VPN login from anomalous geography or a new device, Ngrok or other tunneling utilities appearing on a host, password-spray patterns against your directory, and any sudden enumeration of your VMware or Nutanix management plane. Fourth, segment and protect the hypervisor, because the ESXi and Nutanix encryptors mean a flat network turns one foothold into a total encryption event; vCenter, ESXi host management and Prism belong on a network that the VPN client pool cannot route to at all. Our STIX feed carries the edge-appliance and ransomware indicators for this class at no cost, and Akira is now a profiled actor in our index, linked to the edge thesis rather than floating as a name in a news story.
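To make the third point concrete, here is an added hunting example in Python, not the blog's code and not any vendor's product, that runs the four early signals from the protective read over a handful of constructed VPN, EDR and management-plane events and then measures the gap between the first anomalous login and the first unexpected touch on the hypervisor. Everything in it is an assumption to be swapped for your own telemetry: the normalized event schema, the per-account baseline of known countries and devices, the spray window and threshold, the list of tunneling tool names, and the sample events themselves.

```python
"""Hunting rules for the early signals in an Akira-style intrusion. Added example; the
event schema, baseline, thresholds and sample events are assumptions, not the blog's code."""
from collections import defaultdict
from datetime import datetime, timedelta

TUNNEL_TOOLS = {"ngrok", "ngrok.exe"}  # assumed list; extend with what your EDR actually sees


def _vpn(ts, user, src_ip, country, device, result):
    return {"ts": ts, "type": "vpn_auth", "user": user, "src_ip": src_ip,
            "country": country, "device": device, "result": result}


# Constructed sample telemetry: VPN auth, EDR process and management-plane access
# events normalized into one shape (assumed schema).
EVENTS = [_vpn("2025-11-03T07:58:00", "rfischer", "85.1.2.3", "CH", "LAPTOP-RF01", "success")]
for i, user in enumerate(["amuller", "bweber", "cschmid", "dkeller", "ehuber", "admin"]):
    # Six distinct accounts fail from one source inside three minutes: a spray.
    ts = (datetime(2025, 11, 3, 8, 10) + timedelta(seconds=30 * i)).isoformat()
    EVENTS.append(_vpn(ts, user, "203.0.113.9", "NL", "", "failure"))
EVENTS += [
    # Known account, but from a country and a device it has never used before.
    _vpn("2025-11-03T08:20:00", "jbaumann", "203.0.113.9", "NL", "DESKTOP-7Q2X", "success"),
    {"ts": "2025-11-03T08:47:00", "type": "process", "host": "WS-RADIO-04", "user": "jbaumann",
     "image": r"C:\Users\Public\ngrok.exe", "cmdline": "ngrok.exe tcp 3389"},
    {"ts": "2025-11-03T09:05:00", "type": "mgmt_access", "host": "vcenter.example.internal",
     "user": "jbaumann", "src_ip": "10.8.0.14", "platform": "vmware"},
    {"ts": "2025-11-03T09:30:00", "type": "mgmt_access", "host": "prism.example.internal",
     "user": "svc-backup", "src_ip": "10.1.1.5", "platform": "nutanix"},  # routine admin use
]
# Assumed baseline: (country, device) pairs each account has used before, and the
# accounts allowed to touch the hypervisor management plane at all.
BASELINE = {
    "vpn": {"rfischer": {("CH", "LAPTOP-RF01")}, "jbaumann": {("CH", "LAPTOP-JB01")}},
    "hypervisor_admins": {"svc-backup", "vmadmin"},
}


def anomalous_vpn_logins(events, baseline_vpn):
    """Successful VPN logins from a country or device the account has never used."""
    hits = []
    for e in events:
        if e["type"] != "vpn_auth" or e["result"] != "success":
            continue
        seen = baseline_vpn.get(e["user"], set())
        reasons = [tag for tag, val, known in (("new_country", e["country"], {c for c, _ in seen}),
                                               ("new_device", e["device"], {d for _, d in seen}))
                   if val not in known]
        if reasons:
            hits.append((e["ts"], e["user"], reasons))
    return hits


def password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Sources whose failed logins cover at least min_users distinct accounts in one window."""
    failures = defaultdict(list)
    for e in events:
        if e["type"] == "vpn_auth" and e["result"] == "failure":
            failures[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    hits = []
    for src, attempts in failures.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):  # slide the window forward from each failure
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits.append((src, len(users)))
                break
    return hits


def tunneling_tools(events):
    """Process starts whose image name or command line is a known tunneling tool."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        name = e["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in TUNNEL_TOOLS or "ngrok" in e.get("cmdline", "").lower():
            hits.append((e["ts"], e["host"], name))
    return hits


def hypervisor_access_by_non_admins(events, admins):
    """Any VMware/Nutanix management-plane access by an account not on the admin list."""
    return [(e["ts"], e["user"], e["platform"]) for e in events
            if e["type"] == "mgmt_access" and e["user"] not in admins]


def minutes_to_hypervisor(events, baseline):
    """Minutes from the first anomalous VPN login to the first unexpected management-plane access."""
    logins = anomalous_vpn_logins(events, baseline["vpn"])
    mgmt = hypervisor_access_by_non_admins(events, baseline["hypervisor_admins"])
    if not logins or not mgmt:
        return None
    first_login = min(datetime.fromisoformat(ts) for ts, _, _ in logins)
    return (min(datetime.fromisoformat(ts) for ts, _, _ in mgmt) - first_login).total_seconds() / 60


def hunt(events=EVENTS, baseline=BASELINE):
    """Run every rule once and return the findings keyed by signal."""
    admins = baseline["hypervisor_admins"]
    return {"anomalous_vpn_logins": anomalous_vpn_logins(events, baseline["vpn"]),
            "password_spray": password_spray(events), "tunneling_tools": tunneling_tools(events),
            "hypervisor_access": hypervisor_access_by_non_admins(events, admins),
            "minutes_to_hypervisor": minutes_to_hypervisor(events, baseline)}


if __name__ == "__main__":
    print(hunt())
```

On the constructed sample the script flags the spray from 203.0.113.9, the jbaumann login from a new country and device, ngrok.exe starting on the radiology workstation, and that same account reaching vCenter forty-five minutes after its anomalous login; the benign svc-backup session on Prism is ignored because it is on the admin list. That forty-five minutes is the point of the exercise: each rule on its own is noisy, but the same non-admin identity lighting up the VPN, the endpoint and the hypervisor inside an hour is the Akira pattern, and it is visible well before encryption starts.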


The honest 95%: the forty-eight-gigabyte figure is Akira's claim against the Swiss radiology network, not an independently verified count, and the real haul sometimes turns out smaller or larger than the leak-site boast. The vendor labels (Storm-1567, Howling Scorpius, the Conti lineage) are attributions drawn from reporting and carry the usual looseness of any RaaS cluster where affiliates rotate. And we cannot tell you that patching your VPN makes you safe from Akira, because the stolen-credential path bypasses the patch entirely; the honest framing is that patching plus phishing-resistant MFA plus sub-four-hour detection together shrink the window, and any one of them alone leaves it open. What we can tell you is that the second-busiest ransomware crew on earth has one favorite door, that door is your SSL VPN, and as of today it is a named, profiled actor in our index instead of a surprise in next week's headline.




The threat feed this post is built on

1.14M+ IOCs, STIX 2.1, precursor signals, supply-chain detection. Free API key in 30 seconds.

