The FBI and its government partners worldwide on Nov. 13 said the Akira ransomware group has claimed roughly $244 million in ransomware proceeds since March 2023.

While these dollar estimates are not always precise, the FBI’s new information as of late September 2025 puts Akira behind the Clop group, which has reportedly extorted more than $500 million in ransomware payments since 2021.

In its advisory the FBI said security teams need to take the following basic ransomware prevention steps:

- Prioritize remediating known exploited vulnerabilities on the KEV list managed by the Cybersecurity and Infrastructure Security Agency (CISA).
- Enable and enforce phishing-resistant multifactor authentication (MFA).
- Maintain regular backups of critical data, ensure backups are stored offline, and regularly test the restoration process.

“The FBI’s list outlines the bare minimum every organization should already have in place,” said Shane Barney, chief information security officer at Keeper Security. “Groups like Akira use advanced tools, but they often succeed because of weak credentials, poor configurations, and inconsistent access controls.”

Barney said the technical fundamentals still make the biggest difference. Network segmentation limits how far an attacker can move once inside. Strong identity management, least privilege and continuous monitoring can prevent a breach from spreading. Just as important, said Barney, is the human element.

“Security awareness has to be part of everyday operations, not an annual exercise,” said Barney. “Technology creates the framework, but people make it work. When they take ownership, that’s when security becomes sustainable.”

Noelle Murata, senior security engineer at Xcape, Inc., added that the FBI’s Akira advisory covers the essentials of ransomware defense, and they're spot on, but organizations must go further.

“Beyond the basics like prioritizing KEV patching, using phishing-resistant MFA, and having tested offline backups, it's crucial to strengthen the organization’s network perimeter,” said Murata. “This means patching and securing VPNs and firewalls, enforcing SMB signing, and disabling outdated authentication protocols like NTLM.”

Andi Ursry, threat intelligence analyst at Blackpoint Cyber, said the recommendations may sound basic, but groups like Akira aren’t relying on sophisticated or unique techniques.

“They rely on boring and basic techniques because they work,” said Ursry. “Basic security hygiene can go a long way to make it more difficult for threat actors to gain access — especially when groups like Akira are still exploiting vulnerabilities over a year old and hitting exposed services consistently. Start with the fundamentals — the basics — and enforce them relentlessly.”

Here's a checklist Ursry offers:

- Prioritize remediating known exploited vulnerabilities — it’s unrealistic to patch every vulnerability the minute it’s announced; prioritize them to determine which ones are mission critical.
- Assess the criticality of the appliance/software the vulnerability impacts.
- Determine if the vulnerability is trending — both in cybercriminal spaces and the media because threat actors are also reading the news.
- Identify the impact successful exploitation could have on the organization.

Other tips include the following:

- Reduce exposed services, like RDP and VPN services, to reduce the overall attack surface and prevent attacks like credential stuffing or brute force.
- Implement and enforce a password policy that includes the use of strong and unique passwords — in 2025, the most common password is still 123456.
- Create, maintain, and practice an incident response plan (IRP) — ensure relevant departments and staff are aware of the role they play in the IRP to avoid delays and miscommunication during an incident, which provides threat actors with additional time inside a compromised network.
- Understand that organizations of all types and profit levels are within the scope of ransomware groups’ targeting — treat ransomware as an inevitable business risk, not a remote possibility.
- Foster employee awareness — go beyond the annual cybersecurity training and implement year-round, randomized training based on real-world ransomware tactics, techniques, and procedures to ensure employees are both aware and realistically prepared in the event they are targeted.
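
The prioritization steps in the checklist above (KEV status, criticality of the affected system, whether the flaw is trending, impact of exploitation) can be turned into a repeatable patch order. The following is an added example, not part of the FBI advisory or Ursry's comments: the CVE IDs, asset names, findings and score weights are constructed assumptions, and the KEV excerpt only mimics the `cveID` and `knownRansomwareCampaignUse` fields of CISA's JSON feed.

```python
import json

# Constructed excerpt in the shape of CISA's KEV JSON feed (placeholder CVE IDs).
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed scanner findings. criticality and impact run 1 (low) to 3 (high)
# and come from the asset owner; trending is an analyst's judgment call.
FINDINGS = [
    {"cve": "CVE-0000-0004", "asset": "kiosk-07", "criticality": 1, "impact": 2, "trending": True},
    {"cve": "CVE-0000-0003", "asset": "db-01", "criticality": 3, "impact": 3, "trending": False},
    {"cve": "CVE-0000-0002", "asset": "intranet-wiki", "criticality": 1, "impact": 1, "trending": False},
    {"cve": "CVE-0000-0001", "asset": "vpn-gw-01", "criticality": 3, "impact": 3, "trending": True},
]

def load_kev(raw):
    """Map CVE ID -> KEV catalog entry."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def score(finding, kev):
    """Return (tier, score). Tier 0 means the CVE is on the KEV list."""
    entry = kev.get(finding["cve"])
    s = finding["criticality"] * finding["impact"]  # 1..9
    if finding["trending"]:
        s += 3  # assumed weight for active chatter
    if entry and entry.get("knownRansomwareCampaignUse") == "Known":
        s += 5  # assumed weight for ransomware use recorded in KEV
    return (0 if entry else 1, s)

def prioritize(findings, kev):
    """KEV-listed findings first, then higher score first; ties keep input order."""
    def key(f):
        tier, s = score(f, kev)
        return (tier, -s)
    return sorted(findings, key=key)

def triage_order():
    return [f["cve"] for f in prioritize(FINDINGS, load_kev(KEV_JSON))]

if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for f in prioritize(FINDINGS, kev):
        print(f["cve"], f["asset"], score(f, kev))
```

Note that the low-criticality wiki finding still ranks ahead of the critical database finding because it is on the KEV list; that ordering follows the advisory's "KEV first" step, and the weights within each tier are the part to tune.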




