{"id":5058,"date":"2026-04-03T08:45:03","date_gmt":"2026-04-03T08:45:03","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/04\/03\/researchers-observe-sub-one-hour-ransomware-attacks\/"},"modified":"2026-04-03T08:45:03","modified_gmt":"2026-04-03T08:45:03","slug":"researchers-observe-sub-one-hour-ransomware-attacks","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2026\/04\/03\/researchers-observe-sub-one-hour-ransomware-attacks\/","title":{"rendered":"Researchers Observe Sub-One-Hour Ransomware Attacks"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"https:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Security researchers have warned of another step change in the velocity of ransomware, after spotting the Akira group complete all stages of an attack within an hour.<\/p>\n<p>Halcyon said in a new report that Akira usually achieves initial access by exploiting vulnerabilities in internet-facing VPN appliances and backup solutions, especially those lacking multi-factor authentication (MFA).<\/p>\n<p>In the past, these have included devices from SonicWall, Veeam and Cisco, although the group has also been observed using credential theft, spearphishing, password spraying, and even initial access brokers (IABs).<\/p>\n<p>It is one of the more sophisticated groups out there, with suspected former Conti hackers now engaged in operations.<\/p>\n<p><em>Read more on ransomware velocity: Ransomware Gangs Increasingly Prioritize Speed and Volume in Attacks.<\/em><\/p>\n<p>Following initial access, Akira usually exfiltrates data prior to encryption \u2013 following a classic double-extortion model. 
Threat actors try to evade detection by disabling security software, and then use living-off-the-land approaches (e.g. FileZilla, WinRAR, WinSCP and RClone) for data staging and encryption, the report explained.<\/p>\n<h2>A Focus on Speed<\/h2>\n<p>Halcyon said Akira manages to complete an entire attack lifecycle in under four hours, and in some cases less than one hour without detection.<\/p>\n<p>This is because it is \u201cmore stealthy and less aggressive\u201d than other groups such as Play, the report claimed. Zero-day exploits and compromised credentials enable covert access while intermittent encryption speeds up the process of scrambling victims\u2019 files.<\/p>\n<p>\u201cAkira is known to set encryption to as low as 1% of a file and push to all devices to maximize impact in a short duration,\u201d Halcyon said.<\/p>\n<p>\u201cAkira&#8217;s combination of rapid compromise capabilities, disciplined operational tempo, and investment in reliable decryption infrastructure sets it apart from many ransomware operators.\u201d<\/p>\n<p>This has enabled the group to generate as much as $244m since it appeared in March 2023, according to the US government.<\/p>\n<h2>How to Protect the Organization<\/h2>\n<p>Halcyon urged organizations to adopt layered defenses to mitigate the threat from Akira and other ransomware groups. 
This includes:<\/p>\n<ul>\n<li>Hardening against initial access, including \u201ctrusted relationships\u201d and \u201cthird-party access pathways\u201d<\/li>\n<li>Limiting lateral movement and credential abuse by restricting remote services and misuse of accounts<\/li>\n<li>Detecting data staging and exfiltration by monitoring for archive-collected data and command-and-control channels<\/li>\n<li>Protecting against encryption impact through tested recovery processes<\/li>\n<li>Deploying a dedicated anti-ransomware solution that blocks malicious binaries pre-execution, detects runtime behaviors and exfiltration efforts, prevents tampering and network intrusion, and protects backup integrity<\/li>\n<\/ul><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers have warned of another step change in the velocity of ransomware, after spotting the Akira group complete all stages of an attack within an hour. Halcyon said in a new report that Akira usually achieves initial access by exploiting vulnerabilities in internet-facing VPN appliances and backup solutions, especially those lacking multi-factor authentication 
(MFA).<\/p>\n","protected":false},"author":2,"featured_media":5059,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5058","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5058-6dc82692-35b0-4fb5-b87e-42802b0eeb22.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5058-6dc82692-35b0-4fb5-b87e-42802b0eeb22-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5058-6dc82692-35b0-4fb5-b87e-42802b0eeb22.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5058-6dc82692-35b0-4fb5-b87e-42802b0eeb22.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5058-6dc82692-35b0-4fb5-b87e-42802b0eeb22.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5058-6dc82692-35b0-4fb5-b87e-42802b0eeb22.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5058-6dc82692-35b0-4fb5-b87e-42802b0eeb22.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5058-6dc82692-35b0-4fb5-b87e-42802b0eeb22.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5058-6dc82692-35b0-4fb5-b87e-42802b0eeb22.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5058-6dc82692-35b0-4fb5-b87e-42802b0eeb22.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5058-6dc82692-35b0-4fb5-b87e-42802b0eeb22-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" 
rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5058","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=5058"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5058\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/5059"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=5058"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=5058"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=5058"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}