WatchGuard Blog

What Akira Ransomware Gang Taught This Company

What is ransomware?
In 2025, ransomware is no longer just malicious software that encrypts your machines. It has morphed into something more dangerous: extortion built on stolen data. Attackers don’t stop at locking files; they now harvest sensitive information from SaaS platforms and internal networks, giving them leverage far beyond encryption keys. And their threats aren’t confined to dark web leaks. Increasingly, they pressure victims by threatening to expose data directly to regulators, insurers, or even customers. It’s not just about endpoint security anymore — it’s about protecting the entire cloud and network environment your business runs on.

So far this year, 4,441 organizations have been publicly listed as ransomware victims. More than 51% of those paid, according to Cybersecurity Ventures, resulting in roughly 2,268 ransom payments, with median payments averaging $1 million per breach. That puts ransomware payouts this year well into the multi-billion-dollar range.

And these attacks aren’t just hitting small or midsize companies. In July, global IT distributor Ingram Micro confirmed a ransomware-related incident that disrupted internal systems and order fulfillment. While the company quickly mobilized cybersecurity experts and notified law enforcement, the attack demonstrated a growing truth: no organization is immune. 

A Ransom Note… and a Checklist to Keep Them Away 

The Akira ransomware gang doesn’t just extort. They operate with the polish of a support team, and the gall to offer post-attack “advice.” 

In a real negotiation transcript, Akira encrypted an organization’s systems, demanded $600,000, and ultimately settled for $200,000. But their final message didn’t just include a decryption tool; it came with a security checklist.

“Don’t want us to hack you again? Here’s what you need to do.” 

Their advice included: 

  • Don’t open suspicious emails or run unknown files
  • Use strong passwords, changed monthly
  • Enable 2FA
  • Keep systems and software updated
  • Monitor traffic and use antivirus
  • Create VPN jump hosts with unique credentials
  • Train your employees: “The human factor is your weakest point.” 

They signed off with this unsettling note: “We wish you safety, calmness, and lots of benefits in the future.” 

[Image: screenshot of the ransomware negotiation chat showing the attacker's suggested security practices after payment.]


You Shouldn’t Need a Ransom Note to Discover What’s Broken 

What’s most disturbing isn’t what Akira did; it’s that they’re right.

Too many organizations only discover their security gaps after a breach. That needs to change. 

Here’s what real cyber resilience looks like in 2025: 

  • Advanced Endpoint Detection and Response 
    Lock down apps, enforce endpoint firewalls, and automate patching with platforms like WatchGuard EPDR, so attackers can’t exploit known weaknesses.
  • Smarter MFA Everywhere 
    Strengthen authentication with custom MFA solutions like AuthPoint, designed to secure not only cloud apps and VPN access, but also device-level login like Windows. This closes a critical gap in most identity strategies.
  • ZTNA and SASE-Based Protections 
    Adopt Zero Trust Network Access (ZTNA) and SASE-based firewalls to filter cloud services (like Microsoft 365) and restrict access to only validated connections. This helps eliminate the common VPN jump host vector attackers rely on.
  • Segment Your Networks 
    Use your firewall to isolate sensitive systems. Separate user traffic from management networks with tools like WatchGuard FireCloud, keeping your most privileged controls walled off.
  • Keep Firewalls Current
    A firewall isn’t a “set it and forget it” tool; it’s only as effective as its latest update. No matter which vendor you use, regularly updating firmware and security services ensures your defenses evolve alongside attackers. Neglecting updates leaves cracks in the wall that adversaries are quick to exploit. Modern tabletop firewalls, for example, are built to deliver strong protection, but only when they’re kept current.

If you’re a managed service provider (MSP) or cybersecurity partner supporting customers through this evolving threat landscape, helping them mature across these areas is no longer optional; it’s your differentiator. Whether you're building custom offerings or scaling a managed security practice, you shouldn't have to do it alone.

What Real Security Looks Like 

The Akira case is both a glimpse into the future, and a warning about the present. You don’t just need better tools. You need a complete strategy that works in real life. 

At WatchGuard, we help both organizations and partners deliver Real Security for the Real World, built for imperfect environments, tight budgets, and complex demands. Our Unified Security Platform®, combined with 24/7 MDR services, helps you prevent, detect, and respond before attackers make the first move. Don’t wait to learn from your attacker. Take the first step toward stronger cybersecurity.


If you want to learn more about Akira, don't miss our on-demand webinar here.