
Akira ransomware: 13 Italian SMEs hit in a few months.

  • Confirmed incidents: 13 in Italy
  • Main vector: firewall / SSL VPN
  • NIS2 notification: within 24 hours

What is happening in Italy

CSIRT Italia, hosted by the ACN (Italian National Cybersecurity Agency), has recently published a bulletin on the ransomware campaigns attributed to the Akira group. Since the beginning of 2026, at least thirteen incidents have been confirmed on Italian soil, all against small and medium-sized enterprises across several sectors: manufacturing, services, logistics, retail. This is not an isolated phenomenon: it is a systematic campaign that exploits already-known vulnerabilities on perimeter devices.

The bulletin confirms a trend already highlighted in the Clusit Report 2026: Italy is among the most-targeted countries in Europe, and SMEs are the most frequent victims — not because of the value of a single ransom, but because of ease of access.

How the attack works

The attack cycle observed in the Italian cases follows a recurring four-phase pattern:

  1. Initial access — exploitation of known (n-day) vulnerabilities on perimeter firewalls and SSL VPN gateways reachable from the internet. In the 2026 Italian cases, CSIRT observed a preference for some SonicWall models with outdated firmware, but the technique applies to any perimeter device with unpatched public CVEs.
  2. Reconnaissance and lateral movement — once inside, attackers map Active Directory, harvest cached credentials from workstations, compromise service accounts and pivot toward critical systems using legitimate tools (PowerShell, PsExec, RDP) to evade traditional antivirus.
  3. Data exfiltration — before encryption, Akira copies the most sensitive data out of the corporate perimeter: projects, financials, HR data, customer archives. Exfiltration fuels the double extortion model: one ransom for the decryption key and a second ransom not to publish the data on the group's leak site.
  4. Encryption — deployment of the Akira payload on file servers, databases, virtualisation hosts and, wherever possible, online backups reachable with the same administrative credentials. At this point, production stops.
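The second phase is the one a defender has the best chance of catching, because the "legitimate tools" leave ordinary Windows events behind. The script below is an added example (not code from CSIRT Italia, AtWorkStudio or the bulletin) that runs a lateral-movement triage over a handful of constructed event log lines: it flags one account producing network or RDP logons (Event ID 4624, logon types 3 and 10) on several hosts within a short window, a PsExec service installation (Event ID 7045 for PSEXESVC), and an encoded PowerShell command line (Event ID 4688). The pipe-separated line format, host names, account names and thresholds are assumptions; a SIEM export would supply equivalent fields.

```python
"""Lateral-movement triage over Windows event log lines (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, format: timestamp|host|event_id|account|detail
SAMPLE_LOG = """\
2026-03-02T08:01:10|WS-014|4624|svc_backup|logon_type=3 src=10.0.5.21
2026-03-02T08:01:45|SRV-FILE01|4624|svc_backup|logon_type=3 src=10.0.5.21
2026-03-02T08:02:03|SRV-ERP01|4624|svc_backup|logon_type=3 src=10.0.5.21
2026-03-02T08:02:40|DC01|4624|svc_backup|logon_type=10 src=10.0.5.21
2026-03-02T08:03:12|SRV-FILE01|7045|svc_backup|service=PSEXESVC path=C:\\Windows\\PSEXESVC.exe
2026-03-02T08:03:30|SRV-FILE01|4688|svc_backup|cmd=powershell.exe -nop -w hidden -enc SQBFAFgA
2026-03-02T09:15:00|WS-002|4624|m.rossi|logon_type=2 src=-
2026-03-02T09:16:00|SRV-FILE01|4624|m.rossi|logon_type=3 src=10.0.7.33
"""

MAX_HOSTS_PER_WINDOW = 3           # distinct hosts per account before alerting (assumed threshold)
WINDOW = timedelta(minutes=10)     # sliding window for the fan-out check (assumed)
NETWORK_LOGON_TYPES = {"3", "10"}  # 3 = network (SMB/admin shares), 10 = RemoteInteractive (RDP)


def parse_line(line):
    """Split one constructed log line into a dict; key=value tokens in detail become fields."""
    ts, host, event_id, account, detail = line.split("|", 4)
    fields = dict(kv.split("=", 1) for kv in detail.split() if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event_id": event_id,
            "account": account, "detail": detail, "fields": fields}


def triage(log_text):
    """Return a list of (rule, account, hosts) alerts found in the log text."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    events.sort(key=lambda e: e["ts"])
    alerts = []

    # Rule 1: fan-out, one account reaching many hosts over the network in a short window.
    per_account = defaultdict(list)
    for e in events:
        if e["event_id"] == "4624" and e["fields"].get("logon_type") in NETWORK_LOGON_TYPES:
            per_account[e["account"]].append(e)
    for account, evs in per_account.items():
        for i, first in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - first["ts"] <= WINDOW}
            if len(hosts) >= MAX_HOSTS_PER_WINDOW:
                alerts.append(("lateral_movement_fanout", account, sorted(hosts)))
                break  # one alert per account is enough for triage

    # Rule 2: tooling artefacts that normally accompany the pivot.
    for e in events:
        low = e["detail"].lower()
        if e["event_id"] == "7045" and e["fields"].get("service", "").upper() == "PSEXESVC":
            alerts.append(("psexec_service_install", e["account"], [e["host"]]))
        if e["event_id"] == "4688" and "powershell" in low and "-enc" in low:
            alerts.append(("encoded_powershell", e["account"], [e["host"]]))
    return alerts


if __name__ == "__main__":
    for rule, account, hosts in triage(SAMPLE_LOG):
        print(f"{rule:28s} account={account:12s} hosts={','.join(hosts)}")
```

The interactive logon by `m.rossi` (logon type 2) and their single file-server access are ignored, which is the point: the signal is the combination of breadth and tooling, not any one event. In production the same rules belong in the EDR or SIEM rather than a script, and the thresholds need tuning against the organisation's normal backup and management traffic.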

Why SMEs are the ideal target

The same conditions that make security hard for an SME are the ones that make it an easy target. Akira does not pursue strategic companies: it pursues companies with fragile perimeters. The recurring factors in the Italian victims are always the same:

  • Irregular patch management — perimeter firewalls are updated rarely, often only when something breaks. Critical CVEs remain open for months.
  • SSL VPN without MFA — remote access is still based on username and password alone. A stolen credential or a pre-auth vulnerability is enough to enter the network.
  • No network segmentation — once inside, the attacker reaches servers, ERP and domain controllers from the same subnet as users, with no obstacles.
  • Online backups with the same domain credentials — a backup exists, but it gets encrypted together with the rest. Without an offline or immutable copy, there is no recovery.
  • Traditional antivirus instead of EDR — the tools Akira uses are legitimate Windows binaries. A classic antivirus lacks the context to notice lateral movement in real time.

What an SME should do today

No single control stops Akira: you need a set of layered controls, each weak on its own but effective when combined. The priority actions, ranked by impact, are the following:

  1. Patch firewalls and VPN gateways now — check open CVEs on perimeter devices and apply fixes within days of disclosure. If there is no process in place, start with a vulnerability assessment.
  2. Mandatory MFA on VPN and admin access — remove password-only access on SSL VPN, RDP and admin consoles. Integrate multi-factor authentication into your firewall and network security.
  3. EDR or XDR on every endpoint — replace traditional antivirus with an EDR or XDR solution capable of detecting anomalous behaviours (lateral movement, suspicious PowerShell usage, privilege escalation), not just known signatures.
  4. Offline or immutable backup — at least one copy of critical data must be unreachable with domain credentials: immutable storage, offline tape, or a managed backup and disaster recovery service with a dedicated repository. Recovery must be tested at least once a year.
  5. Continuous monitoring and a CSIRT contact point — the difference between a contained incident and a disaster is reaction speed. An outsourced CSIRT ensures monitoring, NIS2 notification handling and coordination with the ACN in the event of an incident.
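"Critical CVEs remain open for months" in the risk factors above and "check open CVEs on perimeter devices" in action 1 describe the same control: knowing which internet-facing devices run firmware older than the fixed version of a published advisory, and for how long. The script below is an added example (not the bulletin's or AtWorkStudio's code) of that patch-lag check over a constructed inventory. Device names, product families, firmware strings and the `ADV-PLACEHOLDER-*` advisory ids are placeholders, not real products or CVEs; the 14-day threshold turns the page's "within days of disclosure" into a number and is an assumption.

```python
"""Perimeter patch-lag check (added example, constructed data)."""
import re
from datetime import date

# Constructed inventory of internet-facing devices: name, product family, running firmware.
INVENTORY = [
    {"name": "fw-hq-1",     "family": "vendorA-ssl-vpn", "firmware": "7.0.1-5035"},
    {"name": "fw-branch-1", "family": "vendorA-ssl-vpn", "firmware": "7.2.0-7015"},
    {"name": "vpn-gw-0",    "family": "vendorB-gateway", "firmware": "6.5.3"},
    {"name": "vpn-gw-1",    "family": "vendorB-gateway", "firmware": "6.5.4"},
]

# Constructed advisories with placeholder ids: first fixed version and disclosure date.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "family": "vendorA-ssl-vpn", "fixed_in": "7.2.0-7015",
     "disclosed": date(2026, 1, 15), "pre_auth": True},
    {"id": "ADV-PLACEHOLDER-2", "family": "vendorB-gateway", "fixed_in": "6.5.4",
     "disclosed": date(2025, 11, 3), "pre_auth": False},
]

MAX_PATCH_DAYS = 14  # assumed SLA for perimeter fixes after disclosure


def version_key(version):
    """Turn '7.0.1-5035' into (7, 0, 1, 5035) so firmware strings compare numerically,
    not lexically ('7.10.0' must sort above '7.9.9')."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def exposed_devices(inventory, advisories, today):
    """Return devices running firmware below an advisory's fixed version, worst first."""
    findings = []
    for dev in inventory:
        for adv in advisories:
            if adv["family"] != dev["family"]:
                continue
            if version_key(dev["firmware"]) < version_key(adv["fixed_in"]):
                days_open = (today - adv["disclosed"]).days
                findings.append({
                    "device": dev["name"],
                    "advisory": adv["id"],
                    "running": dev["firmware"],
                    "fixed_in": adv["fixed_in"],
                    "days_open": days_open,
                    "overdue": days_open > MAX_PATCH_DAYS,
                    "pre_auth": adv["pre_auth"],
                })
    # Pre-auth bugs on a perimeter device outrank everything else; then the longest-open fix.
    findings.sort(key=lambda f: (not f["pre_auth"], -f["days_open"]))
    return findings


if __name__ == "__main__":
    for f in exposed_devices(INVENTORY, ADVISORIES, date.today()):
        flag = "OVERDUE" if f["overdue"] else "open"
        print(f"{f['device']}: {f['running']} < {f['fixed_in']} ({f['advisory']}, "
              f"{f['days_open']} days, pre-auth={f['pre_auth']}) {flag}")
```

The ranking matters more than the listing: a pre-authentication bug on an SSL VPN is exactly the initial-access vector described earlier, so it sorts first even when another device has been unpatched for longer. Feeding the inventory from the firewall management console and the advisories from the vendor's feed turns this into the minimum viable patch-management process the page asks for.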

The NIS2 notification duty

For organisations within scope, a confirmed ransomware attack is a significant incident under the NIS2 Directive. The pre-notification to CSIRT Italia must be sent within 24 hours of discovery, the formal notification with technical details within 72 hours, and the final report within one month. Failure to comply exposes the organisation to fines of up to €10 million or 2% of global turnover. When an incident is in progress, there is no time to improvise: the process must be set up in advance.
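Setting the process up in advance includes knowing, at the moment of discovery, exactly when each of the three deadlines falls. The helper below is an added example (not the Directive's text, and not AtWorkStudio's tooling) that derives the 24-hour, 72-hour and one-month deadlines from a timezone-aware discovery timestamp and reports how much time is left. "One month" is interpreted here as the same calendar day of the following month, clamped to the last day of that month when the day does not exist (an incident discovered on 31 January gets a 28 February deadline); that interpretation is an assumption, not something the page states.

```python
"""NIS2 notification deadline tracker (added example; the one-month rule is an assumption)."""
import calendar
from datetime import datetime, timedelta, timezone


def add_one_month(dt):
    """Same day next month, clamped to that month's last day (e.g. 31 Jan -> 28 Feb)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def nis2_deadlines(discovered_at):
    """Return the three deadlines listed on the page, keyed by stage."""
    if discovered_at.tzinfo is None:
        # A naive timestamp silently shifts deadlines by the UTC offset; refuse it.
        raise ValueError("discovery time must be timezone-aware")
    return {
        "pre_notification": discovered_at + timedelta(hours=24),
        "notification": discovered_at + timedelta(hours=72),
        "final_report": add_one_month(discovered_at),
    }


def deadline_status(discovered_at, now):
    """Map each stage to 'overdue' or the hours remaining, rounded to one decimal."""
    result = {}
    for stage, due in nis2_deadlines(discovered_at).items():
        if now > due:
            result[stage] = "overdue"
        else:
            result[stage] = f"{(due - now).total_seconds() / 3600:.1f}h left"
    return result


if __name__ == "__main__":
    found = datetime(2026, 1, 31, 10, 0, tzinfo=timezone.utc)  # constructed discovery time
    for stage, due in nis2_deadlines(found).items():
        print(f"{stage:17s} {due.isoformat()}")
    print(deadline_status(found, datetime(2026, 2, 2, 10, 0, tzinfo=timezone.utc)))
```

Record the discovery time in the incident ticket at the moment it is established, since every deadline hangs off it, and keep the clock in a single explicit timezone so the 24-hour window is not misread across a daylight-saving change.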

A certified local partner

AtWorkStudio has been operating from Piacenza since 2000. We hold ISO/IEC 27001, 27017, 27018 and ISO 9001 certifications, with ACN qualification for cloud services. We are members of Clusit (Italian Association for Information Security) and affiliated with Confindustria Piacenza in the RICT cluster. We design and operate the defence of Italian SMEs end-to-end: patch management, network segmentation, EDR, immutable backups, continuous monitoring and outsourced CSIRT.

Sources

  • CSIRT Italia – ACN — Bulletin on systematic exploitation of perimeter vulnerabilities and VPN access attributed to the Akira group (April 2026)
  • Clusit — Clusit Report 2026 on ICT security in Italy
  • ENISA — Threat Landscape 2025, ransomware and double extortion section
  • CISA — #StopRansomware advisory «Akira Ransomware», updated 2025


Want to check whether your SME is exposed to Akira?

Start with a free security posture assessment based on NIST CSF 2.0, or contact us for a review of your perimeter firewalls, VPN gateways and backup strategy. We will tell you, transparently, where to act first.