Akira Ransomware: What Fort Worth Small Businesses Need to Know About the Updated CISA Advisory
Akira ransomware is not new, but it is not slowing down either. The group has been active since March 2023 and, according to the joint advisory that CISA, the FBI, HHS, and partner agencies updated in November 2025, had taken in roughly $244 million in ransom payments as of late September 2025. What matters for Fort Worth business owners is who Akira targets. The advisory is direct about it. The group focuses on small and medium-sized businesses, with regular hits on healthcare, manufacturing, professional services, food and agriculture, and financial sector firms. That is the entire client base we work with on a daily basis in this city.
If you run a 30-person home health agency in west Fort Worth, a manufacturing shop near Saginaw, or a professional services firm off University Drive, this is your threat profile. The updated advisory at AA24-109A lays out current Akira tactics and the specific defenses that work. This post translates that into something a non-IT business owner can actually use, with the Fort Worth context layered on top.
What the updated Akira advisory actually says
The group, the playbook, and the new variant
Akira operates as a ransomware-as-a-service program. The core developers maintain the malware, recruit affiliates, and split the ransom. The affiliates are the ones who break into networks. The model is industrial. It scales. The November 2025 update from CISA and partners adds new indicators of compromise, fresh details on how affiliates are getting in, and a description of a faster encryption variant called Akira_v2 that further inhibits recovery.
The reason this matters more than a typical CVE alert is the scale of who is being hit. Verizon's 2025 Data Breach Investigations Report found that ransomware was a factor in 44% of all data breaches it analyzed, up from 32% the year before. For small and mid-sized businesses specifically, extortion malware appeared in 88% of breach incidents, compared to 39% at larger organizations. The gap is wide because SMBs run leaner stacks. Smaller teams, fewer backups, less layered defense, less detection. That is the playing field Akira operates on.
How Akira gets in
The CISA advisory is specific about initial access. Akira affiliates rely on a small set of repeatable methods, and almost none of them require zero-day vulnerabilities or movie-grade hacking. The four most common entry points are:
1. Stolen VPN credentials, often obtained through spear phishing campaigns or purchased from initial access brokers
2. Brute force attacks against weak passwords, particularly on VPN services that do not enforce multifactor authentication
3. Compromised remote access services like RDP exposed to the internet
4. Known software vulnerabilities in VPN appliances and other internet-facing systems, particularly when patches have been available for months
That is it. Four doors. They are the same four doors we walk in through every time we audit a new client's environment and assess their exposure. Fixing them is not glamorous, but it works. For most Fort Worth businesses, an honest managed IT program plus a real security program closes all four doors. Without that, you are betting that a $244-million ransomware operation will not get around to you.
How to defend against Akira (the practical playbook)
The five things that actually move the needle
The CISA mitigations list is longer than what we are going to walk through here. We have culled it to the five controls that close the most doors for the least friction. If your IT provider has these in place, your Akira exposure is meaningfully lower than your neighbor's. If they do not, you are exposed regardless of what your invoice says.
1. Multifactor authentication on every remote access service, with no exceptions. Akira does not need fancy tools to compromise a VPN account if there is no MFA. The advisory specifically names VPN services without MFA as a primary entry vector. This is not about Microsoft 365 alone. It is about every VPN, every remote desktop gateway, every web-based admin portal, every cloud admin console. If any one of those is single-factor, that is the door.
2. A patching cadence that includes VPN appliances and backup servers. Most Fort Worth small businesses have an unwritten policy of patching workstations and email servers when convenient, and patching firewalls and backup servers when something breaks. Akira affiliates know this. They watch for unpatched VPN appliances the way deer watch for an open gate. Patching needs to be a calendared process with names attached. Our earlier post on the CISA KEV catalog covers how to use that list as a patching prioritization tool.
3. Endpoint detection and response (EDR) on every endpoint, including servers. Akira affiliates live off the land: PowerShell and Windows Management Instrumentation to run commands and shut off security tooling, then tunneling and remote access utilities such as Ngrok, AnyDesk, and RustDesk to keep a way back in. Traditional antivirus does not catch most of that activity, because none of it is malware in the signature sense. EDR does, because it watches behavior rather than file hashes. It is the single biggest detection upgrade most Fort Worth SMBs can make. Endpoint management is the work behind it.
4. Backups that are immutable, segmented, and tested. Akira's job is to encrypt your data and your backups. If your backup system is reachable from the same network as your production environment using the same credentials, you do not have a backup. You have a copy that the ransomware will hit too. Real recovery means immutable storage, network segmentation, and quarterly restore tests where someone actually proves the data comes back.
5. Monitor for unauthorized domain account creation and unusual remote access patterns. Akira affiliates create new admin accounts inside Active Directory once they are in, and they tunnel out using common utilities. You cannot catch that with a quarterly review. You need logging, alerting, and somebody whose job it is to look. This is what 24/7 security monitoring is supposed to do.
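Item 5 is the one most providers say they do and fewest can show. The script below is an added example for this post, not code from the CISA advisory or from IT Integrations. It looks for the specific sequence the advisory describes: a domain account gets created and is then dropped into a privileged group a few minutes later. The event IDs are the standard Windows Security log IDs (4720 user account created, 4728 member added to a global group such as Domain Admins, 4732 member added to a local group such as Administrators). The account names, group names, and timestamps in the sample data are constructed so the detection logic can be run offline; the commented Get-WinEvent call at the end is how you would feed it a real domain controller's log.

```powershell
# Added example, not code from the CISA advisory. Correlates account creation (4720)
# with privileged-group additions (4728/4732) within a short window.

function Get-EventDataValue {
    param([xml]$Xml, [string]$Name)
    # Read one named field from the <EventData> block of an event's XML.
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name } | Select-Object -First 1).'#text'
}

function ConvertFrom-SecurityEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Normalize a Get-WinEvent record into the flat shape Find-NewPrivilegedAccount expects.
    $xml = [xml]$Event.ToXml()
    if ($Event.Id -eq 4720) {
        return [pscustomobject]@{
            Id = 4720; Time = $Event.TimeCreated
            Subject = (Get-EventDataValue $xml 'SubjectUserName')   # who created the account
            Target  = (Get-EventDataValue $xml 'TargetUserName')    # the new account
            Group   = $null
        }
    }
    # 4728/4732: MemberName is a DN such as CN=itadmin2,CN=Users,DC=corp,DC=local.
    # Some systems log "-" there and only fill MemberSid, so fall back to the SID.
    $member = Get-EventDataValue $xml 'MemberName'
    if (-not $member -or $member -eq '-') { $member = Get-EventDataValue $xml 'MemberSid' }
    [pscustomobject]@{
        Id = $Event.Id; Time = $Event.TimeCreated
        Subject = (Get-EventDataValue $xml 'SubjectUserName')
        Target  = ($member -replace '^CN=([^,]+),.*$', '$1')
        Group   = (Get-EventDataValue $xml 'TargetUserName')        # the group that gained a member
    }
}

function Find-NewPrivilegedAccount {
    param(
        [object[]]$Records,
        [int]$WindowHours = 24,
        [string[]]$WatchedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Remote Desktop Users')
    )
    # For every account creation, look for a watched-group add of the same account inside
    # the window. Legitimate onboarding rarely does both within hours; affiliates usually do.
    foreach ($c in ($Records | Where-Object { $_.Id -eq 4720 })) {
        $adds = $Records | Where-Object {
            ($_.Id -in @(4728, 4732)) -and ($_.Target -eq $c.Target) -and
            ($WatchedGroups -contains $_.Group) -and
            ($_.Time -ge $c.Time) -and ($_.Time -le $c.Time.AddHours($WindowHours))
        }
        foreach ($a in $adds) {
            [pscustomobject]@{
                Account = $c.Target; CreatedBy = $c.Subject; CreatedAt = $c.Time
                AddedTo = $a.Group; AddedBy = $a.Subject
                MinutesAfterCreate = [int]($a.Time - $c.Time).TotalMinutes
            }
        }
    }
}

# Constructed sample: one off-hours create-then-elevate sequence, one normal onboarding
# whose group add happens days later and therefore falls outside the window.
$t0 = Get-Date '2025-11-20 02:13:00'
$sample = @(
    [pscustomobject]@{ Id = 4720; Time = $t0;               Subject = 'svc_backup'; Target = 'itadmin2'; Group = $null }
    [pscustomobject]@{ Id = 4728; Time = $t0.AddMinutes(4); Subject = 'svc_backup'; Target = 'itadmin2'; Group = 'Domain Admins' }
    [pscustomobject]@{ Id = 4720; Time = $t0.AddHours(7);   Subject = 'hr.onboard'; Target = 'newhire';  Group = $null }
    [pscustomobject]@{ Id = 4732; Time = $t0.AddDays(3);    Subject = 'hr.onboard'; Target = 'newhire';  Group = 'Remote Desktop Users' }
)
Find-NewPrivilegedAccount -Records $sample | Format-Table -AutoSize

# Against a real domain controller (run as a member of Event Log Readers or an admin):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4728, 4732; StartTime = (Get-Date).AddDays(-7) } |
#         ForEach-Object { ConvertFrom-SecurityEvent $_ }
# Find-NewPrivilegedAccount -Records $live
```

Two practical notes. First, a service account like the constructed svc_backup creating a domain admin at 2 a.m. is the kind of row that should page someone, which is the point of having a human behind the alert rather than a quarterly report. Second, this only works if Account Management auditing is turned on for domain controllers and the Security log is large enough to hold more than a few days; both are worth checking before trusting the output.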
What about cybersecurity insurance
Cybersecurity insurance is part of the answer, not all of it. Most carriers now ask on the application whether you have MFA, EDR, immutable backups, and a current security risk assessment, and those answers become conditions of coverage. If you cannot prove the controls were actually in place when you got hit, the claim can be denied or the policy rescinded. Insurance is a backstop, not a substitute for the work. We help Fort Worth clients align their security posture with what their carrier actually requires so a claim does not get denied later.
Worried about ransomware exposure? IT Integrations runs cybersecurity assessments for Fort Worth businesses across DFW, including healthcare practices, manufacturing shops, and professional services firms. Call (817) 808-1816 or request a free IT assessment.
The Fort Worth angle: why our market is on the radar
Fort Worth is the kind of place Akira affiliates like. The metro has a deep base of small and mid-sized healthcare practices, construction firms, manufacturers, and professional services firms. Most of them run on lean IT budgets. Many of them have a one-person IT shop or an outsourced provider who is stretched across thirty other clients. The home health and hospice sector is particularly exposed because compliance pressure has often been treated as a checklist exercise rather than an operational discipline, and that gap is exactly what ransomware affiliates monetize.
We see it in our audits of new clients. A home health agency in Hudson Oaks with a VPN appliance two firmware versions behind and no MFA. A manufacturer in Saginaw with backup software that uses the same domain admin credentials as the production environment. A law firm near Sundance Square with PowerShell unrestricted on every workstation because nobody ever locked it down. None of these are unusual. They are the default state of a small business that has not been audited recently. The CISA advisory describes exactly these conditions when it talks about how Akira gets in.
There is also a regional context worth naming. Texas has a large home health, hospice, and assisted living footprint, and ransomware against those organizations is presumed to be a HIPAA breach the moment patient data is encrypted or accessed, unless the practice can document otherwise. That is not a hypothetical. It is the HHS Office for Civil Rights position on ransomware. A ransomware event at a Fort Worth healthcare practice is also a reportable incident with regulatory consequences. Our healthcare IT work is built around preventing that scenario, not reacting to it.
For the construction and manufacturing side, the operational impact is different but no less brutal. Field operations stop. Crews stand around. The bill is not just the ransom. It is every day the equipment does not move and every order that ships late.
What we see in the field after 20 years of doing this
When we walk into a new Fort Worth client engagement and audit the environment against the CISA Akira mitigations, we see the same patterns repeat. Most of them are not glamorous and most of them are fixable in 90 days.
Patching is the unsexy one. Patching gets neglected because nobody ever thanked an IT person for installing an update. But every Akira initial access vector that involves a known CVE is patchable. If the patching cadence in your environment is "when there is time," that is an Akira entry point. The fix is calendared, named, owned, and verified.
MFA gets configured almost everywhere except where it matters. We see Microsoft 365 MFA enabled, sometimes. We see VPN MFA missing, often. We see backup software with no MFA at all, almost always. Affiliates know which doors are locked and which ones are not. Closing the unlocked ones is not expensive. It just has to actually happen.
Backups look fine until someone tests them. "We have backups" is one of the most repeated and least verified sentences in small business IT. A backup is not a backup until it has been restored. Quarterly restore tests catch the dozen small misconfigurations that would otherwise quietly invalidate the entire recovery plan. We do this for clients because they ask, and because we know what happens when nobody does.
Domain admin sprawl. Akira loves global admin and domain admin accounts. So do prior IT providers, who sometimes leave themselves accounts on the way out. We have seen environments with multiple active admin accounts tied to people or vendors who left months earlier. Every one of those is an attack surface.
Logging without monitoring. Lots of small businesses have logs. Almost none of them have anyone looking. Akira affiliates establish persistence and tunnel out for days before deploying ransomware. If somebody is watching, you see it. If not, you wake up to a ransom note.
The good news is that none of these require a six-figure security budget. The work is operational. It is the discipline of doing the boring things consistently, which is what a real managed IT and security program actually delivers.
Frequently Asked Questions
How likely is my Fort Worth small business to be hit by Akira specifically?
Specifically by Akira, hard to say. Hit by some form of ransomware that uses the same playbook, much more likely than people think. The Verizon 2025 DBIR found extortion malware in 88% of small and mid-sized business breach incidents. The CISA advisory is written about Akira, but the controls it recommends defend against the entire ransomware-as-a-service ecosystem. The right way to read the advisory is not "am I an Akira target," it is "am I prepared for this category of threat." Most Fort Worth SMBs are not, yet, and that is a fixable problem.
Our IT provider says we are protected. How do we verify that?
Ask for three artifacts and a demonstration. The artifacts: your most recent security risk assessment with the date on it, a list of every account in your environment with administrative privileges, and proof that MFA is enforced on every remote access service including VPN and any web admin portal. The demonstration: a recent successful backup restore test, with the date and what was restored. If a provider cannot produce those four things within a week, the security posture they are charging for may exist on paper but not in operations. This is the "compliance on paper versus actual compliance" gap we see constantly during transition audits.
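The second artifact above, the list of every account with administrative privileges, is also the fix for the domain admin sprawl described earlier. The script below is an added example for this post, not code from IT Integrations or the CISA advisory, showing what that list should actually contain: every account that holds domain admin rights directly or through a nested group, with the stale and disabled ones flagged. It assumes a domain-joined Windows machine with the RSAT ActiveDirectory module installed; the group list and the 90-day staleness threshold are choices for this example, not a standard.

```powershell
# Added example, not code from the CISA advisory. Enumerates privileged AD accounts
# (including nested membership) and flags ones that look abandoned.
Import-Module ActiveDirectory

function Get-PrivilegedAccountReport {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                              'Administrators', 'Account Operators', 'Backup Operators'),
        [int]$StaleDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($g in $Groups) {
        # -Recursive expands nested groups, so a vendor granted rights through an
        # "IT Vendors" group still shows up. Schema Admins only exists in the forest root,
        # hence SilentlyContinue.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, PasswordLastSet, Description
            $reasons = @()
            if (-not $u.Enabled) { $reasons += 'disabled but still privileged' }
            # LastLogonDate comes from the replicated lastLogonTimestamp, so it can lag by
            # up to about two weeks; it is good enough to find accounts idle for months.
            if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) { $reasons += "no logon in $StaleDays days" }
            if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddYears(-1)) { $reasons += 'password older than a year' }
            [pscustomobject]@{
                Group           = $g
                Account         = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogon       = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                Description     = $u.Description
                Flags           = ($reasons -join '; ')
            }
        }
    }
}

$report = Get-PrivilegedAccountReport
$report | Sort-Object Group, Account | Format-Table -AutoSize

# The artifact to hand to the owner: the full list, plus the flagged subset as a CSV.
$report | Where-Object { $_.Flags } |
    Export-Csv -NoTypeInformation -Path ".\privileged-accounts-$(Get-Date -Format yyyyMMdd).csv"
```

Every row with a non-empty Flags column is a question for the provider: who is this, why does it still have rights, and who signed off on it. An account named after a previous IT vendor that has not logged on in six months and still sits in Domain Admins is exactly the sprawl the field section describes, and it takes one command to remove it once someone has looked.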
We are a healthcare practice. Does Akira mean a HIPAA breach if we get hit?
The HHS Office for Civil Rights has been clear that a ransomware event is presumed to be a HIPAA breach unless the covered entity can demonstrate through a low-probability-of-compromise risk assessment that protected health information was not compromised. In practice, for most Fort Worth healthcare practices, a ransomware attack will be a reportable breach, with notification obligations to patients, HHS, and in some cases the media. The defense and the compliance work are the same work. Our HIPAA compliance and cybersecurity programs are designed around that overlap.
Do we really need EDR if we already have antivirus?
Yes, and the gap matters. Traditional antivirus catches known malware signatures. Akira affiliates use legitimate Windows tools like PowerShell, WMIC, and remote management utilities to do most of their work, then deploy the ransomware payload at the end. There is no signature for "an admin running PowerShell" because admins run PowerShell. EDR understands behavior in context. It catches the unusual sequence even when each individual action looks benign. For a small business, the cost difference between antivirus and managed EDR is real but modest. The detection difference is enormous.
If we get hit anyway, should we pay the ransom?
This is a business decision the owner has to make with input from legal counsel, the cybersecurity insurance carrier, the FBI, and the IT and forensics teams. There is no universal right answer. The Verizon DBIR reports that the median ransom payment fell to $115,000 in 2025, and that nearly two-thirds of victims now refuse to pay. The FBI's general position is not to pay because it funds further attacks and does not guarantee recovery. The right preparation is to be in a position where the answer can credibly be no, which means tested backups, an incident response plan, and a known forensics partner before the day you need one.
Next Steps
The updated CISA Akira advisory is not a reason to panic. It is a reason to look at the basics honestly. The five controls above are not exotic. They are the standard of care for a small or mid-sized business operating in 2026. The question to ask is not whether you have a cybersecurity program. The question is whether the program you are paying for has these five controls operational today, with proof.
If you want a clear, unhurried look at where your Fort Worth business stands against the Akira playbook, we will do it without a sales pitch. We will walk through what we find, in plain English, and you can decide what to do next.
Ready to find out where you stand? IT Integrations provides cybersecurity, managed IT, and HIPAA compliance work for Fort Worth businesses and the surrounding DFW area. Call (817) 808-1816 or schedule a free IT assessment today.