Cisco Under Siege: How Akira Ransomware and Nation-State Actors Are Exploiting America's Most Critical Network Infrastructure
$244 Million in Ransoms, Chinese APT Groups, and Why Federal Agencies Can't Keep Cisco Firewalls Patched
Executive Summary
While Fortinet and SonicWall have garnered attention for their exploitation crises, Cisco networking equipment—deployed in virtually every major enterprise, government agency, and critical infrastructure organization—has become ground zero for both Akira ransomware's $244 million campaign and sophisticated Chinese nation-state espionage operations.

The scale of the problem is staggering:
- Approximately 48,000 unpatched Cisco ASA/FTD appliances remain internet-facing as of November 2025
- Akira ransomware has specifically weaponized multiple Cisco CVEs for initial access
- Chinese APT groups (UAT4356/Storm-1849) have been exploiting Cisco zero-days since 2024
- Federal agencies themselves struggle to patch vulnerable Cisco devices, prompting emergency CISA directives
- 60% of all cyber incidents in 2024 involved identity-based attacks exploiting VPN weaknesses—primarily Cisco products
This isn't theoretical. The Congressional Budget Office was breached through unpatched Cisco firewalls during the 2025 government shutdown. KNP Logistics, a 158-year-old company, was destroyed after Akira guessed a weak password on a Cisco VPN account. The ArcaneDoor campaign deployed persistent malware on Cisco ASA devices that survives reboots and software upgrades.
The uncomfortable truth: Cisco's ubiquity has made it the most valuable target in the ransomware ecosystem, and Akira has figured out exactly how to exploit it at scale.
The Akira-Cisco Connection: $244 Million and Counting
Akira's Cisco-Focused Attack Strategy
Since emerging in March 2023, Akira ransomware has generated approximately $244.17 million in ransom proceeds as of September 2025, establishing itself as one of the most financially successful ransomware operations in history. What makes Akira particularly dangerous is its methodical targeting of Cisco products for initial access.
CISA's November 2025 update to its #StopRansomware Akira advisory (AA24-109A) calls out the following vulnerabilities as exploited by Akira. Three are Cisco ASA/FTD bugs; the fourth is often listed alongside them but is not a Cisco product:
- CVE-2020-3259 (CVSS 7.5) - Information disclosure in the Cisco ASA/FTD web services interface; an unauthenticated attacker can read device memory, which can include VPN session data and credentials
- CVE-2023-20269 (CVSS 5.3) - Unauthorized remote-access VPN access in Cisco ASA/FTD (CWE-288, authentication bypass via alternate path); lets an unauthenticated attacker brute-force username and password combinations against the VPN, or an attacker with valid credentials establish a clientless SSL VPN session
- CVE-2020-3580 (CVSS 6.1) - Cross-site scripting in the Cisco ASA/FTD web services interface
- CVE-2024-37085 (CVSS 8.1) - Authentication bypass by primary weakness in VMware ESXi's Active Directory integration. This is not a Cisco vulnerability: Akira uses it after initial access to take over ESXi hosts and encrypt virtual machines, so it belongs to the post-exploitation phase rather than the Cisco entry vector
The Attack Pattern:
- Reconnaissance: Scan internet for exposed Cisco VPN endpoints
- Initial Access: Exploit unpatched CVE or brute-force weak credentials
- MFA Bypass: Use sophisticated VPN-specific techniques (push notification fatigue, session hijacking)
- Privilege Escalation: Leverage Cisco-specific misconfigurations
- Lateral Movement: Use RDP, AnyDesk, LogMeIn from compromised Cisco device
- Data Exfiltration: Complete in as little as 2 hours from initial access
- Encryption: Deploy Akira_v2 ransomware with .akira or .powerranges extension
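Steps 1 through 3 of the pattern above leave a trace on the appliance itself. The following is an added example for this article, not code from the page, from Cisco or from CISA: detection logic run over a few constructed Cisco ASA syslog lines. It flags a source IP that fails authentication against several VPN usernames in a short window (password spray or brute force) and raises a higher-severity alert when that same IP then establishes a VPN session, which is the "guess a credential, then walk in through the VPN" sequence the article describes. The message IDs 113005 and 716001 are real ASA syslog IDs; the hostname, usernames, addresses, thresholds and alert names are assumptions.

```python
"""Spray / brute-force detection over Cisco ASA syslog (added example).

Parses two real ASA message IDs:
  %ASA-6-113005  AAA user authentication Rejected   (carries user and source IP)
  %ASA-6-716001  WebVPN session started            (carries user and source IP)
Hostname, users, addresses and thresholds are constructed for the example
and are not a vendor recommendation.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five different usernames fail from one IP, then one of
# them logs in from that IP; a second IP shows a single typo followed by success.
SAMPLE_LOG = """\
Nov 12 2025 03:14:01 fw-edge-01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.7
Nov 12 2025 03:14:02 fw-edge-01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = aperez : user IP = 203.0.113.7
Nov 12 2025 03:14:03 fw-edge-01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = mchen : user IP = 203.0.113.7
Nov 12 2025 03:14:04 fw-edge-01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dkim : user IP = 203.0.113.7
Nov 12 2025 03:14:05 fw-edge-01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = rpatel : user IP = 203.0.113.7
Nov 12 2025 03:14:09 fw-edge-01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = rpatel
Nov 12 2025 03:14:09 fw-edge-01 %ASA-6-716001: Group <RemoteVPN> User <rpatel> IP <203.0.113.7> WebVPN session started.
Nov 12 2025 03:20:00 fw-edge-01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bwong : user IP = 198.51.100.4
Nov 12 2025 03:20:31 fw-edge-01 %ASA-6-716001: Group <RemoteVPN> User <bwong> IP <198.51.100.4> WebVPN session started.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$")
REJECT_RE = re.compile(r"user = (?P<user>\S+)(?: : user IP = (?P<ip>\S+))?")
SESSION_RE = re.compile(r"User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>")


def parse_line(line):
    """Return (timestamp, message id, body) or None for lines we don't handle."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    return ts, m["msgid"], m["body"]


def detect(log_text, window=timedelta(minutes=10), max_failures=5, min_users=3):
    """Return alerts in the order raised.

    A source IP with >= max_failures rejected logins inside `window` gets one
    alert: 'password_spray' if the failures span >= min_users distinct
    usernames, otherwise 'brute_force'.  A VPN session from that IP within
    `window` of the alert escalates to 'spray_then_session'.
    """
    failures = defaultdict(list)   # src ip -> [(ts, user), ...] inside window
    flagged = {}                   # src ip -> time the first alert was raised
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, msgid, body = ev
        if msgid == "113005":
            m = REJECT_RE.search(body)
            if not m or not m["ip"]:
                continue           # some ASA builds omit the source IP field
            ip = m["ip"]
            recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
            recent.append((ts, m["user"]))
            failures[ip] = recent
            users = sorted({u for _, u in recent})
            if len(recent) >= max_failures and ip not in flagged:
                flagged[ip] = ts
                alerts.append({
                    "severity": "medium",
                    "type": "password_spray" if len(users) >= min_users else "brute_force",
                    "src_ip": ip, "failures": len(recent), "users": users})
        elif msgid == "716001":
            m = SESSION_RE.search(body)
            if m and m["ip"] in flagged and ts - flagged[m["ip"]] <= window:
                alerts.append({"severity": "high", "type": "spray_then_session",
                               "src_ip": m["ip"], "user": m["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the script raises one medium spray alert for 203.0.113.7 after the fifth distinct-username failure and one high alert when rpatel's session starts from that address four seconds later; the single failed login from 198.51.100.4 never crosses the threshold. In production the same logic belongs in the SIEM that already receives ASA syslog, keyed on the source IP rather than the username, because a spray touches many accounts but comes from few addresses.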

Real-World Impact: The KNP Logistics Case Study
The June 2023 attack on KNP Logistics, which put the company into administration three months later, illustrates Akira's Cisco exploitation strategy:
Company Profile:
- Founded: 1865 (158 years of continuous operation)
- Industry: Transportation and logistics
- Employees: 730 staff members
- Status: One of the UK's largest privately owned logistics groups
Attack Vector:
- Akira exploited a weak password on a Cisco VPN account (no MFA enabled)
- Brute-force attack successfully compromised employee credentials
- Attackers gained access to Cisco ASA SSL VPN endpoint
- Encrypted critical financial and operational systems
Outcome:
- Company entered administration in September 2023 (the UK insolvency process, broadly equivalent to bankruptcy)
- All 730 employees lost their jobs
- 158-year-old business destroyed within three months of the attack
- Director Paul Abbott revealed he couldn't inform the employee whose password was compromised: "Would you want to know if it was you?"
Preventable Factors:
- No multi-factor authentication on VPN
- Weak password policy
- Unpatched Cisco ASA vulnerabilities
- No network segmentation
- Inadequate backup strategy
Financial Reality:
- Recovery costs exceeded available resources
- Loss of customer confidence prevented business continuity
- Already challenging market conditions made recovery impossible
This case shows Akira's preferred victim: small-to-medium enterprises (SMEs) that run enterprise-grade Cisco infrastructure without an enterprise-level security team to configure, monitor and patch it.
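The first two Preventable Factors in the KNP case (no MFA on the VPN, weak password policy) are visible in an ASA running configuration long before an attacker shows up. The following is an added example, not the article's or Cisco's own tooling: a small audit that reads a constructed running-config excerpt and flags remote-access tunnel-groups that authenticate against the LOCAL user database only (no MFA-capable AAA server), the absence of a local lockout threshold, and a weak local password policy, then re-runs against a hardened counterpart that passes. The commands are real ASA syntax; the server name DUO-RADIUS, the hostname, addresses, group names and thresholds are assumptions.

```python
"""Audit a Cisco ASA running-config for the VPN weaknesses Akira abuses
(added example, not Cisco tooling).  Three checks:
  1. remote-access tunnel-groups whose authentication-server-group is LOCAL,
     or unset (ASA then defaults to LOCAL): static passwords, no MFA server
  2. no 'aaa local authentication attempts max-fail': no lockout under brute force
  3. weak or unset 'password-policy minimum-length'
Server names, hostname, addresses and thresholds are assumptions.
"""
import re

# Built-in ASA remote-access groups that users with no matching group fall into.
DEFAULT_RA_GROUPS = {"DefaultRAGroup", "DefaultWEBVPNGroup"}

# Constructed weak configuration excerpt (one RADIUS-backed group, two LOCAL ones).
WEAK_CONFIG = """\
hostname fw-edge-01
!
aaa-server DUO-RADIUS protocol radius
aaa-server DUO-RADIUS (inside) host 10.0.0.20
 timeout 60
!
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
 address-pool VPN-POOL
 authentication-server-group LOCAL
tunnel-group RemoteVPN webvpn-attributes
 group-alias RemoteVPN enable
!
tunnel-group Contractors type remote-access
tunnel-group Contractors general-attributes
 authentication-server-group DUO-RADIUS
!
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN-POOL
!
tunnel-group DC-SITE type ipsec-l2l
!
password-policy minimum-length 6
"""

# The same excerpt with each finding fixed: MFA-capable server on every
# remote-access group (default group included), lockout, longer passwords.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    " authentication-server-group LOCAL", " authentication-server-group DUO-RADIUS"
).replace(
    "tunnel-group DefaultWEBVPNGroup general-attributes\n",
    "tunnel-group DefaultWEBVPNGroup general-attributes\n authentication-server-group DUO-RADIUS\n",
).replace(
    "password-policy minimum-length 6",
    "aaa local authentication attempts max-fail 5\npassword-policy minimum-length 14",
)


def parse_tunnel_groups(config_text):
    """Map tunnel-group name -> {'type': ..., 'auth': ...}.

    ASA config is line based: a column-0 command opens a mode and its
    sub-commands follow indented by one space, so a block ends at the next
    unindented line.
    """
    groups, current = {}, None
    for line in config_text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = None
            m = re.match(r"tunnel-group (\S+) type (\S+)$", line)
            if m:
                groups.setdefault(m[1], {"type": None, "auth": None})["type"] = m[2]
                continue
            m = re.match(r"tunnel-group (\S+) general-attributes$", line)
            if m:
                current = groups.setdefault(m[1], {"type": None, "auth": None})
            continue
        m = re.match(r" authentication-server-group (?:\(\S+\) )?(\S+)", line)
        if current is not None and m:
            current["auth"] = m[1]
    return groups


def audit(config_text, min_password_length=12):
    """Return [(severity, message), ...]; an empty list means all checks pass."""
    findings = []
    for name, g in sorted(parse_tunnel_groups(config_text).items()):
        if g["type"] != "remote-access" and name not in DEFAULT_RA_GROUPS:
            continue                          # site-to-site groups carry no user logins
        auth = g["auth"] or "LOCAL"           # ASA default when the command is absent
        if auth.upper() == "LOCAL":
            findings.append(("high", f"tunnel-group {name}: remote-access VPN "
                             "authenticates against LOCAL only, no MFA-capable server"))
    if not re.search(r"^aaa local authentication attempts max-fail \d+", config_text, re.M):
        findings.append(("medium", "no 'aaa local authentication attempts max-fail': "
                         "local accounts never lock out under brute force"))
    m = re.search(r"^password-policy minimum-length (\d+)", config_text, re.M)
    length = int(m[1]) if m else 0
    if length < min_password_length:
        findings.append(("medium", f"password-policy minimum-length is "
                         f"{length or 'unset'}, want >= {min_password_length}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for sev, msg in audit(cfg):
            print(f"  [{sev}] {msg}")
```

The weak excerpt produces four findings: the RemoteVPN group and the built-in DefaultWEBVPNGroup both accept static local passwords (the default group matters because a sprayed username that matches no alias lands there), there is no lockout threshold, and a six-character minimum is in force. The hardened excerpt produces none. Feed it `show running-config` output from a real appliance, and treat any `high` finding on an internet-facing interface as the KNP scenario waiting to happen.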
Akira's Targeting Profile
According to our analysis of October 2025 ransomware campaigns, Akira demonstrated clear victim preferences:
Industry Focus:
- Construction (primary target) - 35% of October victims
- Manufacturing - 28% of October victims
- Critical Infrastructure - 15%
- Education - 10%
- Retail and Technology - 12%
Geographic Distribution:
- United States - 70% of victims
- Italy - 10% (unusually high concentration)
- United Kingdom - 8%
- Other - 12%
Company Size:
- Mid-sized companies ($10M-$500M revenue)
- 100-5,000 employees
- Companies that "build or fix something"
- Organizations with Cisco networking equipment (ASA/FTD/VPN)
The Retro Aesthetic: Akira distinguishes itself with a 1980s-style "green screen" console interface on its Tor-based leak site, paying homage to the 1988 anime movie "Akira." Victims must interact with the site using text commands, creating an unsettling juxtaposition between nostalgia and modern criminality.
The Audacity Factor: In one documented negotiation, after settling for $200,000 from a $600,000 demand, Akira provided the victim with a security checklist—essentially offering "post-attack advice" on how not to get hacked again. This demonstrates the group's confidence and their understanding that weak Cisco configurations will continue providing targets.
The Chinese Threat: ArcaneDoor and Beyond
ArcaneDoor: The Most Sophisticated Cisco Exploit Campaign
In early 2024, Cisco discovered what would become known as ArcaneDoor—a sophisticated espionage campaign targeting Cisco ASA and Firepower Threat Defense (FTD) devices. Unlike ransomware operations focused on quick monetization, ArcaneDoor represents nation-state level capabilities aimed at long-term persistent access.


