Unit 42 recently assisted a global data storage and infrastructure company that experienced a destructive ransomware attack. This attack was orchestrated by Howling Scorpius, the distributors of Akira ransomware. What began with a single click on what appeared to be a routine website CAPTCHA evolved into a 42-day (yes, we see the irony, too!) compromise that exposed critical gaps.
This incident underscores the fact that having security tools deployed is not the same as having security coverage with full visibility into your environment.
The Attack: From Car Shopping to Corporate Crisis
The attack began when an employee in one division visited a compromised car dealership website. What looked like a standard bot verification — the familiar "click to prove you're human" prompt — was actually a ClickFix social engineering lure. ClickFix disguises malware delivery as a legitimate security check, tricking users into downloading a malicious payload while they believe they are simply verifying that they are human.
When the employee interacted with the fake CAPTCHA, they unknowingly downloaded SectopRAT malware, giving Howling Scorpius their foothold. SectopRAT is a .NET-based remote access Trojan (RAT) built to conceal its own code; it lets attackers remotely control an infected system to monitor activity, steal data and execute commands without drawing attention.
The group established a backdoor on a server for command and control, then conducted reconnaissance to map the virtual infrastructure. They compromised multiple privileged accounts, including domain admins, and moved laterally using these protocols:
- Remote Desktop Protocol (RDP)
- Secure Shell (SSH)
- Server Message Block (SMB)
Over 42 days, the threat actors accessed domain controllers and staged massive data archives using WinRAR across multiple file shares. They pivoted from one business unit domain into the corporate environment and ultimately into cloud resources — boundaries that should have contained them.
Before deploying ransomware, they deleted the cloud service provider (CSP) storage containers that held backups and compute resources, and exfiltrated nearly 1 TB of data using FileZillaPortable. Then they deployed Akira ransomware across servers in three separate networks. Virtual machines went dark, operations stopped and the ransom demand arrived.
The Security Paradox: Logging Without Alerting
In this incident, the client had deployed two different enterprise-grade EDR solutions across their environment. These tools recorded the malicious activity in their telemetry — every suspicious connection, every lateral movement, every file staged for exfiltration — but they generated very few alerts.
The security team had visibility in theory but not in practice. The logs held a complete record of the attack, yet with almost no alerts firing, that evidence sat hidden in plain sight until it was too late. This mirrors a broader trend we uncovered in our investigations and highlighted in the 2025 Global Incident Response Report: In 75% of the incidents we analyzed, clear evidence of malicious activity existed in the logs but went unnoticed.
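As an added example (not Unit 42's tooling and not the client's EDR rules), the Python below shows the kind of alerting logic that turns the telemetry described above into alerts: it flags WinRAR archives written to file shares, a portable FTP client run from a user-writable path, and one account staging archives on multiple hosts. The events, host names, account names and paths are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One EDR process-creation record (constructed schema, not a vendor's)."""
    ts: str
    host: str
    user: str
    image: str
    cmdline: str


# WinRAR "a" (add) command whose output archive sits on a UNC path: staging on a file share.
STAGING_ON_SHARE = re.compile(r"\b(?:winrar|rar)\.exe\b.*?\s+a\s+.*?(\\\\\S+\.(?:rar|zip|7z))", re.I)
# Portable FTP client launched from a user-writable location (an unmanaged install).
PORTABLE_FTP = re.compile(r"filezillaportable\.exe", re.I)
USER_WRITABLE = re.compile(r"\\(?:users|programdata|temp)\\", re.I)


def evaluate(events):
    """Return (host, rule, detail) tuples; an account staging on >= 2 hosts is escalated."""
    alerts = []
    staging_hosts = defaultdict(set)
    for ev in events:
        m = STAGING_ON_SHARE.search(ev.cmdline)
        if m:
            alerts.append((ev.host, "archive_staged_on_share", m.group(1)))
            staging_hosts[ev.user].add(ev.host)
        if PORTABLE_FTP.search(ev.image) and USER_WRITABLE.search(ev.cmdline):
            alerts.append((ev.host, "portable_ftp_client_from_user_path", ev.image))
    for user, hosts in staging_hosts.items():
        if len(hosts) >= 2:
            alerts.append(("*", "multi_host_staging_same_account", user))
    return alerts


# Constructed sample telemetry; the last event is benign user activity and must not alert.
SAMPLE_EVENTS = [
    ProcEvent("2025-01-03T02:11:00Z", "FS01", r"CORP\svc_backup", "winrar.exe",
              r"winrar.exe a -r -v2g \\fs01\share\hr\arch.rar \\fs01\share\hr"),
    ProcEvent("2025-01-03T02:15:00Z", "FS02", r"CORP\svc_backup", "winrar.exe",
              r"winrar.exe a -r \\fs02\finance\out.rar \\fs02\finance"),
    ProcEvent("2025-01-03T03:40:00Z", "FS01", r"CORP\svc_backup", "filezillaportable.exe",
              r"C:\Users\Public\FileZillaPortable\FileZillaPortable.exe"),
    ProcEvent("2025-01-04T09:00:00Z", "WS17", r"CORP\jdoe", "winrar.exe",
              r"winrar.exe x C:\Users\jdoe\Downloads\report.rar"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```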
How Unit 42 Helped
The company called Unit 42 and we responded immediately, deploying our investigation toolkit, including Cortex XSIAM, across the environment to establish comprehensive visibility. Our investigation stitched together data from multiple sources to build a clear picture of the attacker's movements:
- Server and cloud logs
- Deployed security tools
- Cloud and SecOps environments
- Firewall traffic
- SIEM data
We reconstructed the complete attack path and provided critical recommendations, including:
- Network security: Implement network segmentation to isolate critical infrastructure, restricting administrative access to dedicated management VLANs and upgrading perimeter appliances.
- Identity and access management: Rotate all credentials, roll the Kerberos Ticket Granting Ticket (TGT) service account (KRBTGT) to invalidate any golden tickets, and implement stricter controls on privileged accounts.
- Endpoint and infrastructure hardening: Deploy properly configured detection across all systems, eliminate end-of-life systems, and maintain current patch levels.
- Cloud security: Strengthen cloud security posture with proper monitoring and backup strategies.
Our team also engaged directly with the threat actors for ransom negotiation, ultimately securing proof of exfiltration and negotiating the initial demand down by approximately 68%.
The Outcome
Through our partnership with a trusted remediation specialist, the client achieved comprehensive recovery:
- Infrastructure rebuilt: Servers and domain controllers were rebuilt with hardened configurations.
- Enhanced visibility: The client deployed Cortex XSIAM for unified security operations, providing the alerting capabilities that were missing during the attack.
- Continuous monitoring: The client onboarded Unit 42 Managed Detection and Response (MDR) services for expert around-the-clock threat monitoring.
- Strategic guidance: We provided tailored recommendations addressing the specific weaknesses exploited in this attack.
The Takeaway
This Howling Scorpius attack reveals how modern threat actors exploit the gaps between security investment and effectiveness. The client had invested in enterprise security tools, but configuration gaps, incomplete deployment and missing alert rules created blind spots that attackers navigated with ease.
The ability to move from one domain to another, all while security tools logged the activity but generated very few alerts, demonstrates why comprehensive visibility and properly tuned detection are non-negotiable. Security teams need more than data collection; they need systems that actively identify and stop threats.
Forty-two days is a long time. When attackers have that much time to operate undetected, they will find your most valuable assets, compromise privileged accounts and position themselves for maximum impact. The question is whether security programs can see and thwart groups like Howling Scorpius before they strike.
Interested in learning more about the latest attack trends? If so, take a look at our 2025 Unit 42 Global Incident Response Report.
Additional Resources
- Nine Stories of Unit 42 in Action
- The State of Cybersecurity Incident Response
- 42 Tips on Your Road to Cyber Resilience
About Unit 42
Unit 42 strengthens your team with the tools and expertise needed to stay ahead of threats and protect your business. With our proven strategies and insights from thousands of engagements, we’ll help your team handle the toughest situations with confidence.