
Akira Ransomware Locks Up a Hong Kong Maritime Investment Group After Criminals Walk In Through a VPN Account With No MFA

Published: February 17, 2026

One “valid login” was enough. Blackpanda traced the attacker’s route from SSL VPN access to Veeam credential theft and ransomware execution across core servers.

Key facts

Organisation: Hong Kong-based maritime investment group (anonymised)
Threat: Akira ransomware
Initial access: Confirmed SSL VPN login via a VPN account with no MFA
Impact: Multiple servers encrypted; ransomware artefacts and ransom note observed
Core issue: Credential-based remote access plus insufficient controls around privileged paths (VPN and backup tooling)

What this case shows

  • “Valid login” intrusions can look normal until operations fail.
  • Backup tooling (e.g., Veeam) is a high-value pivot point for ransomware crews.
  • MFA and least-privilege remote access reduce blast radius fast.


Summary

A Hong Kong-based maritime investment group discovered a ransomware incident impacting multiple critical systems. The investigation confirmed that the initial access was via an SSL VPN login on an account that had no multi-factor authentication (MFA) enabled.

Blackpanda was engaged to reconstruct what happened, confirm how far the attacker moved inside the environment, and guide containment and recovery actions based on evidence rather than assumptions. The investigation found a clear progression: SSL VPN access, theft of Veeam Backup & Replication credentials, lateral movement into higher-value systems (including a domain controller), and Akira ransomware execution across multiple servers.

After the incident, the organisation implemented immediate hardening measures — including EDR rollout, password resets, and firewall replacement — to reduce repeat risk.

Containing an Akira Ransomware Attack at a Hong Kong Maritime Investment Group in July 2025

CHALLENGE

A “routine login” that turned into a business shutdown

For non-technical teams, ransomware often looks like “files are suddenly unusable” or “systems are down”. But the real crisis is what follows:

  • Operations stall because staff cannot access systems they rely on.
  • Leaders need quick, defensible answers for customers, vendors, insurers, and internal stakeholders.
  • If the attacker still has access, recovery efforts can be undone — or hit again.

In this case, Akira ransomware impacted multiple servers and disrupted access to business-critical systems.

“Valid credentials” is the hardest kind of break-in to spot quickly

The investigation confirmed the attacker used a legitimate VPN login for an account without MFA, and there were no failed login attempts — consistent with a criminal using a password they already had, rather than noisily guessing one.

That matters because when criminals “walk in with a key,” it can look like normal remote work unless:

  • MFA is enforced,
  • VPN access is tightly restricted, and
  • suspicious logins are monitored with enough retention to investigate properly.
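One way to put the third point into practice, as an added example that is not part of the original case study and not Blackpanda's tooling: a small Python triage over constructed SSL VPN authentication lines. The log line format, field names, business hours and baseline cut-off are all assumptions (real VPN appliances log differently, so the regex is the part to adapt). It flags successful logins without MFA, first-seen source addresses per account, and off-hours logins, and reports how many failed attempts preceded each flagged success, since a success with none is the "walked in with a key" pattern the case describes.

```python
"""Triage of SSL VPN authentication events for "valid login" intrusions.

Added example, not Blackpanda's tooling or the affected organisation's logs.
The log line format, field names, business hours and baseline cut-off are
assumptions; real VPN appliances log differently, so LINE_RE is the part to
adapt.
"""
import re
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample lines (not from the incident). Assumed format:
# <ISO timestamp> vpn user=<name> src=<ip> result=<success|failure> mfa=<yes|no>
SAMPLE_LOG = """\
2025-07-10T09:02:11 vpn user=alice src=203.0.113.5 result=success mfa=yes
2025-07-10T09:15:40 vpn user=bob src=198.51.100.20 result=success mfa=yes
2025-07-11T08:58:03 vpn user=alice src=203.0.113.5 result=success mfa=yes
2025-07-12T02:41:57 vpn user=svc-backup src=192.0.2.77 result=success mfa=no
2025-07-12T10:00:00 vpn user=bob src=198.51.100.20 result=failure mfa=yes
2025-07-12T10:05:12 vpn user=bob src=198.51.100.20 result=success mfa=yes
2025-07-13T03:12:30 vpn user=svc-backup src=192.0.2.77 result=success mfa=no
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)

# Assumed working hours; logins outside them are a context signal, not proof.
WORK_START, WORK_END = time(7, 0), time(20, 0)


def parse_events(text):
    """Parse log lines into dicts with a datetime 'ts'; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def prior_failures(events, user, at, window=timedelta(hours=24)):
    """Count failed attempts for `user` in the window before `at`."""
    return sum(1 for e in events
               if e["user"] == user and e["result"] == "failure"
               and at - window <= e["ts"] < at)


def triage(events, baseline_until):
    """Flag successful logins at or after `baseline_until` (ISO string).

    Events before the cut-off only build the per-account source baseline.
    Each finding carries its reasons and the number of failed attempts in
    the preceding 24h: a success with zero failures from a new source is
    the 'already had the password' pattern, not password guessing.
    """
    cutoff = datetime.fromisoformat(baseline_until)
    seen_sources = defaultdict(set)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue
        new_source = ev["src"] not in seen_sources[ev["user"]]
        seen_sources[ev["user"]].add(ev["src"])
        if ev["ts"] < cutoff:
            continue  # baseline period: learn sources, do not alert
        reasons = []
        if ev["mfa"] != "yes":
            reasons.append("no MFA on successful login")
        if new_source:
            reasons.append("first login from this source for account")
        if not WORK_START <= ev["ts"].time() <= WORK_END:
            reasons.append("outside business hours")
        if reasons:
            findings.append({
                "ts": ev["ts"].isoformat(),
                "user": ev["user"],
                "reasons": reasons,
                "prior_failures_24h": prior_failures(events, ev["user"], ev["ts"]),
            })
    return findings


def accounts_without_mfa(events):
    """Accounts with at least one successful non-MFA login: the enforcement
    and reset list a responder wants first."""
    return sorted({e["user"] for e in events
                   if e["result"] == "success" and e["mfa"] != "yes"})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in triage(evs, "2025-07-12T00:00:00"):
        print(f["ts"], f["user"], "; ".join(f["reasons"]),
              f"(failures in prior 24h: {f['prior_failures_24h']})")
    print("accounts needing MFA enforcement and reset:", accounts_without_mfa(evs))
```

The baseline cut-off matters more than the individual rules: without a learned set of sources per account, every account's first login is "new" and the alert is noise. The retention point in the text is the same concern from the other side, since the baseline can only be as long as the logs that were kept.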

SOLUTION

1) Rapid investigation to confirm the route in, and the route out

Blackpanda’s incident responders focused on establishing what could be proven quickly:

  • How initial access occurred (and whether that access path was still open)
  • Which systems were affected
  • Which credentials were exposed and needed urgent resets
  • What to prioritise first so recovery is safe and does not invite repeat attacks

2) Reconstructing the attacker’s chain: entry — escalation — encryption

Blackpanda reconstructed a clear sequence consistent with a structured ransomware operation:

  • Initial access: confirmed SSL VPN login using valid credentials on an account without MFA
  • Credential harvesting: Veeam Backup & Replication credentials were obtained
  • Lateral movement: access expanded into higher-value systems, including Active Directory components
  • Impact: Akira ransomware executed across multiple servers, with ransom note artefacts observed

3) Immediate hardening actions to reduce repeat risk

After the incident, the organisation implemented measures designed to prevent the same playbook from succeeding again:

  • EDR rollout to strengthen detection and response visibility
  • Credential resets including privileged accounts
  • Google Workspace password resets
  • Firewall replacement to improve perimeter defence


RESULTS

1) A defensible narrative leadership could act on

Instead of “we think,” the organisation received an evidence-led explanation of:

  • how the attacker entered,
  • how access spread inside the environment, and
  • what controls needed to change to reduce repeat risk.

2) Clear scoping of impact across systems

The investigation documented ransomware artefacts and encryption behaviour across multiple systems, helping the organisation prioritise recovery efforts and stakeholder communications with clarity.

3) Practical prevention steps aligned to what was actually abused

The post-incident actions — EDR, credential resets, and perimeter hardening — addressed the attacker’s proven access paths, reducing the chance of re-entry using the same credentials or VPN routes.

FAQ: Akira ransomware, VPN entry, and business risk

Q1. How did the attacker get in?
The investigation confirmed initial entry occurred via a valid SSL VPN login to an account that did not have MFA enabled, consistent with stolen or reused credentials being used successfully.

Q2. Why does “valid credentials” matter to business leaders?
Because it means attackers can bypass many “traditional” defences. If the attacker logs in like an employee, the intrusion can remain hidden until the damage is done.

Q3. Why target Veeam or backup tooling?
Backup tooling often holds powerful credentials and visibility into infrastructure. If criminals obtain backup credentials, they can accelerate lateral movement and weaken recovery options.

Q4. What should be reset first after ransomware?
Prioritise VPN accounts, privileged admin accounts, and any systems that could enable persistence.

Q5. What are the fastest controls to reduce repeat risk?
Enforce MFA on all remote access, restrict VPN access by least privilege, deploy consistent monitoring, and improve log retention so investigations have evidence when it matters.

What this means for you

Ransomware doesn’t always start with a dramatic “hack.” Often it begins with one compromised password — and from a leadership perspective, that’s the hardest scenario because it looks like normal access until systems stop working.

If your organisation relies on VPN access for staff or vendors, this case reinforces three business-first lessons:

  • MFA is not an IT nice-to-have — it’s the difference between a stolen password becoming an inconvenience or a company-wide crisis.
  • Backups alone do not guarantee safety — if attackers can access backup tooling or privileged accounts, they can sabotage recovery.
  • Speed matters, but so does proof — recovery decisions should be based on what’s confirmed (scope, access paths, credential exposure), not guesswork.

Blackpanda’s incident responders help teams contain fast, validate scope with evidence, and harden the routes criminals actually used — so recovery sticks and repeat attacks are less likely.