Akira Ransomware Spotted Using LimeWire's File-Sharing Service for Data Theft
An Akira affiliate quietly built its own virtual machine inside a victim's network, switched off Microsoft Defender within minutes, and pushed stolen files out through Easyupload.io — a transfer tool owned by the once-famous file-sharing app LimeWire — before triggering its encryptor.
Key takeaways
- Security firm Huntress traced a May 29 attack to an Akira ransomware affiliate that spun up a rogue virtual machine inside the victim's own hypervisor.
- The attacker disabled Microsoft Defender within minutes of logging into the new VM, then installed WinRAR to stage stolen data.
- Browser history showed the attacker searching Bing for "eayupload" before using Easyupload.io, a drag-and-drop transfer site owned by LimeWire, to move the archives out.
- The encryptor was launched moments after the upload, renamed simply "akira.exe" from a multi-platform toolkit found on the VM.
Ransomware crews are running out of obviously suspicious software to abuse, so they're reaching for whatever blends in. The latest example comes from a Huntress investigation published this week, which found an Akira ransomware affiliate exfiltrating stolen corporate data through Easyupload.io, a drag-and-drop file transfer site that traces its ownership back to LimeWire — the same LimeWire that many people associate with shaky early-2000s peer-to-peer music downloads.
The twist isn't just the throwback branding. It's how the attacker got there in the first place, and how little effort they spent covering their tracks once inside.
How the Attack Was Discovered
According to Huntress, the incident was detected on May 29 after the company's SOC identified unauthorized remote access to a domain controller belonging to one of its partner organizations. The compromised endpoint was pulled offline almost immediately, which limited visibility into exactly how the attacker first got in. Investigators instead reconstructed the rest of the intrusion using endpoint telemetry, Windows event logs, browser artifacts, and forensic analysis of a virtual hard disk file the attacker left behind.
That last detail — a virtual hard disk, or VHDX file — turned out to be the most useful piece of evidence in the entire case.
A Rogue Virtual Machine as a Staging Ground
Once inside the environment, the threat actor accessed the victim's hypervisor and created an entirely new virtual machine, using it as a staging location from which to launch the Akira ransomware. Because this VM had just been created, it never inherited any of the security tooling running elsewhere on the network, including the Huntress agent itself. In effect, the attacker built a private, unmonitored room inside the victim's own data center.
Huntress called this approach unusual. The technique isn't unheard of, but it's rarely observed by the Huntress SOC, and rarer still among Akira affiliates specifically. Analysts mounted the VHDX file through Windows Disk Management and examined the volume with forensic tooling, which is what exposed the attacker's full sequence of actions.
That sequence moved fast. Within minutes of logging into the new VM, the attacker disabled Microsoft Defender — the only default security tool present — before doing anything else. From there, they reached into shares and folders on other endpoints and installed WinRAR, the same archiving tool seen in the earlier stage of the intrusion on the original compromised machine.
Active Directory Recon and the Akira Toolkit
Before any of the VM activity, Huntress had already caught the attacker doing groundwork on the initial endpoint. The attackers conducted Active Directory reconnaissance, opening files named AdUsers.txt and AdComp.txt to review information on domain users and computers. They then moved laterally to a file server, where they used WinRAR to archive data and WinSCP to begin transferring files off the network.
Inside the new VM, investigators also found an archive holding multiple cross-platform builds of the Akira encryptor. The attacker picked one executable and renamed it simply akira.exe, stripping away any version-specific labeling before deployment — a small step, but one that shows this was a deliberate, prepared move rather than an improvised one.
Why LimeWire's Easyupload.io Was the Exfiltration Tool of Choice
The most striking artifact in the case came from browser history on the attacker-created VM. Using Microsoft Edge, the attacker searched Bing for the misspelled term "eayupload" before landing on Easyupload.io, a straightforward drag-and-drop file transfer service. Huntress assesses this was the likely channel used to move the staged archives off the network. Shortly after visiting the site, the attacker launched akira.exe against the mounted shares — meaning the data theft and the encryption event happened back to back, within the same short window.
Easyupload.io is operated by LimeWire, a brand most people over thirty remember as a notoriously malware-riddled music-sharing client from the Napster era. LimeWire shut down in 2010 after a copyright lawsuit, then resurfaced years later as an NFT marketplace before pivoting again into AI tools and file-sharing services. None of that history makes the site itself malicious — it's a legitimate consumer product. The problem is that it's exactly the kind of ordinary-looking destination that doesn't raise flags on a corporate firewall the way a known exfiltration tool might.
That's the real lesson here, and Huntress frames it as part of a broader pattern. The use of Easyupload.io and LimeWire joins a long list of data exfiltration methods threat actors rely on, including legitimate backup utilities and cloud storage services. Akira and other ransomware-as-a-service crews have previously been observed abusing tools like Restic, MegaSync, RClone, and even Windows' built-in finger.exe utility for the same purpose: moving stolen data through channels that look routine.
Why this matters: Defenders who only watch for known ransomware exfiltration tools will miss attacks like this one. Any unsanctioned outbound file-transfer destination — however unfamiliar or seemingly harmless — deserves the same scrutiny as a known threat indicator.
Who Is Akira, and Why Does This Matter?
Akira is a ransomware-as-a-service operation that first emerged in March 2023 and has since become one of the more prolific groups in the space, frequently mentioned alongside LockBit and RansomHub. By late 2025, the group had collected more than $244 million in ransom payments and claimed hundreds of victims across manufacturing, healthcare, education, financial services, and IT. Akira runs on a double-extortion model: steal the data first, encrypt the network second, then threaten to leak the stolen files if the victim doesn't pay.
That order of operations is exactly what played out in this case, and it's why the exfiltration step — not just the encryption — deserves equal attention from defenders. Coretelligent data cited by ConnectWise shows only about 25% of victims now agree to pay ransoms, the lowest rate in three years, which is pushing groups like Akira to lean even harder on data theft as their primary leverage. If paying for a decryption key is increasingly off the table for victims, the threat of a public data leak becomes the main bargaining chip — making exfiltration channels like Easyupload.io more central to the attack, not less.
Defensive Takeaways for IT and Security Teams
Huntress's own guidance for organizations centers on two blind spots this incident exposed: hypervisor-level visibility and the assumption that new infrastructure is automatically trusted. The company notes that this incident underscores the need to monitor environments for unusual or malicious access, and to watch for the addition or creation of new endpoints within the environment.
A few concrete steps follow directly from how this attack unfolded:
- Alert on hypervisor changes. Any new VM creation outside of change-management workflows should trigger an immediate review, especially on production hosts.
- Treat Defender being disabled as a critical event. Microsoft Defender turning off without an approved change ticket is one of the clearest early indicators of an active intrusion.
- Watch for WinRAR and WinSCP on file servers. Neither tool is inherently malicious, but unexpected archiving and transfer activity on shares warrants investigation.
- Restrict outbound traffic to unsanctioned file-sharing domains. Easyupload.io, Mega, and similar consumer-grade transfer sites have no legitimate business reason to be reachable from most corporate file servers.
- Don't assume new infrastructure is safe by default. Endpoint security agents need to be part of provisioning, not bolted on after the fact.
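To make those steps concrete, here is an added example (not from Huntress or the article) that correlates constructed telemetry records for the chain described above: a new VM created on the hypervisor, Defender disabled on that VM, an archiver launched, and a request to an unsanctioned transfer domain. The record format, host names and the UNSANCTIONED_DOMAINS list are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data), modelled on the sequence in the article.
# Assumption: the VMMS record names the new VM in quotes and later records use that name as host.
EVENTS = [
    {"ts": "2025-05-29T01:02:00", "host": "hv01", "src": "Hyper-V-VMMS", "msg": "Virtual machine 'srv-tmp' was created"},
    {"ts": "2025-05-29T01:10:00", "host": "srv-tmp", "src": "Defender", "event_id": 5001, "msg": "Real-time protection is disabled"},
    {"ts": "2025-05-29T01:14:00", "host": "srv-tmp", "src": "Process", "msg": "WinRAR.exe a -r staged.rar \\\\fs01\\data"},
    {"ts": "2025-05-29T01:20:00", "host": "srv-tmp", "src": "Proxy", "msg": "GET https://easyupload.io/"},
    {"ts": "2025-05-29T01:22:00", "host": "srv-tmp", "src": "Process", "msg": "akira.exe -p \\\\fs01\\data"},
]

UNSANCTIONED_DOMAINS = {"easyupload.io", "mega.nz"}  # constructed policy list; extend per environment
ARCHIVERS = ("winrar.exe", "rar.exe", "winscp.exe", "rclone.exe")

def stage_of(ev):
    """Map one record to a stage of the chain, or None if it is unremarkable."""
    msg = ev["msg"].lower()
    if ev["src"] == "Hyper-V-VMMS" and "was created" in msg:
        return "vm_created"
    # 5001 in the Windows Defender Operational log: real-time protection disabled
    if ev["src"] == "Defender" and ev.get("event_id") == 5001:
        return "defender_disabled"
    if ev["src"] == "Process" and msg.split()[0].rsplit("\\", 1)[-1] in ARCHIVERS:
        return "archiver"
    if ev["src"] == "Proxy":
        m = re.search(r"https?://([^/\s]+)", msg)
        if m and m.group(1) in UNSANCTIONED_DOMAINS:
            return "exfil_site"
    return None

def correlate(events, window=timedelta(minutes=60)):
    """Return {vm_name: [stages]} for VMs that were created and then active within the window."""
    created, chains = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, stage = datetime.fromisoformat(ev["ts"]), stage_of(ev)
        if stage == "vm_created":
            m = re.search(r"'([^']+)'", ev["msg"])
            if m:
                created[m.group(1)], chains[m.group(1)] = ts, ["vm_created"]
        elif stage and ev["host"] in created and ts - created[ev["host"]] <= window:
            chains[ev["host"]].append(stage)
    return chains

def alert_level(stages):
    """Critical: Defender disabled on a fresh VM plus traffic to an unsanctioned transfer site."""
    if {"vm_created", "defender_disabled", "exfil_site"} <= set(stages):
        return "critical"
    return "high" if "defender_disabled" in stages else "info"
```

Note that the encryptor launch itself is deliberately not a detection stage: by the time akira.exe runs, the chain above has already produced a critical alert.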
Frequently Asked Questions
What is Easyupload.io and why did Akira ransomware use it?
Easyupload.io is a drag-and-drop file transfer site owned by LimeWire, the early-2000s peer-to-peer music client that has since rebranded into NFT and file-sharing services. The Akira affiliate used it because it's a legitimate-looking destination that rarely triggers security alerts, unlike well-known exfiltration tools.
How did the attacker avoid detection during the attack?
By creating a brand-new virtual machine inside the victim's own hypervisor and launching the ransomware from there. Because the VM was newly instantiated, it never had endpoint detection software installed, letting the attacker disable Microsoft Defender and operate without tripping existing alerts.
Is LimeWire involved in the ransomware attack as a company?
No. LimeWire and Easyupload.io were not complicit. The attacker abused a legitimate public file-transfer feature, much like other ransomware groups have abused Mega, Restic, and ordinary cloud backup tools to exfiltrate data while blending in with normal network traffic.
What should organizations do to defend against this tactic?
Monitor for unauthorized hypervisor access and unexpected new virtual machines, alert immediately when Microsoft Defender is disabled, restrict outbound traffic to unsanctioned file-sharing domains, and watch for WinRAR or WinSCP activity tied to unusual data movement on file servers.
Khushal Charaniya
Founder & Editor, Blognestify
Khushal Charaniya is the Founder and Editor of Blognestify, covering technology, AI, cybersecurity, business, and global affairs. He focuses on delivering accurate, source-checked reporting that helps readers understand fast-moving security and tech developments.
Sources: Huntress, "Akira, LimeWire, and the Sour Taste of Data Exfiltration" (June 12, 2026); CyberInsider reporting on the same incident.