Akira Ransomware Killchain
ID: 20aad251-f796-446f-8a1f-02ec3700475b
STIX ID: report--20aad251-f796-446f-8a1f-02ec3700475b
Threat Score
72/100
This diary-style forensic write-up reconstructs an Akira ransomware kill chain observed at a mid-sized organization using only perimeter SSLVPN syslog and Windows EVTX logs. The attacker used credential stuffing against a local VPN account, performed discovery (nltest/net/whoami/AdFind-like tooling), executed Kerberoasting, moved laterally via RDP to obtain domain privileges, cleared logs and stopped defenses, deleted shadow copies, and encrypted data. The report includes concrete detection and hunting recommendations together with ATT&CK mappings.
