Dec 4, 2025

Protecting Construction and Engineering Firms from the Akira Ransomware Surge: A Proactive IT Leader’s Guide

By Charles Swihart, Founder and CEO, Preactive IT Solutions

As the Founder and CEO of Preactive IT Solutions, a Houston- and Austin-based Managed IT Services provider specializing in the construction and engineering industries since 2003, I’ve spent over 30 years fortifying small and medium-sized businesses against evolving cyber threats. 

Our process-driven approach ensures we audit systems, prioritize risks, and execute tailored solutions that minimize downtime and keep projects on track. This allows our clients to focus on delivering results—on time and on budget—while enjoying enterprise-level IT without the enterprise overhead.

In my Amazon best-selling book, On Thin Ice, and through speaking at industry conferences, I’ve long warned about the growing ransomware threat. The recent escalation of Akira ransomware attacks, however, demands urgent attention—especially for construction and engineering firms that manage sensitive blueprints, intellectual property, and strict regulatory compliance. 

As of late 2025, Akira has extorted more than $244 million since emerging in March 2023, and a November 13, 2025 joint advisory from the FBI, CISA, and international partners now labels it an “imminent threat” to critical infrastructure.

The Akira Ransomware Evolution: Faster, Smarter, Deadlier

Akira began as a typical Ransomware-as-a-Service operation with Russian-speaking affiliates (Storm-1567, Howling Scorpius) and ties to the disbanded Conti group. What started as a C++ encryptor appending “.akira” has evolved into Rust-based “Megazord” and the Linux-targeted Akira_v2, which now hits VMware ESXi, Hyper-V, and—since June 2025—Nutanix AHV environments via CVE-2024-40766 in SonicWall firewalls.

Recent CISA updates reveal Akira can exfiltrate data in under two hours, often exploiting the chaos of mergers and acquisitions. One Palo Alto Unit 42 investigation detailed a 42-day compromise triggered by a fake CAPTCHA, ending with Akira shutting down virtual machines across three networks and halting global operations.

The playbook: double-extortion (encrypt + leak), rapid data theft, and ruthless targeting of backups. Over 250 organizations were hit by early 2024, with extortion totals climbing to $244 million by September 2025.

Why Construction & Engineering Firms Are Prime Targets

  • Remote job sites rely on VPNs and rugged devices—often unpatched and lacking multi-factor authentication.
  • Large CAD/BIM files, Procore collaboration, and IoT equipment trackers are high-value data for extortion.
  • Regulatory exposure (Texas building codes, CUI markings, GDPR on international bids) turns a breach into fines and lost contracts.
  • M&A activity in our space frequently leaves legacy systems exposed during integration.

A single Akira incident can lock Revit files, freeze Procore access, ground drones, and delay permitting—costing thousands per hour in overruns and reputational damage.

A Battle-Tested Defense Blueprint (What We Actually Deploy)

1. Lock Down Initial Access

  • Mandatory MFA on every VPN, RDP, and remote tool (Akira brute-forces 80% of its entries).
  • Immediate patching of edge devices—especially SonicWall CVE-2024-40766 and Cisco flaws.
  • Network segmentation so job-site tablets can’t reach critical file servers.

2. Detect & Kill Persistence Fast

  • Endpoint Detection & Response (EDR) with real-time monitoring for Ngrok tunnels, SystemBC RATs, and anomalous RDP.
  • Immutable, air-gapped backups tested quarterly—Akira_v2 loves deleting or encrypting backups first.
  • AI-assisted anomaly detection on large file transfers (flags exfiltration in minutes, not days).
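
A minimal form of the large-transfer check, as an added example (not code from the original article or from Preactive IT Solutions): it sums each internal host's outbound bytes to unsanctioned external destinations over a two-hour sliding window, matching the exfiltration time cited above. The flow-record format, the 5 GiB threshold, the backup address, and all sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)          # the article's figure for Akira exfiltration time
THRESHOLD_BYTES = 5 * 1024**3        # assumed per-host budget; tune to your baseline
ALLOWED_DESTS = {"203.0.113.10"}     # assumed sanctioned off-site backup target
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: timestamp, source, destination, bytes sent outbound.
SAMPLE_FLOWS = """\
2025-12-01T01:00:00 10.20.1.22 198.51.100.9 3000000000
2025-12-01T01:05:00 10.20.1.15 198.51.100.7 1800000000
2025-12-01T01:30:00 10.20.5.2 203.0.113.10 40000000000
2025-12-01T01:40:00 10.20.1.15 198.51.100.7 1900000000
2025-12-01T01:45:00 10.20.1.15 10.20.9.9 9000000000
2025-12-01T02:20:00 10.20.1.15 198.51.100.7 2000000000
2025-12-01T04:30:00 10.20.1.22 198.51.100.9 3000000000
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, bytes) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, nbytes = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(nbytes)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_exfil_candidates(flows, window=WINDOW, threshold=THRESHOLD_BYTES,
                          allowed=ALLOWED_DESTS):
    """Return {src: (first_alert_time, bytes_in_window)} for hosts over threshold."""
    recent = defaultdict(deque)      # src -> (timestamp, bytes) still inside the window
    totals = defaultdict(int)        # src -> running sum of the deque
    alerts = {}
    for ts, src, dst, nbytes in sorted(flows):
        if is_internal(dst) or dst in allowed:
            continue                 # only unsanctioned external destinations count
        recent[src].append((ts, nbytes))
        totals[src] += nbytes
        while ts - recent[src][0][0] > window:   # evict records older than the window
            totals[src] -= recent[src].popleft()[1]
        if totals[src] > threshold and src not in alerts:
            alerts[src] = (ts, totals[src])
    return alerts
```

On the sample data only 10.20.1.15 is flagged: the backup server's traffic goes to the allowed destination, and 10.20.1.22's two transfers fall in different windows.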

3. Make Data Unprofitable to Steal

  • Data Loss Prevention (DLP) rules on AutoCAD, Revit, and Procore exports.
  • Encryption at rest and in transit for all project folders.
  • 3-2-1 backup strategy with off-site immutable copies.

4. Recover Without Paying

  • Documented, rehearsed incident-response playbooks tailored to construction workflows.
  • Cyber insurance with strong ransomware coverage and pre-approved forensic partners.
  • 24/7 help desk with sub-1-hour response and sub-4-hour resolution SLAs.

| Akira Tactic | Construction/Engineering Impact | Preactive Countermeasure |
|---|---|---|
| Brute-force VPN | Site-to-office blackout | MFA + Zero-Trust Access |
| SonicWall CVE-2024-40766 | Firewall breach & IP theft | Automated patching & segmentation |
| Nutanix/ESXi encryption | Locked VMs = project standstill | Immutable backups + EDR |
| Rapid data exfiltration | Compliance fines & leaked bids | DLP + AI monitoring |

These layers have reduced breach risk by more than 70% for our clients and earned us the 2024 MSP Titan award, specifically for excellence in construction and engineering IT.

Your Next Step

Akira isn’t slowing down, but neither are we. If you’re in Austin or anywhere in Texas, let’s make sure your next big project isn’t derailed by ransomware.

Schedule a no-cost risk audit with our Austin IT Services team today at preactiveit.com/bookcall or connect with me directly on LinkedIn.

The best time to harden your defenses was yesterday. The second-best time is right now.

Charles Swihart

Founder & CEO, Preactive IT Solutions

2024 MSP Titan | Houston Business Journal Best Places to Work | Author of On Thin Ice