Latest Update  

The Akira ransomware group has been active since March 2023, targeting diverse industries across North America, the UK, and Australia. Operating as a Ransomware-as-a-Service (RaaS) model, Akira employs a double-extortion strategy by stealing sensitive data before encrypting it. According to their leak site, the group claims to have compromised over 350 organizations. 

From November 13 to 14, the Akira ransomware group posted over 30 new victims on their data leak site, marking their highest single-day total since they began operations in March 2023. This milestone represents a record-breaking escalation in their activities and the volume of leaks shared in one day.  

The Akira ransomware blog is organized into five sections. The “Leaks” section lists victims who refused to pay the ransom, leading the group to publicly release their encrypted data. The “News” section highlights new victims, likely organizations currently engaged in ransom negotiations. 

In the ‘Leaks’ section we’ve seen 3 victims that already been published on the ‘News’ section, and 29 new ones. In the ‘News’ section, we’ve seen 3 new victims. Which basically means that 32 new victims were published in the group’s DLS, and three more refused to pay the ransom and were added to the ‘Leaks’ section.  

Who are the victims?  

Of the 35 total posts, 25 originate from the United States. Canada accounts for two, while the remaining posts come from Uruguay, Denmark, Germany, the United Kingdom, Sweden, the Czech Republic, and Nigeria. 

The Business Services sector is the most frequently targeted, with 10 organizations affected. Other impacted industries include Manufacturing, Construction, Retail, Technology, Education, and Critical Infrastructure. 

These findings align with trends observed over the past two years, where the United States remains Akira’s primary target, and Business Services continues to lead as the most targeted sector globally. 

Similar Incidents from the Past 

Akira is not the only ransomware group to post such a large number of victims in a single day. For instance, on May 6, 2024, LockBit released details of 57 new victims on their recently launched data leak site within just one hour, followed by two more victims on May 7. This highlights a growing trend among ransomware groups to escalate their operations and exert pressure through mass disclosures. 

From that moment the activity of the Lockbit group decreased, where the main hit was in February at Operation Cronos, where Law enforcement dismantled LockBit’s infrastructure, including 34 servers hosting the data leak site and its copies, along with stolen victim data, cryptocurrency addresses, 1,000 decryption keys, and the affiliate panel. 

Does this mean that Akira is shooting their last bullet in the barrel? 

Probably not.  

So what’s next?

In April, Akira made headlines after the Cyber security and Infrastructure Security Agency (CISA) and the FBI reported the group had earned $42 million from 250 attacks since March 2023, averaging $3.5 million in monthly revenue. 

Akira remains a dominant player in the ransomware landscape, targeting hundreds of victims worldwide. Its activity is expected to grow further, especially after achieving a record-breaking month in the number of victims and surpassing the total attacks for 2023 in just a few months. This highlights their aggressive and expanding operations in the cyber crime ecosystem. 

Published November 2023:

One of the ransomware rising stars (or should we say villians) of 2023 has been Akira. They show no sign of slowing down in 2024, see below. Akira was first discovered in March 2023 and since then they have  already compromised at least 63 victims. Interestingly, Akira is offered as a ransomware-as-a-service and preliminary research suggests a connection between the Akira group and threat actors associated with the notorious ransomware operation Conti.

This ransomware, identified as having an impact on both Windows and Linux systems, operates by exfiltrating and encrypting data, coercing victims into paying a twofold ransom to regain access and restore their files.

The collective responsible for this ransomware has already directed its attention towards numerous victims, with a primary focus on those situated in the U.S. Furthermore, the group operates an active leak site for the Akira ransomware, where they publish information, including their latest data breaches.

Akira Victimology

The ransomware has steadily built up a list of victims, targeting corporate networks in various domains including education, finance, real estate, manufacturing, and consulting.

The group has taken credit for several high-profile incidents — including attacks on the government of Nassau Bay in Texas, Bluefield University, a state-owned bank in South Africa and major foreign exchange broker London Capital Group.

Most recent attacks include Gruskin Group and Healix in the beginning of October and QuadraNet Enterprises, Southland Integrated Services, Visionary Integration Professionals and Freeman Johnson towards the end of October.

In January Akira claimed a significant victim in Sweden, Tietoevry, specialists in cloud, data, and software. They serve 1000s of enterprise and public-sector customers in more than 90 countries. One of Tietoevry’s datacenters was hit impacting a limited group of customers, despite being isolated immediately.

“The malicious attack based on Akira ransomware on one of our datacenters in Sweden took place during the night of January 19-20. Tietoevry takes the situation very seriously and has an extensive team of experts and technicians working around the clock to minimize the impact and restore services.” said Tietoevry.

On October 27th Akira claimed to have stolen 430GB of data from the Stanford University systems. Stanford university responded with this response: “The security and integrity of our information systems are top priorities, and we work continually to safeguard our network, we are continuing to investigate a cybersecurity incident at the Stanford University Department of Public Safety (SUDPS) to determine the extent of what may have been impacted.”

“Based on our investigation to date, there is no indication that the incident affected any other part of the university, nor did it impact police response to emergencies. The impacted SUDPS system has been secured.

“Our privacy and information security teams have been giving this matter their concerted attention, in coordination with outside specialists. The investigation is ongoing and once it is completed, we will act accordingly and be able to share more information with the community.”

The group continue attack different organizations worldwide, from different sectors, but the majority of victims as of now have been in the USA, followed by the UK and Australia.

Akira Malware, Toolset & TTPs

In almost all instances of intrusion, the malicious actors capitalized on compromised credentials to gain their initial foothold within the victim’s environment. Particularly noteworthy is the fact that most of the targeted organizations had neglected to implement multi-factor authentication (MFA) for their VPNs.

While the exact origin of these compromised credentials remains uncertain, there’s a possibility that the threat actors procured access or credentials from the dark web.

Code Similarities and Overlap with Conti

The practice of identifying code overlap among distinct ransomware variations often enables analysts to trace activities back to a specific group, given that ransomware source code is closely guarded by threat actors. However, the leaking of Conti’s source code has led to multiple threat actors utilizing this code to construct or adapt their own, making it considerably more challenging to attribute actions back to the original Conti threat actors.

Although there are differences between the two ransomware variants, Akira ransomware does exhibit certain resemblances to Conti ransomware. Akira shares similarities in its approach to disregarding the same file types and directories as Conti, and it also incorporates comparable functions. Additionally, Akira employs the ChaCha algorithm for file encryption, which is implemented in a manner similar to that of Conti ransomware

Akira Origin and Affiliates

In a minimum of three distinct instances, the actors behind the Akira ransomware directed complete ransom payments to addresses associated with the Conti group; the cumulative value of these transactions exceeded $600,000 USD. Subsequently, we noted that all Conti-associated addresses participated in transactions with a set of common intermediary wallets. These intermediary wallets were employed to either withdraw funds from the ransom payments or facilitate fund transfers within the group.

Of particular interest, two of the Conti-linked wallets engaged in transactions with wallets linked to Conti’s leadership team. Notably, one of these wallets hosted addresses designated for collecting ransom payments spanning multiple ransomware families.

Community

Akira groups uses their official DLS (data leak site) to post data on their victims and updates regarding the group’s activity.

Although Akira could be considered in its infancy, the indications of its links to Conti and the increasing volume of attacks mean it is one to watch.

To learn more about how our threat intelligence research helps protect businesses against ransomware and other risks, request a demo.