Ransomware gang Akira leaks unprecedented number of victims’ data in one day

Akira, a ransomware-as-a-service gang with a growing profile in the cybercrime underworld, has published a record number of new victims to its darknet leak site in a single day, with 35 published on Monday as of writing, and more apparently still being added.

The criminals, who offer a platform to hackers to enable them to extort victims by stealing and encrypting data, emerged in March 2023 according to the FBI. In its first year of operations, Akira made $42 million from around 250 attacks, the agency said.

The group’s large number of attacks shortly after emerging led experts to believe it is made up of experienced ransomware actors, and it claimed a steady stream of incidents last year, including an attack on cloud hosting services provider Tietoevry. 

Named after the Japanese cyberpunk manga, the gang’s leak site is styled like the command line interface on a monochrome computer popular in the 1980s. It contains a “news” section used to extort recent victims and a “leaks” section where data is published if the extortion process fails.

Cybersecurity researchers have observed dozens of new victim listings being added to the “leaks” section on Monday, an unprecedented dump of stolen material. Adi Bleih, a cybersecurity researcher at Cyberint, told Recorded Future News that of “the 35 victims, I can see that 32 are absolutely fresh, while three [of the postings on the ‘leaks’ section] were previously on the ‘news’ section.”

Ransomware groups usually offer victims a few days or weeks to pay the ransom before publishing the stolen data, depending on negotiations. Akira published less than usual between August and October, according to Bleih’s review of the leak site data.

While speculation on social media suggested the dump felt “like a bit of a big sale before definitive closure,” Bleih said Akira was “probably not… shooting their last bullet in the barrel,” but showing off “their aggressive and expanding operations in the cybercrime ecosystem.”

There could be a number of causes for the sudden surge in listings, Bleih added, from an increased number of new affiliates using the scheme to extort victims through to the Akira administrators choosing to hold back previous leaks.

“It could depend on how they [the Akira administrators] woke up this morning. But this is very odd — 35 organizations, 32 new ones — I’m not sure that we’re going to see anything like it from ransomware groups.”

Even as Bleih spoke to Recorded Future News, another victim was uploaded to the ‘leaks’ section of the Akira site. This has not been added to the count above as it has not yet been verified as a new publication.

The majority of the new victims are from the business services sector and based in the United States. Two firms were based in Canada, with others coming from Germany, the United Kingdom and elsewhere. Recorded Future News has reached out to several of the listed companies, but did not receive responses by the time of publication.

A similar volume of victims was posted by LockBit earlier this year in an attempt to downplay being compromised by law enforcement, but LockBit “took old victims and mixed them up with new victims after their old site was seized,” said Bleih.

According to the United Kingdom’s National Crime Agency, many of the victims that LockBit listed were old compromises being reposted, while others were either fake or misattributed attacks allegedly impacting a large enterprise when in fact they had only affected a very small subsidiary.

“But here it just popped up from nowhere, they just decided to publish 32 victims” said Bleih of the Akira leaks. “I reviewed the data and cross-referenced the victims' names with all ransomware groups tracked over the past years. This analysis led me to conclude that these are new victims appearing for the first time, along with the attackers resume."