New research dives into the Akira ransomware group, including the group's recent victim focus, tactics and affiliation with Conti.

Key findings from the new threat intelligence research published by Arctic Wolf include:

  • Akira exfiltrates data before encrypting victim devices and leverages it to perform double extortion. Judging by its victimology and negotiation tactics, Akira is likely an opportunistic ransomware group. In nearly every IR case investigated, the threat actors claim that they need time to review the exfiltrated data to determine a ransom demand.
  • Since March 2023, Akira ransomware has compromised at least 63 victims, with approximately 80% of them being small to medium-sized businesses (SMBs).
  • Through blockchain analysis, Arctic Wolf Labs assesses with a high degree of confidence that some Conti-affiliated threat actors are linked to the Akira ransomware group. In some instances of pattern analysis, cryptocurrency address reuse between threat groups was observed, indicating the individual controlling the address or wallet has either splintered off from the original group or is working with another group at the same time.