The Akira ransomware group is reported to have emerged in March 2023, and there is much speculation about its ties to the former CONTI ransomware group. With the end of CONTI's operation, several affiliates migrated to independent campaigns such as Royal, BlackBasta and others. According to some reports, Akira affiliates also work with other ransomware operations such as Snatch and BlackByte: an open directory of tools used by an Akira operator was identified that also had connections to the Snatch ransomware.

The first version of the Akira ransomware was written in C++, appended the '.akira' extension to encrypted files and dropped a ransom note named 'akira_readme.txt'; it was partially based on the Conti V2 source code. On June 29, 2023, a decryptor for this version was reportedly released by Avast, and on July 2, 2023 a version that fixed the decryption flaw was released. The newer version is said to be written in Rust, is named 'megazord.exe', and appends the '.powerranges' extension to encrypted files.

Most of Akira's initial access vectors are brute-force attempts against Cisco VPN devices configured with single-factor authentication only. Exploitation of CVE-2019-6693 and CVE-2022-40684 for initial access has also been identified. Source: [link omitted]
Defensive detection signature for this group (use it in your EDR/SIEM). Source: ransomware.live.
```yara
/*
Akira ransomware
*/
rule Akira
{
    meta:
        author = "rivitna"
        family = "ransomware.akira.windows"
        description = "Akira ransomware Windows payload"
        severity = 10
        score = 100
    strings:
        $s0 = "\x00--encryption_path\x00" ascii wide
        $s1 = "\x00--share_file\x00" ascii wide
        $s2 = "\x00--encryption_percent\x00" ascii wide
        $s3 = "\x00-fork\x00" ascii
        $s4 = "\x00-localonly\x00" ascii wide
        $s5 = "\x00Failed to read share files\x00" ascii wide
        $s6 = ":\\akira\\asio\\include\\" ascii
        $s7 = "\x00write_encrypt_info error: \x00" ascii
        $s8 = "\x00encrypt_part error: \x00" ascii
        $s9 = "\x00Detected number of cpus = \x00" ascii
        $s10 = "\x00No path to encrypt\x00" ascii
        $s11 = "Paste this link - https://akira" ascii
        $s12 = "\x00Trend Micro\x00" wide
        $s13 = "Failed to make full encrypt" ascii wide
        $s14 = "Failed to make spot encrypt" ascii wide
        $s15 = "Failed to make part encrypt" ascii wide
        $s16 = "Failed to write header" ascii wide
        $s17 = "file rename failed. System error:" ascii wide
        $s18 = "Number of thread to folder parsers = \x00" ascii
        $s19 = "Number of threads to encrypt = \x00" ascii
        $s20 = "Number of thread to root folder parsers = \x00" ascii
        $s21 = "Failed to read share files!\x00" ascii
        $h0 = { 41 BA 05 00 00 00 41 80 FB 32 44 0F 42 D0 33 D2 48 8B C?
                49 F7 F2 4C 8B C8
                ( B? 02 00 00 00 [0-4] 41 B? 04 00 00 00 |
                  41 B? 04 00 00 00 [0-4] B? 02 00 00 00 )
                41 80 FB 32 44 0F 42 C? 41 8B C8 4? 0F AF C? 48 2B F9 33 D2
                48 8B C7 49 F7 F2 }
        $h1 = { C7 45 ?? 03 00 00 00 80 7D ?? 31 76 07 C7 45 ?? 05 00 00 00
                0F B6 45 ?? 48 0F AF 45 ?? 48 C1 E8 02
                48 B? C3 F5 28 5C 8F C2 F5 28 48 F7 E? 48 89 ?? 48 C1 E8 02 }
    condition:
        (((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) or
         (uint32(0) == 0x464C457F)) and
        (
            (7 of ($s*)) or
            (1 of ($h*))
        )
}
```
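To make the rule's condition concrete, here is an added Python illustration (not code from ransomware.live or from the rule's author) that re-implements the PE/ELF header test and the `7 of ($s*)` branch over the rule's own strings, showing what the `ascii wide` modifiers mean in practice. The `$h*` opcode patterns are deliberately left out, and `fake_pe`, `SUSPECT` and `CLEAN` are constructed stand-ins, not real binaries.

```python
import struct

# Plain-text indicators copied from the Akira rule above, grouped by modifier:
# "ascii" matches the raw bytes, "wide" matches the UTF-16LE form YARA also checks.
ASCII_WIDE = [
    "\x00--encryption_path\x00", "\x00--share_file\x00",
    "\x00--encryption_percent\x00", "\x00-localonly\x00",
    "\x00Failed to read share files\x00", "Failed to make full encrypt",
    "Failed to make spot encrypt", "Failed to make part encrypt",
    "Failed to write header", "file rename failed. System error:",
]
ASCII_ONLY = [
    "\x00-fork\x00", ":\\akira\\asio\\include\\", "\x00write_encrypt_info error: \x00",
    "\x00encrypt_part error: \x00", "\x00Detected number of cpus = \x00",
    "\x00No path to encrypt\x00", "Paste this link - https://akira",
    "Number of thread to folder parsers = \x00", "Number of threads to encrypt = \x00",
    "Number of thread to root folder parsers = \x00", "Failed to read share files!\x00",
]
WIDE_ONLY = ["\x00Trend Micro\x00"]

def is_pe_or_elf(data: bytes) -> bool:
    """Header test from the rule: 'MZ' plus 'PE\\0\\0' at e_lfanew (0x3C), or the ELF magic."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return data[:4] == b"\x7fELF"

def count_string_hits(data: bytes) -> int:
    """How many $s* strings occur in an encoding their modifiers allow (each counts once)."""
    hits = sum(s.encode("latin-1") in data or s.encode("utf-16-le") in data for s in ASCII_WIDE)
    hits += sum(s.encode("latin-1") in data for s in ASCII_ONLY)
    return hits + sum(s.encode("utf-16-le") in data for s in WIDE_ONLY)

def matches_string_branch(data: bytes) -> bool:
    """Header check AND '7 of ($s*)'; the rule's $h* opcode patterns are not reproduced here."""
    return is_pe_or_elf(data) and count_string_hits(data) >= 7

def fake_pe(payload: bytes) -> bytes:
    """Constructed stand-in for a PE image: MZ stub, e_lfanew = 0x40, PE signature, then payload."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + payload

# Constructed samples (not real Akira binaries): seven indicators in mixed encodings, and a clean file.
SUSPECT = fake_pe(b"".join(s.encode("latin-1") for s in ASCII_ONLY[:4])
                  + "\x00-localonly\x00\x00Trend Micro\x00".encode("utf-16-le")
                  + b"Failed to write header")
CLEAN = fake_pe(b"Just a harmless program")
```

`matches_string_branch(SUSPECT)` is True and `matches_string_branch(CLEAN)` is False; for actual scanning use the YARA engine itself, which also evaluates the `$h*` patterns.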
Disclosed ransom negotiation conversations, for defensive study purposes. Contacts, links and wallets redacted.
Hi friends,

Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption.

Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know:

1. Dealing with us you will save A LOT due to we are not interested in ruining you financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal.
2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidentally corrupt them - in this case we won't be able to help.
3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data.
4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at once. Then all of this will be published in our blog - [redacted]
5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us.

If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:

1. Install TOR Browser to get access to our chat room - [redacted]
2. Paste this link - [redacted]
3. Use this code - [snip] - to log into our chat.

Keep in mind that the faster you will get in touch, the less damage we cause.
Port Air Express Inc. specializes in reliable logistics and transport solutions, negotiating competitive rates with airlines and shipping companies globally. Their services include domestic and international shipping, containerized shipping, breakbulk cargo handling, heavy lift operations, and customs clearance. We will upload 15gb of corporate data soon. Employee personal information (passports, DL scans, SSN cards and more), financial information, payment details, credit cards, etc.

The Midland Theatre originally opened in December of 1928 in Newark, Ohio. The theatre draws tens of thousands of visitors each year to a wide array of programming from family-friendly events and holiday specials to top artists in every genre. We will upload corporate data soon. Employee personal information (w-9 forms and other docs), financials, credit cards, client, partners and guests information, NDAs, etc.
| Organization | Country | Sector | Group | Discovered |
|---|---|---|---|---|
| Port Air Express | | Transportation/Logistics | — | 10 Jun 2026 |
| The Midland Theatre | GB | Hospitality and Tourism | — | 10 Jun 2026 |
| Associated Investor Services | | Financial Services | — | 10 Jun 2026 |
| Spray Equipment & Service Center | | Business Services | — | 9 Jun 2026 |
| Rockaway River Country Club | NJ | Hospitality and Tourism | — | 9 Jun 2026 |
| SMPC Architects | | Construction | — | 9 Jun 2026 |
| Centre Ellipse | | Not Found | — | 9 Jun 2026 |
| HRC Sicherheitsdienste | DE | Business Services | — | 8 Jun 2026 |
| Kennon Worldwide | | Business Services | — | 5 Jun 2026 |
| Oaks Park | US | Consumer Services | — | 5 Jun 2026 |
| T/CCI Manufacturing | | Manufacturing | — | 5 Jun 2026 |
| National Standard Parts Associates | | Manufacturing | — | 4 Jun 2026 |
| Northern Ohio Regional Multiple Listing Service | US | Business Services | — | 4 Jun 2026 |
| Sunrise, Toscana Country Club, Andalusia Country Club | ES | Hospitality and Tourism | — | 3 Jun 2026 |
| Cherokee Distributing Co | US | Transportation/Logistics | — | 3 Jun 2026 |
| Factors Western | | Business Services | — | 3 Jun 2026 |
| Hal Otey Financial | | Financial Services | — | 3 Jun 2026 |
| Schacht Law Office | | Business Services | — | 29 May 2026 |
| Interstate Roofing | US | Construction | — | 29 May 2026 |
| Healthtrax Fitness & Wellness | US | Consumer Services | — | 29 May 2026 |
| GS Yuasa Lithium Power | JP | Manufacturing | — | 28 May 2026 |
| INDESMALLA | AR | Manufacturing | — | 15 Apr 2026 |
| Mh Soluciones | MX | Business Services | — | 12 Mar 2026 |
| RECYCLA | MX | Manufacturing | — | 5 Jun 2025 |
| DYNAMIS Insurance | GT | Financial Services | — | 25 Apr 2025 |
| Dress To | BR | Consumer Services | — | 24 Apr 2025 |
| Machu Picchu Foods | PE | Agriculture and Food Production | — | 21 Apr 2025 |
| Agencia Browne y Espinoza | CL | Financial Services | — | 18 Apr 2025 |
| D'Granel | BR | Transportation/Logistics | — | 16 Apr 2025 |
| Helbor | BR | Construction | — | 26 Mar 2025 |
| Plaza Brasília Hotéis | BR | Hospitality and Tourism | — | 25 Mar 2025 |
| Machu Picchu Foods | PE | Agriculture and Food Production | — | 19 Mar 2025 |
| Domina Entrega Total | CO | Transportation/Logistics | — | 14 Mar 2025 |
| Adrenalina | MX | Consumer Services | — | 5 Mar 2025 |
| Chimu Agropecuaria S.A. | PE | Agriculture and Food Production | — | 26 Feb 2025 |
| Mac Jee | BR | Technology | — | 20 Feb 2025 |
| Primaveras | BR | Consumer Services | — | 14 Feb 2025 |
| mielectric.com.br | BR | Manufacturing | — | 4 Feb 2025 |
| emin.cl | CL | Not Found | — | 4 Feb 2025 |
| mipa.com.br | BR | Manufacturing | — | 4 Feb 2025 |
| easycom.com | CO | Technology | — | 4 Feb 2025 |
| alfa.com.co | CO | Telecommunication | — | 4 Feb 2025 |
| 360energy.com.ar | AR | Energy | — | 4 Feb 2025 |
| saludsa.com.ec | EC | Healthcare | — | 4 Feb 2025 |
| garcesfruit.com | CL | Agriculture and Food Production | — | 31 Jan 2025 |
| farmatodo.com | VE | Consumer Services | — | 31 Jan 2025 |
| WorldNet Telecommunications LLC | PR | Telecommunication | — | 23 Jan 2025 |
| Moinho Globo Alimentos | BR | Agriculture and Food Production | — | 14 Jan 2025 |
| Capesesp | BR | Healthcare | — | 10 Jan 2025 |
| Metalmatrix Clamps | BR | Manufacturing | — | 10 Jan 2025 |
| Permoda | PA | Manufacturing | — | 9 Jan 2025 |
| Los Andes | AR | Not Found | — | 6 Jan 2025 |
| Rio Negro | AR | Consumer Services | — | 26 Dec 2024 |
| A Geradora | BR | Energy | — | 17 Dec 2024 |
| Diferencial Energia | BR | Energy | — | 16 Dec 2024 |
| Corporación BJR | MX | Consumer Services | — | 10 Dec 2024 |
| CAUDURO SPORTS LTDA | BR | Manufacturing | — | 29 Nov 2024 |
| Thomas Greg & Sons Ltda | CO | Manufacturing | — | 29 Nov 2024 |
| El Dorado Stores and Supermarkets | UY | Business Services | — | 14 Nov 2024 |
| Xtrim TVCable | EC | Business Services | — | 14 Nov 2024 |
| Imetame | BR | Manufacturing | — | 5 Sep 2024 |
| Peñoles | MX | Energy | — | 1 Aug 2024 |
| BRASPRESS | BR | Transportation/Logistics | — | 31 Jul 2024 |
| Financoop | CL | Financial Services | — | 11 Jul 2024 |
| Explomin | PE | Energy | — | 3 Jul 2024 |
| Salton | BR | Business Services | — | 2 Jul 2024 |
| Ocasa | AR | Transportation/Logistics | — | 27 Jun 2024 |
| Consilux (Brazil) | BR | Business Services | — | 9 Apr 2024 |
| Telecentro | AR | Business Services | — | 6 Mar 2024 |
| Desarrollo De Tecnologia y Sistemas Ltda | CL | Technology | — | 21 Feb 2024 |
| Distecna | AR | Technology | — | 8 Feb 2024 |
| Brazilian Business Park | BR | Business Services | — | 26 Jan 2024 |
| Mitrani Caballero Ojam & Ruiz Moreno - Abogados | AR | Business Services | — | 12 Dec 2023 |
| Midea Carrier | CL | Manufacturing | — | 4 Dec 2023 |
| Bern Hotels & Resorts | PA | Hospitality and Tourism | — | 3 Dec 2023 |
| Alpura | MX | Agriculture and Food Production | — | 29 Nov 2023 |
| Metro MPLS | PA | Telecommunication | — | 17 Nov 2023 |
| Papel Prensa SA | AR | Manufacturing | — | 7 Aug 2023 |
| Pinnergy | MX | Energy | — | 6 Jul 2023 |
| Café Soluble | NI | Agriculture and Food Production | — | 21 Jun 2023 |
The addresses of the leak sites (.onion) are known but are not published or linked here. Only public metadata is shown.
Associated Financial Consultants & Investor Services is an independent boutique firm dedicated to creating, growing, and protecting wealth since 1972. They offer a range of services including wealth management, life planning, retirement planning, and insurance for families and individuals, as well as customized retirement and employee benefit plans for businesses. We will upload 77gb of corporate data soon. Employee personal information (passports, DLs, SSNs and so on), financials, confidential legal documents, client and partners information, NDAs, etc.

Spray Equipment & Service Center is a leading provider of consultation, turnkey industrial finishing equipment, and training services for coating applications. They cater to clients seeking efficient and high-performance coating solutions, enhancing product quality and streamlining production processes. We will upload 26gb of corporate data soon. Employee personal information (DLs, w-9 forms and so on), financials, contracts, projects info, drawings, partners information, etc.

Rockaway River Country Club is a premier country club located in Denville, NJ, offering a range of amenities including golf, dining, and facilities for racquets and aquatics. The club has a rich history of excellence, celebrating 100 years of service to its members. We will upload 25gb of corporate data soon. Employee personal information (DLs and other docs, contracts with personal information), financials, contracts and agreements, projects info, drawings, clients and partners information, etc.

SMPC Architects is an architecture firm based in Albuquerque, New Mexico, specializing in creating innovative and sustainable spaces. The firm focuses on community-oriented projects and collaborates closely with clients to meet their needs. We will upload 163gb of corporate data soon. Employee personal information (passports, DLs, SSN cards and so on), financials, lots of contracts and confidential settlements, NDAs, clients and partners information, etc.