{
	"id": "33e9a12f-145c-4a0b-b711-62f7785b805a",
	"created_at": "2026-04-06T00:15:25.163222Z",
	"updated_at": "2026-04-10T03:27:57.437186Z",
	"deleted_at": null,
	"sha1_hash": "112c4a88a74011db4b05c5239f91c6ae83168f9f",
	"title": "Conti and Akira: Chained Together | Arctic Wolf",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 271250,
	"plain_text": "Conti and Akira: Chained Together | Arctic Wolf\r\nBy Steven Campbell, Akshay Suthar, Connor Belfiore, and Arctic Wolf Labs Team\r\nPublished: 2023-07-26 · Archived: 2026-04-05 13:07:37 UTC\r\nKey Takeaways\r\nSince March 2023, Akira ransomware has compromised at least 63 victims, with approximately 80% of them being small to medium-sized businesses (SMBs).\r\nWe assess Akira is likely an opportunistic ransomware group due to their victimology and negotiation tactics.\r\nThrough blockchain analysis, we assess with a high degree of confidence that some Conti-affiliated threat actors are linked to the Akira ransomware group.\r\nBackground\r\nSince the fallout of Conti ransomware in mid-2022, Conti-affiliated threat actors have splintered off and developed or joined other ransomware groups to continue extorting victim organizations. Because Conti’s source code was leaked, attribution back to the Conti ransomware group via code overlap is much more difficult. However, leveraging blockchain analysis, we can begin to discern which ransomware groups Conti-affiliated threat actors have worked with; one such group is Akira.\r\nWho is Akira?\r\nAkira is a relatively new, fast-growing ransomware group—first observed in March 2023—that leverages the ransomware-as-a-service (RaaS) business model to deploy Akira ransomware. Similar to other prominent RaaS groups, Akira exfiltrates data before encrypting victim devices and leverages it to perform double extortion. The group does not insist on a company paying for both decryption assistance and the deletion of data. Instead, Akira offers victims the opportunity to pick and choose what they would like to pay for. 
However, if a victim does not pay the ransom (ranging from $200K USD to over $4M USD based on Arctic Wolf® Incident Response’s insights), the victim’s name and data are published to Akira’s leak site.\r\nNote: In 2017, security researchers identified a ransomware variant that appended an identical file extension (.akira) to encrypted files; however, this variant is not related to the Akira ransomware group.\r\nhttps://arcticwolf.com/resources/blog/conti-and-akira-chained-together/\r\nPage 1 of 7\r\nFigure: Akira Tor Leak Site\r\nAccording to Akira’s leak site, the group has compromised at least 63 organizations since their inception, with approximately 80% of their victims being small to medium-sized businesses (SMBs). Notably, some of the victims have been removed from the leak site.\r\nFigure: Victims by Employee Size and Location\r\nWe assess that Akira is likely an opportunistic ransomware group due to their victimology and negotiation tactics. In nearly every incident response case Arctic Wolf investigated, the threat actors claimed that they needed time to review the exfiltrated data to determine a ransom demand.\r\nFigure: Victims by Industry\r\nTools\r\nThe Arctic Wolf Incident Response team has responded to multiple Akira ransomware intrusions since April 2023. In nearly all intrusions, the threat actors leveraged compromised credentials to obtain initial access to the victim’s environment. Notably, the majority of victim organizations did not have multi-factor authentication (MFA) enabled on their VPNs. 
It is unclear how the threat actors obtained the compromised credentials; however, it is plausible the threat actors purchased access or credentials on the dark web.\r\nBased on Arctic Wolf Incident Response data, Akira leverages a multitude of tools upon obtaining initial access to a victim’s environment. Known tools are listed below:\r\nTools Leveraged by Akira Affiliates (Tactic: Tools)\r\nDiscovery: PCHunter, Advanced IP Scanner, AdFind, SharpHound, MASSCAN\r\nCredential Access: Mimikatz, LaZagne\r\nCommand and Control: AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, Ngrok\r\nExfiltration: WinRAR, WinSCP, Rclone, FileZilla\r\nImpact: PsExec\r\nCode Overlap and Similarities with Conti\r\nIdentifying code overlap between different ransomware variants typically allows analysts to attribute activity back to a specific group, because ransomware source code is tightly guarded by threat actors. However, with the Conti source code leak, multiple threat actors leveraged the code to develop or modify their own code base, making attribution back to Conti threat actors much more difficult.\r\nAlthough the two ransomware variants differ, Akira ransomware does bear some resemblance to Conti ransomware. Akira ignores the same file types and directories as Conti ransomware and has functions that are similar. Akira also used the ChaCha algorithm to encrypt files, implemented similarly to the one used by Conti ransomware.\r\nOn June 29, 2023, however, Avast released a decryptor for Akira ransomware that victim organizations can use to decrypt files. 
Based on current intelligence, the threat actors have modified the encryption routine since the decryptor was published, indicating that it may not work if files were encrypted after June 29th.\r\nBlockchain Analysis – Chained Together\r\nAlthough cryptocurrency can be acquired without attribution back to the buyer, it is not completely anonymous. Transactions between cryptocurrency wallets are published to the blockchain ledger, which is publicly viewable via a blockchain explorer.\r\nBy leveraging known threat actor cryptocurrency wallet addresses, we are able to conduct pattern analysis of the transactions and discover additional wallet addresses. In some instances, we have observed cryptocurrency address reuse between threat groups, indicating the individual controlling the address or wallet has either splintered off from the original group or is working with another group at the same time.\r\nBased on blockchain analysis of known Akira ransomware transactions, Arctic Wolf® Labs identified overlaps between Akira and Conti threat actors on multiple occasions.\r\nFigure: Blockchain Transactions Between Akira and Conti Ransomware\r\nIn at least three separate transactions, Akira threat actors sent the full amount of their ransom payment to Conti-affiliated addresses; the three transactions totaled over $600K USD. From there, we observed all the Conti-affiliated addresses conduct transactions with a group of shared intermediary wallets that were used to cash out funds from the ransom payments or transfer funds within the group. 
Notably, two of the Conti-affiliated wallets had transactions with wallets linked to Conti’s leadership team, with one housing addresses used to receive ransom payments for multiple ransomware families.\r\nConclusion\r\nBy following transactions discovered during blockchain analysis, we can tie individual groups together with higher fidelity based on transactions to and from known threat actor-controlled cryptocurrency addresses. Tracking ransom payments to Akira allowed Arctic Wolf Labs to identify transactions to Conti-affiliated addresses. The same analysis method allowed our team to identify connections between the Karakurt extortion group, Diavol, and the Conti ransomware group in 2022.\r\nAlthough Conti disbanded after increased pressure due to internal conflict and the publishing of their source code, many of the Conti members have continued to wreak havoc on organizations in 2023 through their activity with other ransomware-as-a-service groups, including Akira. Akira continues to evolve and grow as a ransomware group by changing its tactics to evade detection. Security best practices, such as enabling MFA on VPN appliances, can greatly hinder Akira’s ability to successfully compromise an organization.\r\nReferences\r\nAvast Decryptor\r\n2017 Akira Variant\r\nThe Karakurt Web – Arctic Wolf Labs Threat Research\r\nAuthors\r\nSteven Campbell – Senior Threat Intelligence Researcher\r\nSteven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.\r\nAkshay Suthar – Senior Threat Intelligence Researcher\r\nAkshay Suthar is a Senior Threat Intelligence Researcher at Arctic Wolf Labs focused on researching adversary tradecraft and malware analysis. 
He has more than seven years of experience in a multitude of domains including threat intelligence research, detection engineering, and intrusion analysis.\r\nConnor Belfiore – Threat Intelligence Analyst\r\nConnor Belfiore is a Threat Intelligence Analyst at Arctic Wolf Incident Response. He has more than five years of experience in threat intelligence, financial crimes investigation, and blockchain analysis.\r\nSource: https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/"
	],
	"report_names": [
		"conti-and-akira-chained-together"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434525,
	"ts_updated_at": 1775791677,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/112c4a88a74011db4b05c5239f91c6ae83168f9f.pdf",
		"text": "https://archive.orkl.eu/112c4a88a74011db4b05c5239f91c6ae83168f9f.txt",
		"img": "https://archive.orkl.eu/112c4a88a74011db4b05c5239f91c6ae83168f9f.jpg"
	}
}