{
	"id": "37a560dc-edd0-4c01-b25a-c2d758df167f",
	"created_at": "2026-04-06T00:15:28.25219Z",
	"updated_at": "2026-04-10T03:27:57.412091Z",
	"deleted_at": null,
	"sha1_hash": "60a6c4b4022c1a269d6ecb6ce4392bfae079f87f",
	"title": "Are Akira Ransomware's Crypto-Locking Malware Days Numbered?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 163518,
	"plain_text": "Are Akira Ransomware's Crypto-Locking Malware Days\r\nNumbered?\r\nBy Mathew J. Schwartz\r\nArchived: 2026-04-05 22:39:35 UTC\r\nFraud Management \u0026 Cybercrime , Ransomware\r\nRansomware-Building Group Lost Royal-Organized Competition, Researchers Say (euroinfosec) • July 27, 2023  \r\n \r\nAkira's retro-looking data leak site\r\nIs the Akira ransomware story coming to an end?\r\nSee Also: Gen AI Stalls, Shadow AI Rises: A CISO Concern\r\nBursting onto the ransomware scene in late March, Akira quickly racked up a growing list of victims. Files\r\nencrypted by the ransomware strain have .akira appended to their name.\r\nSophos reported in May that it had investigated two different Akira attacks in April against victim organizations as\r\npart of its incident response efforts.\r\nRansomware incident response firm Coveware reported that during the second quarter of this year, Akira was the\r\nfifth-most-common strain of ransomware it saw, saying it had been responsible for 5% of successful attacks it\r\ninvestigated. While that's less than BlackCat and Black Basta - each at 16%, Royal at 10% and LockBit at 6%, it's\r\nstill notable.\r\nhttps://www.bankinfosecurity.com/blogs/akira-ransomware-apparently-in-decline-but-still-threat-p-3480\r\nPage 1 of 3\n\nThe ransomware group claims on its data leak site to have hit at least 63 organizations since its launch, security\r\noperations provider Arctic Wolf said in a Wednesday blog post. Whether or not those victims are real remains\r\nunclear. Ransomware groups regularly lie to try and boost their reputations.\r\nIn June, researchers reported that the Akira group had developed and begun to use a \"sophisticated\" Linux version\r\nof their malware.\r\nThe ransomware shares its name with a 1988 cyberpunk animated film, and its data leak site channels a retro '80s\r\nlook. Another ransomware strain active in 2017 also used the name, but the newer strain \"bears no code similarity\"\r\nand seems to be unrelated, Sophos reported.\r\nIn fact, the code has overlaps with Ryuk ransomware, which likely also helps explain the choice of an anime\r\nname, writes Yelisey Bohuslavskiy, partner and head of R\u0026D at New York-based threat intelligence firm Red\r\nSense, in a LinkedIn post.\r\nBased on internal Royal communications Red Sense obtained, Akira's developers appear to have been one of\r\nseveral groups asked by the Conti spinoff to participate in a competition it had organized to select a next-generation crypto-locker malware, for which they retained the original Ryuk developer to be judge, he said.\r\nRyuk is a god of death in Japanese mythology and a protagonist in the early 2000s manga-turned-anime series\r\n\"Death Note.\" The developer of Ryuk ransomware is known to be a manga buff.\r\nWhoever built Akira appears to have based the malware on the original version of the Ryuk crypto-locking\r\nmalware code and to have picked its name to curry favor with the judge, Bohuslavskiy said. Each of the\r\ncontestants, which also included BlackSuit, also appear to have received a batch of initial accesses to victims'\r\nnetworks.\r\nUnfortunately for Akira, it doesn't seem to have made the cut. \"Despite a spike in activity, Akira failed to secure\r\nvictory in the competition, and by May, they communicated to Royal that they were running out of targets,\"\r\nBohuslavskiy said. \"Subsequently, in June, Royal called off the competition, leading to a sharp drop in Akira's\r\nactivity.\"\r\nAnother nail in Akira's coffin came in late June, when security firm Avast released a free decryptor for the\r\nransomware that can decrypt both Windows and Linux files.\r\nStill, predicting the demise of ransomware groups is a fraught activity. Ransomware-tracking experts say many\r\ngroups go on vacation over the summer, leading to a decline in attack volumes. Akira's fate may not be clear until\r\nmonths from now. In addition, just because one ransomware group doesn't succeed, that doesn't mean that anyone\r\ninvolved in running the group and attracting employees or business partners, as well as developers and affiliates,\r\nwon't carry on working for someone else or under a different name.\r\nAs ransomware groups continue to collectively earn hundreds of millions of dollars in illicit profits via crypto-locking malware, it's no wonder so many criminals keep wanting a piece of the action.\r\nOn that front, it's not yet clear who - if anyone so far - won Royal's competition. Bohuslavskiy told me that the\r\nentire effort got extremely \"confusing\" with BlackSuit in play, AresLoader also developing a loader, and Royal\r\nhttps://www.bankinfosecurity.com/blogs/akira-ransomware-apparently-in-decline-but-still-threat-p-3480\r\nPage 2 of 3\n\nhaving a close working relationship with BlackCat and continuing to borrow its loader. \"Finally, the original Ryuk\r\ndeveloper is likely involved, so it's a big competition,\" he said, and Royal likely hasn't yet made up its mind what\r\nto do next. Stay tuned.\r\nSource: https://www.bankinfosecurity.com/blogs/akira-ransomware-apparently-in-decline-but-still-threat-p-3480\r\nhttps://www.bankinfosecurity.com/blogs/akira-ransomware-apparently-in-decline-but-still-threat-p-3480\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bankinfosecurity.com/blogs/akira-ransomware-apparently-in-decline-but-still-threat-p-3480"
	],
	"report_names": [
		"akira-ransomware-apparently-in-decline-but-still-threat-p-3480"
	],
	"threat_actors": [
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434528,
	"ts_updated_at": 1775791677,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/60a6c4b4022c1a269d6ecb6ce4392bfae079f87f.pdf",
		"text": "https://archive.orkl.eu/60a6c4b4022c1a269d6ecb6ce4392bfae079f87f.txt",
		"img": "https://archive.orkl.eu/60a6c4b4022c1a269d6ecb6ce4392bfae079f87f.jpg"
	}
}