{
	"id": "5f59d32d-e195-4515-8217-a4d82ceca7b3",
	"created_at": "2026-04-06T00:14:29.429826Z",
	"updated_at": "2026-04-10T03:29:39.987449Z",
	"deleted_at": null,
	"sha1_hash": "8a0ee7d50949d21eed1d9c7a4016bd1f252e5301",
	"title": "Ransomware Talent Surges to Akira After LockBit's Demise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 118036,
	"plain_text": "Ransomware Talent Surges to Akira After LockBit's Demise\r\nBy Mathew J. Schwartz\r\nArchived: 2026-04-05 12:45:07 UTC\r\nFraud Management \u0026 Cybercrime, Ransomware\r\nUS Healthcare Entities Are Firmly in Akira Ransomware Group's Sights, Expert Warns (euroinfosec) • March 12, 2024\r\nRansomware groups come and go, but the cybercriminals behind them are a constant. (Image: Shutterstock)\r\nWould LockBit by any other name be as dour? Russian-speaking ransomware groups come and go, but the individuals involved coalesce behind whatever brand name remains a going concern.\r\nHence a reported flow of top talent from LockBit, which was recently disrupted by law enforcement, to Akira, which is apparently alive and well.\r\n\"The Akira ransomware collective is receiving a major influx of talented post-Conti pentesters who appear to have their sights set on hitting 'healthcare entities in the U.S.,'\" said Yelisey Bohuslavskiy, chief research officer at RedSense, in a LinkedIn post.\r\nThe term pentesters is ransomware group double-speak for black hat hackers who infiltrate targets and deploy crypto-locking malware as a prelude to extortion. The extortion payment, they say, is merely a postpaid charge for penetration testing services.\r\nhttps://www.bankinfosecurity.com/ransomware-talent-surges-to-akira-after-lockbits-demise-a-24583\r\nPage 1 of 4\r\nWhat this means for potential victims, including in the healthcare sector, is that the criminals who previously worked for LockBit will be trying the same tricks, only now under Akira's banner. From a defensive standpoint, security experts said, the pentesters involved have a predilection for targeting known vulnerabilities in Cisco devices, hitting outdated VMware ESXi virtual machines, and tricking victims into installing remote monitoring and management software, through which the attackers try to push ransomware.\r\nPost-Conti Ransomware Groups\r\nFrom 2018 until February 2022, Ryuk and its successor Conti dominated the ransomware scene. Then Conti's leadership publicly backed Russia's invasion of Ukraine, instigating a worldwide backlash against paying the group extortion money.\r\nConti subsequently splintered, and its various internal teams started up fresh operations under new names, including Zeon, Royal and Black Basta (see: Conti's Legacy: What's Become of Ransomware's Most Wanted?).\r\nAkira appears to have \"close ties with the Ryuk side of post-Conti,\" which led to a relationship with Zeon - formerly Conti Team One, which ran TrickBot - including Akira's \"original pentesters deploying Ryuk in the syndicate's early days,\" RedSense said.\r\nLast summer, IBM X-Force reported that various post-Conti groups or factions appeared to maintain \"a high level of communication and cooperation,\" including sharing resources such as cryptors. All of this, X-Force said, challenged \"the assumption that the new factions are all separate or distinct groups.\"\r\n\"We obtained credible primary source intelligence directly related to post-Ryuk leadership, indicating that Zeon is operating as a group of elite pentesters for both Akira and LockBit, with the latter being their main focus,\" said Bohuslavskiy in December.\r\nDisrupting Ransomware\r\nLaw enforcement recently turned the pentesting tables on two major ransomware groups, infiltrating and disrupting Alphv/BlackCat in December and LockBit in January. Following the takedowns, each group separately claimed to reboot before appearing to go dark.\r\nThey may be back. Ransomware groups regularly spin up fresh infrastructure or reboot under a different name. Alphv/BlackCat, for example, previously operated as BlackMatter, which changed its name from DarkSide after hitting Colonial Pipeline in May 2021.\r\nMany of the individuals involved - operators, affiliates and contractors - as well as essential service providers, such as initial access brokers and money launderers, operate from Russia, which never extradites its citizens. Even when a ransomware group gets disrupted, experienced practitioners simply sign up with a different service or launch a new one.\r\nThat doesn't mean law enforcement agencies and security experts aren't celebrating the recent disruptions, including of LockBit. The group perpetrated some of the biggest ransomware attacks of recent years, functioning as a ransomware-as-a-service operation, meaning it provided crypto-locking malware to vetted affiliates, who used the malware to amass victims and then shared in the resulting profits.\r\nThe group also hit smaller businesses - comprising 500 or fewer employees - hard, said cybersecurity firm Sophos. In 2023, 28% of the small business ransomware incident response engagements Sophos handled traced to LockBit, followed by Akira at 16% and Alphv/BlackCat at 14%.\r\nAt some point last year, LockBit appears to have quietly altered its approach. Marley Smith, principal threat researcher at RedSense, said that by the end of 2023, the vast majority of LockBit's revenue appeared to trace not to affiliates but to highly skilled teams or \"ghost groups\" that worked quietly on LockBit's behalf and bolstered its image.\r\nBohuslavskiy said LockBit's ghost groups were largely comprised of highly experienced pentesters from Zeon who have extensive experience with big-game hunting as well as scaring victims into thinking their systems have been infected by ransomware and then tricking them into installing it.\r\nThe latter scheme is a variation of a gambit known as BazarCall, which is a \"callback phishing\" tactic pioneered by the Conti ransomware group that typically involves attackers trying to trick technical support teams into installing remote-control software, which they use to push malware into a victim's network.\r\nMany attacks conducted by Zeon on LockBit's behalf led to victims rapidly meeting attackers' ransom demands, and the attacks never came to light publicly, RedSense said.\r\nZeon devoting more resources to Akira isn't welcome news. Ransomware incident response firm Coveware said that in the second half of last year, Akira was already the most-seen strain in incidents it worked. During the last three months of 2023, Akira accounted for 17% of all incidents it investigated, followed by BlackCat at 10% and LockBit at 8%.\r\nEssential Defenses\r\nFor defenders who want to block attacks by Akira and its associates, rapid patching remains essential. Security researchers have previously tied the group to:\r\nThe targeting of Cisco VPN accounts that lacked multifactor authentication;\r\nThe exploitation of the CVE-2023-20269 zero-day vulnerability in multiple Cisco products' remote VPN access features, including in the Cisco Adaptive Security Appliance software and Cisco Firepower Threat Defense software, to hit managed service providers and others;\r\nThe targeting of known vulnerabilities in VMware ESXi virtual machines.\r\nIn January, following a spate of Akira attacks that hit Finnish organizations, cybersecurity officials in Finland urged defenders to review their backup strategies. They said Akira appeared to be expert at searching for and destroying backups, including network-attached storage servers and tape backups, to prevent victims from simply restoring their systems.\r\nPentesters working with Zeon will likely continue trying to trick victims into installing remote management and monitoring software and to target ESXi and cloud environments, Bohuslavskiy said.\r\nKeeping software fully patched and updated appears to remain a top defense against Zeon hackers. \"While the group is capable of targeting ESXi and cloud environments, well-updated hypervisors and cloud backup frameworks present a major challenge for them, which we have been seeing by observing their internal chatter,\" Bohuslavskiy said.\r\nIn addition, \"network segmentation and segregation significantly complicate Zeon/Akira infiltration movements\" and make their attacks much easier to detect, he said.\r\nSource: https://www.bankinfosecurity.com/ransomware-talent-surges-to-akira-after-lockbits-demise-a-24583",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bankinfosecurity.com/ransomware-talent-surges-to-akira-after-lockbits-demise-a-24583"
	],
	"report_names": [
		"ransomware-talent-surges-to-akira-after-lockbits-demise-a-24583"
	],
	"threat_actors": [
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d1f8bd4e-bcd4-4101-9158-6158f1806b38",
			"created_at": "2023-01-06T13:46:39.487358Z",
			"updated_at": "2026-04-10T02:00:03.344509Z",
			"deleted_at": null,
			"main_name": "BazarCall",
			"aliases": [
				"BazzarCall",
				"BazaCall"
			],
			"source_name": "MISPGALAXY:BazarCall",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434469,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8a0ee7d50949d21eed1d9c7a4016bd1f252e5301.pdf",
		"text": "https://archive.orkl.eu/8a0ee7d50949d21eed1d9c7a4016bd1f252e5301.txt",
		"img": "https://archive.orkl.eu/8a0ee7d50949d21eed1d9c7a4016bd1f252e5301.jpg"
	}
}