{ "id": "45ddedfb-a93a-4523-9261-aada6353f3a3", "created_at": "2026-04-06T00:16:35.086835Z", "updated_at": "2026-04-10T13:13:07.735564Z", "deleted_at": null, "sha1_hash": "c3965f2ca1b3cb2cd408b1cd310af5523d98a382", "title": "Akira ransomware continues to evolve", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 151848, "plain_text": "Akira ransomware continues to evolve\r\nBy James Nutland\r\nPublished: 2024-10-21 · Archived: 2026-04-02 12:30:36 UTC\r\nAkira continues to cement its position as one of the most prevalent ransomware operations in the threat landscape,\r\naccording to Cisco Talos’ findings and analysis.\r\nTheir success is partly due to the fact that they are constantly evolving. For example, after Akira already\r\ndeveloped a new version of their ransomware encryptor earlier in the year, we just recently observed another\r\nnovel iteration of the encryptor targeting Windows and Linux hosts alike. \r\nPreviously, Akria typically employed a double-extortion tactic in which critical data is exfiltrated prior to the\r\ncompromised victim systems becoming encrypted. Beginning in early 2024, Akira appeared to be sidelining the\r\nencryption tactics, focusing on data exfiltration only. We assess with low to moderate confidence that this shift\r\nwas due in part to the developers taking time to further retool their encryptor. \r\nDuring this period, we began to see Akira ransomware-as-a-service (RaaS) operators developing a Rust variant of\r\ntheir ESXi encryptor, iteratively building on the payload’s functions while moving away from C++ and\r\nexperimenting with different programming techniques.  \r\nMost recently, we have observed a potential shift back to previous encryption methods, in conjunction with data\r\ntheft extortion tactics.  \r\nReturning to this approach leverages the reliability of tested encryption techniques, while simultaneously\r\ncapitalizing on data theft for additional leverage. Pivoting to a previously effective strategy post-language\r\nreimplementation with v2 indicates a refocus on stability and efficiency in affiliate operations. \r\nWe anticipate Akira will continue refining its tactics, techniques, and procedures (TTPs), developing its attack\r\nchain, adapting to shifts in the threat landscape, and striving for greater effectiveness in its RaaS operations,\r\ntargeting both Windows and Linux-based enterprise environments. \r\nMembers of our team will be delving into this prickly threat actor presenting at the upcoming MITRE\r\nATT\u0026CKCon 5.0 in ‘GoGo Ransom Rangers: Diving into Akira’s Linux Variant with ATT\u0026CK'. Join us as we\r\nuncover findings about the TTPs employed by this developing threat actor, dissect their attack chain, and\r\nactionable intelligence is vital in the threat protection pipeline.\r\n\"The future is not a straight line. It is filled with many crossroads\" Kiyoko\r\n2024 attack chain: Leveraging exposed network appliances and vulnerable systems for rapid\r\ncompromise \r\nAs Akira continuously refines its ransomware, affiliates are equally proactive in selecting and exploiting new\r\nvulnerabilities for initial access, adapting their tactics in tandem. They leverage newly disclosed CVEs, not only to\r\nhttps://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/\r\nPage 1 of 10\n\nbreach networks but also to escalate privileges and move laterally within compromised environments. This allows\r\nthem to establish a greater foothold to swiftly deploy encryption and exfiltrate victim data for extortion. \r\nAkira ransomware operators have utilized a variety of common infection vectors to gain initial access to targeted\r\nnetworks, often favoring the use of compromised VPN credentials. \r\nMost recently, Akira ransomware affiliates have been observed targeting network appliances vulnerable to CVE-2024-40766, an exploit in the SonicWall SonicOS facilitating remote code execution on the vulnerable device.\r\nSecurity researchers found that software on the affected systems was vulnerable to this exploit, suggesting\r\naffiliates’ swift capitalization on exposed systems. \r\nAdditional vulnerabilities leveraged by affiliates throughout 2024 include: \r\nCVE-2020-3259 and CVE-2023-20263: In similar Cisco security appliance exploits leveraged in early\r\n2024, Akira was observed abusing a flaw in Cisco Adaptive Security Appliance (ASA) with CVE-2020-\r\n3259 and CVE-2023-20263 via Firepower Threat Defense (FTD) software that allowed attackers to\r\nexecute arbitrary code, after initial access was established post Cisco AnyConnect SSL VPN compromise. \r\nCVE-2023-48788: Exposed and vulnerable FortiClientEMS software abuse by Akira was observed for\r\ninitial access, enabling lateral movement and privilege escalation. \r\nOnce initial access is established, Akira operators utilize PowerShell scripts to conduct credential harvesting and\r\nprivilege escalation, such as extracting Veeam backup credentials and dumping Kerberos authentication\r\ncredentials. Additionally, we often see affiliates delete system shadow copies to obstruct file recovery via\r\nWindows Management Instrumentation (WMI): “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject”. \r\nOperators typically utilize RDP connections and lateral tool transfers to move through the network and employ a\r\nvariety of defense evasion techniques, such as binary padding, matching legitimate name or location taxonomy,\r\nand disabling or modifying security tools. \r\nIn an attack targeting a Latin American airline in June 2024, RaaS operators were able to exploit key vulnerable\r\nservices and deploy the ransomware payload in a manner that drastically reduced the time to exfiltrate data.\r\nInitially gaining access via Secure Shell (SSH), it was reported that the adversary obtained access to the\r\nvulnerable Veeam backup server likely via CVE-2023-27532, resulting in the access of encrypted credentials\r\nstored in the configuration database. This foothold facilitated the swift deployment of the Akira ransomware\r\nvariant and exfiltration of sensitive data. \r\nAkira ransomware affiliates have actively exploited several additional critical vulnerabilities in 2024 after\r\nachieving initial compromise, capitalizing on unpatched vulnerabilities in widely used network appliances and\r\nsoftware to establish persistence and move laterally:  \r\nCVE-2023-20269: Akira affiliates were suspected of targeting this vulnerability in Cisco VPN services.\r\nThe exploit leverages an unauthorized access vulnerability in the remote access VPN feature of ASA and\r\nFTD software due to a misconfiguration of improper separation of authentication, authorization, and\r\naccounting (AAA) on the device.  \r\nCVE-2024-37085: VMware ESXi vulnerability enabling unauthorized access to the hypervisor’s\r\nmanagement interface, which can lead to full control over virtual machines once the adversary has\r\nhttps://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/\r\nPage 2 of 10\n\nestablished sufficient Active Directory Permissions. \r\nCVE-2024-40711: Akira ransomware was recently seen deployed post exploitation of the Veeam backup\r\nand replication service by triggering \"Veeam.Backup.MountService.exe\" to spawn \"net.exe\" and create\r\nlocal accounts for privilege escalation and persistence. \r\nIn terms of victimology, we assess that throughout 2024, Akira has targeted a significant number of victims, with a\r\nclear preference for organizations in the manufacturing and professional, scientific, and technical services sectors,\r\nbased on our analysis of Akira’s data leak site. \r\nTop Akira targeted verticals in 2024\r\nA look at the previous Akira v2 ESXi encryptor \r\nAkira pivoted from their traditional TTPs at the end of 2023 and developed a new Linux encryptor. In March\r\n2024, we shared findings with intelligence partners generated from a Cisco Talos Incident Response (Talos IR)\r\nengagement, which documented the newly discovered Akira_v2 and the co-occurring deployment of the\r\nadversaries’ Megazord encryptor.  \r\nPost-encryption, we witnessed the Linux ESXi variant appended with a novel encrypted storage file extension\r\n“akiranew” dropping a ransom note in each of the directories where files were encrypted with a new\r\nnomenclature, “akiranew.txt”. We discovered two additional samples of the Akira_v2 variant (version 2024.1.30)\r\non VirusTotal that included additional modifications to extend its command line argument capabilities,\r\nhighlighting further evolution in the malware's development. \r\nArguments Description\r\n--path\r\n\u003cstring\u003e\r\nStart path. Default value: /vmfs/volumes\r\n--id \u003cstring\u003e Build ID\r\nhttps://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/\r\nPage 3 of 10\n\n--stopvm Stop VMs\r\n--vmonly Crypt only .vmdk, .vmem, .vmx, .log, .vswp, .vmsd, .vmsn files\r\n--threads\r\n\u003cint\u003e\r\nNumber of threads (1-1000). Default: number of logical CPU cores\r\n--ep \u003cint\u003e Percent of crypt. Default - 15%\r\n--fork Work in background\r\n--logs\r\n\u003cstring\u003e\r\nPrint logs. Valid values for: trace, debug, error, info, warn. Default: off\r\n--exclude\r\n\u003cstring\u003e\r\nSkip files by \"regular\" extension. Example: --exclude=\"startfilename(.*).(.*)\" using this\r\nregular expression will skip all files starting with startfilename and having any extensions.\r\nMultiple regular expressions using \"|\" can also be processed: --exclude=\"(win10-3(.*).(.*))|\r\n(win10-4(.*).(.*))|(win10-5(.*).(.*))\"\r\n-h, --help Show help\r\nThe original Linux encryptor was written in C++, with Akira leveraging the Crypto++ library for encryption\r\nprocesses, whereas the v2 Rust variant makes use of rust-crypto 0.2.36 library crate for encryption processes. \r\nThe Build ID for the v2 (version 2024.1.30) was found at offset 0x41970 for 10 bytes. \r\nIn the v2 version targeting ESXi hosts, by default, the encryptor targets the “/vmfs/volumes/” path and will\r\nnavigate into subdirectories. If this path does not exist or a path is not specified, the ransomware will fail to\r\nexecute. \r\nhttps://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/\r\nPage 4 of 10\n\nAkira (The Return) to old TTPs \r\nFrom our recent analysis, we suspect that Akira may be transitioning from the use of the Rust-based Akira v2\r\nvariant and returning to previous TTPs using Windows and Linux encryptors written in C++. This could be\r\nbecause of a potential refocus on incremental iterations with stability and reliability in their operations over\r\ninnovation. The cross-platform consistency indicates the adversaries’ focus on an adaptable payload, enabling the\r\nthreat actor to target multiple operating systems with minimal changes. \r\nIn early September 2024, we identified multiple new ransomware samples written in C++, where encrypted files\r\nare given the “.akira” extension and a ransom note named “akira_readme.txt” is dropped on the device, consistent\r\nwith pre-August 2023 versions of the Akira ransomware group’s encryptor. These findings support our assessment\r\nof a tactical pivot, signaling a deliberate return to effective techniques, consistent with public reporting on the\r\nthreat actors’ initial Linux variant. \r\nWe assess with moderate confidence that the Megazord variant, previously used by the threat actor targeting\r\nWindows environments, alongside Akira v2 for Linux, has gradually faded away, further supporting a\r\nconsolidation of tooling by the adversary. \r\nThe newly observed Windows variant has been updated and appears to substitute the previously seen -remote\r\nargument for -localonly and --exclude and excludes paths, including “$Recycle.Bin” and “System Volume\r\nInformation”, in the encryption process. Within the Linux variant, the –fork argument, which creates a child\r\nprocess for encryption, is still included along with the --exclude argument. \r\nAnalysis of the recent binaries suggests that the threat actor has pivoted to utilizing the ChaCha8 stream cipher.\r\nThe ChaCha8 algorithm is faster and more efficient than the previously leveraged ChaCha20 in Akira v_2 due to\r\nthe reduced number of quarter-round operations in the cipher, possibly indicating a further focus on swift\r\nencryption and exfiltration operations such as seen in recent Akira attacks. \r\nNew extensions targeted in recently observed Linux variants: \r\n.4d .abd .abx .ade\r\n.ckp .db .dd dpl\r\n.dx .edb .fo .ib\r\n.idb .mdn .mud .nv\r\n.pdb .sq .te .ud\r\nhttps://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/\r\nPage 5 of 10\n\n.vdh\r\nBoth newly observed encryptor variants employ exclusion paths that ignore identical Windows directories before\r\nthe encryption process, a return to previous TTPs by the adversary. \r\ntmp wint temp thumb\r\n$Recycle.Bin $RECYCLE.BIN System Volume Information Boot\r\nWindows Trend Micro\r\nFuture developments in Akira’s TTPs \r\nFuture campaigns are likely to see Akira continuing to prioritize the exploitation of high-impact CVEs while\r\nreinforcing its double extortion model to increase ransom leverage.  \r\nThe exploration of the Rust programming language in recent Linux encryptors signals the threat actor’s\r\nwillingness to experiment with different coding frameworks, potentially leading to more developed and resilient\r\nransomware variants. While the return to an earlier variant indicates a potential tactical shift from this code\r\nmigration, it also demonstrates that the developers remain highly adaptable, willing to reemploy tried-and-tested\r\ntechniques when necessary to ensure operational stability. Pragmatic adaptability is providing significant\r\nadvantages for ransomware groups operating in a dynamic threat landscape, as it allows them to maintain a robust\r\nand reliable codebase while continually seeking new ways to evade detection and enhance functionality. \r\nIt is possible that Akira's pivot to pure data-theft extortion at the end of 2023 and beginning of 2024 was a\r\ntemporary shift during the codebase refactoring, allowing the group to maintain pressure on victims and generate\r\nrevenue while developmental resources were allocated to refining the encryptor’s functionality. \r\nhttps://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/\r\nPage 6 of 10\n\nWe assess that Akira and its affiliates will continue prioritizing attacks against VMWare’s ESXi and Linux\r\nenvironments throughout 2024, echoing a broader trend observed across the ransomware landscape. Adversary\r\ntargeting of these platforms is driven by their prevalence in enterprise infrastructure, hosting critical infrastructure\r\nand high-value data, and their capacity for mass encryption and disruption with minimal lateral movement.\r\nTargeting ESXi and Linux hosts allows ransomware operators to compromise multiple virtual machines and\r\ncritical workloads simultaneously, maximizing operational impact while bypassing traditional endpoint security\r\ncontrols. \r\nVirtualization is essential to large-scale deployments of cloud computing and storage resources, making\r\nransomware attacks on ESXi hypervisors highly disruptive. \r\nEncrypting the ESXi file system provides rapid, widespread data encryption, minimizing the need for\r\nextensive lateral movement and credential theft, due to the ease of encrypting a single vmdk, rather than all\r\nthe files. \r\nESXi hypervisors often lack comprehensive security protection due to security department overhead,\r\nmaking them attractive targets for ransomware operators seeking fruitful targets. \r\nRecommendations \r\nConduct regular vulnerability assessments and timely application of security patches to identify outdated\r\nsoftware versions and unpatched vulnerabilities on ESXi hosts and implement a formal threat-informed patch\r\nmanagement policy that includes a defined prioritization and schedule for routine updates and emergency patching\r\nof critical vulnerabilities. \r\nImplement strict password policies that require complex, unique passwords for each account. Additionally,\r\nenforce multi-factor authentication (MFA) to add an extra layer of security.  \r\nDeploy a Security Information and Event Management (SIEM) system to continuously monitor and analyze\r\nsecurity events, in addition to the deployment of EDR/XDR solutions on all clients and servers to provide\r\nadvanced threat detection, investigation, and response capabilities.  \r\nEnable secure configuration and access controls to limit access to ESXi management interfaces such as by\r\nrestricting them to trusted IPs, enforcing MFA, and ensuring role-based access control (RBAC) is properly\r\nconfigured. \r\nDisable unnecessary WMI access by restricting or disabling WMI access for non-administrative users, and\r\nmonitor/audit WMI commands, particularly those related to shadow copy deletion. \r\nCredential dumping prevention via implementing Windows Defender Credential Guard to protect Kerberos\r\nticket data and prevent credential dumping from the Local Security Authority (LSA), ensuring to audit and apply\r\nnecessary configuration changes to applications/plug-ins that aren't compatible due to reliance on direct access to\r\nuser credentials. \r\nCoverage \r\nWays our customers can detect and block this threat are listed below. \r\nhttps://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/\r\nPage 7 of 10\n\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.  \r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.  \r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.  \r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.  \r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.  \r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  \r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.  \r\nAdditional protections with context to your specific environment and threat data are available from theFirewall\r\nManagement Center.  \r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork. \r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org. SIDs for this threat: \r\nSnort3: 300924 \r\nSnort3 Rules: 1:301007:1:0 \r\nSnort2: 63541, 63540 \r\nSnort2 Rules: 1:63976:1:0, 1:63977:1:0 \r\nClamAV detections are also available for this threat: \r\nhttps://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/\r\nPage 8 of 10\n\nMultios.Ransomware.Akira-10036536-0 \r\nMultios.Ransomware.Megazord-10021030-1 \r\nIOCs \r\nIOCs for this research can be found in our GitHub repository here. \r\nWindows (The Return) \r\n78d75669390e4177597faf9271ce3ad3a16a3652e145913dbfa9a5951972fcb0 \r\n2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77 \r\n88da2b1cee373d5f11949c1ade22af0badf16591a871978a9e02f70480e547b2 \r\n566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739 \r\nccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5 \r\n87b4020bcd3fad1f5711e6801ca269ef5852256eeaf350f4dde2dc46c576262d \r\n988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42 \r\nLinux (The Return) \r\n3805f299d33ef43d17a5a1040149f0e5e2d5db57ec6f03c5687ac23db1f77a30 \r\nabba655df92e99a15ddcde1d196ff4393a13dbff293e45f5375a2f61c84a2c7b \r\na546ef13e8a71a8b5f0803075382eb0311d0d8dbae3f08bac0b2f4250af8add0 \r\n6005dcbe15d60293c556f05e98ed9a46d398a82e5ca4d00c91ebec68a209ea84 \r\n43c5a487329f5d6b4a6d02e2f8ef62744b850312c5cb87c0a414f3830767be72 \r\n8e9a33809b9062c5033928f82e8adacbef6cd7b40e73da9fcf13ec2493b4544c \r\nbcae978c17bcddc0bf6419ae978e3471197801c36f73cff2fc88cecbe3d88d1a \r\n3805f299d33ef43d17a5a1040149f0e5e2d5db57ec6f03c5687ac23db1f77a30 \r\nWindows v1 \r\n678ec8734367c7547794a604cc65e74a0f42320d85a6dce20c214e3b4536bb33 \r\n6cadab96185dbe6f3a7b95cf2f97d6ac395785607baa6ed7bf363deeb59cc360 \r\n3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c \r\n1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc \r\nhttps://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/\r\nPage 9 of 10\n\n5c62626731856fb5e669473b39ac3deb0052b32981863f8cf697ae01c80512e5 \r\nMegazord \r\ndfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198 \r\n28cea00267fa30fb63e80a3c3b193bd9cd2a3d46dd9ae6cede5f932ac15c7e2e \r\na6b0847cf31ccc3f76538333498f8fef79d444a9d4ecfca0592861cf731ae6cb \r\nb55fbe9358dd4b5825ce459e84cd0823ecdf7b64550fe1af968306047b7de5c9 \r\nc9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0 \r\n0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d \r\n95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a \r\ne3fa93dad8fb8c3a6d9b35d02ce97c22035b409e0efc9f04372f4c1d6280a481 \r\n68d5944d0419bd123add4e628c985f9cbe5362ee19597773baea565bff1a6f1a \r\n8816caf03438cd45d7559961bf36a26f26464bab7a6339ce655b7fbad68bb439 \r\nc0c0b2306d31e8962973a22e50b18dfde852c6ddf99baf849e3384ed9f07a0d6 \r\n7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be \r\n2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83 \r\n9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c \r\n9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065 \r\n131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07 \r\nAkira_v2: \r\n3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75 \r\n0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c \r\nSource: https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/\r\nhttps://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "origins": [ "web" ], "references": [ "https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/" ], "report_names": [ "akira-ransomware-continues-to-evolve" ], "threat_actors": [ { "id": "8c8fea8c-c957-4618-99ee-1e188f073a0e", "created_at": "2024-02-02T02:00:04.086766Z", "updated_at": "2026-04-10T02:00:03.563647Z", "deleted_at": null, "main_name": "Storm-1567", "aliases": [ "Akira", "PUNK SPIDER", "GOLD SAHARA" ], "source_name": "MISPGALAXY:Storm-1567", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84", "created_at": "2024-04-24T02:00:49.516358Z", "updated_at": "2026-04-10T02:00:05.309426Z", "deleted_at": null, "main_name": "Akira", "aliases": [ "Akira", "GOLD SAHARA", "PUNK SPIDER", "Howling Scorpius" ], "source_name": "MITRE:Akira", "tools": [ "Mimikatz", "PsExec", "AdFind", "Akira _v2", "Akira", "Megazord", "LaZagne", "Rclone" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434595, "ts_updated_at": 1775826787, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c3965f2ca1b3cb2cd408b1cd310af5523d98a382.pdf", "text": "https://archive.orkl.eu/c3965f2ca1b3cb2cd408b1cd310af5523d98a382.txt", "img": "https://archive.orkl.eu/c3965f2ca1b3cb2cd408b1cd310af5523d98a382.jpg" } }