{
	"id": "688e8bab-f9a0-4c7c-aeb1-bca48fefca2a",
	"created_at": "2026-04-06T00:14:31.93132Z",
	"updated_at": "2026-04-10T13:12:04.379722Z",
	"deleted_at": null,
	"sha1_hash": "f00ba64f67850713f20e02a9a64f11bfd923f637",
	"title": "Tracking Adversaries: Akira, another descendent of Conti",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 503732,
	"plain_text": "Tracking Adversaries: Akira, another descendent of Conti\r\nBy BushidoToken\r\nPublished: 2023-09-16 · Archived: 2026-04-05 23:02:30 UTC\r\nThe dozens of cybercriminals that made up the Conti group continue to launch campaigns unabated. Previously in\r\n2022, I blogged about how following the Conti Leaks, the operators of Conti continued on via multiple rebranded\r\nransomware campaigns, such as Royal, BlackBasta, and Quantum, among others. \r\nSince my last two blogs on the Conti/TrickBot gang, multiple members have been officially sanctioned by the US\r\nand UK governments in February 2023 and September 2023, formally confirming attribution to Russia-based threat\r\nactors. The sanctions are a vital step in the right direction and help the public and lawmakers understand what\r\norganized cybercrime looks like and the scale of the fight on our hands.\r\nIn this blog, however, I wanted to explore the ransomware campaign called Akira that appeared in March\r\n2023 and focus on how Akira is connected to Conti. Akira is a rapidly growing threat to civil society and critical\r\ninfrastructure and is the ransomware group I believe researchers and governments should be monitoring more\r\nclosely.\r\nBackground on Akira\r\nAdversaries and Victims\r\nFirstly, the operators of Akira ransomware are financially motivated cybercriminals. They are in it for the money\r\nand have made a lot of it already in 2023; how much exactly is not clear. But public media reports state that\r\nbetween March and July 2023, the group has compromised at least 63 victims, which is around four organizations\r\nhit by Akira ransomware per week — that we know about. 
From negotiations seen by BleepingComputer, the\r\nransomware gang demands ransoms ranging from 200,000 to millions of US dollars.\r\nhttps://blog.bushidotoken.net/2023/09/tracking-adversaries-akira-another.html\r\nPage 1 of 5\n\nThe group performs the usual double extortion campaigns, whereby the victim’s files are encrypted and\r\ninformation is stolen and published to their Tor data leak site (DLS) if the ransom is not paid. Private\r\ncybersecurity vendors track the Akira operators as Punk Spider (CrowdStrike) and Gold Sahara (Secureworks).\r\nAlongside being connected to Conti, the Akira operators are likely affiliated with other ransomware operations\r\ntoo, including Snatch and BlackByte. In August 2023, researchers found an open directory of tools used by an\r\nAkira operator that were also likely being used by a threat actor with connections to Snatch ransomware. In July\r\n2023, media reports shared that Yamaha’s Canadian music division was listed on the Akira DLS, which was after\r\nthey were listed on BlackByte’s DLS in June 2023. The connections between Akira and other ransomware gangs\r\nhighlight that those who deploy Akira are potentially working with more than one ransomware crew, as Microsoft\r\nfound is usually the case among affiliates.\r\nAkira’s victims have been located around the world, but most that have appeared on their Tor DLS have been from\r\nNorth America. Akira attacks have impacted a wide range of industries, such as education, financial services,\r\nmanufacturing, professional services, and healthcare, among others. Most of the victims have been small-to-medium businesses (SMBs) with a few recognizable brand names, such as Yamaha.\r\nCapabilities and Infrastructure\r\nThere have been multiple versions of the Akira ransomware family and it has been deployed across Windows\r\ndomains and Hyper-V virtual infrastructure, as well as VMware ESXi hypervisors with Linux virtual machines\r\n(VMs). 
The first version of Akira was written in C++ and appended files with the “.akira” extension and dropped a\r\nransom note called “akira_readme.txt” that is at least partially based on Conti’s V2 source code, according to\r\nmalware analysts who also released a decryptor for Akira on 29 June 2023. However, a new version was shortly\r\nreleased that patched the decryption flaw on 2 July 2023. Since then, in late August 2023, a new revamped version\r\nof Akira appeared developed in Rust. This time it was called “megazord.exe” and appended “.powerranges”\r\nextension to encrypted files.\r\nThe most common initial access vector the Akira operators have used appears to be via brute-forcing Cisco VPN\r\ndevices with single-factor authentication only. The Akira operator that was tied to Snatch was also found\r\nexploiting Fortinet devices vulnerable to CVE-2019-6693 and CVE-2022-40684 for initial access. Incident\r\nresponders have also said that they believe Akira operators likely purchase VPN credentials from cybercrime\r\nmarketplaces fuelled by infostealer malware botnets and they may potentially source them from initial access\r\nbrokers (IABs) too, such as EXOTIC LILY that controls the Bumblebee malware.\r\nBy extracting tools and tradecraft from numerous threat reports on Akira, the operators have been known to\r\nleverage the same arsenal of tools time and time again, but may substitute some depending on the environment.\r\nThese can be broken down into the following categories:\r\nExternal Reconnaissance: Masscan and ReconFTW\r\nInternal Enumeration: PCHunter64, Advanced IP Scanner, LANsweeper, SharpHound, AdFind,\r\nSoftPerfect NetScan, and Windows Nltest\r\nCredential Theft: Minidump, Mimikatz, LaZagne, and DonPAPI\r\nPersistence: RMM tools, such as AnyDesk, RustDesk, Radmin, and ScreenConnect, as well as disabling\r\nfirewalls followed by enabling RDP, and PuTTy. 
The SystemBC crimeware RAT has also been used by Akira.\r\nDefense Evasion: Disable EDR tools with Terminator.exe and ToolPow, as well as batch scripts for\r\ndisabling LSA Protection and Windows Defender\r\nLateral Movement: Impacket (wmiexec.py and atexec.py), RDP, and SSH\r\nCollection: Searching and downloading files from Microsoft SharePoint\r\nExfiltration: Compression tools (7zip, WinRAR, etc.) as well as Rclone, FileZilla, and WinSCP\r\nCommand-and-control: Cloudflare Tunnel (Cloudflared), MobaXterm, and Ngrok\r\nImpact: Akira ransomware, usually launched via PsExec \r\nAfter the ransomware has been deployed and the data is stolen, Akira begins the negotiations. This includes\r\nrequesting the victim to visit Akira’s Green MS-DOS style Tor Negotiation site\r\n(akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id[.]onion) via the ransom note. And if the victim\r\nrefuses to pay the ransom, they are listed on Akira’s DLS (akiral2iz6a7qgd3ayp3l6yub7xx2\r\nuep76idk3u2kollpj5z3z636bad[.]onion).\r\nFigure 1: Akira's Negotiation Portal (left) and Data Leak Site (right)\r\nFinally, something to note about Akira’s DLS is that it does not actually host the stolen data like other ransomware\r\nTor DLSs. This gang has decided to use Magnet Links that require Torrenting software to download and view\r\nstolen data. This is a trend that other ransomware groups have followed, such as CL0P following the MOVEit\r\nbreaches earlier in 2023.\r\nFigure 2: Victim post on Akira's DLS with Magnet Links\r\nAkira's similarities with Conti\r\nNow, let’s lay all the evidence out and examine the similarities and overlaps between Conti and Akira. The main\r\nnotable links are as follows:\r\nTo start, both Conti and Akira are double extortion ransomware groups and Akira appeared almost a year\r\nafter Conti shut down its Tor DLS. 
Many of Akira’s victims are the same type as Conti’s, those being\r\nprimarily North American businesses. Plus, much like Conti, there are versions of Akira ransomware that\r\ncan target Windows domains or VMware ESXi hypervisors with Linux VMs.\r\nMalware analysts have noted several code similarities between Conti and Akira ransomware, such as the\r\nlist of file type and directory exclusions, the structure of the file tail, the implementation of ChaCha 2008,\r\nand the code for key generation.\r\nExamples of negotiation chats between Akira and their victims have also been made public. These logs\r\nrevealed that Akira operators use a script to begin negotiations just as Conti did, demonstrating behavioral\r\nsimilarity in campaign style and how they conduct operations.\r\nIn August 2021, a disgruntled member of Conti leaked the gang’s playbook for launching templated\r\nattacks. Conti created this playbook to scale up operations and launch ransomware attacks more frequently,\r\nearning them more money. Akira campaigns have followed a very similar set of TTPs as the Conti\r\nplaybook. The following tools used by Akira operators that are also mentioned in the Conti playbook\r\ninclude: Minidump, Mimikatz, AdFind, PChunter, PsExec, NetScan, Windows nltest, PuTTy, WinSCP,\r\nFileZilla, and AnyDesk.\r\nMalware that leads to Akira has also been commonly leveraged by Conti/Ryuk operators. The SystemBC\r\ncrimeware RAT has been used by Conti and Ryuk operators. Microsoft also highlighted that a specific\r\noperator they track as DEV-0237 shifted to SystemBC from Cobalt Strike during Conti campaigns. 
The\r\nBumblebee loader and EXOTIC LILY that have reportedly provided access to Akira operators are also\r\nclosely associated with Conti campaigns.\r\nBlockchain analytics on Akira’s Bitcoin transactions by incident responders also revealed that on at least\r\nthree occasions, Akira operators have sent ransom funds to addresses affiliated with known Conti wallets.\r\nThese transactions also equalled more than 600,000 USD.\r\nBased on the evidence gathered about Akira, it is my assessment that the operators behind Akira ransomware are\r\nlinked to Conti with high confidence. There are numerous links at multiple levels, with a combination of technical\r\nand behavioral ties between the two groups.\r\nOne of the most telling connections is arguably the bitcoin transactions between Akira and known Conti wallets.\r\nThe lack of any serious blockchain obfuscation techniques, such as using a mixing service or chain hopping, has\r\nmade it trivial for investigators to trace Akira ransom payments ultimately back to Conti with high confidence.\r\nEven without these Bitcoin transactions as damning evidence, there are clear similarities between Akira and Conti\r\nTTPs. However, due to the Conti ransomware source code getting leaked as well as the playbook getting leaked, it\r\nis possible for some threat actors to imitate Conti's success. But the fact that Akira is sending funds back to Conti does\r\nmake it seem they are almost certainly working with former Conti members (who are sanctioned).\r\nConclusion\r\nIf you are a victim of Akira and you are considering paying the ransom, you are potentially dealing with the\r\nsanctioned Russian men mentioned at the start of this blog. Paying the ransom is funding the Russia-based\r\norganized cybercrime syndicates that threaten our civil society and critical infrastructure. Think about that next\r\ntime a hospital is ransomed. 
Company executives at victim organizations need to realize that paying a sanctioned\r\nRussia-based cybercriminal group for a decryption key is hardly different from terrorist financing.\r\nSource: https://blog.bushidotoken.net/2023/09/tracking-adversaries-akira-another.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.bushidotoken.net/2023/09/tracking-adversaries-akira-another.html"
	],
	"report_names": [
		"tracking-adversaries-akira-another.html"
	],
	"threat_actors": [
		{
			"id": "4594f985-865e-4862-8047-2e80226e246a",
			"created_at": "2022-10-27T08:27:12.984825Z",
			"updated_at": "2026-04-10T02:00:05.293575Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"EXOTIC LILY"
			],
			"source_name": "MITRE:EXOTIC LILY",
			"tools": [
				"Bazar"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "56384d06-abc2-4853-8440-db4d7b7d1b5f",
			"created_at": "2023-01-06T13:46:39.367122Z",
			"updated_at": "2026-04-10T02:00:03.303733Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"DEV-0413"
			],
			"source_name": "MISPGALAXY:EXOTIC LILY",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b9df610a-2b02-460a-90be-62b982c38ce2",
			"created_at": "2024-06-19T02:03:08.111044Z",
			"updated_at": "2026-04-10T02:00:03.836764Z",
			"deleted_at": null,
			"main_name": "GOLD SAHARA",
			"aliases": [
				""
			],
			"source_name": "Secureworks:GOLD SAHARA",
			"tools": [
				"ADFind",
				"Advanced IP Scanner",
				"Akira",
				"AnyDesk",
				"LaZagne",
				"Level.io",
				"Logmein",
				"Mega",
				"Megazord",
				"Mimikatz",
				"PCHunter64",
				"PuTTy",
				"Rclone",
				"SoftPerfect Network Scanner",
				"WinRAR"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434471,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f00ba64f67850713f20e02a9a64f11bfd923f637.pdf",
		"text": "https://archive.orkl.eu/f00ba64f67850713f20e02a9a64f11bfd923f637.txt",
		"img": "https://archive.orkl.eu/f00ba64f67850713f20e02a9a64f11bfd923f637.jpg"
	}
}