{ "id": "94802aa9-801d-40e7-b6f8-0957649fa1bc", "created_at": "2026-04-23T02:54:18.623579Z", "updated_at": "2026-04-25T02:18:56.09686Z", "deleted_at": null, "sha1_hash": "faf7b38a8314569506df5f529ebf076d1b96a8f0", "title": "Negotiations with the Akira ransomware group: an ill-advised approach - DataBreaches.Net", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 33022, "plain_text": "Negotiations with the Akira ransomware group: an ill-advised\r\napproach - DataBreaches.Net\r\nPublished: 2025-05-05 · Archived: 2026-04-23 02:29:05 UTC\r\n@Chum1ng0 took a look at four victims of Akira and what happened in terms of negotiations or not. In\r\ntranslation:\r\nAfter a detailed analysis, we identified four chats from different companies that attempted to\r\ncommunicate with Akira after being attacked. Some of these companies were still listed as victims on\r\nthe group’s website. \r\nDays after the failed negotiations, in which no financial agreement was reached, data from these\r\ncompanies was published on the Akira leak site, hosted on the Dark Web—an unindexed part of the\r\ninternet, accessible only through specialized browsers like Tor, where cybercriminals often share stolen\r\ninformation.\r\nOf the four cases analyzed, three entities refused to negotiate, while only one made a\r\npayment in Bitcoin. \r\nBecause the responses of the four victims were different,  Chu’s post provides some insights as to how Akira may\r\nrespond to different negotiation strategies. As one example, Chu reports:\r\nThe fourth entity contacted Akira’s chat, requesting only the cost of payment to evaluate whether it\r\nwas more convenient than restoring its systems . Akira demanded a payment of $1,000,000 and\r\nspecified that if the funds were withdrawn from a bank account, the company should inform the bank\r\nthat the money was solely for investment purposes. The company responded that this was too much\r\nmoney and added that rebuilding all the data on a new system would only take two weeks , so it\r\nwould not pay more than $50,000. \r\nThe blackmail continued with Akira, who threatened to publish 22.5 GB of information on his\r\nblog. Upon verification, we found that the entity has not yet been published on the blog .\r\nRead more at security-chu.com.\r\nSource: https://databreaches.net/2025/05/05/negotiations-with-the-akira-ransomware-group-an-ill-advised-approach/\r\nhttps://databreaches.net/2025/05/05/negotiations-with-the-akira-ransomware-group-an-ill-advised-approach/\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://databreaches.net/2025/05/05/negotiations-with-the-akira-ransomware-group-an-ill-advised-approach/" ], "report_names": [ "negotiations-with-the-akira-ransomware-group-an-ill-advised-approach" ], "threat_actors": [ { "id": "8c8fea8c-c957-4618-99ee-1e188f073a0e", "created_at": "2024-02-02T02:00:04.086766Z", "updated_at": "2026-04-25T02:00:03.466966Z", "deleted_at": null, "main_name": "Storm-1567", "aliases": [ "Akira", "PUNK SPIDER", "GOLD SAHARA" ], "source_name": "MISPGALAXY:Storm-1567", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84", "created_at": "2024-04-24T02:00:49.516358Z", "updated_at": "2026-04-25T02:00:04.094204Z", "deleted_at": null, "main_name": "Akira", "aliases": [ "Akira", "GOLD SAHARA", "PUNK SPIDER", "Howling Scorpius" ], "source_name": "MITRE:Akira", "tools": [ "Mimikatz", "PsExec", "AdFind", "Akira _v2", "Akira", "Megazord", "LaZagne", "Rclone" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1776912858, "ts_updated_at": 1777083536, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/faf7b38a8314569506df5f529ebf076d1b96a8f0.pdf", "text": "https://archive.orkl.eu/faf7b38a8314569506df5f529ebf076d1b96a8f0.txt", "img": "https://archive.orkl.eu/faf7b38a8314569506df5f529ebf076d1b96a8f0.jpg" } }