On DarkNet – Dark Web News and Analysis

The ransomware gang Akira has published an unprecedented amount of victim data this month

Akira is a ransomware-as-a-service (RaaS) group with a growing reputation in the ransomware community. This month its dark web leak site set a record for the number of new victims published, and more victims are still being added. To investigate, "ODN" attempted to access Akira's dark web leak site.

The V3 address of Akira's dark web leak site is:

https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion

Akira Group's Dark Web Site

Akira's dark web leak site, named after the Japanese cyberpunk manga, is styled after the monochrome command-line interfaces popular in the 1980s. "ODN" notes that its aesthetic is similar to that of the "Vanir Group's" dark web leak site: it is designed to look and behave like a Linux terminal, with a black background, green text and a shell prompt (guest@akira:~$), as if the user were working in a Linux terminal.

As on other ransomware groups' sites, a warning text is immediately visible upon opening Akira's dark web site:

Well, you are here. It means that you're suffering from cyber incident right now. Think of our actions as an unscheduled forced audit of your network for vulnerabilities. Keep in mind that there is a fair price to make it all go away.

Do not rush to assess what is happening - we did it to you. The best thing you can do is to follow our instructions to get back to your daily routine, by cooperating with us you will minimize the damage that might be done.

Those who choose different path will be shamed here publicly. The functionality of this blog is extremely simple - enter the desired command in the input line and enjoy the juiciest information that corporations around the world wanted to stay confidential.

Remember. You are unable to recover without our help. Your data is already gone and cannot be traced to the place of final storage nor deleted by anyone besides us.

In Akira's pseudo-terminal on the website, five commands can be entered:

From this, it appears Akira's dark web leak site primarily contains three functions:

  1. A "News" function (/n) used to extort recent victims.
  2. A "Leaks" function (/l) used to publish data if extortion fails.
  3. A "Contact" function (/m) for communication with the ransomware group.

The contact function allows submissions via "email/icq/jabber/tox id/telegram," indicating these are the methods the ransomware group uses for contact.

Akira Ransomware Group Releases a Large Number of Victim Details

This site (ondarknet.com) tested the "news" command and found that over approximately one and a half years from April 25, 2023, to November 20, 2024, the Akira ransomware group posted information on 319 victims, detailing what data was leaked; upon entering the "leaks" command, statistics show 128 victims had their data publicly leaked. Therefore, "ODN" concludes that aside from those still in the ransom negotiation phase, perhaps hundreds have already paid the ransom.

The FBI reported that the Akira ransomware group emerged in March 2023, providing a platform for hackers to extort victims by stealing and encrypting data. The FBI stated that in its first year of operation, Akira earned $42 million from around 250 attacks.

The group, shortly after appearing, conducted numerous cyberattacks, leading experts to believe it was composed of experienced ransomware attackers. Last year, it launched a series of attacks, including one on the cloud hosting service provider Tietoevry.

Ransomware groups usually give victims a few days or weeks to pay the ransom before publishing the stolen data, depending on the negotiation outcomes. Akira's dark web leak site posted less data than usual from August to October and then saw a sudden surge in listings in November. Possible reasons include an increase in new affiliates using the dark web site to extort victims, or the Akira administrators having chosen to withhold previous leaks.

Most of the new victims come from the business services sector with headquarters in the United States, along with two companies headquartered in Canada, others from Germany, the UK, and elsewhere. "ODN" compared the names and URLs of these victims with all victims tracked over the past years from various ransomware groups, confirming these are first-time victims.

Earlier this year, LockBit published a similar number of victim details in an attempt to downplay its being hit by law enforcement, stating, "after its old site was seized, it mixed old victim information with new victims."

According to the UK's National Crime Agency, many of the victims listed by LockBit were reposts of old attacks, while others were either fake or misattributed: attacks claimed to have affected a large enterprise had in fact only impacted a very small subsidiary.
