Akira Ransomware is Dangerous and Attacking Several Industries

A dangerous new strain of ransomware has only been active for roughly two months, and it’s already making headlines.

Not to be confused with a ransomware variant of the same name that emerged in 2017, this new (and unrelated) strain called ‘Akira’ is making waves for two reasons. Firstly, it’s extorting victims across a variety of sectors – and secondly, it operates a data leak site.

Speaking of which, their leak site claims that Akira ransomware has already targeted the finance, real estate, manufacturing and even child daycare center industries.

Targeting a children’s daycare center might seem extreme, but that’s not necessarily what is going on here. It’s very likely that the daycare center wasn’t specifically targeted by Akira ransomware, but rather just ended up being an unsuspecting victim. Ransomware gangs typically don’t care who the victims of their attacks are, as long as they’re getting paid.

Akira works by exfiltrating data from a target’s network. Once the attackers feel they have enough stolen data to effectively carry out their attack, they begin the encryption process and proceed with their demand for ransom.

Before encryption, Akira deletes Windows Volume Shadow Copies from devices by running a PowerShell command. Afterwards, it begins encrypting data files and appends the “.akira” extension to their names.
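As an added example (not from the original article or from Tripwire), the following Python correlates the two behaviours described above over endpoint events: shadow-copy removal from PowerShell, followed by files gaining the “.akira” extension on the same host. The event field names, the sample commands, hosts and paths, and the regex patterns are assumptions; the article does not quote the exact command.

```python
import re
from collections import defaultdict

# Assumption: the article does not quote the command, so match any PowerShell
# command line that names shadow copies together with a removal verb.
POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)
SHADOW_REF = re.compile(r"shadowcopy|vssadmin", re.I)
REMOVE_VERB = re.compile(r"remove-(?:wmiobject|ciminstance)|\bdelete\b", re.I)
AKIRA_EXT = ".akira"  # extension named in the article

def is_shadow_copy_deletion(image, command_line):
    """True when a PowerShell process appears to remove Volume Shadow Copies."""
    return bool(POWERSHELL.search(image) and SHADOW_REF.search(command_line)
                and REMOVE_VERB.search(command_line))

def triage(events, min_files=3):
    """Score hosts: 'high' = shadow copies removed, then >= min_files '.akira'
    files created; 'medium' = only one of the two behaviours was seen."""
    deleted_at = {}                 # host -> time of first shadow-copy removal
    akira_after = defaultdict(int)  # host -> '.akira' files seen after removal
    akira_hosts = set()             # hosts with any '.akira' file at all
    for ev in sorted(events, key=lambda e: e["time"]):
        host = ev["host"]
        if ev["type"] == "process":
            if is_shadow_copy_deletion(ev["image"], ev["cmd"]):
                deleted_at.setdefault(host, ev["time"])
        elif ev["path"].lower().endswith(AKIRA_EXT):
            akira_hosts.add(host)
            if host in deleted_at:
                akira_after[host] += 1
    hosts = set(deleted_at) | akira_hosts
    return {h: "high" if akira_after[h] >= min_files else "medium" for h in hosts}

# Constructed sample events (not real telemetry); field names are hypothetical.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DELETE_CMD = 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'
LIST_CMD = 'powershell.exe -Command "Get-WmiObject Win32_ShadowCopy | Select-Object ID"'
SAMPLE = [
    {"time": 1, "host": "FS01", "type": "process", "image": PS, "cmd": DELETE_CMD},
    {"time": 2, "host": "FS01", "type": "file", "path": r"D:\Finance\q1.xlsx.akira"},
    {"time": 3, "host": "FS01", "type": "file", "path": r"D:\Finance\q2.xlsx.akira"},
    {"time": 4, "host": "FS01", "type": "file", "path": r"D:\HR\staff.docx.akira"},
    {"time": 5, "host": "WS07", "type": "process", "image": PS, "cmd": LIST_CMD},
    {"time": 6, "host": "WS07", "type": "file", "path": r"C:\Users\kim\draft.akira"},
    {"time": 7, "host": "WS09", "type": "process", "image": PS, "cmd": LIST_CMD},
]

if __name__ == "__main__":
    for host, severity in sorted(triage(SAMPLE).items()):
        print(host, severity)
```

Listing shadow copies without removing them (the WS07 and WS09 sample events) is deliberately not flagged, and a host only reaches “high” when the removal precedes the renamed files.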

The ransom note left by Akira is placed in each folder that is encrypted during the attack. Part of the note reads:

"Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal."

It continues by offering a “security report”:

"The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data."

The ransom note even threatens you if you decide not to pay the ransom:

"We will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog."

It is said that Akira ransoms usually range from $200,000 to millions of dollars.

 

Story via Tripwire
