#ESETresearch has identified an Akira lookalike ransomware campaign targeting South America. The threat actor is using a Babukbased encryptor that appends the .akira extension and drops a ransom note that mimics Akira both in Tor URLs and the overall content.
The ransom note is almost identical to Akira’s with some parts omitted. The crucial difference is the planted Tor link that is not under Akira’s control. The ransom note is also named ___________akira_readme.txt (the leading underscores is another difference to real Akira).
The ransom note also references the official Akira leak sites (Dedicated Leak Sites - DLSs), but plants a custom Tor link for the ransom payment negotiation. The link is currently not working. Notably, Akira itself warns about potential copycats on their DLS.
Aside from the encryptor, the threat actor utilized Mimikatz and exfiltrated sensitive data using rclone. Copycat attempts like this one are rare, but not unheard of. Victims should never trust threat actors based solely on their claims.
IoCs: 9B484760D563B3768EAA93802AFD4EA9C3F92780 (win.exe)
https://akirad2pbdhjlczfbunj4jbbv7ox4ixdti3xq35mqxsl3yzjqhg3lmqd[.]onion