New Akira Ransomware Clone Targets Windows Users in South America

David kimber
April 2, 2026

Key Takeaways

  • A novel ransomware campaign is actively targeting Windows users across South America.
  • This new threat is a “lookalike” of the notorious Akira ransomware, meticulously mimicking its ransom notes and file extensions.
  • Despite its Akira disguise, the underlying encryptor is based on the publicly leaked Babuk ransomware source code.
  • The campaign underscores a growing trend of ransomware groups expanding operations into South America and leveraging impersonation tactics to mislead victims and investigators.

Akira Impersonator Leverages Babuk Code in South American Ransomware Campaign

A sophisticated new ransomware operation has emerged, setting its sights on Windows systems within South America. This campaign is notable for its deliberate and convincing impersonation of the prominent Akira ransomware, a tactic designed to mislead victims and complicate attribution efforts.

While the visual presentation, including ransom notes and file extensions, is nearly identical to Akira, cybersecurity researchers have uncovered that the underlying encryption mechanism is fundamentally different. This new threat secretly employs code derived from the Babuk ransomware family, whose source code was publicly leaked years ago.

Deception and Attribution Challenges

The campaign has raised significant concerns among cybersecurity experts due to the high fidelity of its Akira mimicry. Victims whose systems are compromised find their files encrypted and held hostage, accompanied by a ransom note that closely replicates Akira’s style. This includes matching Tor URLs for negotiation and similar phrasing, as detailed in a report by ESET Research analysts.

This deliberate deception aims to confuse not only the affected organizations but also experienced incident response teams, potentially delaying accurate identification of the true threat actor responsible for the attack. The use of a well-known ransomware’s branding allows the operators to capitalize on its reputation without direct affiliation with the original Akira group.

Geographic Shift and Trend of Impersonation

The focus on South American targets marks a significant geographical shift for ransomware campaigns. Historically, ransomware groups have concentrated their efforts on organizations in North America and Europe, where the perceived value of sensitive data and higher potential ransom payments offered greater profitability. This latest campaign suggests that threat actors are actively broadening their operational scope into South American markets, possibly using this lookalike strain as a testing ground for future, more extensive operations.

Furthermore, this incident aligns with a broader global trend of ransomware impersonation. Cybercriminals are increasingly adopting tactics that involve mimicking established ransomware brands to exploit the fear and brand recognition associated with those names. By cloaking their tools under the Akira moniker, the perpetrators of this campaign can leverage Akira’s notorious reputation without being directly tied to its developers or affiliates.

Inside the Babuk-Based Encryptor

At the heart of this deceptive campaign lies an encryptor built upon the source code of Babuk ransomware. The Babuk code, having been publicly leaked years ago, has become a readily available resource for various threat actors seeking to develop new ransomware variants with minimal development effort. In this particular instance, the operators adapted the leaked code and meticulously disguised it to emulate Akira.

This disguise includes appending the .akira file extension to encrypted files and crafting a ransom note that faithfully reproduces Akira’s known communication style, complete with dark web Tor-based links for victim negotiation. The effectiveness of this disguise lies in its seamless execution, making it challenging for victims and even security professionals to discern the true origin of the attack.

The ransom note presented to victims mirrors Akira’s formatting and language with sufficient accuracy to sow confusion. Victims are directed to Tor-based URLs that closely resemble those utilized by the authentic Akira group, which can lead organizations to misattribute the attack and potentially impede a swift and accurate response.

What You Should Do

  • Ensure all Windows operating systems and software are fully patched and updated to mitigate known vulnerabilities.
  • Implement robust network segmentation to contain potential ransomware spread and limit damage if an infection occurs.
  • Maintain regular, verified offline backups of critical data to enable recovery without resorting to ransom payments.
  • Actively monitor endpoints for unusual file extensions, particularly .akira, as an early indicator of compromise.
  • Exercise caution and conduct thorough forensic analysis before attributing ransomware attacks solely based on ransom note content, given the increasing prevalence of impersonation tactics.
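As an added illustration of the monitoring advice above (this is example code, not ESET's research tooling or anything from the campaign itself), the script below scans constructed file-system event lines for a burst of renames to the .akira extension on a single host and raises an alert, while reporting the family only as "unknown" because, as the article stresses, the extension and ransom note are a disguise, not proof of attribution. The log format, hostnames, window and threshold are assumptions.

```python
"""Flag hosts with a burst of '.akira'-suffixed renames in a file-system event log.

Added example, not code from the report or the campaign. The line format
"<ISO time> <host> <event> <path>", the hostnames, the 60-second window and the
threshold of 5 renames are all assumptions chosen for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime

SUSPECT_EXT = ".akira"   # extension the lookalike appends, per the report
WINDOW_SECONDS = 60      # assumption: look-back window per host
THRESHOLD = 5            # assumption: renames inside the window that trigger an alert

# Constructed sample events (not real telemetry). ws-01 shows a burst; ws-02
# renames only two files, three minutes apart, and should not alert.
SAMPLE_LOG = [
    r"2026-04-02T10:00:01 ws-01 RENAME C:\Users\a\Documents\q1.xlsx.akira",
    r"2026-04-02T10:00:02 ws-01 RENAME C:\Users\a\Documents\q2.xlsx.akira",
    r"2026-04-02T10:00:02 ws-02 RENAME C:\Users\b\Desktop\notes.txt.akira",
    r"2026-04-02T10:00:03 ws-01 CREATE C:\Users\a\Documents\akira_readme.txt",
    r"2026-04-02T10:00:03 ws-01 RENAME C:\Users\a\Documents\q3.docx.akira",
    r"2026-04-02T10:00:04 ws-01 RENAME C:\Users\a\Documents\q4.docx.AKIRA",
    r"2026-04-02T10:00:05 ws-01 RENAME C:\Users\a\Pictures\photo.jpg.akira",
    r"2026-04-02T10:03:00 ws-02 RENAME C:\Users\b\Desktop\b.pdf.akira",
]


def parse(line):
    """Split one event line into (timestamp, host, event, path)."""
    ts, host, event, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, event, path


def detect_bursts(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {host: alert} for hosts whose .akira renames exceed the threshold.

    The alert records when the threshold was crossed and deliberately labels the
    family as unknown: an Akira-style extension does not identify the encryptor.
    """
    recent = defaultdict(deque)   # per-host timestamps of recent .akira renames
    alerts = {}
    for line in lines:
        ts, host, event, path = parse(line)
        if event != "RENAME" or not path.lower().endswith(SUSPECT_EXT):
            continue
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = {"first_seen": ts.isoformat(), "renames": len(q),
                            "family": "unknown (Akira-style extension only)"}
    return alerts


if __name__ == "__main__":
    for host, alert in detect_bursts(SAMPLE_LOG).items():
        print(host, alert)
```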
