New Akira Ransomware Clone Targets Windows Users in South America
Key Takeaways
- A novel ransomware campaign is actively targeting Windows users across South America.
- This new threat is a “lookalike” of the notorious Akira ransomware, meticulously mimicking its ransom notes and file extensions.
- Despite its Akira disguise, the underlying encryptor is based on the publicly leaked Babuk ransomware source code.
- The campaign underscores a growing trend of ransomware groups expanding operations into South America and leveraging impersonation tactics to mislead victims and investigators.
Akira Impersonator Leverages Babuk Code in South American Ransomware Campaign
A sophisticated new ransomware operation has emerged, setting its sights on Windows systems within South America. This campaign is notable for its deliberate and convincing impersonation of the prominent Akira ransomware, a tactic designed to mislead victims and complicate attribution efforts.
While the visual presentation, including ransom notes and file extensions, is nearly identical to Akira, cybersecurity researchers have uncovered that the underlying encryption mechanism is fundamentally different. This new threat secretly employs code derived from the Babuk ransomware family, whose source code was publicly leaked years ago.
Deception and Attribution Challenges
The campaign has raised significant concerns among cybersecurity experts due to the high fidelity of its Akira mimicry. Victims whose systems are compromised find their files encrypted and held hostage, accompanied by a ransom note that closely replicates Akira’s style. This includes matching Tor URLs for negotiation and similar phrasing, as detailed in a report by ESET Research analysts.
This deliberate deception aims to confuse not only the affected organizations but also experienced incident response teams, potentially delaying accurate identification of the true threat actor responsible for the attack. The use of a well-known ransomware’s branding allows the operators to capitalize on its reputation without direct affiliation with the original Akira group.
Geographic Shift and Trend of Impersonation
The focus on South American targets marks a significant geographical shift for ransomware campaigns. Historically, ransomware groups have concentrated their efforts on organizations in North America and Europe, where the perceived value of sensitive data and higher potential ransom payments offered greater profitability. This latest campaign suggests that threat actors are actively broadening their operational scope into South American markets, possibly using this lookalike strain as a testing ground for future, more extensive operations.
Furthermore, this incident aligns with a broader global trend of ransomware impersonation. Cybercriminals are increasingly adopting tactics that involve mimicking established ransomware brands to exploit the fear and brand recognition associated with those names. By cloaking their tools under the Akira moniker, the perpetrators of this campaign can leverage Akira’s notorious reputation without being directly tied to its developers or affiliates.
Inside the Babuk-Based Encryptor
At the heart of this deceptive campaign lies an encryptor built upon the source code of Babuk ransomware. The Babuk code, having been publicly leaked years ago, has become a readily available resource for various threat actors seeking to develop new ransomware variants with minimal development effort. In this particular instance, the operators adapted the leaked code and meticulously disguised it to emulate Akira.
This disguise includes appending the .akira file extension to encrypted files and crafting a ransom note that faithfully reproduces Akira’s known communication style, complete with dark web Tor-based links for victim negotiation. The effectiveness of this disguise lies in its seamless execution, making it challenging for victims and even security professionals to discern the true origin of the attack.
The ransom note presented to victims mirrors Akira’s formatting and language with sufficient accuracy to sow confusion. Victims are directed to Tor-based URLs that closely resemble those utilized by the authentic Akira group, which can lead organizations to misattribute the attack and potentially impede a swift and accurate response.
What You Should Do
- Ensure all Windows operating systems and software are fully patched and updated to mitigate known vulnerabilities.
- Implement robust network segmentation to contain potential ransomware spread and limit damage if an infection occurs.
- Maintain regular, verified offline backups of critical data to enable recovery without resorting to ransom payments.
- Security teams should actively monitor endpoints for unusual file extensions, particularly .akira, as an early indicator of compromise.
- Exercise caution and conduct thorough forensic analysis before attributing ransomware attacks solely based on ransom note content, given the increasing prevalence of impersonation tactics.
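One way to act on the extension-monitoring recommendation above, as an added example that is not code from the report or from ESET: it parses constructed endpoint file-event lines (assumed format "ISO-timestamp host action path") and alerts only when one host renames a burst of files to .akira, because the thresholds are assumptions and a single match, like a ransom note, is a signal to investigate rather than proof of who is behind the attack.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extension the Akira lookalike appends to encrypted files (from the report).
SUSPECT_EXTENSIONS = {".akira"}
# Assumed tuning: alert when one host writes this many suspect files within the window.
BURST_COUNT = 5
BURST_WINDOW = timedelta(seconds=60)

def parse_event(line):
    """Parse a constructed 'ISO-timestamp host action path' endpoint log line."""
    ts, host, action, path = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "action": action, "path": path}

def detect_bursts(lines):
    """Return {host: count} for hosts where >= BURST_COUNT files gained a suspect
    extension inside BURST_WINDOW; one match alone is too weak to page on."""
    stamps_by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["action"] not in ("rename", "create"):
            continue
        if PureWindowsPath(ev["path"]).suffix.lower() in SUSPECT_EXTENSIONS:
            stamps_by_host[ev["host"]].append(ev["ts"])
    alerts = {}
    for host, stamps in stamps_by_host.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while t - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_COUNT:
                alerts[host] = end - start + 1
                break
    return alerts

# Constructed sample: ws-01 shows a rename burst; ws-02 has a single match only.
SAMPLE_LOG = [
    "2025-01-01T10:00:00 ws-01 rename C:\\Users\\a\\Documents\\q1.xlsx.akira",
    "2025-01-01T10:00:03 ws-01 rename C:\\Users\\a\\Documents\\q2.xlsx.akira",
    "2025-01-01T10:00:07 ws-01 rename C:\\Users\\a\\Documents\\notes.docx.akira",
    "2025-01-01T10:00:12 ws-01 rename C:\\Users\\a\\Pictures\\img1.png.akira",
    "2025-01-01T10:00:20 ws-01 rename C:\\Users\\a\\Pictures\\img2.png.akira",
    "2025-01-01T10:01:00 ws-02 rename C:\\Users\\b\\report.docx.akira",
    "2025-01-01T10:02:00 ws-02 create C:\\Users\\b\\report_final.docx",
]

if __name__ == "__main__":
    print(detect_bursts(SAMPLE_LOG))  # {'ws-01': 5}
```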
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.