A new ransomware campaign is actively targeting Windows users across South America, employing a deceptive tactic by mimicking the well-known Akira ransomware. This threat, however, is not directly affiliated with the original Akira group. Instead, cybersecurity researchers have identified its core encryptor as being based on the publicly leaked Babuk ransomware source code, raising significant alarms about the evolving landscape of cybercrime.
ESET Research analysts brought attention to this campaign, noting that the ransomware appends the “.akira” extension to encrypted files and presents victims with a ransom note that closely resembles Akira’s in both content and the Tor URLs provided for communication. This deliberate impersonation is designed to sow confusion and potentially mislead both victims and cybersecurity professionals, complicating incident response efforts and obscuring the true identity of the attackers.
New Akira Lookalike Ransomware Campaign Targets South America
The discovery of this Akira lookalike ransomware campaign highlights a concerning trend of threat actors leveraging existing ransomware families and elaborate deception techniques to expand their operations. The campaign’s focus on South America is also noteworthy, suggesting a strategic geographical expansion by cybercriminals who historically concentrated their efforts on North American and European targets.
By adopting the guise of Akira, the attackers aim to capitalize on the fear and recognition associated with a known ransomware brand. This allows them to potentially increase the likelihood of ransom payments by exploiting the psychological impact of a familiar threat, even though the underlying malware is distinct.
The Babuk-based encryptor powering this campaign is a significant detail. Babuk’s source code became available publicly several years ago, leading to its widespread adoption and modification by various threat actors. This has allowed less sophisticated groups to quickly deploy functional ransomware by building upon the leaked code, often with some level of customization.
ESET Research’s analysis confirmed that this specific campaign utilizes a Babuk encryptor modified to align with the Akira persona. The “.akira” file extension and the meticulously crafted ransom notes, which mimic Akira’s communication style and Tor URLs, are key indicators of this impersonation strategy. This approach aims to create a convincing illusion for victims, potentially delaying proper threat identification and response.
Geographical Shift and Impersonation Tactics
The targeting of South America marks a departure from the typical geographical focus of many ransomware operations. Historically, organizations in North America and Europe have been primary targets due to perceived higher levels of data sensitivity and a greater willingness to pay ransoms. The shift towards South America could indicate an attempt to find less defended targets or exploit new market opportunities.
This campaign also exemplifies the growing trend of ransomware impersonation. Threat actors are increasingly aware that aligning their attacks with established ransomware brands can enhance their effectiveness. The operators who adopted the Akira name are not necessarily linked to the original Akira group; they simply benefit from its notoriety.
Behind the Babuk-Based Encryptor
The technical underpinnings of this threat reveal its reliance on the Babuk ransomware. The leak of Babuk’s source code provided a foundation for numerous ransomware variants, allowing attackers to deploy encryption capabilities with relative ease. In this instance, the threat actor has built upon this foundation, adding the “.akira” file extension and a convincing ransom note to create a distinct, yet familiar, threat.
The ransom note itself is a critical element of the deception. By replicating the formatting, language, and even the Tor URLs associated with the Akira group, the note aims to misdirect victims into believing they are dealing with the original threat actor. This can lead to misattribution of the attack and costly delays in initiating the correct incident response protocols.
Organizations in South America and globally are advised to bolster their cybersecurity defenses. This includes ensuring all Windows systems are consistently patched and updated, implementing robust network segmentation to limit the spread of ransomware, and maintaining regular, offline backups that can be used for recovery without succumbing to ransom demands. Security teams should also be vigilant for unusual file extensions, such as “.akira,” as an early indicator of infection. It is crucial to avoid making attack attributions solely based on ransom note content, as this campaign demonstrates the effectiveness of sophisticated impersonation tactics.
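To make the file-extension indicator above concrete, here is a small detection sketch written for this page (it is example code, not ESET's tooling and not anything recovered from the campaign). It consumes file-rename events of the kind an EDR or file-audit feed exports and raises one alert per host when many files gain the ".akira" extension within a short window, which is what encryption in progress looks like; a single rename is deliberately ignored. The event layout, hostnames, paths and timestamps are constructed assumptions, and the alert is labelled by the observed extension only, since, as the article notes, the extension and note style are not a basis for attribution.

```python
"""Burst detection for renames to a suspicious extension (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extension the campaign appends to encrypted files, as reported by ESET Research.
SUSPICIOUS_EXTENSIONS = {".akira"}

# Constructed sample events: (ISO timestamp, hostname, old path, new path).
# The tuple layout is an assumption about what a file-audit feed exports;
# hosts, users and file names are invented for this example.
SAMPLE_EVENTS = [
    ("2024-06-01T10:00:00", "WS-01", r"C:\Users\ana\Documents\q1.xlsx", r"C:\Users\ana\Documents\q1.xlsx.akira"),
    ("2024-06-01T10:00:05", "WS-01", r"C:\Users\ana\Documents\q2.xlsx", r"C:\Users\ana\Documents\q2.xlsx.akira"),
    ("2024-06-01T10:00:10", "WS-01", r"C:\Users\ana\Documents\notes.docx", r"C:\Users\ana\Documents\notes.docx.akira"),
    ("2024-06-01T10:00:15", "WS-01", r"C:\Users\ana\Pictures\img1.jpg", r"C:\Users\ana\Pictures\img1.jpg.akira"),
    ("2024-06-01T10:00:20", "WS-01", r"C:\Users\ana\Pictures\img2.jpg", r"C:\Users\ana\Pictures\img2.jpg.akira"),
    ("2024-06-01T10:00:25", "WS-01", r"C:\Users\ana\Desktop\todo.txt", r"C:\Users\ana\Desktop\todo.txt.AKIRA"),
    # One isolated rename on another host: plausible user activity, not a burst.
    ("2024-06-01T10:01:00", "WS-02", r"C:\Temp\draft.txt", r"C:\Temp\draft.akira"),
    # Five renames on a third host spread two minutes apart: below the burst rate.
    ("2024-06-01T10:00:00", "WS-03", r"D:\data\a.db", r"D:\data\a.db.akira"),
    ("2024-06-01T10:02:00", "WS-03", r"D:\data\b.db", r"D:\data\b.db.akira"),
    ("2024-06-01T10:04:00", "WS-03", r"D:\data\c.db", r"D:\data\c.db.akira"),
    ("2024-06-01T10:06:00", "WS-03", r"D:\data\d.db", r"D:\data\d.db.akira"),
    ("2024-06-01T10:08:00", "WS-03", r"D:\data\e.db", r"D:\data\e.db.akira"),
]


def parse_event(event):
    """Split a raw event tuple into typed fields."""
    ts, host, old, new = event
    return datetime.fromisoformat(ts), host, PureWindowsPath(old), PureWindowsPath(new)


def has_suspicious_extension(path):
    """Case-insensitive check of the final suffix (q1.xlsx.akira -> .akira)."""
    return path.suffix.lower() in SUSPICIOUS_EXTENSIONS


def detect_rename_bursts(events, window_seconds=60, threshold=5):
    """Return one alert per host where at least `threshold` files gained a
    suspicious extension inside any `window_seconds` span.

    A sliding deque of timestamps per host keeps only renames within the
    window; the alert records the largest burst seen and when it ran."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # host -> timestamps of qualifying renames in window
    alerts = {}                  # host -> alert dict

    for event in sorted(events, key=lambda e: e[0]):
        ts, host, old, new = parse_event(event)
        # Only count a file newly acquiring the extension, not a re-rename.
        if not has_suspicious_extension(new) or has_suspicious_extension(old):
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(host, {
                "host": host,
                "first_seen": q[0],
                "count": 0,
                "extensions": set(),
                # Deliberately not "Akira": the extension alone proves nothing about who is behind it.
                "indicator": "mass rename to suspicious extension",
            })
            alert["count"] = max(alert["count"], len(q))
            alert["last_seen"] = ts
            alert["extensions"].add(new.suffix.lower())
    return list(alerts.values())


def summarize(alerts):
    """Human-readable one-liners for a SOC queue."""
    return [
        f"{a['host']}: {a['count']} files renamed to {sorted(a['extensions'])} "
        f"between {a['first_seen'].time()} and {a['last_seen'].time()} ({a['indicator']})"
        for a in alerts
    ]


if __name__ == "__main__":
    for line in summarize(detect_rename_bursts(SAMPLE_EVENTS)):
        print(line)
```

With the defaults (five renames inside sixty seconds) only WS-01 is reported; WS-02's single rename and WS-03's slow trickle stay below the threshold. Tune the window and threshold to the file-server's normal rename rate, and treat the alert as a trigger for isolation and note collection rather than as attribution to any particular group.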