Ransomware group Akira exploits victims following IT provider breach – 60 and counting

After an attack on a yet-unknown IT provider, Akira has started extorting the victims of the breach. On Friday, Akira uploaded its first batch of 34 victims. Today, it’s uploaded another 26.

Here’s what we know about the victims so far:

  • Three attacks appear to be confirmed/connected to breaches from 2024
  • 37 victims are from the United States, four are from the United Kingdom
  • 13 provide services (e.g. marketing agencies, cleaning services, electrical contractors), 10 are manufacturers, nine operate in the retail sector, and six are construction companies
  • Three healthcare providers have also been breached as well as one medical device manufacturer

The three potentially confirmed attacks are:

  • Arena Technical Resources, LLC (US): The employment agency issued data breach letters at the end of last year following a cyber attack that “locked” computer systems in August 2024. 2,502 are confirmed to have been affected.
  • Idre Fjäll (Sweden): The ski resort notified customers of a data breach in September 2024 after a cybersecurity attack that same month.
  • Constar Financial Services/Empereon Constar (US): Akira claimed an attack on Empereon Constar in July 2024. Data breach notifications were issued for Constar Financial Services following an attack on “the corporate computer environment of a partner company” (Empereon Constar). 8,578 people were affected by this breach.

Image: Akira’s list of victims following IT provider hack

Who is Akira?

Since it first emerged in March 2023, Akira has claimed over 500 victims in total. 107 of its claims have been confirmed.

Across these 107 attacks, nearly 800,000 records have been impacted. Its top five breaches are on education institutions, manufacturers, and service providers:

  1. Edmonds School District, US – Hit in January 2023 with 145,844 people affected
  2. Hospitality Staffing Solutions, US – Suffered an attack in June 2023 with 104,660 people affected
  3. Nissan Australia – Targeted in December 2023 with 100,000 people impacted
  4. Mercer University, US – Breached in February 2023 with 93,512 records involved in the attack
  5. BHI Energy, US – 91,269 affected in a May 2023 breach

The large number of records breached highlights Akira’s frequent double-extortion tactics whereby a ransom is demanded 1) to decrypt systems and 2) to delete stolen data.

Over the last few months, Akira appears to have upped its claims. Of the 313 claims it made in 2024, 127 (41%) came through in November and December. So far this year, it’s also claimed 39 victims on top of the 60 mentioned above.

The only confirmed attack so far this year is on Laramie County Library System, which occurred last month.

Ransomware on the rise?

Akira isn’t the only gang that appears to be upping the ante. Clop hasn’t yet released all of the victims involved in the Cleo software vulnerability (but has claimed 100 so far) and RansomHub continues to dominate with multiple victims added weekly (over 50 this year so far).

If we compare January 2025 to January 2024, the figures make for stark reading. Throughout 2024 we noted 63 confirmed and 213 unconfirmed attacks. Fast-forward to January 2025 and we logged 35 confirmed and 522 unconfirmed attacks — a 100 percent increase in total.

These latest Akira victims highlight the ongoing threat organizations face, not just within their own systems but through vulnerabilities exploited via third parties.

