Akira-Like Ransomware Targets South American Windows Users with Babuk Code

Emergence of Akira-Imitating Ransomware Targets Windows Users in South America

A new ransomware campaign has emerged in South America, targeting Windows users with a strain that closely mimics the notorious Akira ransomware. Despite its similar appearance, this malware is built upon a different foundation, utilizing code from the Babuk ransomware family to execute its attacks.

Cybersecurity researchers from ESET have identified this campaign, noting that the threat actors employ a Babuk-based encryptor that appends the `.akira` extension to encrypted files. The ransom notes left behind are nearly identical to those used by Akira, including matching Tor URLs and similar language, aiming to deceive victims and investigators into misattributing the attacks. Because a file extension and a ransom note are the easiest parts of a ransomware deployment to copy, responders should base attribution on the encryptor itself, such as its code and file-encryption routines, rather than on the name it advertises.

The Babuk ransomware, whose source code was leaked publicly in 2021, has been repurposed by various cybercriminals to develop new ransomware variants with minimal effort. In this instance, the attackers have rebranded the Babuk encryptor to resemble Akira, leveraging its established notoriety to enhance the credibility of their demands.

The campaign also points to a shift in ransomware targeting, with threat actors extending their operations to South America. Ransomware groups have historically concentrated on North American and European organizations, where expected ransom payments are higher. Activity in South America suggests that operators are exploring new markets, possibly testing their tooling and tactics before running larger operations elsewhere.

The campaign fits a broader trend of ransomware impersonation, in which cybercriminals borrow the branding of well-known ransomware families to trade on their reputations. By masquerading as Akira, the operators aim to instill fear and urgency in victims and so increase the likelihood of payment.