In a recent blog post by Arctic Wolf titled “Conti and Akira: Chained Together”, the authors delve into the connections between the Conti and Akira ransomware groups. The article provides a comprehensive analysis of the two groups, their tactics, and the implications of their activities.
Since March 2023, the Akira ransomware group has compromised at least 63 victims, with approximately 80% of them being small to medium-sized businesses (SMBs). The group is assessed to be opportunistic due to their victimology and negotiation tactics. Interestingly, through blockchain analysis, the authors found that some Conti-affiliated threat actors are linked to the Akira ransomware group. This connection is significant because, since the fallout of Conti ransomware in mid-2022, Conti-affiliated threat actors have splintered off and developed or joined other ransomware groups to continue extorting victim organizations.
The article also provides a detailed breakdown of the tools used by Akira, the similarities between Conti and Akira’s ransomware code, and the blockchain transactions between the two groups. The authors conclude that tracking ransom payments to Akira allowed them to identify transactions to Conti-affiliated addresses, thereby tying the two groups together.
This analysis raises important questions about the future of cyber threat attribution. With the leakage of Conti’s source code, attributing activities back to the original group has become more challenging. This could potentially be the start of a wider trend where threat actors leverage existing code bases to develop or modify their own, making attribution even more complex.
Further Reading
- “Blockchain data shows Conti gang tied to Akira and spate of ransomware attacks” by SC Media
- “Report reveals new information about Akira Group connection to Conti” by Security Magazine
- “Akira ransomware compromised at least 63 victims since March, report says” by The Record
- “Akira Ransomware Unleashing Chaos using Conti Leaks” by K7 Labs