GBHackers

Akira-Style Ransomware Campaign Hits Windows Users Across South America


A newly identified ransomware campaign is targeting Windows users across South America, leveraging tactics that closely mimic the notorious Akira ransomware group.

According to ESET’s findings, the threat actors behind this campaign are attempting to exploit Akira’s reputation by replicating its branding, ransom notes, and dark web infrastructure references.

This includes the use of Tor-based URLs that resemble those used by the original Akira group, as well as similar wording and structure in the ransom messages delivered to victims.

Security researchers from ESET have uncovered the operation, noting that while the attack appears to be linked to Akira at first glance, it actually uses a modified encryptor based on the leaked Babuk ransomware source code.

The ransomware itself appends the “.akira” extension to encrypted files, further reinforcing the illusion that victims are dealing with the well-known Akira operation.

However, technical analysis reveals that the underlying encryption mechanism differs significantly.

Akira-Style Ransomware Campaign

Instead of using Akira’s original codebase, the attackers rely on a Babuk-derived encryptor, which has been widely reused by cybercriminals since its source code was leaked in 2021.

This reuse of Babuk code highlights a growing trend in the ransomware landscape, where threat actors repurpose existing malware frameworks to quickly launch new campaigns.

By combining Babuk’s encryption capabilities with Akira’s branding, the attackers increase their chances of intimidating victims into paying the ransom.

The campaign primarily targets organizations and individuals in South America, although the exact infection vector remains unclear.

Initial access may involve common techniques such as phishing emails, malicious attachments, or exploitation of unpatched vulnerabilities in Windows systems.

Once inside a network, the ransomware executes and begins encrypting files, followed by the deployment of a ransom note that instructs victims to contact the attackers via Tor.

ESET researchers emphasize that despite its appearance, this campaign is not directly linked to the original Akira ransomware group.

Instead, it represents an example of “brand impersonation” in cybercrime, where attackers deliberately imitate established ransomware operations to gain credibility and pressure victims.

Windows users urged to stay alert

This development underscores the importance of not relying solely on surface-level indicators when analyzing ransomware incidents.

Organizations should conduct thorough technical investigations to accurately identify the threat and determine the appropriate response.

To mitigate the risk of such attacks, security experts recommend keeping systems and software up to date, implementing strong endpoint protection, and maintaining regular offline backups.

User awareness also plays a critical role, as phishing remains one of the most common entry points for ransomware infections.

As ransomware tactics continue to evolve, the emergence of lookalike campaigns like this one demonstrates how cybercriminals are adapting their strategies to maximize impact while minimizing effort.

Security teams should remain vigilant and monitor for unusual file extensions, suspicious network activity, and unauthorized encryption processes.
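As an added example (not from the article or from ESET's report), the following Python sketch implements the kind of monitoring the article recommends: it flags any process that renames many files to one new extension within a short window, and reports the extension as an observable rather than as attribution, since a ".akira" suffix says nothing reliable about who built the encryptor. The host, process and path values are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample file-rename events (not from the ESET report):
# (timestamp, host, process image, old path, new path)
EVENTS = [
    ("2024-01-01T10:00:00", "WS01", r"C:\Windows\explorer.exe", r"C:\Users\a\draft.tmp", r"C:\Users\a\draft.docx"),
    ("2024-01-01T10:00:01", "WS01", r"C:\Users\Public\upd.exe", r"C:\Share\q1.xlsx", r"C:\Share\q1.xlsx.akira"),
    ("2024-01-01T10:00:02", "WS01", r"C:\Users\Public\upd.exe", r"C:\Share\q2.xlsx", r"C:\Share\q2.xlsx.akira"),
    ("2024-01-01T10:00:02", "WS01", r"C:\Users\Public\upd.exe", r"C:\Share\plan.docx", r"C:\Share\plan.docx.akira"),
    ("2024-01-01T10:00:03", "WS01", r"C:\Users\Public\upd.exe", r"C:\Share\db.bak", r"C:\Share\db.bak.akira"),
    ("2024-01-01T10:00:04", "WS01", r"C:\Users\Public\upd.exe", r"C:\Share\notes.txt", r"C:\Share\notes.txt.akira"),
    # A single rename on another host stays below the burst threshold.
    ("2024-01-01T10:09:00", "WS02", r"C:\Windows\explorer.exe", r"C:\Users\b\old.log", r"C:\Users\b\old.log.akira"),
]


def detect_mass_rename(events, window=timedelta(seconds=60), threshold=5):
    """Return one finding per (host, process, new extension) that renamed at
    least `threshold` files to the same new suffix inside `window`.

    The rule is extension-agnostic on purpose: '.akira', '.babuk' or any other
    suffix is treated as evidence of bulk encryption activity, not as a
    statement about which group is behind it (the article's core caveat)."""
    buckets = defaultdict(list)
    for ts, host, proc, old, new in events:
        new_ext = PureWindowsPath(new).suffix.lower()
        old_ext = PureWindowsPath(old).suffix.lower()
        if new_ext and new_ext != old_ext:  # only renames that change the suffix
            buckets[(host, proc, new_ext)].append(datetime.fromisoformat(ts))

    findings = []
    for (host, proc, ext), times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"host": host, "process": proc, "extension": ext,
                                 "count": len(times), "first_seen": times[start].isoformat(),
                                 "note": "extension is an observable, not attribution"})
                break
    return findings


if __name__ == "__main__":
    for finding in detect_mass_rename(EVENTS):
        print(finding)
```

Feeding the rule with real Sysmon or EDR file-rename telemetry instead of the constructed list is the only change needed to use it in practice.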
