
Post-Breach Case Study: Akira Behavioral Insights

Situation: Ankura Cyber Threat Intelligence & Expert Services (CTIX) team researchers observed the Akira Ransomware-as-a-Service (RaaS) group exhibiting unusual behavior in its post-ransomware procedures. Typically, when victims decide not to pay a ransom demand, their company name and data are swiftly posted on the Akira leak site. Victims are named first, in what is known as a “name & shame” technique, as a last-ditch effort to get the victim to pay the ransom, and data publication follows if this does not work. Starting at the end of October 2025, the CTIX team observed that the average interval between a victim's name being listed and their data being published was approximately ten (10) days, with considerably longer delays observed through the month of November and into the early days of December. This anomaly was confirmed by other threat intelligence partners, and CTIX linked the longer periods to external factors, including the intensified Russian bombing campaign in Ukraine.

Task: CTIX set out to analyze and understand the reasons behind these extended delays in victim data postings by the Akira group, especially throughout the month of November 2025. The CTIX team aimed to determine whether these delays were temporary, to watch for changes to the data publication cadence, and to predict future trends in Akira's operations in order to forecast when victims might expect their data to be published during this period of prolonged intervals.

Action: The CTIX team conducted a comprehensive breakdown of the trends displayed by the Akira group. They noted that delays could be attributed to the group's operations being overwhelmed by surges in victim numbers following a spree of attacks. Additionally, RaaS operations could be executed by one of potentially hundreds of affiliates, whose activity also plays a factor in the core Akira group's business. The delays in posting could therefore be a result of the affiliates who facilitated the attack rather than the core Akira members themselves. While the frequency of victims listed on the Akira leak site was on par with the group’s typical cadence (where victims were continuously named daily), the number whose data was published dwindled. The CTIX team collaborated with industry partners to validate these observations and shared insights with affected clients.

Result: Following the analysis, the CTIX team predicted that Akira's operational behavior would normalize, with delays shrinking and returning to typical, more predictable publication rates following a victim’s name listing. Akira experiences periods where the group appears overwhelmed by surges in victims (a common point of friction that comes with RaaS operations), creating a bottleneck that shows up as longer delays between name listings and actual data publications. At other times, listings and data postings may happen in shorter intervals. Upticks and downticks in overall activity, as well as in the speeds at which these processes occur, are also part of the nature of RaaS operations. Another discovery during the period of this study was that there were instances where Akira seemingly "forgot" about an occasional victim altogether and never listed them after a successful ransom attack where no ransom payment was made. No specific cause has been identified for why this activity occurred, but such an occurrence should be considered rare. CTIX's insights helped clients navigate these trends and prepare for future actions as they relate to the clients’ business operations.

Additional Information: The Ankura CTIX and Incident Response (IR) teams have assisted multiple clients compromised by Akira and other threat actors, offering services that include post-breach IR services, Cyber Threat Intelligence (CTI), and post-breach data downloads and analysis.

© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice. 
