The Conscia CTI team analyzed publicly available screenshots of negotiations with the ransomware gang Akira, uncovering their sophisticated hacking tactics and extortion strategies. Ironically, these cases illustrate how victims sometimes pay criminals for “security services”—the very measures that could have prevented the breach.
This article examines the unsettling dynamics of ransomware negotiations and provides four actionable lessons to help organizations protect their systems, secure their data, and prevent ransomware gangs from exploiting them.
Disclaimer: Conscia is not affiliated with any entities mentioned and was not involved in the analyzed negotiations. The screenshots were obtained solely from publicly available information.
Ransomware is a devastating and evolving threat that forces organizations to navigate a precarious landscape of business continuity, reputational damage, and cybersecurity breaches. Ransomware attacks have increased by 13% over the past five years, with each incident costing an average of $1.85 million. By 2031, experts predict that a ransomware attack will occur every two seconds (multiple reports – source).
But it is not just volume and scale that are worrying. The Conscia Cyber Threat Intelligence (CTI) team detected an intriguing trend in ransomware negotiations: ransomware gangs not only extort victims for decryption and non-disclosure but also offer to reveal their intrusion methods and suggest security improvements. In addition, these gangs negotiate tactically and with considerable sophistication, with the clear objective of cornering their victims into paying the ransom.
The Conscia CTI team analyzed screenshots (source) of negotiations between the Akira ransomware gang and one of their victims. In this specific case, after first wreaking havoc, the Akira ransomware operators essentially provided a “pentest report” for $500,000. The negotiations revealed how the criminals operate, the methods they used to breach the victim's IT environment, and the tactics they deploy to extort money.
In this article, we will analyze the negotiations and provide you with useful insights you can deploy so you don’t end up in the same conversation.
Akira’s “Professionalism” in Ransom Negotiations
The following section walks through screenshots of negotiations between the Akira ransomware gang and one of their victims, listed in chronological order. If they remind you of a chat with an ordinary corporate support operator, you are not wrong.
One striking aspect of Akira ransomware operators is their polished and almost professional approach to negotiations. As seen in the chat exchange, the operators mimic the tone and structure of a legitimate customer support team. Their interactions are polite, structured, and methodical, presenting a stark contrast to the malicious nature of their activities.
From providing detailed proof of possession of stolen files to delivering a breakdown of their “services” (decryption assistance, data deletion logs, and a security report), Akira projects an air of professionalism. They even emphasize efficiency and timely communication, urging the victim to “speed things up” to maintain goodwill with their “management.” The operators offer assurances about not publishing data and explain their breach methods with what can only be described as a mockery of transparency.
This veneer of professionalism is undoubtedly designed to manipulate victims into compliance, creating an illusion of reliability while masking their criminal intent. It’s an unsettling demonstration of how ransomware groups are evolving—not only in their technical sophistication but also in their psychological tactics to exploit trust and desperation.
Paying Criminals for Advice That Could Have Prevented the Breach
The chat transcript between Akira ransomware operators and their victim reveals a staggering reality.
After extensive back-and-forth, the victim agreed to pay $500,000 in exchange for a promise not to publish the stolen data, a data deletion log, and even the “security report.”
It is important to keep in mind that this amount does not include additional breach-related costs, which can amount to a multiple of the initial ransom:
- Business Outages: Operational disruptions caused by encrypted files.
- Reputational Damage: Erosion of trust with customers and stakeholders.
- Compliance Penalties: Potential fines for mishandling sensitive data.
In this case, the victim also paid for post-breach recommendations, essentially a penetration testing report. Akira’s so-called “security report” included generic advice, such as implementing two-factor authentication (2FA), keeping software up to date, and conducting employee training.
This scenario underscores a painful irony: the organization found itself paying a criminal entity for insights that an ethical cybersecurity team could have delivered proactively, professionally, and at a fraction of the cost. Moreover, these measures might have prevented the breach in the first place.
To add to the irony, the recommendations provided were largely generic and basic, leaving questions about their actual value and effectiveness in future-proofing the organization against similar attacks.
How Akira Breached the Network: A Closer Look
In their post-payment “security report,” the Akira ransomware operators revealed the steps they took to infiltrate the victim’s network. This breakdown not only showcases their technical capabilities but also highlights common weaknesses that organizations fail to address. Here’s how Akira carried out their attack:
- Initial Access via the Dark Web: Akira began by purchasing initial access credentials on the dark web. These credentials are often obtained by other cybercriminals through phishing campaigns, credential-stuffing attacks, or malware infections. The operators did not disclose the specific source of the credentials but emphasized their acquisition as the starting point for the breach. This underscores the importance of monitoring the dark web for compromised credentials associated with your organization. To provide some context, according to the 2023 Verizon Data Breach Investigations Report, 86% of data breaches involve the use of stolen credentials.
- Kerberoasting: Once inside the network, Akira employed a common post-exploitation technique called Kerberoasting. It abuses a design property of Kerberos rather than a bug: any authenticated domain user can request a service ticket for any account that has a Service Principal Name (SPN), and that ticket is encrypted with a key derived from the service account's password. An attacker collects such tickets and cracks them offline, with no further interaction with the domain controller. Service accounts, particularly highly privileged ones, often have long-lived, human-chosen passwords, and where RC4 encryption is still permitted the tickets crack quickly, providing attackers an entry point for lateral movement.
- Cracking the Domain Admin Account: After collecting the tickets, Akira cracked them offline by brute force and recovered the password of an account with domain administrator rights. This granted them unrestricted access to the network, allowing them to navigate laterally, access sensitive systems, and deploy ransomware payloads across endpoints.
- Weeks of Undetected Reconnaissance: With domain admin privileges, Akira spent weeks inside the victim’s network, conducting reconnaissance and identifying critical systems and valuable data. This extended dwell time allowed them to exfiltrate 560GB of sensitive data while mapping the organization’s network architecture to maximize the impact of their eventual ransomware deployment.
- Encryption and Data Exfiltration: Once the groundwork was complete, Akira encrypted files across the network while the remaining stolen data was exfiltrated to their servers. The stolen data was used as leverage to pressure the victim into paying not just for decryption keys but also for guarantees against public disclosure.
- Post-Breach Recommendations: In a cynical twist, Akira provided a list of recommendations to improve the victim’s security posture, including the use of two-factor authentication (2FA), regular password changes, employee cybersecurity training, and backup solutions. These suggestions were rudimentary yet painfully ironic, as implementing them earlier could have thwarted the attack entirely.
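To make the Kerberoasting step above concrete from the defender's side, here is an added example (not code from the original article, from Conscia, or from the Akira “security report”) of detection logic run over Windows Security event 4769 records (“A Kerberos service ticket was requested”). The field names follow the 4769 event schema; the thresholds, window size and sample events are constructed for illustration and are not from the victim's environment.

```python
"""Flag possible Kerberoasting from Windows Security event 4769 records.

Kerberoasting abuses normal Kerberos behaviour: any authenticated domain user can
request a service ticket (TGS) for any account that has an SPN, and the ticket is
encrypted with a key derived from that service account's password, so it can be
cracked offline. Two things usually stand out in the logs:
  * many distinct user-account SPNs requested by one user from one host in a
    short window (tools request them in bulk);
  * tickets requested with RC4-HMAC (TicketEncryptionType 0x17), because RC4
    keys derive from the NT hash and crack far faster than AES keys.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
# Tunable thresholds; assumed values for this example, not figures from the article.
DISTINCT_SPN_THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def _ev(t, user, ip, svc, etype, status="0x0"):
    """Build one parsed 4769 record (constructed sample data)."""
    return {"TimeCreated": t, "TargetUserName": user, "IpAddress": ip,
            "ServiceName": svc, "TicketEncryptionType": etype, "Status": status}


# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    # Benign: AES (0x12) tickets for a file server and a single SQL service.
    _ev("2024-05-06T09:00:01", "alice", "10.0.1.10", "FS01$", "0x12"),
    _ev("2024-05-06T09:00:05", "bob", "10.0.1.11", "svc_sql", "0x12"),
    # Suspicious: one user, one host, six RC4 tickets for service accounts in ~100 s.
    _ev("2024-05-06T13:12:00", "jdoe", "10.0.0.23", "svc_sql", "0x17"),
    _ev("2024-05-06T13:12:02", "jdoe", "10.0.0.23", "svc_backup", "0x17"),
    _ev("2024-05-06T13:12:03", "jdoe", "10.0.0.23", "svc_web", "0x17"),
    _ev("2024-05-06T13:12:05", "jdoe", "10.0.0.23", "svc_sccm", "0x17"),
    _ev("2024-05-06T13:13:10", "jdoe", "10.0.0.23", "svc_report", "0x17"),
    _ev("2024-05-06T13:13:40", "jdoe", "10.0.0.23", "svc_exchange", "0x17"),
    # RC4 ticket for a machine account: noisy, not a Kerberoasting target, not counted.
    _ev("2024-05-06T13:13:41", "jdoe", "10.0.0.23", "OLDPRINT$", "0x17"),
    # Failed request (non-zero Status): not counted.
    _ev("2024-05-06T13:13:42", "jdoe", "10.0.0.23", "svc_legacy", "0x17", "0x1B"),
    # A single RC4 request from another user: below threshold on its own.
    _ev("2024-05-06T13:20:00", "carol", "10.0.1.12", "svc_sql", "0x17"),
]


def _is_roastable_target(service_name):
    """Skip machine accounts (name$) and krbtgt: they are not the usual
    Kerberoasting targets and would only add noise to the count."""
    name = service_name.lower()
    return not (name.endswith("$") or name == "krbtgt")


def detect_kerberoasting(events, threshold=DISTINCT_SPN_THRESHOLD, window=WINDOW):
    """Return one alert per (user, source IP) that obtained at least `threshold`
    distinct RC4-encrypted service tickets for user accounts within `window`."""
    per_requester = defaultdict(list)
    for ev in events:
        if ev["Status"] != "0x0" or ev["TicketEncryptionType"] != RC4_HMAC:
            continue
        if not _is_roastable_target(ev["ServiceName"]):
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        per_requester[(ev["TargetUserName"], ev["IpAddress"])].append((ts, ev["ServiceName"]))

    alerts = []
    for (user, ip), reqs in per_requester.items():
        reqs.sort()
        best, start = set(), 0
        # Sliding window over the time-ordered requests of this requester.
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            seen = {svc for _, svc in reqs[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            alerts.append({"user": user, "source_ip": ip,
                           "services": sorted(best), "count": len(best)})
    return alerts


def rc4_requesters(events):
    """Users that obtained any RC4 service ticket. Once AES-only is enforced on
    service accounts, any hit here deserves a look, regardless of volume."""
    return {ev["TargetUserName"] for ev in events
            if ev["Status"] == "0x0" and ev["TicketEncryptionType"] == RC4_HMAC}


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"ALERT {alert['user']}@{alert['source_ip']}: "
              f"{alert['count']} RC4 service tickets: {', '.join(alert['services'])}")
    print("RC4 requesters:", sorted(rc4_requesters(SAMPLE_EVENTS)))
```

In practice the events come from the domain controllers' Security logs via your SIEM, and the thresholds need tuning per environment. The preventive counterpart to this detection is what the Akira “report” only hints at: long random passwords (or group Managed Service Accounts) for every account with an SPN, AES-only ticket encryption so RC4 requests become an anomaly, and keeping service accounts out of Domain Admins so a cracked ticket does not hand over the whole domain.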
A Legal (and Cost-Effective) Alternative: Ethical Red Team
One of the (sad) conclusions of this case is that the victim might have avoided the whole situation by commissioning a security test from a red team beforehand, instead of overpaying criminals after the breach for a similar (although less detailed) service.
A well-executed red team engagement, especially when combined with actionable Cyber Threat Intelligence (CTI), can help organizations identify and remediate vulnerabilities before attackers exploit them. Here’s how this approach compares to the Akira scenario:
- Proactive vs. Reactive: Unlike ransomware operators who exploit existing vulnerabilities, ethical red teams simulate adversarial tactics to uncover gaps before they are weaponized. This proactive approach ensures that vulnerabilities are addressed before they become entry points for attackers.
- Comprehensive Insights: Red teams deliver tailored, actionable findings aligned with your business context. This includes identifying technical vulnerabilities, potential attack vectors, and detailed remediation strategies. The insights not only protect critical systems but also help you understand the specific risks your organization faces.
- Cost-Effectiveness: A thorough red team engagement typically costs a fraction of a ransomware payout while also avoiding indirect costs such as business downtime, reputational damage, and potential regulatory penalties. Investing in these services upfront saves organizations from catastrophic financial and operational losses later.
- CTI Integration: Combining red team operations with CTI provides a dynamic advantage by identifying threats specific to your industry, geography, and even your organization’s digital footprint. CTI enhances the value of red teaming by delivering intelligence on emerging threats, active adversaries, and high-risk vulnerabilities, enabling defenses to be both reactive and anticipatory.
- Dark Web Monitoring with CTI: CTI also plays a critical role in tracking your organization’s presence on the dark web. For example, in the Akira case, the ransomware operators purchased initial access to the victim’s network from a dark web marketplace. A robust CTI program can monitor these platforms for mentions of your organization’s credentials, systems, or vulnerabilities being sold. This early warning system empowers organizations to act before attackers exploit their networks. Identifying and mitigating threats at this stage can be a game-changer, preventing breaches before they happen.
Lessons from the Akira Case
To prevent ransomware operators from exploiting your organization:
- Invest in Ethical Security Services: Red team engagements, penetration tests, and vulnerability assessments are essential for identifying weak points before attackers do.
- Leverage Cyber Threat Intelligence: Understanding the tactics and tools of adversaries like Akira ensures your defenses are aligned with emerging threats.
- Adopt a Zero-Trust Architecture: Implement strong authentication, limit lateral movement, and segment your network to reduce the blast radius of a potential breach.
- Cultivate a Security Culture: Regularly train employees on recognizing phishing attempts and adhering to security protocols. Human error remains the weakest link.
Reactive Cybersecurity Comes at a Very High Cost
The Akira case illustrates the high cost of reactive cybersecurity. Paying ransomware gangs for a “security report” post-breach is akin to shutting the stable door after the horse has bolted—while still being extorted for the privilege. Ethical red team engagements, combined with actionable Cyber Threat Intelligence (CTI), provide organizations with a preemptive shield against these threats, offering value and peace of mind without moral compromise.
When you work with legitimate and experienced security providers like Conscia, you’re not just securing red team or penetration testing services; you’re partnering with experts who offer Offensive Cybersecurity Services to identify vulnerabilities before they’re exploited and Brand Protection and Data Leakage Services to monitor and safeguard your organization’s digital presence, including tracking threats on the dark web.