cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Skilled hackers are on the move from LockBit to Akira

The Akira ransomware gang is enjoying an influx of “pen-testers”, according to a security researcher’s report.

user icon David Hollingworth
Thu, 14 Mar 2024
Skilled hackers are on the move from LockBit to Akira
expand image

Infamous ransomware-as-a-service operation LockBit may still be in operation, but it appears last month’s takedown of the gang by an international law enforcement action may have some impact after all.

According to a security researcher at threat intelligence firm RedSense, skilled hackers linked to the Zeon group are now moving away from affiliating with LockBit.

Unfortunately, it appears they’re moving to the Akira ransomware group.


“The LockBit takedown had a major impact on Zeon, which is now moving its pen-testers to work primarily for the Akira brand,” said Yelisey Bohuslavskiy, chief research officer at RedSense, in a LinkedIn post.

“This will result in an increase in attacks from this group. At the same time, it will also result in increased sophistication of locker deployment.”

The Zeon group is one of many to form after the Conti ransomware group disbanded following Russia’s invasion of Ukraine. Akira had close ties to Conti and still uses a locker based on Conti’s code, the Ryuk locker.

According to Bohuslavskiy, Zeon had been working with both Akira and LockBit, particularly the latter.

“In December, we obtained credible primary source intelligence directly related to post-Ryuk leadership, indicating that Zeon is operating as a group of elite pen-testers for both Akira and LockBit, with the latter being their main focus,” Bohuslavskiy said.

“Zeon provided pen-testers for big game hunting and their elite expertise in call-back phishing and call centre operations. In response, Akira and LockBit offered funds and their blogs/brands.”

Ransomware gangs often refer to themselves as pen-testers – a fig leaf to cover the fact they are just simply criminals.

Akira has been a frequent presence in Cyber Daily’s weekly ransomware report, making it into the top 10 most active ransomware groups for two out of the last three reports. With Bohuslavskiy’s report, we can now expect to see more of the gang – and the highly skilled Zeon group – in the future.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.