On May 22, 2026, the Akira ransomware group claimed responsibility for a cyberattack against the Buffalo Niagara Convention Center (buffaloconvention.com), one of the leading event venues in the northeastern United States. The threat actors have threatened to publish 46GB of stolen corporate data, including personally identifiable information belonging to roughly 180,000 clients and partners, unless ransom demands are met.
What Happened
Akira added Buffalo Niagara Convention Center to its dark web leak site on May 22, 2026, publicly naming the venue as a victim and signaling that exfiltration had already taken place. According to the group's statement, attackers maintained access long enough to copy out a substantial volume of internal records before listing the organization for extortion. The convention center has not yet issued a public statement at the time of this brief, but the listing follows Akira's standard double-extortion playbook: encrypt operational systems, threaten data publication, and pressure leadership toward payment under a public countdown.
What Was Taken
Akira claims to hold 46GB of corporate data lifted from the convention center's environment. According to the threat actor's own description, the haul includes:
- Employee personal information, including passports and driver's licenses
- Personal data on approximately 180,000 clients and partners
- Contracts and agreements with vendors and event partners
- Financial records and accounting documents
- Internal project files and operational documentation
The combination of identity documents, customer PII, and contractual records creates significant downstream risk: identity fraud against staff and attendees, business email compromise against partner organizations referenced in contracts, and regulatory exposure under state breach notification laws.
Why It Matters
Convention centers and event venues are increasingly attractive targets for ransomware crews because they sit at the intersection of high-volume customer data, complex partner ecosystems, and tight operational timelines. A venue cannot afford prolonged downtime when conferences, trade shows, and weddings are booked months in advance, which raises pressure to pay. The Buffalo Niagara listing also reinforces Akira's continued focus on mid-market North American organizations. Since emerging in 2023, the group has consistently selected victims with enough revenue to pay, but without the mature security programs typical of Fortune 500 firms. Event venues, municipalities, manufacturers, and regional healthcare providers continue to fit that profile.
The Attack Technique
Akira has not disclosed the specific intrusion vector used against the convention center, and no independent forensic detail has been published. However, the group's tradecraft is well documented across prior incidents. Akira affiliates routinely gain initial access through compromised VPN appliances lacking multi factor authentication, exploitation of unpatched Cisco ASA and SonicWall edge devices, and purchase of valid credentials from infostealer log markets. Once inside, operators typically deploy tools such as AnyDesk and RustDesk for persistence, use Advanced IP Scanner and SoftPerfect Network Scanner for discovery, and rely on WinRAR or Rclone to stage and exfiltrate data to attacker controlled cloud storage before detonating the ransomware payload.
What Organizations Should Do
Defenders in the hospitality, events, and convention sector should treat this disclosure as an active threat signal and prioritize the following actions:
- Audit all remote access infrastructure, particularly VPN concentrators and firewalls, and confirm MFA is enforced on every external authentication path.
- Hunt for known Akira indicators across endpoints, including unusual AnyDesk or RustDesk installations, scheduled tasks invoking Rclone, and outbound traffic to mega.nz or similar bulk storage services.
- Verify that backups are offline, immutable, and recently tested through full restore exercises rather than file level spot checks.
- Monitor infostealer marketplaces and dark web forums for credentials tied to corporate domains, and force rotation on any exposed accounts.
- Conduct tabletop exercises with legal, communications, and executive leadership focused specifically on double extortion scenarios and data leak response.
- Review third party contracts and shared data inventories to understand exposure if partner records are published, and prepare downstream notification workflows.
Sources: Akira Ransomware Strikes Buffalo Niagara Convention Center - DeXpose