Ransomware GITIS-AKIRA-RANSOM 2026-05-23

GITIS: Akira Ransomware 30GB Data Extortion

The Akira ransomware group has added Russian firm GITIS S.r.l. to its growing list of alleged victims, claiming the theft of roughly 30GB of sensitive corporate data and threatening public release if ransom negotiations fail. The claim, surfaced through cybersecurity monitoring channels, marks another escalation in Akira's double-extortion campaign and an unusual public targeting of a Russian-linked entity.

What Happened

Akira operators posted GITIS S.r.l. to their leak infrastructure, asserting they had exfiltrated approximately 30GB of internal data from the company's systems. The post follows Akira's standard playbook: claim a breach, advertise stolen content, and pressure the victim into negotiation under the threat of full disclosure.

The disclosure landed alongside a separate Dutch law enforcement operation that reportedly seized nearly 800 servers tied to a hosting provider linked to sanctioned Russian and Belarusian entities. Both events underscore a volatile period for cybercrime infrastructure, with ransomware crews intensifying extortion tactics even as governments expand takedown operations.

GITIS has not publicly confirmed the intrusion at the time of reporting, and the data itself has not been independently verified.

What Was Taken

Akira claims the 30GB archive contains a broad cross-section of business-critical material, including:

The composition is consistent with Akira's typical exfiltration scope, which tends to prioritize documents that maximize reputational and legal pressure rather than purely technical assets.

Why It Matters

Akira has become one of the most consistently active ransomware brands of the past two years, and its targeting of a Russian-linked organization is notable. The Russian-speaking cybercrime ecosystem has historically observed an informal prohibition on hitting CIS-based targets; public victimization of Russian firms by Akira complicates that narrative and raises questions about the group's composition, affiliate structure, or willingness to ignore prior taboos.

For defenders, the case is a reminder that geographic assumptions about ransomware targeting are weakening. Affiliates rotate, brands splinter, and victim selection is increasingly driven by opportunity rather than ideology.

The Attack Technique

Initial access details for the GITIS incident have not been disclosed. However, Akira affiliates have historically relied on a consistent set of intrusion vectors:

The double-extortion pattern, exfiltrate first, encrypt second, remains central to Akira's operations, with stolen data serving as the primary leverage point.

What Organizations Should Do

  1. Enforce phishing-resistant multifactor authentication on all VPN, remote access, and identity provider logins, with no exemptions for service accounts.
  2. Patch internet-facing appliances aggressively, prioritizing Cisco ASA, FortiGate, SonicWall, and similar edge devices frequently targeted by Akira affiliates.
  3. Monitor for large outbound data transfers and unusual use of tools such as Rclone, WinSCP, and MEGA clients, which are commonly leveraged for staging exfiltration.
  4. Segment networks to limit lateral movement, and restrict RDP and SMB traffic between user, server, and administrative zones.
  5. Maintain offline, immutable backups and routinely test full restoration, while recognizing that backups alone will not mitigate data-theft extortion.
  6. Rehearse a public-disclosure scenario with legal and communications teams so the organization can respond coherently if stolen data is leaked.
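
Item 3 can be expressed as a triage rule, shown here as an added example that is not from the brief or its source: it flags hosts that ran the named transfer tools and, independently, hosts whose outbound volume to external addresses exceeds a budget. The CSV layouts, host names, the 5 GiB budget and the `mega*` prefix match are assumptions, and all telemetry is constructed.

```python
import csv, io, ipaddress, ntpath
from collections import defaultdict

# Tool names come from the brief; treating any "mega*" binary as a MEGA client is an assumption.
TOOL_PREFIXES = ("rclone", "winscp", "mega")
BYTES_THRESHOLD = 5 * 1024**3  # assumed per-host outbound budget (5 GiB); tune to your baseline
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry (not from the incident).
PROCESS_LOG = r"""host,image
ws-014,C:\Windows\System32\cmd.exe
fs-02,C:\Users\Public\rclone.exe
fs-02,C:\Program Files\WinSCP\WinSCP.exe
ws-022,C:\Users\a\AppData\Local\MEGAsync\MEGAsync.exe
"""
FLOW_LOG = """host,dst_ip,bytes_out
fs-02,203.0.113.50,4000000000
fs-02,203.0.113.50,3500000000
fs-02,10.0.4.9,90000000000
ws-014,198.51.100.7,120000000
db-01,198.51.100.99,6200000000
"""

def tool_hits(process_csv):
    """Return {host: sorted executable names} for images matching the watch list."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(process_csv)):
        name = ntpath.basename(row["image"]).lower()  # handles Windows paths on any OS
        if name.startswith(TOOL_PREFIXES):
            hits[row["host"]].add(name)
    return {h: sorted(n) for h, n in hits.items()}

def outbound_volume(flow_csv):
    """Sum bytes sent per host, counting only destinations outside INTERNAL."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        dst = ipaddress.ip_address(row["dst_ip"])
        if not any(dst in net for net in INTERNAL):
            totals[row["host"]] += int(row["bytes_out"])
    return dict(totals)

def triage(process_csv, flow_csv, threshold=BYTES_THRESHOLD):
    """Tool plus volume is 'high'; either alone is 'medium' (name matching misses renamed binaries)."""
    tools, vol = tool_hits(process_csv), outbound_volume(flow_csv)
    out = {}
    for host in set(tools) | set(vol):
        over = vol.get(host, 0) > threshold
        if host in tools or over:
            out[host] = "high" if (host in tools and over) else "medium"
    return out
```

On the sample data, `fs-02` rates high because both signals fire, while `db-01` is surfaced on volume alone even though no watched tool was seen there.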

Sources: A Threat Actor Claims Akira Ransomware Targeted Russian Firm GITIS in Massive 30GB Data Extortion Threat - UNDERCODE NEWS