
On October 29, 2025, the notorious Akira ransomware group added a new trophy to its dark web leak site: Apache OpenOffice, the popular open-source office suite used by millions worldwide. The group claims to have exfiltrated 23 gigabytes of sensitive data, marking a significant and alarming escalation in their campaign against high-profile software projects. [radar.offseq +1]
As a threat intelligence analyst who has been tracking Akira for the past 18 months, I find this move audacious but not surprising. Since emerging in early 2023, Akira has become one of the most aggressive and sophisticated ransomware-as-a-service (RaaS) operations, consistently targeting organizations where an attack would cause maximum disruption and reputational damage. This latest claim against a cornerstone of the open-source community is a serious wake-up call.
What Was Stolen in the Apache OpenOffice Breach?
According to the post on their leak site, the Akira group claims to have stolen a 23GB data trove. While the full data has not yet been published—a common tactic used to apply pressure during ransom negotiations—the group’s statement provides a chilling overview of the potential contents. [dexpose]
Allegedly Exfiltrated Data Includes:
- Corporate Documents: Confidential internal files and project roadmaps.
- Employee Information: A wide range of PII, including addresses, phone numbers, driver’s licenses, and social security cards.
- Financial Information: Internal financial records and potentially credit card information.
- Source Code & Application Reports: Internal reports about application problems and potentially parts of the OpenOffice source code.
At this time, the Apache Software Foundation has not publicly confirmed the breach. However, the specificity of Akira’s claims suggests they are confident in the data they possess.
Who is Akira Ransomware? A Profile of the Threat
Akira is not a newcomer to the ransomware scene. Operating a Ransomware-as-a-Service (RaaS) model, they provide their malware and infrastructure to affiliates who carry out attacks in exchange for a cut of the profits. This model has allowed them to scale their operations rapidly. [cyberint]
| Akira Ransomware Profile | Details |
|---|---|
| Active Since | March 2023 |
| Primary Tactic | Double-Extortion (Encrypt + Data Leak) |
| Typical Initial Access | Compromised VPN credentials (especially targeting Cisco VPNs without MFA) [trendmicro] |
| Known Victims (2024-2025) | Major financial firms, healthcare providers, and manufacturing companies |
| Estimated Ransoms | $200,000 to over $4 million |

“Since March 2023, Akira has compromised over 350 organizations, employing a double-extortion strategy by stealing sensitive data before encrypting it.” – CyberInt Threat Research [cyberint]
Their signature is a blend of modern tactics with a retro, text-based dark web leak site. They are known for their efficiency and ruthlessness, quickly moving from initial breach to full encryption. A comprehensive understanding of their methods is essential for defense, similar to understanding other major threats like the Qilin ransomware group.
The Typical Akira Attack Chain
Based on dozens of incidents we’ve analyzed, Akira follows a well-defined attack chain:
- Initial Access: The group often gains entry by exploiting weak or compromised VPN credentials, particularly those without multi-factor authentication (MFA). They are known to purchase valid credentials from dark web markets. [trendmicro]
- Lateral Movement & Discovery: Once inside, they use legitimate tools like Advanced IP Scanner and AdFind to map the network. They use techniques like “pass-the-hash” to move from system to system, escalating their privileges until they gain control of a domain controller. [barracuda]
- Defense Evasion: Akira operators are skilled at disabling security software. They use tools like PowerTool to terminate antivirus and EDR processes, allowing them to operate undetected. [trendmicro]
- Data Exfiltration: Before deploying the ransomware, they identify and exfiltrate large volumes of sensitive data to their own servers. This is the “double-extortion” leverage.
- Encryption: In the final stage, they deploy their ransomware payload, encrypting files across the network and appending the .akira extension.
This methodical approach highlights the need for a robust Incident Response Framework that can detect and react to each stage of the attack.
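As an added example (not code from the article, nor anything from the Apache project), the following Python detector shows how three of the stages above that leave endpoint telemetry can be checked for: discovery tooling (AdFind, Advanced IP Scanner), an EDR-killing utility (PowerTool), and a burst of file renames to the .akira extension on one host. The JSON event schema, process image names, host names, sample events and thresholds are all assumptions constructed for illustration; a production rule would also match on file hashes and signers rather than image names alone.

```python
"""
Added example (not from the original article or the Apache project): a small
stage-aware detector for the Akira attack chain, run over constructed endpoint
telemetry. The event schema, image names, hosts and thresholds are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery and defense-evasion tools named in the article. Image names are
# assumed; matching is on the lowercased basename of the process image.
DISCOVERY_IMAGES = {"adfind.exe", "advanced_ip_scanner.exe"}
EVASION_IMAGES = {"powertool.exe", "powertool64.exe"}

# Encryption stage: files are renamed with the .akira extension. A few renames
# are noise (a test file, a sample submitted to a sandbox); a burst is the signal.
RANSOM_EXT = ".akira"
RENAME_BURST = 20                      # renames to .akira ...
RENAME_WINDOW = timedelta(seconds=60)  # ... within this window on one host


def build_sample_events():
    """Constructed telemetry as JSON lines (one event per line)."""
    t0 = datetime(2025, 10, 29, 2, 0, 0)
    events = [
        {"ts": t0.isoformat(), "host": "ws07", "type": "process",
         "image": r"C:\Users\jdoe\Downloads\AdFind.exe"},
        {"ts": (t0 + timedelta(minutes=3)).isoformat(), "host": "ws07", "type": "process",
         "image": r"C:\Windows\Temp\PowerTool64.exe"},
        {"ts": (t0 + timedelta(minutes=5)).isoformat(), "host": "ws07", "type": "process",
         "image": r"C:\Windows\System32\notepad.exe"},  # benign, must not fire
        {"ts": (t0 + timedelta(minutes=6)).isoformat(), "host": "ws07", "type": "file_rename",
         "old_path": r"C:\Users\jdoe\notes.txt", "new_path": r"C:\Users\jdoe\notes.txt.akira"},
    ]
    # 25 renames on the file server within 25 seconds: an encryption burst.
    for i in range(25):
        ts = t0 + timedelta(minutes=40, seconds=i)
        events.append({"ts": ts.isoformat(), "host": "fs01", "type": "file_rename",
                       "old_path": rf"D:\Shares\Finance\q3_{i}.xlsx",
                       "new_path": rf"D:\Shares\Finance\q3_{i}.xlsx{RANSOM_EXT}"})
    return "\n".join(json.dumps(e) for e in events)


def parse_events(text):
    """Parse JSON-lines telemetry, converting timestamps for window arithmetic."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def basename(path):
    """Lowercased final path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_akira_stages(events):
    """Return (host, stage, detail) findings for the stages visible in telemetry."""
    findings = []
    renames = defaultdict(list)  # host -> timestamps of renames to .akira
    for ev in events:
        if ev["type"] == "process":
            image = basename(ev["image"])
            if image in DISCOVERY_IMAGES:
                findings.append((ev["host"], "discovery", image))
            elif image in EVASION_IMAGES:
                findings.append((ev["host"], "defense_evasion", image))
        elif ev["type"] == "file_rename" and ev["new_path"].lower().endswith(RANSOM_EXT):
            renames[ev["host"]].append(ev["ts"])

    # Sliding window per host: alert once when RENAME_BURST renames fall inside RENAME_WINDOW.
    for host, stamps in renames.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > RENAME_WINDOW:
                lo += 1
            if hi - lo + 1 >= RENAME_BURST:
                window_s = int(RENAME_WINDOW.total_seconds())
                findings.append((host, "encryption",
                                 f"{hi - lo + 1} renames to {RANSOM_EXT} within {window_s}s"))
                break
    return findings


def run_sample():
    """Run the detector over the constructed telemetry."""
    return detect_akira_stages(parse_events(build_sample_events()))


if __name__ == "__main__":
    for host, stage, detail in run_sample():
        print(f"{host:6} {stage:16} {detail}")
```

The rename-burst rule is the one worth tuning: the threshold and window must sit above what legitimate bulk operations on the file server produce, and the single stray rename on the workstation shows why a one-off should not page anyone.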
Why Target Apache OpenOffice?
Attacking a globally recognized open-source project like OpenOffice serves multiple purposes for a group like Akira:
- Symbolic Value: It’s a high-profile target that generates significant media attention, boosting their notoriety.
- Data Value: Access to source code, developer communications, and internal bug reports can be extremely valuable, either for finding new vulnerabilities or for selling to other threat actors.
- Supply Chain Risk: A compromise of the source code repository could, in a worst-case scenario, lead to a future supply chain attack where a malicious version of OpenOffice is distributed to millions of users. This elevates the risk profile significantly, touching on principles from Third-Party Cyber Risk Management.
What Does This Mean for Users and Enterprises?
- For Individual Users: At this time, there is no evidence that user devices have been directly compromised. The primary risk would come from a future, malicious update to the software. Users should be extremely cautious and only download updates from the official Apache OpenOffice website.
- For Enterprises: Any organization that uses Apache OpenOffice should be on high alert. Monitor network traffic from any device running OpenOffice for unusual outbound connections. Given that the project has seen fewer updates compared to its more active fork, LibreOffice, this may be a catalyst for security-conscious organizations to re-evaluate their choice of office suite.
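The outbound-connection monitoring recommended above is also where the exfiltration stage of a double-extortion intrusion leaves its trace: a host pushing far more data to an unfamiliar external destination than it normally does. As an added example (not code from the article or the Apache project), the following Python snippet aggregates constructed flow records per host and per destination and flags two conditions: a large transfer to an unapproved external address, and total egress far above the host's baseline. The flow format, addresses (RFC 5737 test ranges), approved-egress list, baselines and thresholds are all assumptions.

```python
"""
Added example (not from the original article): flagging unusual outbound
transfer volumes in flow records. Flow format, addresses, baselines and
thresholds are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed: external endpoints the organisation legitimately sends bulk data to
# (e.g. an off-site backup target). Anything else is treated as unknown.
APPROVED_EGRESS = {"203.0.113.10"}

# Assumed per-host normal daily external egress, e.g. learned over the prior week.
BASELINE_DAILY_EGRESS = {"10.0.5.21": 200 * 1024 ** 2, "10.0.7.3": 50 * 1024 ** 2}

ABS_THRESHOLD = 1024 ** 3   # 1 GiB to a single unapproved external destination
SPIKE_RATIO = 10            # total external egress >= 10x the host's baseline

# Constructed flow records: ts src dst dport bytes_out
SAMPLE_FLOWS = """\
# constructed flow records: ts src dst dport bytes_out
2025-10-29T01:10:00 10.0.5.21 203.0.113.10 443 734003200
2025-10-29T01:12:00 10.0.5.21 198.51.100.77 22 3221225472
2025-10-29T01:15:00 10.0.5.21 198.51.100.77 22 4294967296
2025-10-29T01:20:00 10.0.7.3 192.0.2.50 443 120000
2025-10-29T01:22:00 10.0.7.3 10.0.1.5 445 5000000000
"""


def is_internal(ip):
    """True if the address falls inside one of the organisation's private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse whitespace-separated flow records, skipping blank and comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def detect_egress_anomalies(flows):
    """Return findings for large unapproved transfers and per-host egress spikes."""
    per_pair = defaultdict(int)   # (src, dst) -> bytes sent to an external dst
    per_host = defaultdict(int)   # src -> total bytes sent externally
    for f in flows:
        if is_internal(f["dst"]):
            continue              # east-west traffic is out of scope for this check
        per_pair[(f["src"], f["dst"])] += f["bytes"]
        per_host[f["src"]] += f["bytes"]

    findings = []
    for (src, dst), nbytes in per_pair.items():
        if dst not in APPROVED_EGRESS and nbytes >= ABS_THRESHOLD:
            findings.append({"host": src, "reason": "large_transfer",
                             "dst": dst, "bytes": nbytes})
    for src, total in per_host.items():
        baseline = BASELINE_DAILY_EGRESS.get(src)
        if baseline is not None and total >= SPIKE_RATIO * baseline:
            findings.append({"host": src, "reason": "egress_spike",
                             "bytes": total, "baseline": baseline})
    return findings


def run_sample():
    """Run both checks over the constructed flow records."""
    return detect_egress_anomalies(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

In the sample, the workstation's 700 MiB to the approved backup target is ignored by the per-destination check but still counts toward its daily total, so the 7 GiB it then pushes to an unknown address over SSH trips both rules; the internal SMB transfer on the second host is deliberately skipped, since a single flow-based check cannot tell replication from staging and that belongs to the endpoint-side rules.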
The Bigger Picture: Open-Source Software Under Siege
This attack is part of a disturbing trend. Open-source projects, often maintained by volunteers or under-resourced foundations, are becoming prime targets. The Log4j crisis was a clear demonstration of how a single vulnerability in a widely-used open-source library can create a global cybersecurity firestorm.
Unlike large corporations, many open-source projects lack the funding for dedicated security teams, bug bounty programs, and extensive security audits. This makes them attractive targets for groups like Akira.
Conclusion
The Akira ransomware attack on Apache OpenOffice is a stark reminder that no target is off-limits. It is a wake-up call for the entire open-source community that security cannot be an afterthought when millions of users and thousands of businesses depend on these projects. As this situation develops, organizations must remain vigilant and refer to a comprehensive Ransomware Survival Guide to ensure they are prepared for this evolving threat landscape.
Frequently Asked Questions (FAQs)
- Who is the Akira ransomware group?
  Akira is a Ransomware-as-a-Service (RaaS) group active since 2023, known for sophisticated double-extortion attacks targeting a wide range of industries. [cyberint]
- What data was allegedly stolen from Apache OpenOffice?
  Akira claims to have stolen 23GB of data, including source code, internal communications, employee PII, and financial records. [dexpose]
- Are individual users of Apache OpenOffice at risk?
  Currently, there is no direct risk to users’ machines. The primary concern is the potential for a future supply chain attack if the source code was compromised. Users should be cautious with updates.
- What is double-extortion ransomware?
  This is a two-stage attack where criminals first steal a victim’s sensitive data (exfiltration) and then encrypt their files. They then threaten to leak the stolen data online if the ransom is not paid.
- Why would a ransomware group target an open-source project?
  Reasons include the high symbolic value of the target, the potential to steal valuable source code, and the possibility of creating a future supply chain attack that could infect millions.
- What industries does Akira typically target?
  While they are opportunistic, Akira has frequently targeted manufacturing, finance, healthcare, and professional services sectors.
- How can organizations protect themselves from groups like Akira?
  Key defenses include enforcing strong MFA on all external services (especially VPNs), network segmentation, regular data backups, and a well-rehearsed incident response plan.
- What is the typical Akira attack chain?
  It usually begins with initial access through compromised credentials, followed by lateral movement within the network, data exfiltration, and finally, the encryption of files. [trendmicro]
- Has Apache OpenOffice confirmed the breach?
  As of November 1, 2025, the Apache Software Foundation has not publicly confirmed the claims made by the Akira group. This is common while internal investigations and potential negotiations are underway.
- Where can I monitor Akira ransomware activity?
  You can follow updates on dedicated ransomware tracking sites like Ransomware.live, as well as reports from major cybersecurity news outlets and threat intelligence firms. [ransomware.live]
SOURCES
- https://radar.offseq.com/threat/akira-ransomware-claims-it-stole-23gb-from-apache–0b215574
- https://cyberwarzone.com/2025/10/31/akira-ransomware-group-claims-23gb-data-exfiltration-from-apache-openoffice/
- https://www.dexpose.io/akira-ransomware-targets-apache-openoffice/
- https://cyberint.com/blog/research/akira-ransomware-what-soc-teams-need-to-know/
- https://www.trendmicro.com/vinfo/gb/security/news/ransomware-spotlight/ransomware-spotlight-akira
- https://blog.barracuda.com/2025/02/11/akira–modern-ransomware-with-a-retro-vibe
- https://www.ransomware.live
- https://www.hookphish.com/blog/ransomware-group-akira-hits-apache-openoffice/
- https://www.cm-alliance.com/cybersecurity-blog/sept-2025-biggest-cyber-attacks-ransomware-attacks-and-data-breaches
- https://hackread.com/akira-ransomware-stole-apache-openoffice-data/
- https://any.run/malware-trends/akira/
- https://industrialcyber.co/ransomware/qilin-ransomware-escalates-rapidly-in-2025-targeting-critical-sectors-with-700-attacks-amid-ransomhub-shutdown/
- https://www.breachsense.com/breaches/
- https://blog.barracuda.com/2025/09/25/soc-case-files-akira-ransomware-remote-management-tool
- https://arcticwolf.com/resources/blog/september-2025-update-ongoing-akira-ransomware-campaign/
- https://www.exabeam.com/explainers/information-security/top-ransomware-statistics-and-recent-ransomware-attacks-2025/
- https://www.ransomware.live/id/QXBhY2hlIE9wZW5PZmZpY2VAYWtpcmE=
- https://www.darktrace.com/blog/akira-ransomware-how-darktrace-foiled-another-novel-ransomware-attack
- https://westoahu.hawaii.edu/cyber/forensics-weekly-executive-summmaries/akira-ransomware-forensic-analysis/
- https://www.cyfirma.com/research/tracking-ransomware-june-2025/