Cybercrime: the AKIRA group steps up its activities
Berne, 16.10.2025 — Joint press release from the OAG, fedpol, and the NCSC - In recent months, the hacker group AKIRA has stepped up its activities in Switzerland. Around two hundred companies have been victims of ransomware attacks, with damages currently amounting to several million Swiss francs, and to several hundred million dollars worldwide. Since April 2024, the Office of the Attorney General of Switzerland (OAG) has been conducting criminal proceedings. The investigation is being coordinated by the Federal Office of Police (fedpol), in close cooperation with the National Cyber Security Centre (NCSC) and the authorities in several other countries that are affected. The Swiss authorities stress the importance of contacting them before taking any action and of filing a criminal complaint.
Since April 2024, the OAG has been conducting criminal proceedings against persons unknown in response to several ransomware attacks on Swiss companies, which began in May 2023 and have continued to September 2025. The hacker group known as AKIRA has claimed responsibility for the attacks, which are still ongoing and have intensified in recent months. The authorities have observed an increase in the number of cases involving the same ransomware (four to five per week, a record for Switzerland), which shows that the group in question is highly active. Around two hundred companies in Switzerland have already fallen victim, with the damages currently exceeding several million Swiss francs, and amounting to several hundred million dollars worldwide.
The OAG has taken charge of several cantonal investigations opened into identical attacks. Its proceedings are currently being conducted against persons unknown in connection with data theft (Art. 143 Swiss Criminal Code (SCC)), damaging data (Art. 144bis SCC) and extortion (Art. 156 SCC), or alternatively attempted extortion (Arts 22 and 156 SCC). The investigation is being coordinated by the Federal Office of Police (fedpol), working closely with the National Cyber Security Centre (NCSC) and the authorities in several of the other countries affected.
The AKIRA group first appeared on the scene in March 2023, quickly becoming the subject of several articles in the specialised press. It uses software specifically developed for the purpose, with its IT infrastructure spread across several countries around the world. It carries out what is commonly known as ‘double extortion’, which involves exfiltrating and then encrypting the victim’s data. Once the data have been encrypted, the victim company can only observe as its IT network is totally or partially disabled, potentially making it impossible to continue its activities. If the ransom is not paid within the set deadline, AKIRA not only refuses to provide the decryption key that would allow the victim to access its data again, but also publishes the data on a blog hosted on the Darknet. This blog is known as a DLS or ‘data leak site’. The ransom is paid in cryptocurrency, in most cases Bitcoin.
Do not pay the ransom – contact the authorities
Based on the information gathered so far in the course of the investigation, the authorities assume that a certain number of cases have not been reported. This is because the victims, fearing damage to their reputation, pay the ransoms demanded and/or decide against filing a criminal complaint. The OAG, fedpol and the NCSC stress that filing a complaint helps to increase the potential lines of enquiry, thereby increasing the chances of success in combating these criminal groups. The authorities advise against paying the ransom, as doing so helps to fund the perpetrators’ activities. They therefore recommend that the companies concerned consult the authorities before taking any action in response to a ransom demand.
Specific measures
Although these ransomware attacks are normally complex, most of them can be prevented. Most often, the gateway for these ransomware attacks is outdated systems and remote-access services such as VPN (Virtual Private Network) and RDP (Remote Desktop Protocol) that are not secured by two-factor authentication (2FA). In the event of an attack, all internet connections (web, email, remote access and site-to-site VPN) must first be deactivated. Backups must be verified and secured immediately. The affected systems must also be physically disconnected from the infected network as soon as possible. The main aim in resolving the attack is to identify the method of infection and prevent re-infection. The authorities recommend that victims file a criminal complaint in every case.
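The paragraph above names the typical entry point: VPN or RDP access that is not protected by 2FA. The following script is an added example, not part of the press release and not a tool of the Swiss authorities; it shows how a defender can audit remote-access authentication logs for exactly that weakness. The key=value log format, the field names (service, user, src, result, mfa) and the sample lines are all constructed assumptions for this example, not the format of any real VPN appliance or of Windows RDP event logging.

```python
"""Audit VPN/RDP authentication logs for logins that were not protected by 2FA.

Constructed example. The log format and field names are assumptions for this
demonstration and must be adapted to the real appliance or SIEM export.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (key=value format assumed for this example).
SAMPLE_LOG = """\
2025-09-01T07:58:11Z service=vpn user=alice src=203.0.113.10 result=success mfa=true
2025-09-01T08:02:43Z service=rdp user=svc-backup src=198.51.100.7 result=failure mfa=false
2025-09-01T08:02:49Z service=rdp user=svc-backup src=198.51.100.7 result=failure mfa=false
2025-09-01T08:02:55Z service=rdp user=svc-backup src=198.51.100.7 result=failure mfa=false
2025-09-01T08:03:01Z service=rdp user=svc-backup src=198.51.100.7 result=success mfa=false
2025-09-01T08:15:30Z service=vpn user=bob src=192.0.2.44 result=success
2025-09-01T09:00:00Z service=vpn user=carol src=203.0.113.22 result=success mfa=true
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


@dataclass
class AuthEvent:
    ts: str
    service: str
    user: str
    src: str
    success: bool
    mfa: Optional[bool]  # None = field absent, i.e. no evidence 2FA was applied


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one constructed key=value log line into an AuthEvent."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    mfa_raw = fields.get("mfa")
    return AuthEvent(
        ts=m.group("ts"),
        service=fields.get("service", "?"),
        user=fields.get("user", "?"),
        src=fields.get("src", "?"),
        success=fields.get("result") == "success",
        mfa=None if mfa_raw is None else mfa_raw.lower() == "true",
    )


def parse_log(text: str) -> List[AuthEvent]:
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [e for e in events if e is not None]


def logins_without_2fa(events: List[AuthEvent]) -> List[AuthEvent]:
    """Successful remote-access logins where mfa is false or missing.

    A missing field is treated as unprotected: absence of evidence that 2FA
    was applied is itself a finding for the audit.
    """
    return [e for e in events if e.success and e.mfa is not True]


def suspicious_successes(events: List[AuthEvent], max_failures: int = 3) -> List[AuthEvent]:
    """Successful logins preceded by at least max_failures consecutive failures
    for the same (service, user, source): a password-guessing pattern that 2FA
    on the remote-access service would have stopped."""
    failures = defaultdict(int)
    flagged = []
    for e in events:
        key = (e.service, e.user, e.src)
        if e.success:
            if failures[key] >= max_failures:
                flagged.append(e)
            failures[key] = 0
        else:
            failures[key] += 1
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in logins_without_2fa(evts):
        print(f"NO-2FA  {e.ts} {e.service} user={e.user} src={e.src}")
    for e in suspicious_successes(evts):
        print(f"GUESSED {e.ts} {e.service} user={e.user} src={e.src}")
```

On the constructed sample, the audit reports two logins without 2FA (the svc-backup RDP session with mfa=false and bob's VPN session with no mfa field at all) and flags the svc-backup success because it followed three consecutive failures from the same source. In practice the same two checks are run over the real VPN and RDP gateway logs, and every account they surface is a candidate for enforcing 2FA before an attacker rather than an auditor finds it.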
For further information, see: Ransomware – what next?
Original text of the press release in French.
