ctipilot.ch

Akira — ransomware operator targeting EU healthcare and SME via edge-device CVE chains and intermittent-encryption EDR evasion

actor · actor:Akira

Coverage timeline: 1 (first 2026-05-10 → last 2026-05-10)
Briefs: 1 (1 distinct)
Sources cited: 14 (9 hosts)
Sections touched: 1 (weekly_long_running)
Co-occurring entities: 7

Story timeline

  1. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
    Section: weekly_long_running. First covered as a named operator key (the Groupe 3R incident was already logged separately). W1 horizon: 84 March victims (second-most-active month on record); 5 healthcare claims in Q1 2026; confirmed German healthcare victims RENAFAN GmbH and Suchthilfe direkt Essen gGmbH; Akira playbook documented (Cisco ASA/FTD/Fortinet/ESXi initial access; LSASS via comsvcs.dll/Mimikatz; PowerTool+Zemana AV-driver BYOVD; double extortion). >1,400 victims since 2023; >$245M extracted.

Where this entity is cited

  • weekly_long_running: 1

Source distribution

  • attack.mitre.org: 6 (43%)
  • blick.ch: 1 (7%)
  • cloud.google.com: 1 (7%)
  • comparitech.com: 1 (7%)
  • cybermaxx.com: 1 (7%)
  • groupe3r.ch: 1 (7%)
  • ictjournal.ch: 1 (7%)
  • nltimes.nl: 1 (7%)
  • other: 1 (7%)


Items in briefs about Akira — ransomware operator targeting EU healthcare and SME via edge-device CVE chains and intermittent-encryption EDR evasion (7)

Akira ransomware on Groupe 3R — 20 Swiss medical-imaging centres across seven cantons; second cyberattack on the same operator within twelve months

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

If you did nothing this week: Swiss and DACH healthcare operators with internet-exposed Cisco ASA / FTD, Fortinet SSL-VPN, or VMware ESXi management interfaces — Akira's documented edge-device initial-access targets — face the same playbook used here. Groupe 3R confirmed the attack on its own website 2026-04-30, filed a criminal complaint, notified the Federal Office for Cybersecurity (BACS/OFCS), and explicitly stated it will not pay ransom; Akira's leak-site listing on approximately 2026-05-08 claims 48 GB exfiltrated including employee identity documents, patient records, payment information, and signed NDAs (Groupe 3R victim statement, 2026-04-30 · ICTjournal.ch, 2026-05-06 · Blick.ch, 2026-05-07 · daily 2026-05-10).

Groupe 3R (Réseau Radiologique Romand) operates ~20 medical-imaging centres across seven Swiss cantons listed in the operator statement (Vaud, Valais, Fribourg, Genève, Neuchâtel, Berne — six in Romandie — plus Zürich in German-speaking Switzerland) — a direct Swiss critical-health-infrastructure incident, and the operator's second cyberattack within twelve months (the prior April 2025 incident is acknowledged in the operator's own statement as having involved different attackers and methodology). Legacy examination data remains inaccessible at week-end; security of new examination data has been restored on rebuilt infrastructure. Data exfiltration was not confirmed by the victim; Akira's leak-site post asserts 48 GB exfiltrated. Akira's documented playbook against European healthcare and SME targets emphasises edge-device initial access (Cisco ASA/FTD CVEs, Fortinet SSL-VPN CVEs, VMware ESXi authenticated RCE) and intermittent file-encryption to evade EDR file-IO heuristics — observed ATT&CK techniques include T1190 Exploit Public-Facing Application, T1133 External Remote Services, T1486 Data Encrypted for Impact, and T1567 Exfiltration Over Web Service. Defenders should re-validate patch state on the edge devices in Akira's standard target list, confirm EDR rules trigger on intermittent-encryption write-skip-write file-IO patterns, and verify radiology-modality VLAN segmentation from corporate Active Directory — PACS/RIS environments tend to co-tenant with Windows file shares, providing trivial east-west reach once an attacker lands. The Akira-as-actor attribution comes from ransomware.live (aggregator), not from the victim or an independent primary; logged with confidence HIGH on incident, MEDIUM on actor.

Healthcare (CH, NL)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Two healthcare incidents define the sector picture this week, both with European public-sector concentration. Groupe 3R (Switzerland) — Akira leak-site listing on a Romandie medical-imaging operator running 20 centres across seven cantons; the operator confirmed publicly on 2026-04-30, will not pay ransom, and is operating with legacy examination data still inaccessible at week-end (Groupe 3R victim statement · daily 2026-05-10). ChipSoft (Netherlands) — The 7 April 2026 attack on the Dutch healthcare software vendor — whose HiX platform serves roughly 70% of Dutch hospitals — was first reported with attacker identity unknown (The Record, 2026-04-09); the Embargo ransomware group's claim of responsibility, alongside the 66 Dutch DPA notifications, was reported in the subsequent NL Times follow-up. On 28–29 April ChipSoft stated the exfiltrated data had been destroyed in language Dutch security experts noted strongly implies a ransom was paid (ChipSoft did not confirm) (NL Times, 2026-04-29 · daily 2026-05-07). Both incidents reinforce the same cross-finding pattern: ransomware operators' claims of data destruction are inherently unverifiable; GDPR breach-notification obligations and long-term breach-response posture do not expire when an attacker says they deleted the copy.

Mandiant M-Trends 2026

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

M-Trends 2026 (published 2026-03-23, first covered 2026-05-07) reinforces three cross-cutting trends visible in this week's incidents: voice phishing surged to the second most prevalent initial-access vector at 11% (overtaking email phishing at 6%) driven by IT help-desk impersonation and SaaS OAuth token theft — directly evidenced this week in the ADT vishing → Okta SSO → Salesforce pivot and in MuddyWater's Teams external-access helpdesk pretext (§ 7); ransomware initial access via prior compromise doubled to 30% — implicit in the access-broker / ransomware-affiliate model behind Akira, Embargo, and Qilin's targeting of European victims; and edge-device persistence on VPNs, routers, and network appliances without EDR coverage remains the dominant initial-access technique for state-sponsored espionage — directly mirrored in CL-STA-1132's PAN-OS exploitation and in Ivanti EPMM's named EU victims. The reframe IOCTA does not give but M-Trends does: median dwell time globally has increased to 14 days (up from 11 in 2024) and espionage-focused intrusions average 122-day median dwell — i.e. when the Ivanti EPMM and PAN-OS post-compromise hunting horizons land on retrospective log review back to March/April, that horizon is consistent with Mandiant's observed espionage dwell envelope. (Google Cloud / Mandiant M-Trends 2026, 2026-03-23; daily 2026-05-07).

Akira ransomware — Swiss healthcare case confirmed; broader European playbook unchanged

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Current state: Akira's leak-site listing on Groupe 3R (§ 1) is the operationally specific Swiss-healthcare development this week. The broader Akira playbook (edge-device initial access via Cisco ASA/FTD, Fortinet SSL-VPN, VMware ESXi authenticated RCE; intermittent file-encryption to evade EDR file-IO heuristics) has been documented across European healthcare and SME targeting throughout 2025 and into 2026. No major Akira TTP shift detected in this week's reporting; the operator continues to favour edge-device initial access and double-extortion (encrypt + leak). Outstanding defender question: whether the Groupe 3R "will not pay" public stance changes the operator's posture for repeat victims (3R's prior April 2025 incident is acknowledged in its own statement as having involved different attackers and methodology).

Akira playbook quarterly context — Q1 2026 healthcare concentration; Qilin remains the dominant operator on German healthcare victims

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

W1 horizon research added Q1 2026 healthcare quarterly context to the Groupe 3R item in § 1. Across Q1 2026, Akira posted 84 victims in March alone (second-most-active month on record) and claimed 5 healthcare victims; Qilin led healthcare at 23 claims (with RENAFAN GmbH and Suchthilfe direkt Essen gGmbH as Qilin's confirmed German victims), and The Gentlemen at 10 healthcare claims (Comparitech Q1 2026 Healthcare, 2026-04-29 · CyberMaxx Q1 2026). Akira's documented attack chain for healthcare: initial access via unpatched VPN (Cisco ASA, SonicWall, Fortinet) or compromised RDP credentials; lateral movement via T1021.001 Remote Services: Remote Desktop Protocol and T1047 Windows Management Instrumentation; LSASS credential harvesting via comsvcs.dll / Mimikatz; AV termination via PowerTool weaponising the Zemana AntiMalware driver (BYOVD); data exfiltration; double extortion. The cross-finding for Swiss / DACH operators reading after Groupe 3R: at least two ransomware-as-a-service operators (Akira and Qilin) are hitting European healthcare in Q1–Q2 2026 via the edge-device / unpatched-VPN attack surface, and the operator that hits a given hospital is less salient defensively than the shared initial-access funnel they exploit.

Groupe 3R (Réseau Radiologique Romand) — Akira ransomware claims 48 GB; 20 imaging centres across seven Swiss cantons, second attack in twelve months

From CTI Daily Brief — 2026-05-10 · published 2026-05-11

Akira listed Groupe 3R on its dark-web leak site on approximately 2026-05-08, claiming an attack dated 2026-04-30 and threatening release of 48 GB including employee identity documents (passports, driving licences, national IDs), patient records (addresses, phone numbers, medical data), payment information, and signed NDAs (Groupe 3R victim statement, 2026-04-30 · ICTjournal.ch, 2026-05-06 · Blick.ch, 2026-05-07). Groupe 3R operates 20 medical-imaging centres across seven Romandie cantons (Vaud, Valais, Fribourg, Genève, Neuchâtel, Berne, and a further canton listed in the operator statement) — making this a direct Swiss critical-health-infrastructure incident. The operator confirmed the attack publicly via its own website on 2026-04-30, notified the Federal Office for Cybersecurity (BACS/OFCS), filed a criminal complaint, and explicitly stated it will not pay ransom. Legacy examination data remains inaccessible at the time of the public update; security of new examination data has been restored on rebuilt infrastructure. Data exfiltration was not confirmed by the victim; Akira's leak-site post asserts 48 GB exfiltrated. The operator's own statement notes this is its second cyberattack within twelve months and characterises the prior April 2025 incident as having involved different attackers and methodology.

Akira's documented playbook against European healthcare and small-to-mid enterprise targets emphasises edge-device initial access (Cisco ASA / FTD CVEs, Fortinet SSL-VPN CVEs, VMware ESXi authenticated RCE) and intermittent file-encryption to evade EDR file-IO heuristics; ATT&CK techniques observed across recent Akira incidents include T1190 Exploit Public-Facing Application, T1133 External Remote Services, T1486 Data Encrypted for Impact, and T1567 Exfiltration Over Web Service.

Defender takeaway: Swiss and DACH healthcare operators with internet-exposed Cisco ASA/FTD, Fortinet SSL-VPN, or VMware ESXi management interfaces should validate that all 2025–2026 Akira-targeted CVEs are patched, that EDR rules trigger on intermittent-encryption file-IO patterns (write-then-skip-then-write of fixed-block ranges), and that radiology-modality VLANs are network-segmented from corporate AD; PACS/RIS environments tend to co-tenant with Windows file shares, providing trivial east-west reach once an attacker lands. Imaging operators that depend on a single ransomware-targeted partner should review business-continuity arrangements: this is the second 3R outage inside a year and referrers will already have continuity questions.
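The takeaway above (and the action item below) asks defenders to confirm that EDR rules fire on the write-then-skip-then-write file-IO pattern of intermittent encryption. The following detector is an added example written for this page; it is not ctipilot's, Groupe 3R's, or any EDR vendor's rule, and it assumes a telemetry shape (per-write offset and length, which not every sensor exposes), hypothetical process image names and share paths, and illustrative thresholds. It flags a process that writes equal-sized chunks separated by equal unwritten gaps across several files in a short burst, while a single sparse-file writer and an ordinary contiguous document save stay quiet:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WriteEvent:
    """One file-write telemetry record (constructed shape; assumes the EDR
    exposes offset and length per write, which not every sensor does)."""
    ts: float      # event time in seconds
    pid: int
    image: str     # process image name
    path: str
    offset: int    # byte offset of the write within the file
    length: int    # bytes written


def strided_pattern(writes):
    """Return (chunk, gap) if the writes to one file form a write-skip-write
    pattern: equal-length chunks separated by equal, non-zero unwritten gaps
    (the fixed-block-range skipping characteristic of intermittent encryption).
    Return None for contiguous rewrites or irregular writes."""
    if len(writes) < 3:
        return None
    ws = sorted(writes, key=lambda w: w.offset)
    chunk = ws[0].length
    if any(w.length != chunk for w in ws):
        return None
    gaps = {ws[i + 1].offset - (ws[i].offset + ws[i].length) for i in range(len(ws) - 1)}
    if len(gaps) != 1:
        return None
    gap = gaps.pop()
    return (chunk, gap) if gap > 0 else None


def detect_intermittent_encryption(events, min_files=3, window_s=10.0):
    """Raise one alert per process that produces strided partial writes on at
    least `min_files` distinct files whose first writes fall within `window_s`
    seconds. The per-process, multi-file threshold keeps a lone sparse-file
    writer (backup or database tooling) from alerting on its own."""
    by_file = defaultdict(list)
    for e in events:
        by_file[(e.pid, e.image, e.path)].append(e)

    # (pid, image) -> [(first_ts, last_ts, path, chunk, gap)]
    hits = defaultdict(list)
    for (pid, image, path), ws in by_file.items():
        pat = strided_pattern(ws)
        if pat is not None:
            ts = [w.ts for w in ws]
            hits[(pid, image)].append((min(ts), max(ts), path, pat[0], pat[1]))

    alerts = []
    for (pid, image), files in hits.items():
        files.sort()
        for i in range(len(files)):
            j = i
            while j < len(files) and files[j][0] - files[i][0] <= window_s:
                j += 1
            burst = files[i:j]
            if len(burst) >= min_files:
                alerts.append({
                    "pid": pid,
                    "image": image,
                    "files": len(burst),
                    "chunk": burst[0][3],
                    "gap": burst[0][4],
                    "first_ts": burst[0][0],
                    "last_ts": max(f[1] for f in burst),
                    "paths": [f[2] for f in burst],
                })
                break  # one alert per process is enough for triage
    return alerts


def sample_events():
    """Constructed telemetry, not captured data: one process encrypting four
    DICOM files on a share with 4 KiB writes and 8 KiB skips, one ordinary
    contiguous document save, and one lone sparse-file writer."""
    ev = []
    for n in range(4):  # hypothetical image name and share path
        path = r"\\fs01\radiology\study_%d.dcm" % n
        for k in range(4):
            ev.append(WriteEvent(100.0 + n * 0.5 + k * 0.01, 4242, "svc_update.exe",
                                 path, k * 12288, 4096))
    for k in range(4):  # contiguous rewrite: gaps are zero, no pattern
        ev.append(WriteEvent(100.2 + k * 0.01, 1001, "winword.exe",
                             r"C:\Users\alice\report.docx", k * 4096, 4096))
    for k in range(3):  # strided, but only one file: stays below min_files
        ev.append(WriteEvent(101.0 + k * 0.01, 2002, "sparse_tool.exe",
                             r"C:\tmp\sparse.bin", k * 65536, 4096))
    return ev


if __name__ == "__main__":
    for a in detect_intermittent_encryption(sample_events()):
        print("ALERT pid=%d image=%s files=%d chunk=%d gap=%d" %
              (a["pid"], a["image"], a["files"], a["chunk"], a["gap"]))
```

To exercise the check against a real sensor, replay the EDR's file-write events into `detect_intermittent_encryption` in place of `sample_events()`; if the sensor records only "file modified" without offsets, the pattern cannot be recovered from that feed and the rule has to live elsewhere (minifilter or canary-file monitoring), which is exactly the gap the validation is meant to surface. The `min_files` and `window_s` values are starting points: a PACS archive node may legitimately touch many files per second, so tune per host role before treating the alert as high-fidelity.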

Validate Akira-targeted edge-device CVE patch state in CH/EU healthcare

From CTI Daily Brief — 2026-05-10 · published 2026-05-11

Swiss and DACH healthcare operators (and any organisation operating PACS/RIS or radiology-modality networks) should re-validate patch state on Cisco ASA / FTD, Fortinet SSL-VPN, and VMware ESXi management interfaces, and confirm radiology-modality VLAN segmentation from corporate Active Directory. Confirm EDR rules trigger on intermittent file-encryption file-IO patterns. Review business-continuity contracts for ransomware-targeted single-supplier dependencies (the second 3R outage in twelve months will already have referrer-side continuity questions).