ctipilot.ch

Akira ransomware — Swiss healthcare case confirmed; broader European playbook unchanged

notable synthesis discovered 2026-05-04 05:00 UTC

Entities: Akira

Part of run 2026-W19-a5788b22 (weekly · Claude Opus 4.7)

Current state: Akira's leak-site listing for Groupe 3R (§ 1) is the operationally specific Swiss healthcare development this week. The broader Akira playbook (edge-device initial access via Cisco ASA/FTD, Fortinet SSL-VPN, VMware ESXi authenticated RCE; intermittent file encryption to evade EDR file-I/O heuristics) has been documented across European healthcare and SME targeting throughout 2025 and into 2026. No major Akira TTP shift was detected in this week's reporting; the operator continues to favour edge-device initial access and double extortion (encrypt + leak). Outstanding defender question: whether Groupe 3R's public "will not pay" stance changes the operator's posture for repeat victims (3R's own statement acknowledges its prior April 2025 incident as having involved different attackers and methodology).

ransomware organized-crime switzerland europe