Greenwoods Dental Ransomware Claim by Akira (May 2026)

Claim Summary

On May 8, 2026, the Akira ransomware group posted a claim on its dark web leak site alleging a successful attack against Greenwoods Dental Centre, a dental and surgical practice based in Winnipeg, Canada (GB-registered). The threat actor claims to have exfiltrated approximately 90GB of corporate data, including detailed employee personal information (passports, driver’s licenses), financial records, patient data, payment details, and non-disclosure agreements. As of this writing, no data samples have been publicly released, and the group has not provided a specific ransom demand timeline. This claim has not been independently verified by Yazoul Security.

Threat Actor Profile

Akira is a ransomware-as-a-service (RaaS) group first observed in mid-2023, known for targeting small-to-medium enterprises and healthcare organizations. The group typically employs double extortion tactics: encrypting systems and exfiltrating data before threatening public release. Their known toolset includes:

• Credential theft: DonPAPI, LaZagne, Mimikatz
• Privilege escalation: PowerTool, ThrottleStop driver, Zemana Anti-Rootkit driver
• Network reconnaissance: Advanced IP Scanner, Advanced Port Scanner

Akira has historically demonstrated moderate credibility, with a track record of following through on threats to leak data when ransoms are unpaid. However, the group has also been observed exaggerating data volumes and victim counts to pressure targets. Their claimed 90GB exfiltration from Greenwoods Dental is plausible given the healthcare sector’s sensitivity, but the lack of published samples reduces immediate credibility.

Alleged Data Exposure

According to the leak site post, the compromised data allegedly includes:

• Employee PII: Passports, driver’s licenses, and other personal identification documents
• Financial records: Corporate financials, payment details, and transactional data
• Patient information: Medical records, treatment histories, and personal health information (PHI)
• Legal documents: NDAs and other contractual agreements

The threat actor stated they will “upload 90gb of corporate data soon,” suggesting the data has not yet been publicly released. This delay could indicate ongoing negotiations or verification of the data’s authenticity. If confirmed, the exposure of PHI would trigger mandatory breach notifications under Canadian privacy laws (PIPEDA) and potentially the UK’s GDPR if GB-registered entities are involved.

Potential Impact

If the claim is verified, Greenwoods Dental Centre faces several critical risks:

• Regulatory penalties: Non-compliance with PIPEDA or GDPR could result in fines up to 4% of annual global turnover.
• Reputational damage: Patient trust could erode, leading to loss of clientele and negative media coverage.
• Operational disruption: Ransomware encryption may have disrupted clinical operations, appointment scheduling, and billing systems.
• Legal liability: Affected patients and employees may pursue class-action lawsuits for mishandling of sensitive data.
• Financial loss: Ransom payment demands, forensic investigation costs, and system restoration expenses.

The healthcare sector is a high-value target due to the sensitivity of patient data and the critical nature of operations, making organizations like Greenwoods Dental particularly vulnerable to extortion.

What to Watch For

• Data publication: Monitor for any public release of the alleged 90GB dataset on Akira’s leak site or other dark web forums.
• Ransom demand: Watch for any communication from Akira to Greenwoods Dental or third-party negotiators.
• Employee and patient outreach: If confirmed, affected individuals may receive phishing attempts or identity theft threats.
• YARA rules: No public YARA rules exist for Akira at this time. Detection guidance is limited to monitoring for the group’s known tools (e.g., DonPAPI, LaZagne) and network scanning activity.
• Third-party verification: Check for any statements from Greenwoods Dental Centre or Canadian privacy authorities regarding a breach.

Disclaimer

This report is based on unverified claims published by the Akira ransomware group on their dark web leak site. Yazoul Security has not independently confirmed the breach, data exfiltration, or any ransom demand. Ransomware groups routinely exaggerate or fabricate claims to pressure victims. Organizations should treat this information as intelligence for monitoring purposes only and not as confirmed fact. For official updates, refer to Greenwoods Dental Centre or relevant regulatory bodies.