Critical Unverified

Réseau Radiologique Romand Hit by Akira (May 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Claim Summary

On May 8, 2026, the Akira ransomware group posted a claim on its dark web leak site alleging the compromise of Réseau Radiologique Romand (3R), a Swiss medical imaging network. The threat actor claims to have exfiltrated 48GB of data from the organization, including sensitive patient medical information, employee personal identification documents, payment details, and corporate agreements. The group states it will upload the stolen data imminently, though no samples or download links have been provided at the time of writing. This claim has not been independently verified by Yazoul Security.

Threat Actor Profile

Akira is a ransomware-as-a-service (RaaS) group first observed in early 2023, known for targeting healthcare, education, and manufacturing sectors globally. The group typically employs double extortion tactics - encrypting systems and exfiltrating data to pressure victims into paying ransoms. Akira’s known toolset includes credential harvesting utilities (DonPAPI, LaZagne, Mimikatz), privilege escalation tools (PowerTool), driver-based evasion (ThrottleStop driver, Zemana Anti-Rootkit driver), and network reconnaissance tools (Advanced IP Scanner, Advanced Port Scanner). The group has demonstrated operational security by using custom encryptors and maintaining a leak site for non-paying victims. While Akira’s total victim count is not publicly documented, their consistent targeting of critical infrastructure suggests a moderate-to-high credibility level, though their claims should be treated with caution due to the lack of independent verification.

Alleged Data Exposure

According to the leak site post, the stolen data includes:

  • Employee personal information: passport copies, driver’s licenses, national IDs, and other personal identification documents
  • Patient information: phone numbers, addresses, and medical data
  • Payment details: financial transaction records
  • Corporate documents: non-disclosure agreements (NDAs) and other business agreements

The group claims the total data volume is 48GB, which is relatively modest compared to other healthcare breaches. However, the sensitivity of the alleged data types - particularly medical information and identification documents - raises significant privacy concerns under Swiss and EU data protection regulations.

Potential Impact

If verified, this incident could have severe consequences for Réseau Radiologique Romand:

  • Regulatory penalties: Potential fines under Switzerland’s Federal Act on Data Protection (FADP) and GDPR for EU-connected patients
  • Patient trust erosion: Exposure of medical imaging data could undermine confidence in the network’s security
  • Identity theft risks: Employee and patient PII could be used for fraud or social engineering attacks
  • Operational disruption: The group may have encrypted systems, potentially delaying medical imaging services
  • Legal liability: Exposure of NDAs and payment details could lead to contractual disputes and financial losses

What to Watch For

  • Monitor Akira’s leak site for any data publication - the group claims imminent upload
  • Watch for phishing campaigns targeting 3R employees and patients using the exposed PII
  • Check for signs of credential stuffing or account takeover attempts on 3R’s patient portals
  • Review network logs for indicators of compromise (IOCs) associated with Akira’s known tools (e.g., Advanced IP Scanner, Mimikatz)
  • No public YARA rules are currently available for Akira, but organizations should monitor for the group’s specific tool signatures
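
One way to act on the log-review item above, as an added example that is not part of the original report: since a single hit on an admin tool such as Advanced IP Scanner is often benign, this sketch flags a host only when tools from two or more of the report's categories appear within one time window. The event schema (`ts`, `host`, `image`), the name fragments, the 24-hour window, the two-category threshold and all sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Categories follow the report's grouping of Akira's tools. The lowercase
# fragments are assumed name matches, not confirmed file names or hashes.
TOOLS = {
    "credential_harvesting": ["donpapi", "lazagne", "mimikatz"],
    "privilege_escalation": ["powertool"],
    "driver_evasion": ["throttlestop", "zemana"],
    "network_recon": ["advancedipscanner", "advancedportscanner"],
}

# Constructed process-creation / driver-load events (hypothetical schema).
SAMPLE = [
    {"ts": "2024-01-10T09:00:00", "host": "host-a", "image": r"C:\Tools\advanced_ip_scanner.exe"},
    {"ts": "2024-01-10T09:05:00", "host": "host-a", "image": r"C:\Windows\notepad.exe"},
    {"ts": "2024-01-10T10:00:00", "host": "host-b", "image": r"C:\Temp\Advanced Port Scanner.exe"},
    {"ts": "2024-01-10T10:40:00", "host": "host-b", "image": r"C:\Temp\mimikatz.exe"},
    {"ts": "2024-01-10T11:00:00", "host": "host-b", "image": r"C:\Temp\ThrottleStop.sys"},
    {"ts": "2024-01-10T08:00:00", "host": "host-c", "image": r"C:\Temp\lazagne.exe"},
    {"ts": "2024-01-14T08:00:00", "host": "host-c", "image": r"C:\Temp\advanced_ip_scanner.exe"},
]

def classify(image):
    name = re.split(r"[\\/]", image.lower())[-1]   # file name only, not the folder path
    flat = re.sub(r"[^a-z0-9]", "", name)          # ignore spaces, "_", "-" and dots
    for category, fragments in TOOLS.items():
        if any(f in flat for f in fragments):
            return category
    return None

def correlate(events, window=timedelta(hours=24), min_categories=2):
    """Map host -> categories when enough distinct categories fall in one window."""
    hits = defaultdict(list)
    for ev in events:
        category = classify(ev["image"])
        if category:
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), category))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            cats = {c for t, c in seen[i:] if t - start <= window}
            if len(cats) >= min_categories:
                alerts[host] = sorted(cats)
                break
    return alerts
```

Calling `correlate(SAMPLE)` flags only `host-b`. Name matching is a triage signal; confirm hits with file hashes or signer information before escalating.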

Disclaimer

This report is based solely on unverified claims made by the Akira ransomware group on their dark web leak site. Yazoul Security has not independently confirmed the breach, data exfiltration, or any operational impact on Réseau Radiologique Romand. Ransomware groups frequently exaggerate or fabricate claims to pressure victims. All information should be treated as preliminary and subject to verification. No data samples, download links, or access credentials are provided in this report. Organizations should consult official sources and conduct their own investigations before taking action.
