Inside an Akira Ransomware Attack: 60 Servers, Destroyed Backups, & 85% Negotiated Reduction
How Akira ransomware entered through a poisoned search result, and what stopped a $10M ransom demand
Company Industry: Media
Threat Actor: Akira
Attack Type: Search Engine Optimization (SEO) Poisoning → ransomware
Ransom Demanded: $10M
Ransom Settled: $1.5M (85% reduction)
Time to Containment: ~2 hours
Before the Breach
This media company relied on a managed service provider (MSP) to handle patching, backups, and day-to-day IT operations. On paper, their security posture met standard baseline MSP requirements.
What was missing: no dedicated threat detection, no identity-layer monitoring, and no visibility into how trusted tools were being used once inside the network. The MSP’s scope covered IT management, but not security operations.
What Happened
The client’s MSP installed what appeared to be a legitimate AI software tool, downloaded from a malicious Google search result. Attackers had trojanized the tool and used SEO poisoning to make the malicious result look trustworthy, and Akira ransomware was inside the network before anyone knew to look. Over 60 servers were locked. Backups were destroyed. A $10M ransom demand was on the table.
How At-Bay Responded
- Detection: The MSP noticed unusual activity: odd MFA requests and unexpected email behavior. The full picture became clear when the client arrived at the office and found systems inaccessible. A review confirmed encryption and ransom notes throughout the environment.
- Forensics & Investigation: At-Bay reviewed the client’s antivirus and EDR platform, assessed backup integrity, and analyzed the available logging data, limited as it was, to reconstruct the attack chain.
- Containment: The entire network was isolated from the internet and all connected sites within approximately 2 hours. The client had already begun shutting down systems before At-Bay was engaged.
- Negotiation: At-Bay deliberately extended negotiations, giving the client time to evaluate options without pressure to pay. After a prolonged process, the threat actor accepted a significantly reduced settlement; the persistence of the negotiation ultimately led them to abandon their original demand.
- Recovery: The server footprint was reduced from 60+ hosts to only those that were necessary. The rebuilt infrastructure used brand new hardware alongside externally recovered backups. Decryption was performed with the tool provided by the threat actor. Full operational recovery took approximately 2 months.
At-Bay Response & Recovery stepped in to run forensics, lead threat actor negotiations, and take the incident from breach to resolution. Infrastructure was rebuilt. Decryption was led end-to-end. The client was back online.
Stop Ransomware with MDR
An MSP may manage your environment, but 24/7 threat detection isn’t always part of the service. SEO poisoning and ransomware attacks exploit that gap, moving through trusted tools and routine processes that standard IT management won’t flag.
At-Bay Stance Managed Detection & Response (MDR) protects your organization against modern threats like ransomware, financial fraud, phishing, and identity-based attacks with comprehensive endpoint, cloud, email, and identity security solutions. At-Bay’s MDR experts help businesses stay secure and reduce cyber risk at a fraction of the cost of hiring an in-house team, delivering enterprise-grade protection at an accessible price point.
*Response timelines differ. Past results do not guarantee future outcomes. This content is provided for information purposes only and is not intended to define any Policy commitment. No warranty is given or liability accepted regarding this information.
At-Bay Stance MDR is provided by At-Bay Security, LLC (“At-Bay Security”), and available to eligible businesses with or without an insurance policy placed through At-Bay Insurance Services, LLC. At-Bay Security, LLC is a wholly owned subsidiary of At-Bay, Inc., providing cybersecurity services including MDR and incident response. At-Bay Security, LLC does not provide insurance services.