Ransomware Group: AKIRA

VICTIM NAME: Orion Engineering

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the AKIRA Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

On October 6, 2025, a leak page attributed to the threat actor group akira references Orion Engineering, a manufacturing company, as a victim. The page states that attackers have compromised Orion Engineering and plan to upload 32 GB of data soon. It lists internal confidential information that is alleged to have been exfiltrated, including client personal data (Social Security numbers, addresses, and email addresses), employee records (including W-9 forms), financial and accounting files, contracts and agreements, and clients’ engineering specifications, drawings, and related project data. The page frames this as a data-leak event rather than a full encryption of the organization’s systems. A claim URL is indicated on the page, but no ransom amount is disclosed. The leak entry shows no screenshots or other media; there are no images reported on the page.

Because the available data provide only the post date, October 6, 2025, this should be treated as the publication date of the leak rather than a confirmed breach date. The description points to a potential risk to Orion Engineering’s clients and employees should the data be released or publicly exposed, consistent with ransomware extortion patterns that threaten data publication. No explicit ransom figure or encryption claim is presented in the text, suggesting this is an early-stage data-exfiltration notification rather than a completed encryption incident. The entry is attributed to the akira group, which provides some attribution context, but the overall breach status beyond the post remains unverified based on the leak page alone.