March 17, 2025

Free Akira Ransomware Decryptor Uses GPU Brute Force to Recover Linux Files


Security researcher Yohanes Nugroho has released a free decryptor for the Linux variant of the Akira ransomware. The decryptor leverages GPU processing power to brute-force the encryption key, allowing victims to recover their files without paying the ransom.

Nugroho's work provides a glimmer of hope for organizations hit by this specific Akira variant. The researcher shared the decryptor and detailed the recovery process on their personal blog, tinyhack.com.

The decryptor is available on GitHub, offering a practical solution for victims of this particular Akira ransomware strain.

The Akira Ransomware and Its Encryption Method

The Akira ransomware, like many others, encrypts files on compromised systems, demanding a ransom payment for the decryption key. This Linux variant targets ESXi servers. Nugroho encountered a recent version of the malware, active from late 2023 through early 2024.

The security researcher explained that this Akira variant takes an unusual approach to key generation. It uses four timestamps with nanosecond resolution as seeds for its encryption process. Each timestamp is then run through 1,500 rounds of SHA-256 hashing, producing a unique set of keys for every file.

The generated keys are saved at the end of each encrypted file, protected with RSA-4096 encryption and PKCS#11 padding. This makes decryption without the correct private key very difficult.

Brute-Forcing the Encryption Key

Nugroho's decryptor exploits the timestamp-based key generation to recover the keys. It works by generating potential keys based on timestamp ranges and comparing them to encrypted files.

Four timestamps used for generating keys (Source: tinyhack.com)

The researcher observed the following about the ransomware's key generation process:

  • It uses the current time (in nanoseconds) as a seed.

  • It relies on four distinct timestamps for each file's encryption key.

  • The key generation process involves 1,500 rounds of SHA-256 for each timestamp.

The initial analysis suggested that the timestamp from the system logs could be used to significantly narrow down the brute-force range.

However, Nugroho faced several challenges:

  • The need to test billions of timestamp combinations.

  • VMware VMFS filesystem timestamps that lack nanosecond precision.

  • The ransomware's use of multiple threads, which complicates the timing of each file's encryption.

To overcome these challenges, Nugroho turned to GPU-based brute-forcing and reverse engineering the malware.

GPU Acceleration and Decryption Process

Nugroho initially tested the brute-forcing method using CPUs, but the performance was too slow. GPUs offered a significant speed boost for the computationally intensive task of generating and testing potential encryption keys. The researcher was able to achieve 1.5 billion encryptions per second on an RTX 3090.

Source: tinyhack.com

The speed allowed for practical brute-forcing of timestamp ranges. Nugroho used cloud GPU services like Runpod and Vast.ai to rent multiple GPUs for faster processing.

The decryption process involves the following steps:

  1. Obtain Timestamps: Identify the file modification timestamps from the encrypted system.

  2. Obtain Ciphertext and Plaintext: Extract ciphertext from the encrypted files. Obtaining known plaintext takes some effort, depending on the file type.

  3. Rent GPUs: Utilize cloud GPU services to perform the brute-force attack.

  4. Run the Brute-Force: Execute the decryptor with the gathered information to find the correct keys.

  5. Decrypt the Files: Once the keys are found, use the decryptor to unlock the files.

The researcher noted that the time offset between timestamps can vary. Measurements on the infected hardware revealed a normal range of 2-4 million nanoseconds, but the value can vary from 1.5 to 5 million.
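To make the key-generation description and the five-step recovery procedure above concrete, here is an added illustration (not code from the article or from Nugroho's decryptor). It models a nanosecond timestamp hashed 1,500 times with SHA-256 as the key, checks candidates against a known plaintext prefix, and bounds the search window by a coarse file timestamp and by the observed 1.5-5 ms gap between seeds. The seed encoding, the SHA-256 counter-mode stand-in for the real cipher, and the VMDK-style header are assumptions, not Akira's actual format.

```python
import hashlib
import struct

ROUNDS = 1500                                        # 1,500 SHA-256 rounds per seed (from the article)
OFFSET_MIN_NS, OFFSET_MAX_NS = 1_500_000, 5_000_000  # observed gap between successive seeds

def derive_key(ts_ns: int) -> bytes:
    """Model of the schedule described above: a nanosecond timestamp is the seed
    and is hashed ROUNDS times. The 64-bit little-endian seed encoding is an assumption."""
    h = struct.pack("<Q", ts_ns)
    for _ in range(ROUNDS):
        h = hashlib.sha256(h).digest()
    return h

def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for the real one (assumed, not Akira's): SHA-256 in
    counter mode XORed over the data, so encryption and decryption are the same call."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack("<Q", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def brute_force_seed(start_ns: int, end_ns: int, known_plain: bytes, ciphertext: bytes):
    """Try every nanosecond in [start_ns, end_ns) and return the seed whose key turns the
    ciphertext prefix back into the known plaintext, or None if the window misses it."""
    target = ciphertext[:len(known_plain)]
    for ts in range(start_ns, end_ns):
        if xor_keystream(derive_key(ts), target) == known_plain:
            return ts
    return None

def next_seed_window(found_ts: int) -> range:
    """Once one seed is known, the next lies roughly 1.5-5 ms later (the measured offset),
    which bounds the search for the remaining timestamps instead of restarting from scratch."""
    return range(found_ts + OFFSET_MIN_NS, found_ts + OFFSET_MAX_NS)

if __name__ == "__main__":
    # Constructed demo: a header encrypted under a secret seed, with the file's mtime known
    # only to the microsecond, standing in for a filesystem without nanosecond precision.
    secret_ts = 1_700_000_000_123_456_789
    header = b"KDMV" + bytes(28)              # constructed known plaintext (VMDK-style magic)
    ct = xor_keystream(derive_key(secret_ts), header)
    mtime_us = secret_ts // 1000              # what the coarse filesystem timestamp reports
    found = brute_force_seed(mtime_us * 1000, mtime_us * 1000 + 1000, header[:16], ct)
    print("recovered seed:", found, "match:", found == secret_ts)
    print("search window for the next seed:", next_seed_window(found))
```

In pure Python this checks on the order of a thousand seeds per second, which is why a multi-millisecond window times four seeds calls for the GPU rate of 1.5 billion per second cited above.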

Important Considerations

Nugroho emphasizes that their decryptor is not a simple, generic tool. It requires technical expertise and system administration skills, involves multiple steps, and demands a good understanding of the specific Akira variant.

Nugroho stated that the code shared is filled with experimental logic and quick hacks and lacks proper testing.

Anthony Denis

Anthony Denis a Security News Reporter with a Bachelor's in Business Computer Application. Drawing from a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.