
Akira Ransomware Decryptor Released for Linux Variant

Security researcher Yohanes Nugroho has developed a decryptor for the Linux variant of Akira ransomware. The tool leverages GPU power to retrieve decryption keys, allowing victims to unlock their encrypted files for free.

Development of Akira Decryptor

Nugroho began working on the decryptor after being approached by a friend who had fallen victim to Akira ransomware. He initially estimated that the system could be solved within a week, having found that the ransomware generated encryption keys using timestamps, which made it potentially crackable.

However, the project took three weeks due to unexpected complexities, and he spent $1,200 on GPU resources to successfully crack the encryption key.

Using GPUs to Brute Force Encryption Keys

Unlike traditional decryption tools where users input a key to unlock their files, Nugroho’s decryptor brute-forces encryption keys by taking advantage of how Akira ransomware generates its keys based on the system time in nanoseconds.

Akira ransomware dynamically creates unique encryption keys for each file using four different timestamp-based seeds hashed through 1,500 rounds of SHA-256. These keys are then encrypted with RSA-4096 and appended to the encrypted files.




Challenges in Brute-Forcing the Keys

Since timestamps are precise to nanoseconds, there are over a billion possible values per second, making it extremely difficult to brute force encryption keys.

Also, Akira ransomware on Linux uses multi-threading to encrypt multiple files at the same time, making it harder to determine the exact timestamps used for encryption.

Nugroho analyzed log files and metadata from the infected system to estimate when encryption occurred. Early attempts using an RTX 3060 were too slow, reaching only 60 million encryption tests per second. Upgrading to an RTX 3090 offered little improvement.

He eventually turned to RunPod and Vast.ai cloud GPU services, utilizing sixteen RTX 4090 GPUs to brute-force the decryption key within 10 hours. However, depending on the number of encrypted files, the process could take a couple of days.
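The following added example (not code from the article or from Nugroho's decryptor) models the weakness described above on a deliberately simplified scheme: a key derived from a single nanosecond timestamp through 1,500 rounds of SHA-256, recovered by sweeping a time window narrowed from logs and checking each candidate against a known file header. The seed encoding, the stand-in stream cipher, the timestamp and the sample file are all assumptions constructed for illustration.

```python
import hashlib

ROUNDS = 1500  # round count reported in the article


def derive_key(ts_ns: int) -> bytes:
    """Toy derivation: one nanosecond timestamp through iterated SHA-256.
    The decimal-string encoding of the seed is an assumption."""
    digest = str(ts_ns).encode()
    for _ in range(ROUNDS):
        digest = hashlib.sha256(digest).digest()
    return digest


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode). XOR, so it also decrypts."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)


def recover_timestamp(ciphertext: bytes, known_header: bytes,
                      start_ns: int, end_ns: int):
    """Try every nanosecond in [start_ns, end_ns). A candidate is accepted
    when the decrypted prefix matches a header the file type must have."""
    prefix = ciphertext[:len(known_header)]
    for ts in range(start_ns, end_ns):
        if toy_encrypt(derive_key(ts), prefix) == known_header:
            return ts
    return None


# Constructed sample: a fake PDF encrypted under a made-up timestamp.
TRUE_TS = 1_741_000_000_123_456_789
PLAINTEXT = b"%PDF-1.7\n" + b"constructed sample body " * 4
CIPHERTEXT = toy_encrypt(derive_key(TRUE_TS), PLAINTEXT)


def demo():
    """Assume logs narrowed the encryption time to a 1,000 ns window."""
    start = TRUE_TS - 700
    found = recover_timestamp(CIPHERTEXT, b"%PDF-", start, start + 1000)
    return found, toy_encrypt(derive_key(found), CIPHERTEXT)


if __name__ == "__main__":
    ts, recovered = demo()
    print(ts, recovered[:9])
```

The sweep is only feasible here because the window is tiny; every extra second of uncertainty adds a billion candidates per timestamp, which is why the log and metadata analysis and the GPU throughput figures above matter.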

Decryptor Now Available on GitHub

The decryptor is now publicly available on GitHub, with instructions on how to recover Akira-encrypted files.

Keep in mind that before attempting decryption, you should make a backup of your encrypted files, as there is a risk of corruption if the wrong decryption key is used.

Milena Dimitrova
