A security researcher has released a free decryptor for the Linux version of Akira ransomware. Rather than needing a key from the attackers, it uses GPUs to brute-force the decryption keys and unlock the files.

The tool was written after a friend asked the researcher for help. The initial estimate was that the keys could be recovered in about a week, because Akira derives them from timestamps.

GPU-Powered Brute Force Decryption

Unlike conventional decryptors, which need the victim to supply a key, this tool brute-forces the keys itself. Akira generates a separate key for each file, so the search has to be repeated per file.

Akira seeds its key generation with the current time, measured in nanoseconds. That seed space is large, but it is bounded by when the file was encrypted, which makes exhaustive search hard but feasible with enough computing power.

Understanding the Encryption Process

A key is only as unpredictable as the seed it is derived from. Akira draws four separate timestamp seeds with nanosecond precision and runs them through 1,500 rounds of SHA-256. The hashing stretches the seed but adds no entropy: a seed that can be guessed yields a key that can be recomputed.

The per-file keys are then encrypted with the attackers' RSA-4096 public key and appended to each file. Without the matching private key that blob cannot be opened, so recovery has to regenerate the key from its seed instead.

Challenges in Brute-Forcing Keys

Nanosecond precision means a billion candidate seeds for every second of uncertainty about when a file was encrypted, so narrowing the time window is essential. Akira's Linux build also encrypts many files at once across multiple threads, which blurs the relationship between a file's timestamps and the moment its key was generated.

By analysing log files, the researcher narrowed down the candidate timestamps, estimated how long the encryption run had taken to complete, and benchmarked the search on a range of hardware.
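The following is an added illustration of the two ideas above, the timestamp-seeded key schedule and the windowed brute-force search; it is not code from the researcher's decryptor and not Akira's actual algorithm. Only the "nanosecond timestamp stretched through 1,500 rounds of SHA-256" idea comes from the article. Everything else is a simplifying assumption: a single 64-bit seed instead of four, a toy SHA-256-based XOR stream cipher in place of the real cipher, the RSA-wrapped key omitted because the search never needs it, and a known file header (an ELF magic, constructed here) as the test for a correct key. Python is used for readability; the tool under discussion runs on CUDA and is orders of magnitude faster.

```python
"""Toy model of a timestamp-seeded key schedule and the brute-force
attack on it. Added example; the seed layout, cipher and known-header
check are assumptions, not Akira's design."""
import hashlib
import struct
import time

ROUNDS = 1500                 # article: 1,500 rounds of SHA-256
NS_PER_SEC = 1_000_000_000    # nanosecond precision: 1e9 seeds per second


def derive_key(seed_ns: int) -> bytes:
    """Stretch a nanosecond timestamp into a 32-byte key by iterating
    SHA-256 ROUNDS times. Assumed layout: one little-endian u64 seed."""
    h = struct.pack("<Q", seed_ns)
    for _ in range(ROUNDS):
        h = hashlib.sha256(h).digest()
    return h


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || block counter).
    Symmetric, so the same call decrypts. Stand-in for the real cipher."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + struct.pack("<Q", block_no)).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def simulate_encryptor(plaintext: bytes, now_ns: int) -> bytes:
    """Model of the ransomware: key from the clock, ciphertext out."""
    return xor_keystream(derive_key(now_ns), plaintext)


def brute_force_seed(ciphertext: bytes, known_prefix: bytes,
                     start_ns: int, end_ns: int):
    """Try every nanosecond in [start_ns, end_ns) and return
    (seed, tests_done), or (None, tests_done) if the window misses.
    Use a known prefix of at least 8 bytes: a 4-byte check gives a
    2^-32 false-positive rate per candidate, which over a one-second
    window (1e9 candidates) is not negligible."""
    head = ciphertext[:len(known_prefix)]
    tests = 0
    for seed in range(start_ns, end_ns):
        tests += 1
        if xor_keystream(derive_key(seed), head) == known_prefix:
            return seed, tests
    return None, tests


def recover_file(ciphertext: bytes, known_prefix: bytes,
                 start_ns: int, end_ns: int):
    """Full pipeline: find the seed, rederive the key, decrypt."""
    seed, _ = brute_force_seed(ciphertext, known_prefix, start_ns, end_ns)
    if seed is None:
        return None
    return xor_keystream(derive_key(seed), ciphertext)


def tests_per_second(sample: int = 200) -> float:
    """Measure this host's key-derivation throughput."""
    t0 = time.perf_counter()
    for s in range(sample):
        derive_key(s)
    return sample / (time.perf_counter() - t0)


def seconds_to_search(window_ns: int, rate: float) -> float:
    """Wall-clock time to exhaust a window at a given tests/second."""
    return window_ns / rate


if __name__ == "__main__":
    # Constructed victim file: an ELF binary, so its first 8 bytes are known.
    plaintext = b"\x7fELF\x02\x01\x01\x00" + b"rest of the binary" * 4
    true_seed = 1_700_000_000_123_456_789          # constructed timestamp
    ct = simulate_encryptor(plaintext, true_seed)

    # Log analysis (assumed) narrowed the encryption time to a 1,000 ns window.
    lo, hi = true_seed - 300, true_seed + 700
    seed, tests = brute_force_seed(ct, plaintext[:8], lo, hi)
    print(f"seed found: {seed == true_seed}, after {tests} tests")
    print(f"plaintext recovered: {recover_file(ct, plaintext[:8], lo, hi) == plaintext}")

    rate = tests_per_second()
    print(f"this host: {rate:,.0f} keys/s; one second of uncertainty "
          f"needs {seconds_to_search(NS_PER_SEC, rate) / 3600:,.1f} hours")
```

The last two lines are the point of the benchmarking step in the article: the cost of the search is the width of the time window divided by the tester's throughput, which is why narrowing the window from logs and raising the rate with GPUs were both necessary.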

GPU Resources and Optimization

Early attempts on an RTX 3060 managed only about 60 million key tests per second, far too slow for the window involved, and moving to an RTX 3090 brought no significant improvement.

The researcher ultimately rented cloud GPUs from RunPod and Vast.ai, using sixteen RTX 4090s to brute-force a key in roughly 10 hours. Because every file has its own key, the total run time grows with the number of files to recover.

The decryptor and instructions for recovering Akira-encrypted files are published on GitHub. Back up the original encrypted files before running it: a wrong candidate key produces garbage rather than plaintext, and keeping the originals makes the attempt repeatable.
