One of the most powerful ransomware hacks around has been cracked using some serious GPU power

• A researcher analyzed how Akira operates on Linux and came with a brute-force decryption tool
• It took $1,200 and three weeks to decrypt a system
• The tool is available on GitHub now

A security researcher has managed to break Akira’s ransomware encryptor for Linux, with the help of cloud-based compute power.

Security researcher Yohanes Nugroho was recently asked for help by a friend who was struck with Akira. After analyzing the log files, they determined that Akira generates encryption keys using timestamps in nanoseconds.

Nugroho's method is a little costly to retrieve all of the encrypted files, but it should still be cheaper than paying the ransom demand.

Cloud computing to the rescue

An encryption seed is a starting value used to generate encryption keys that lock a victim’s files. It plays a crucial role in the encryption process, often determining how the encryption key is derived. In Akira’s case, the encryptor dynamically generates unique encryption keys for each file, using four timestamp seeds. The keys are then encrypted with RSA-4096 and appended at the end of each encrypted file.

Furthermore, Akira encrypts more files at once through multi-threading.

However, by looking at the logs, the researcher was able to determine when the ransomware ran, and through metadata, he determined the encryption completion time. He was then able to create a brute-force tool that can discover the key for each individual file. Running the tool on-prem was deemed inefficient, since both RTX 3060 and RTC 3090 took too long.

The researcher then opted for RunPod & Vast.ai cloud GPU services, which provided enough computing power at the right price to make the process viable. He used 16 RTX 4090 GPUs to brute-force the decryption key in roughly 10 hours. Depending on the number of locked files, the entire process can take less, or more time.

In total, the project took three weeks, and $1,200, but the system was saved, BleepingComputer reports. The decryptor is available on GitHub, and the researcher added that the code can probably be optimized to run even better. It is worth noting that before running any such experiment, victims should first create backups of their files, in case anything goes awry.

Via BleepingComputer

You might also like

• There's now a Linux version of this dangerous VMware ransomware
• We've rounded up the best password managers
• Take a look at our guide to the best authenticator app