
A new decryptor for Akira ransomware harnesses GPUs to recover decryption keys and unlock files free of charge. Created by the Thailand-based security researcher Yohanes Nugroho, the decryptor targets the Linux variant of Akira ransomware; Nugroho built it after a friend asked for help freeing their systems from the grip of online extortionists. He estimated that the job could be done within a week by subverting Akira's timestamp-based key generation. Unforeseen complexities stretched the work over three weeks and cost $1,200 in GPU resources before his theory was proven.
Ransomware decryptors are designed to inspect encrypted files, identify the corresponding decryption key and decrypt the affected data using the ransomware family’s algorithm. Such tools offer victims a means to reverse the damage inflicted by ransomware attacks without capitulating to cyber attackers’ demands. These decryptors are often the only viable solution for effectively restoring access and retrieving files following an attack.
Unlike traditional decryption tools, which require a user-supplied key, Nugroho's decryptor brute-forces the encryption keys by exploiting Akira's use of seeds taken from the current time, measured in nanoseconds. A seed is the input from which a cryptographic function derives its keys, so the keys are only as unpredictable as the seed; a seed read from the system clock falls within a guessable range. Akira creates a unique encryption key for each file from four different timestamp seeds with nanosecond precision, processed through 1,500 SHA-256 rounds. These per-file keys are then encrypted with RSA-4096 and appended to each encrypted file, which makes decryption without the private key challenging.
Challenges in precision timing and multi-threading
Nanosecond precision means each second of wall-clock time contains a billion candidate seed values, which complicates brute-force attempts. Additionally, on Linux, Akira encrypts multiple files concurrently using multi-threading, which makes it harder to tell which timestamp was used for a given file. Nugroho narrowed the range of timestamps to brute-force by analysing log files shared by his friend, examining the ransomware's execution times and the encrypted files' metadata, and benchmarking the hardware to build a predictable timing profile.
Initial tests on an RTX 3060 GPU managed only 60 million encryption tests per second, which was not enough. Upgrading to an RTX 3090 did not significantly improve performance either. Eventually Nugroho turned to the cloud GPU services RunPod and Vast.ai, using 16 RTX 4090 GPUs to brute-force the decryption key in roughly 10 hours. Recovery time will vary with the number of encrypted files involved.
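A simplified model of the weakness described above, added here as an illustration and not code from Nugroho's decryptor or from Akira: a single nanosecond seed hashed through 1,500 SHA-256 rounds (Akira itself mixes four seeds; the real cipher and the RSA wrapping are omitted) yields a key that can be recovered by enumerating a narrowed time window and checking for a known file header. The toy stream cipher, the seed value and the ELF header are constructed for the demonstration.

```python
import hashlib
import struct

ROUNDS = 1500  # SHA-256 iteration count the article attributes to Akira

def derive_key(seed_ns: int) -> bytes:
    # Toy KDF modelled on the article: the nanosecond timestamp is hashed
    # through 1,500 SHA-256 rounds. Constructed; not Akira's real schedule,
    # which the article says mixes four seeds, and RSA wrapping is omitted.
    h = struct.pack("<Q", seed_ns)
    for _ in range(ROUNDS):
        h = hashlib.sha256(h).digest()
    return h

def stream_xor(key: bytes, data: bytes) -> bytes:
    # Toy counter-mode keystream (SHA-256 of key || block index) XORed with
    # data; one call both encrypts and decrypts. Stands in for the real cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack("<Q", i // 32)).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def recover_seed(ciphertext: bytes, known_prefix: bytes, start_ns: int, width_ns: int):
    # Enumerate every nanosecond in [start_ns, start_ns + width_ns) and keep the
    # seed whose key turns the ciphertext head into the expected file header.
    # Cost is linear in width_ns: at the article's 60M tests/s, each second of
    # unconstrained clock (1e9 candidates) costs ~17 s, hence bounding it from logs.
    for cand in range(start_ns, start_ns + width_ns):
        key = derive_key(cand)
        if stream_xor(key, ciphertext[:len(known_prefix)]) == known_prefix:
            return cand, key
    return None

def demo():
    # Constructed scenario: an ELF header encrypted under a clock-derived seed,
    # then recovered from a 300 ns window known to contain that instant.
    true_seed = 1_700_000_000_000_000_000 + 137  # constructed timestamp
    plaintext = b"\x7fELF" + bytes(range(60))
    ciphertext = stream_xor(derive_key(true_seed), plaintext)
    found = recover_seed(ciphertext, b"\x7fELF", true_seed - 100, 300)
    if found is None:
        return None
    seed, key = found
    return seed, stream_xor(key, ciphertext)

if __name__ == "__main__":
    seed, recovered = demo()
    print("seed", seed, "restored:", recovered.startswith(b"\x7fELF"))
```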
Nugroho's write-up notes that his code could benefit from further optimisation by GPU experts. The decryptor is available on GitHub, along with instructions for recovering files encrypted by Akira.
His approach resembles earlier decryptors that brute-forced ransomware whose encryption relied on predictable patterns or weaknesses in the algorithm's implementation. The same strategy has historically worked against ransomware that derives keys from timestamps or otherwise follows weak cryptographic practices, where timing or computational limitations can be exploited to reverse-engineer or brute-force decryption keys.