Decrypting Encrypted files from Akira Ransomware (Linux/ESXI variant 2024) using a bunch of GPUs – Tinyhack.com

This summary covers a practical guide to recovering data encrypted by the 2024 Linux/ESXi variant of Akira ransomware without paying the ransom: the technical approach, the released source code, and the encryption scheme the ransomware uses. The author describes, from first-hand experience, the brute-force method (keys are seeded from timestamps, so file timestamps bound the search) that made recovery possible. Affected: Akira ransomware victims, companies dealing with ransomware attacks

Keypoints :

  • The author helped a company recover data encrypted by a variant of Akira ransomware without paying the ransom.
  • The article walks through the decryption approach and links to the source code that was used.
  • An earlier Akira version had weaknesses that allowed decryption; the attackers have since patched them.
  • Recovery relied on file timestamps to bound the key search space, then brute-forcing the encryption keys within that range.
  • The malware derives keys from multiple timestamps and encrypts across several threads, which enlarges and complicates the search.
  • Recovery is scoped to specific VMware file types.
  • Renting GPUs for the brute force is shown to be cost-effective, and the setup is detailed.
  • Multithreading and timestamps that lack nanosecond precision are discussed as the main complications.
  • The final recovery steps are: obtain the timestamps, extract the ciphertexts, and configure the brute-force jobs.
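The following is an added toy model, not code from the tinyhack.com article, the linked source, or the Akira samples. It illustrates only the structural point the keypoints make: when a per-file key is derived from a timestamp, the file's mtime bounds the seed, a known header gives a check for each candidate, and the precision of the stored timestamp decides whether the search is a few thousand candidates or a few billion (the GPU case). The KDF, the stream cipher, the seed layout, the lag and precision values, and the function names are all hypothetical; the real ransomware's scheme is not specified on this page and differs.

```python
"""Toy model of why timestamp-seeded file keys are brute-forceable.

Added example; not the article's or the ransomware's actual code.
HYPOTHETICAL scheme: key = SHA-256(seed_ns), keystream = SHA-256(key || counter),
ciphertext = plaintext XOR keystream.  Only the structure carries over to the
real case: seed is a timestamp, so the file's mtime bounds the search space.
"""
import hashlib
import struct

# Known-plaintext anchor: a VMware sparse-extent VMDK begins with b"KDMV"
# (magic 0x564d444b stored little-endian).  A fixed header like this is what
# lets a candidate key be checked without decrypting the whole file.
VMDK_MAGIC = b"KDMV"


def derive_key(seed_ns: int) -> bytes:
    """HYPOTHETICAL KDF: SHA-256 over the 64-bit little-endian nanosecond seed."""
    return hashlib.sha256(struct.pack("<Q", seed_ns)).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: concatenated SHA-256(key || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, seed_ns: int) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) under the key derived from seed_ns."""
    return bytes(a ^ b for a, b in zip(data, keystream(derive_key(seed_ns), len(data))))


def search_window(mtime_ns: int, precision_ns: int, max_lag_ns: int) -> range:
    """Seeds worth trying for a file whose stored mtime is mtime_ns.

    precision_ns: granularity of the stored timestamp (1 for nanosecond mtimes,
        1_000_000_000 if the filesystem or tooling only kept whole seconds).
    max_lag_ns:   longest plausible gap between key generation and the final
        write that set mtime (grows with file size and thread contention).
    The true mtime lies in [mtime_ns, mtime_ns + precision_ns) and the seed was
    drawn at most max_lag_ns before it, so try [mtime_ns - max_lag_ns, mtime_ns + precision_ns).
    """
    return range(mtime_ns - max_lag_ns, mtime_ns + precision_ns)


def brute_force_seed(ct_prefix: bytes, known_prefix: bytes, candidates: range):
    """Return the first seed whose keystream turns ct_prefix into known_prefix, else None."""
    for seed in candidates:
        if xor_crypt(ct_prefix, seed) == known_prefix:
            return seed
    return None


def demo() -> dict:
    """Constructed scenario: encrypt a fake VMDK header, then recover the seed from mtime."""
    seed = 1_718_000_000_123_456_789          # constructed "key generation" instant (ns)
    lag = 37_000                              # constructed: last write landed 37 us later
    plaintext = VMDK_MAGIC + b"\x01\x00\x00\x00" + b"\x00" * 24   # fake header
    ciphertext = xor_crypt(plaintext, seed)
    mtime_ns = seed + lag                     # nanosecond mtime as a filesystem would store it

    # Nanosecond mtime: a 100 us lag budget means ~1e5 candidates, trivial on a CPU.
    window = search_window(mtime_ns, precision_ns=1, max_lag_ns=100_000)
    found = brute_force_seed(ciphertext[:4], VMDK_MAGIC, window)
    recovered = xor_crypt(ciphertext, found) if found is not None else None
    return {
        "seed": seed,
        "found": found,
        "candidates": len(window),
        "recovered_ok": recovered == plaintext,
        # Whole-second mtime on the same file: ~1e9 candidates, which is GPU territory.
        "candidates_1s": len(search_window(mtime_ns, 1_000_000_000, 100_000)),
    }


if __name__ == "__main__":
    print(demo())
```

The window arithmetic is the part worth keeping in mind when reading the article: the seed search is cheap exactly when the stored timestamp is precise and the lag between key generation and the last write is small, and every lost digit of precision or extra encrypting thread multiplies the candidate count.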

MITRE Techniques :

  • Technique: Data Encrypted for Impact (T1486) – The malware encrypts files on the victim's ESXi/Linux hosts to demand a ransom payment, making the data inaccessible.
  • Note – Brute Force (T1110) is a credential-access technique and does not describe this case: the brute force here is the defender's recovery method, not adversary behaviour. T1055.001 (Process Injection: Dynamic-link Library Injection) and T1590 (Gather Victim Network Information) do not cover key generation or multithreading, and T1522 does not denote input data manipulation. Per-file keys derived from multiple timestamps, multithreaded encryption, and the dependence on precise timestamps are implementation details of the malware, not ATT&CK techniques; they are the properties that make recovery possible.

Indicator of Compromise :

  • [Hash] bcae978c17bcddc0bf6419ae978e3471197801c36f73cff2fc88cecbe3d88d1a
  • [URL] https://github.com/rivitna/Malware/blob/main/Akira/Akira_samples.txt

Full Story: https://tinyhack.com/2025/03/13/decrypting-encrypted-files-from-akira-ransomware-linux-esxi-variant-2024-using-a-bunch-of-gpus/#more-1090