A cybersecurity researcher has successfully broken the encryption used by the Linux/ESXi variant of the Akira ransomware, enabling data recovery without paying the ransom demand.
The breakthrough exploits a critical weakness in the ransomware’s encryption methodology. According to the researcher, the malware uses the current time in nanoseconds as a seed for its encryption process, making it theoretically vulnerable to brute-force attacks.
“From my initial analysis, I observed the ransomware uses the current time in nanoseconds as a seed,” according to the researcher, Yohanes Nugroho.
“My initial thought was: ‘This should be easy, just brute-force it by looking at the file timestamps.’ However, it turned out to be significantly more complex.”
The Akira variant identified by the hash bcae978c17bcddc0bf6419ae978e3471197801c36f73cff2fc88cecbe3d88d1a employs a sophisticated encryption scheme that utilizes four distinct timestamps, each with nanosecond resolution.
This complexity initially made decryption seem unfeasible, but persistence and computational power ultimately prevailed.
The researcher has published the full source code and methodology on GitHub, providing a potential lifeline for organizations affected by this specific ransomware strain active since late 2023.
The researcher reverse-engineered the ransomware code and discovered it uses the Yarrow256 random number generator seeded with timestamp values. The core vulnerability lies in the generate_random() function:
The ransomware employs this function to generate keys for both the KCipher2 and ChaCha8 encryption algorithms. Each file is split into blocks, with the proportion encrypted set by a parameter chosen by the attackers:
To break the encryption, the researcher developed a CUDA-optimized brute-force tool that leverages high-performance GPUs.
After extensive optimization, the system achieved approximately 1.5 billion encryption attempts per second on an RTX 3090 GPU, with an RTX 4090 roughly 2.3 times faster.
“Testing 2 million offsets would require approximately 16 days on a single GPU, or just 1 day using 16 GPUs,” the researcher noted.
“With a 4090, the same process could be completed in around 7 days on a single GPU or just over 10 hours with 16 GPUs.”
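As an added illustration (not the researcher's tool and not the ransomware's code), the Python below models the weakness described above: when a key is a deterministic function of a nanosecond timestamp, a defender can recover it by searching the timestamps just before the encrypted file's mtime and checking each candidate against a known plaintext header. The toy keystream, sample file and timestamps are constructed stand-ins; the real variant's Yarrow256, KCipher2, ChaCha8 and four-timestamp scheme are not reproduced.

```python
import hashlib

# Constructed stand-in for a key generator seeded by a nanosecond timestamp.
# It is NOT the ransomware's Yarrow256/KCipher2/ChaCha8 code; it only models the
# property the article describes: the keystream is a pure function of the seed time.
def keystream(seed_ns: int, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(seed_ns.to_bytes(8, "little") + block.to_bytes(4, "little")).digest()
        block += 1
    return bytes(out[:length])

def xor_stream(data: bytes, seed_ns: int) -> bytes:
    # XOR with the keystream; the same call encrypts and decrypts.
    return bytes(d ^ k for d, k in zip(data, keystream(seed_ns, len(data))))

def recover_seed(ciphertext: bytes, known_prefix: bytes, mtime_ns: int, window_ns: int):
    # The seed was taken before the file was written, so it lies in
    # [mtime_ns - window_ns, mtime_ns]. Walk backwards from the mtime and accept the
    # first candidate that decrypts the leading bytes to the expected header.
    n = len(known_prefix)
    for seed in range(mtime_ns, mtime_ns - window_ns - 1, -1):
        if xor_stream(ciphertext[:n], seed) == known_prefix:
            return seed
    return None

def candidate_time_days(candidates: int, attempts_per_second: float, gpus: int = 1) -> float:
    # Wall-clock budget for a search space at a given per-GPU throughput, in days.
    return candidates / (attempts_per_second * gpus) / 86400

# Constructed sample: a file with a recognisable header, encrypted at a known nanosecond
# time and written to disk 3 microseconds later (the mtime a defender reads from the filesystem).
SAMPLE_PLAINTEXT = b"# Disk DescriptorFile\nversion=1\n" + bytes(range(64))
KNOWN_HEADER = b"# Disk DescriptorFile"
ENCRYPT_TIME_NS = 1_700_000_000_123_456_789
SAMPLE_MTIME_NS = ENCRYPT_TIME_NS + 3_000
SAMPLE_CIPHERTEXT = xor_stream(SAMPLE_PLAINTEXT, ENCRYPT_TIME_NS)

if __name__ == "__main__":
    seed = recover_seed(SAMPLE_CIPHERTEXT, KNOWN_HEADER, SAMPLE_MTIME_NS, 1_000_000)
    print("recovered seed:", seed, "matches:", seed == ENCRYPT_TIME_NS)
    print("plaintext restored:", xor_stream(SAMPLE_CIPHERTEXT, seed) == SAMPLE_PLAINTEXT)
    # A 1 ms window of nanosecond seeds at the article's 1.5 billion attempts/s on one GPU.
    print("1 ms window on one GPU: %.9f days" % candidate_time_days(1_000_000, 1.5e9))
```

The search cost grows linearly with the uncertainty window around the mtime, which is why the article's figures depend on both the number of candidate offsets and the per-GPU throughput.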
The decryption process requires specific inputs to be effective:
The full source code and technical details are available on GitHub for organizations that may have fallen victim to this specific Akira variant.
As ransomware evolves, this work highlights the ongoing arms race between attackers and defenders.
Each successful decryption without payment undermines the ransomware business model, potentially deterring future attacks.
The public release of this methodology and source code ensures that affected organizations have an alternative to paying the ransom. However, they should act quickly, because ransomware operators will inevitably patch this weakness in their encryption implementation.