Saturday, May 18, 2024

Decrypter Released for the Notorious Akira Ransomware

Akira ransomware appeared in 2017 when it encrypted video folders without leaving any ransom notes. The file encrypted by Akira ransomware has an extension of .akira.

Researchers have been working on decrypting the files affected by the ransomware and finally got a breakthrough.

Researchers at Avast have found a way to decrypt the files affected by the Akira ransomware. Avast has also released the 64-bit as well as 32-bit versions of the decryptor tool for users.

Technical Analysis of Akira Ransomware

The ransomware has affected education, finance, real estate, and many other organizations.

Akira ransomware is specifically built for Windows Platforms as it uses 64-bit Windows binary for encrypting the files. It is written in C++ and uses a lot of C++ libraries. 

Akira uses symmetric encryption, which has an encryption key generated by the CryptGenRandom() function by Windows CryptAPI, and uses ChaCha 2008 for encrypting the files on the affected systems. 

However, the ransomware has also affected Linux operating systems and uses the Crypto++ library as a replacement for Windows CryptAPI.

By default, the ransomware excludes certain folders and file extensions from encrypting, which includes,

Files

  • .exe
  • .dll
  • .lnk
  • .sys
  • .msi
  • Akira_readme.txt

Folders

  • winnt (default installation folder of Windows 2000)
  • temp
  • thumb
  • $Recycle.bin
  • $RECYCLE.BIN
  • System Volume Information
  • Boot
  • Windows
  • Trend Micro

Akira Ransomware Vs Conti Ransomware

There seem to be a lot of similarities between the Conti V2 Ransomware and the Akira ransomware. This can be due to the authors’ inspiration from the Conti.

The list of excluded files and folders, the structure of the file tail, the use of ChaCha 2008, and the use of CryptGenRandom and CryptEncrypt appears to be much similar to Conti Ransomware.

Avast is currently working on the decryptor tool for its Linux Version.

Just like any other ransomware, the ransom notes provide two tor websites: the payment site and the list of victims site (shows the list of Akira ransomware victims).

Decryptor Tool and How to Use It?

Avast has provided a complete report and instructions on how to use this tool. Users have to download the decryptor tool (32-bit or 64-bit) from the Avast website and run it as an administrator, which will fire up the Wizard for decryption.

Users must submit two identical files, one of which must be an original file and the other the same file affected by Akira ransomware with the extension (.akira).

The tool takes some time to get the password for decrypting the files. In the end, the tool also asks for backing up the decrypted files using the wizard.

The ransomware was using a symmetric RSA-4096 cipher encryption key that was appended at the end of the file while the public key was hardcoded inside the ransomware binary.

“AI-based email security measures Protect your business From Email Threats!” – .

Website

Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles