Friday, April 4, 2025
HomeCyber Security NewsDecrypter Released for the Notorious Akira Ransomware

Decrypter Released for the Notorious Akira Ransomware

Published on

SIEM as a Service

Follow Us on Google News

Akira ransomware appeared in 2017 when it encrypted video folders without leaving any ransom notes. The file encrypted by Akira ransomware has an extension of .akira.

Researchers have been working on decrypting the files affected by the ransomware and finally got a breakthrough.

Researchers at Avast have found a way to decrypt the files affected by the Akira ransomware. Avast has also released the 64-bit as well as 32-bit versions of the decryptor tool for users.

Technical Analysis of Akira Ransomware

The ransomware has affected education, finance, real estate, and many other organizations.

Akira ransomware is specifically built for Windows Platforms as it uses 64-bit Windows binary for encrypting the files. It is written in C++ and uses a lot of C++ libraries. 

Akira uses symmetric encryption, which has an encryption key generated by the CryptGenRandom() function by Windows CryptAPI, and uses ChaCha 2008 for encrypting the files on the affected systems. 

However, the ransomware has also affected Linux operating systems and uses the Crypto++ library as a replacement for Windows CryptAPI.

By default, the ransomware excludes certain folders and file extensions from encrypting, which includes,

Files

  • .exe
  • .dll
  • .lnk
  • .sys
  • .msi
  • Akira_readme.txt

Folders

  • winnt (default installation folder of Windows 2000)
  • temp
  • thumb
  • $Recycle.bin
  • $RECYCLE.BIN
  • System Volume Information
  • Boot
  • Windows
  • Trend Micro

Akira Ransomware Vs Conti Ransomware

There seem to be a lot of similarities between the Conti V2 Ransomware and the Akira ransomware. This can be due to the authors’ inspiration from the Conti.

The list of excluded files and folders, the structure of the file tail, the use of ChaCha 2008, and the use of CryptGenRandom and CryptEncrypt appears to be much similar to Conti Ransomware.

Avast is currently working on the decryptor tool for its Linux Version.

Just like any other ransomware, the ransom notes provide two tor websites: the payment site and the list of victims site (shows the list of Akira ransomware victims).

Decryptor Tool and How to Use It?

Avast has provided a complete report and instructions on how to use this tool. Users have to download the decryptor tool (32-bit or 64-bit) from the Avast website and run it as an administrator, which will fire up the Wizard for decryption.

Users must submit two identical files, one of which must be an original file and the other the same file affected by Akira ransomware with the extension (.akira).

The tool takes some time to get the password for decrypting the files. In the end, the tool also asks for backing up the decrypted files using the wizard.

The ransomware was using a symmetric RSA-4096 cipher encryption key that was appended at the end of the file while the public key was hardcoded inside the ransomware binary.

“AI-based email security measures Protect your business From Email Threats!” – .

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Secure Ideas Achieves CREST Accreditation and CMMC Level 1 Compliance

Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces...

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券),...

UAC-0219 Hackers Leverage WRECKSTEEL PowerShell Stealer to Extract Data from Computers

In a concerning development, CERT-UA, Ukraine's Computer Emergency Response Team, has reported a series...

Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems

Hunters International, a ransomware group suspected to be a rebrand of the infamous Hive...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券),...

UAC-0219 Hackers Leverage WRECKSTEEL PowerShell Stealer to Extract Data from Computers

In a concerning development, CERT-UA, Ukraine's Computer Emergency Response Team, has reported a series...

Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems

Hunters International, a ransomware group suspected to be a rebrand of the infamous Hive...