A team successfully decrypted an instance of the Akira ransomware on Linux/ESXi systems without succumbing to the hackers’ demands.
This achievement not only underscores the ingenuity of cybersecurity experts but also sends a clear message to those who make a living extorting vulnerable businesses and individuals.
The Akira ransomware, known for its complex encryption mechanisms, has evolved over time, with newer variants posing significant challenges to cybersecurity professionals.
The variant discussed here, active since late 2023, required innovative approaches to bypass its encryption.
Akira ransomware has been a notable threat, with multiple versions surfacing over the years.
An earlier version contained a bug that allowed Avast to develop a decryptor tool; the attackers patched it soon after the tool was published. This pattern suggests that the malware continues to evolve in response to security efforts, according to the researchers' report.
To combat the latest iteration, researchers focused on understanding its encryption process. The ransomware uses nanosecond-resolution timestamps to seed its Yarrow256 algorithm, generating unique encryption keys for each file.
This process involves multiple rounds of SHA-256 hashing, making brute-force attacks seem daunting.
The encryption process, as reconstructed from the sample, can be outlined as follows (Yarrow256 here is the implementation from GNU Nettle; the timestamp helper is the malware's own and is not shown):
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <nettle/yarrow.h>   /* Yarrow256 PRNG from GNU Nettle */

uint64_t get_current_time_nanosecond(void);  /* malware helper: wall clock in nanoseconds */

/* Per-file key generation: the only entropy fed to Yarrow256 is the current
   time in nanoseconds, printed as a decimal string. */
void generate_random(char *buffer, int size) {
    uint64_t t = get_current_time_nanosecond();
    char seed[32];
    snprintf(seed, sizeof(seed), "%lld", (long long)t);   /* decimal timestamp becomes the seed */
    struct yarrow256_ctx ctx;
    yarrow256_init(&ctx, 0, NULL);                        /* no entropy sources registered */
    yarrow256_seed(&ctx, strlen(seed), (const uint8_t *)seed);
    yarrow256_random(&ctx, size, (uint8_t *)buffer);      /* 'size' bytes of key material */
}
To perform brute-force attacks efficiently, plaintext samples are necessary. For VMware files, the following strategies were employed:
While brute-forcing seemed unfeasible at first, optimizations made it more practical.
Initial estimates suggested a throughput of about 100,000 timestamp-to-random-bytes conversions per second on a single CPU core. Moving the search to GPUs improved this dramatically, reducing the time to cover a search window from hours to minutes.
To further refine the search, log files from ESXi hosts were used to estimate when the encryption occurred. Although these logs may only offer second-level precision, they help narrow down the search space.
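The following Python is an added example, not code from the page, from the researcher's tool, or from the ransomware. It models the weakness described in the two passages above: a per-file key that depends only on a nanosecond timestamp, and a known-plaintext check that lets a defender walk the candidate timestamps bounded by a second-precision log line. The PRNG and the file cipher are constructed stand-ins (SHA-256 in place of Yarrow256, and a SHA-256 counter-mode keystream in place of the real stream cipher); the header bytes, the secret timestamp and the search window are constructed values.

```python
"""Timestamp-seeded key recovery with a known plaintext prefix (added example)."""
import hashlib
import struct
from typing import Optional, Tuple

NS_PER_SECOND = 1_000_000_000


def derive_key(timestamp_ns: int) -> bytes:
    # Assumed stand-in for the sample's Yarrow256 step: the decimal timestamp
    # string is the only entropy, so a single SHA-256 over it plays the PRNG.
    return hashlib.sha256(str(timestamp_ns).encode()).digest()


def keystream(key: bytes, length: int) -> bytes:
    # Constructed counter-mode keystream; the real sample keys a stream cipher
    # from the PRNG output, which this only mimics.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext: bytes, timestamp_ns: int) -> bytes:
    ks = keystream(derive_key(timestamp_ns), len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR with the same keystream is its own inverse


def search_window_from_log(log_second: int, slack_seconds: int = 0) -> Tuple[int, int]:
    # A log entry with second precision bounds the nanosecond timestamp to
    # [start, end): 1e9 candidates per second covered, more if slack is added.
    start = (log_second - slack_seconds) * NS_PER_SECOND
    end = (log_second + slack_seconds + 1) * NS_PER_SECOND
    return start, end


def candidates_in_window(start_ns: int, end_ns: int) -> int:
    return end_ns - start_ns


def recover_timestamp(ciphertext: bytes, known_prefix: bytes,
                      start_ns: int, end_ns: int) -> Optional[int]:
    # Walk every candidate timestamp in the window; the first whose keystream
    # turns the ciphertext prefix back into the known header is the seed used.
    n = len(known_prefix)
    target = ciphertext[:n]
    for t in range(start_ns, end_ns):
        ks = keystream(derive_key(t), n)
        if bytes(c ^ k for c, k in zip(target, ks)) == known_prefix:
            return t
    return None


# Constructed sample: an 8-byte header we know in advance (stands in for a
# real file format's magic bytes), followed by arbitrary file content.
KNOWN_PREFIX = b"EXHDR001"
PLAINTEXT = KNOWN_PREFIX + b"example virtual disk contents ..."
SECRET_TS = 1_700_000_000_123_456_789   # constructed nanosecond timestamp
CIPHERTEXT = encrypt(PLAINTEXT, SECRET_TS)

if __name__ == "__main__":
    start, end = search_window_from_log(SECRET_TS // NS_PER_SECOND)
    print("candidates implied by a second-precision log line:",
          candidates_in_window(start, end))
    # A full second is too much for a Python demo; the narrowed window below
    # is a constructed assumption standing in for GPU throughput.
    found = recover_timestamp(CIPHERTEXT, KNOWN_PREFIX, SECRET_TS - 2000, SECRET_TS + 3000)
    print("recovered timestamp:", found)
    print("decrypted:", decrypt(CIPHERTEXT, found) if found is not None else None)
```

The check needs only as many plaintext bytes as are required to rule out accidental matches (an 8-byte prefix gives a false-positive probability of roughly 2^-64 per candidate), which is why a known file header is enough to drive the search; the full per-second window of 10^9 candidates is what makes the GPU port and the log-based narrowing described above necessary.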
To optimize brute-forcing, the following steps were taken:
The full source code for the brute-force tool used in this recovery effort is available on GitHub, providing a comprehensive framework for those facing similar challenges:
https://github.com/yohanes/akira-bruteforce
This achievement serves as a beacon of hope for organizations hit by ransomware. By understanding and exploiting vulnerabilities in the encryption process, cybersecurity experts can develop effective countermeasures, often without needing to engage with hackers.
However, it’s crucial to note that with each success, these threats evolve, emphasizing the ongoing need for vigilance and innovation in digital security.
The approach outlined here applies to specific versions of Akira ransomware. As malware evolves, new methods may be needed to address updated encryption techniques.
By leveraging technological advancements and collaborative efforts, the fight against ransomware continues to gain momentum. In the battle against cyber threats, resilience and innovation will remain paramount.