A team successfully decrypted an instance of the Akira ransomware on Linux/ESXi systems without succumbing to the hackers’ demands.
This achievement not only underscores the ingenuity of cybersecurity experts but also serves as a powerful message to those who rely on extorting from vulnerable businesses and individuals.
The Akira ransomware, known for its complex encryption mechanisms, has evolved over time, with newer variants posing significant challenges to cybersecurity professionals.
The variant discussed here, active since late 2023, required innovative approaches to bypass its encryption.
Akira ransomware has been a notable threat, with multiple versions surfacing over the years.
An earlier version, which contained a bug allowing Avast to develop a decryptor tool, was effectively patched by the attackers once exposed. This pattern suggests that the malware continues to evolve in response to security efforts, as per a report by Security Researchers.
To combat the latest iteration, researchers focused on understanding its encryption process. The ransomware uses nanosecond-resolution timestamps to seed its Yarrow256 algorithm, generating unique encryption keys for each file.
This process involves multiple rounds of SHA-256 hashing, making brute-force attacks seem daunting.
The encryption process can be outlined as follows:
void generate_random(char *buffer, int size) {
uint64_t t = get_current_time_nanosecond();
char seed[32];
snprintf(seed, sizeof(seed), "%lld", t);
struct yarrow256_ctx ctx;
yarrow256_init(&ctx, 0, NULL);
yarrow256_seed(&ctx, strlen(seed), seed);
yarrow256_random(&ctx, size, buffer);
}
To perform brute-force attacks efficiently, plaintext samples are necessary. For VMware files, the following strategies were employed:
While brute-forcing seemed unfeasible at first, optimizations made it more practical.
Initial estimates suggested a processing time of about 100,000 timestamp-to-random bytes conversions per second on a single CPU. This was significantly improved using GPUs, reducing conversion times from hours to minutes.
To further refine the search, log files from ESXi hosts were used to estimate when the encryption occurred. Although these logs may only offer second-level precision, they help narrow down the search space.
To optimize brute-forcing, the following steps were taken:
The full source code for the brute-force tool used in this recovery effort is available on GitHub, providing a comprehensive framework for those facing similar challenges:
https://github.com/yohanes/akira-bruteforce
This achievement serves as a beacon of hope for organizations hit by ransomware. By understanding and exploiting vulnerabilities in the encryption process, cybersecurity experts can develop effective countermeasures, often without needing to engage with hackers.
However, it’s crucial to note that with each success, these threats evolve, emphasizing the ongoing need for vigilance and innovation in digital security.
The approach outlined here applies to specific versions of Akira ransomware. As malware evolves, new methods may be needed to address updated encryption techniques.
By leveraging technological advancements and collaborative efforts, the fight against ransomware continues to gain momentum. In the battle against cyber threats, resilience and innovation will remain paramount.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
Cybersecurity researchers and red teamers, a newly released tool named CefEnum is shedding light on…
Russian threat actors have been leveraging trusted cloud infrastructure platforms like Oracle Cloud Infrastructure (OCI)…
A critical security vulnerability has been discovered in Netwrix Password Secure, a widely used enterprise…
Cisco Talos has uncovered active exploitation of a zero-day remote-code-execution vulnerability, identified as CVE-2025-0994, in…
The Foundation for Defense of Democracies (FDD) and cybersecurity firm TeamT5 has exposed an intricate…
A sophisticated social engineering campaign that leverages the viral power of TikTok to distribute dangerous…