Decrypting Akira Ransomware on Linux/ESXi Without Paying Hackers

A team successfully decrypted an instance of the Akira ransomware on Linux/ESXi systems without succumbing to the hackers’ demands.

This achievement not only underscores the ingenuity of cybersecurity experts but also serves as a powerful message to those who rely on extorting from vulnerable businesses and individuals.

The Akira ransomware, known for its complex encryption mechanisms, has evolved over time, with newer variants posing significant challenges to cybersecurity professionals.

The variant discussed here, active since late 2023, required innovative approaches to bypass its encryption.

Background on Akira Ransomware

Akira ransomware has been a notable threat, with multiple versions surfacing over the years.

An earlier version, which contained a bug allowing Avast to develop a decryptor tool, was effectively patched by the attackers once exposed. This pattern suggests that the malware continues to evolve in response to security efforts, as per a report by Security Researchers.

To combat the latest iteration, researchers focused on understanding its encryption process. The ransomware uses nanosecond-resolution timestamps to seed its Yarrow256 algorithm, generating unique encryption keys for each file.

This process involves multiple rounds of SHA-256 hashing, making brute-force attacks seem daunting.

Decrypting Process: Understanding the Encryption

The encryption process can be outlined as follows:

1. Random Key Generation: The ransomware generates random keys using the current time in nanoseconds as a seed. This seed is used in conjunction with the Yarrow256 algorithm, which is seeded and reseeded multiple times.

void generate_random(char *buffer, int size) {
    uint64_t t = get_current_time_nanosecond();
    char seed[32];
    snprintf(seed, sizeof(seed), "%lld", t);
    struct yarrow256_ctx ctx;
    yarrow256_init(&ctx, 0, NULL);
    yarrow256_seed(&ctx, strlen(seed), seed);
    yarrow256_random(&ctx, size, buffer);
}

2. Encryption Process: Each file is divided into blocks. The first part of each block is encrypted using KCipher2, while the rest is encrypted with Chacha8. The keys generated are then encrypted using RSA-4096 and saved at the end of the file.

3. Brute-Force Approach: Given the complexity of the encryption, a brute-force method was adopted. This involved guessing possible nanosecond timestamps when the encryption occurred, generating keys based on these timestamps, and testing them against known plaintexts from files like flat-VMDKs.

VMware File Types: Identifying Plaintext

To perform brute-force attacks efficiently, plaintext samples are necessary. For VMware files, the following strategies were employed:

• Flat-VMDKs: These files can provide the initial 8 bytes needed for brute-forcing KCipher2 encryption. Identifying them requires knowing the original VM’s OS, which can be deduced from VMX files.
• Sesparse: These files have a unique header and, at offset 65,535, contain zeros, providing additional plaintext for Chacha8 encryption.

Feasibility and Optimization

While brute-forcing seemed unfeasible at first, optimizations made it more practical.

Initial estimates suggested a processing time of about 100,000 timestamp-to-random bytes conversions per second on a single CPU. This was significantly improved using GPUs, reducing conversion times from hours to minutes.

To further refine the search, log files from ESXi hosts were used to estimate when the encryption occurred. Although these logs may only offer second-level precision, they help narrow down the search space.

To optimize brute-forcing, the following steps were taken:

1. Enumeration: Given the complexity of directly guessing four timestamps, a strategy was developed to estimate ranges based on the malware’s execution time and system variability.
2. GPU Acceleration: With GPU acceleration, the processing speed increased dramatically, allowing for faster enumeration of possible timestamp pairs.
3. Known Plaintext: The first 8 bytes of files like flat-VMDKs served as critical plaintext. For larger files, additional plaintext at offset 65,535 was used.

The full source code for the brute-force tool used in this recovery effort is available on GitHub, providing a comprehensive framework for those facing similar challenges:

https://github.com/yohanes/akira-bruteforce

This achievement serves as a beacon of hope for organizations hit by ransomware. By understanding and exploiting vulnerabilities in the encryption process, cybersecurity experts can develop effective countermeasures, often without needing to engage with hackers.

However, it’s crucial to note that with each success, these threats evolve, emphasizing the ongoing need for vigilance and innovation in digital security.

The approach outlined here applies to specific versions of Akira ransomware. As malware evolves, new methods may be needed to address updated encryption techniques.

By leveraging technological advancements and collaborative efforts, the fight against ransomware continues to gain momentum. In the battle against cyber threats, resilience and innovation will remain paramount.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.