News Overview
- A programmer has developed a method to decrypt the Akira ransomware strain affecting Linux systems by utilizing Graphics Processing Units (GPUs) to brute-force encryption keys.
Original article link: Akira ransomware decryption method uses GPUs to brute force keys
In-Depth Analysis
- Akira Ransomware Variant: Active since late 2023, the Akira Linux V3 variant targets Linux and ESXi hosts. It encrypts the first 65,535 bytes of each file with KCipher2 and the remainder with ChaCha8. The recovery method does not break either cipher; the weakness is in key generation. The seeds are taken from the current time in nanoseconds, so the effective key space is only the range of plausible timestamps, and if the approximate encryption time of a file is known, the seeds can be brute-forced.
- Decryption Methodology: Reverse-engineering the sample showed that it performs four time-seeded random generations per file, each taken at a slightly different moment: two for KCipher2 (t3 and t4) and two for ChaCha8 (t1 and t2). Once the offsets between these generations are determined, the candidate space is the set of timestamps consistent with them, and each candidate is verified by encrypting a known plaintext and comparing the result against the ciphertext. That check is independent per candidate, which is why it maps well onto GPUs: an RTX 3090 tests roughly 1.5 billion encryptions per second, so covering 2 million offsets takes about 16 days on one GPU or about a day on 16 GPUs.
- Resource Requirements: The source code has been released, so victims can attempt recovery themselves. They need the encrypted files' timestamps, the ciphertexts, and substantial GPU time. Renting cloud GPUs is a cost-effective alternative to buying hardware; the cost scales with the number and size of encrypted files and with the width of the offset range that must be searched.
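To make the search concrete, here is an added, self-contained C model of the weakness and the recovery loop. It is not the programmer's tool and not Akira's code: the page does not describe Akira's key derivation, so `derive_key_nonce` is a hypothetical stand-in (splitmix64 seeded with the nanosecond timestamp, standing in for "seed = current time"), a single timestamp is modeled rather than the four correlated ones, and the ChaCha8 half of the scheme is used throughout (KCipher2 is omitted). The 64-byte sample "file" with an ELF header prefix is constructed for the demo, and all function names are this example's own. What it shows is the part that matters: the keystream is fixed entirely by a timestamp, so an analyst who knows a few plaintext bytes and an approximate time needs to test only the timestamps in that window, not a 256-bit key space.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ChaCha8: the standard ChaCha core with 8 rounds, 32-byte key, 12-byte nonce, 32-bit block counter. */
#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) do { a += b; d ^= a; d = ROTL32(d, 16); c += d; b ^= c; b = ROTL32(b, 12); \
                            a += b; d ^= a; d = ROTL32(d, 8);  c += d; b ^= c; b = ROTL32(b, 7); } while (0)

static uint32_t load32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void chacha8_block(const uint8_t key[32], const uint8_t nonce[12], uint32_t counter, uint8_t out[64]) {
    uint32_t s[16], x[16];
    s[0] = 0x61707865; s[1] = 0x3320646e; s[2] = 0x79622d32; s[3] = 0x6b206574; /* "expand 32-byte k" */
    for (int i = 0; i < 8; i++) s[4 + i] = load32(key + 4 * i);
    s[12] = counter;
    for (int i = 0; i < 3; i++) s[13 + i] = load32(nonce + 4 * i);
    memcpy(x, s, sizeof x);
    for (int r = 0; r < 8; r += 2) { /* 4 double rounds (column, then diagonal) = 8 rounds */
        QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
        QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
    }
    for (int i = 0; i < 16; i++) {
        uint32_t v = x[i] + s[i];
        out[4 * i] = (uint8_t)v; out[4 * i + 1] = (uint8_t)(v >> 8);
        out[4 * i + 2] = (uint8_t)(v >> 16); out[4 * i + 3] = (uint8_t)(v >> 24);
    }
}

/* XOR `len` bytes with the ChaCha8 keystream (counter from 0). The same call encrypts and decrypts. */
void chacha8_xor(const uint8_t key[32], const uint8_t nonce[12], const uint8_t *in, uint8_t *out, size_t len) {
    uint8_t ks[64];
    for (size_t off = 0; off < len; off += 64) {
        chacha8_block(key, nonce, (uint32_t)(off / 64), ks);
        size_t n = len - off < 64 ? len - off : 64;
        for (size_t i = 0; i < n; i++) out[off + i] = in[off + i] ^ ks[i];
    }
}

/* Hypothetical time-seeded key derivation (NOT Akira's routine; the page does not describe it). Whatever PRNG
   sits here, the 64-bit seed only ever takes values inside the window of plausible timestamps. */
static uint64_t splitmix64(uint64_t *state) {
    uint64_t z = (*state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}
void derive_key_nonce(uint64_t seed_ns, uint8_t key[32], uint8_t nonce[12]) {
    uint8_t buf[48];
    uint64_t st = seed_ns;
    for (int i = 0; i < 6; i++) {
        uint64_t v = splitmix64(&st);
        for (int j = 0; j < 8; j++) buf[8 * i + j] = (uint8_t)(v >> (8 * j)); /* little-endian, deterministic */
    }
    memcpy(key, buf, 32);
    memcpy(nonce, buf + 32, 12);
}

/* The search: try every nanosecond in [lo, hi]; the candidate whose keystream turns the ciphertext back into the
   known plaintext is the seed. Returns it, or 0 if nothing matches. One keystream block per candidate suffices
   (known_len <= 64); with 8 known bytes a false match costs about 2^-64 per candidate. */
uint64_t recover_seed(const uint8_t *ct, const uint8_t *known_pt, size_t known_len, uint64_t lo, uint64_t hi) {
    uint8_t key[32], nonce[12], ks[64];
    if (known_len > 64) known_len = 64;
    for (uint64_t t = lo; t <= hi; t++) {
        derive_key_nonce(t, key, nonce);
        chacha8_block(key, nonce, 0, ks);
        size_t i = 0;
        while (i < known_len && (ct[i] ^ ks[i]) == known_pt[i]) i++;
        if (i == known_len) return t;
    }
    return 0;
}

/* Constructed 64-byte sample "file": an ELF header prefix (8 predictable bytes) followed by filler. */
static void build_sample(uint8_t out[64]) {
    static const uint8_t elf_magic[8] = {0x7f, 'E', 'L', 'F', 2, 1, 1, 0};
    memcpy(out, elf_magic, 8);
    for (int i = 8; i < 64; i++) out[i] = (uint8_t)('a' + i % 26);
}

/* Victim side: the sample is encrypted at true_ns. Recovery side: the analyst's time estimate is off by
   estimate_err ns and is searched +/- window ns, knowing only the 8 header bytes. Returns the recovered
   timestamp when the decrypted file matches the original, 0 when the window misses or nothing matches. */
uint64_t demo(uint64_t true_ns, int64_t estimate_err, uint64_t window) {
    uint8_t pt[64], ct[64], dec[64], key[32], nonce[12];
    build_sample(pt);
    derive_key_nonce(true_ns, key, nonce);
    chacha8_xor(key, nonce, pt, ct, 64);
    uint64_t center = true_ns + (uint64_t)estimate_err;
    uint64_t found = recover_seed(ct, pt, 8, center - window, center + window);
    if (found == 0) return 0;
    derive_key_nonce(found, key, nonce);
    chacha8_xor(key, nonce, ct, dec, 64); /* stream cipher: applying it again decrypts */
    return memcmp(pt, dec, 64) == 0 ? found : 0;
}

int main(void) {
    /* Estimate 0.3 ms early, window +/- 1 ms: 2 million candidates, the order of the page's "2 million offsets". */
    uint64_t true_ns = 1700000000123456789ULL, found = demo(true_ns, -300000, 1000000);
    printf("recovered seed %llu (%s)\n", (unsigned long long)found, found == true_ns ? "match" : "MISS");
    return found == true_ns ? 0 : 1;
}
```

The loop in `recover_seed` is the unit of work that a GPU version spreads across threads, each taking a slice of the timestamp range; the per-candidate cost is one key derivation plus one 64-byte block, which is why throughput is measured in encryptions per second. Two things the model makes visible: the width of the window, not the cipher, sets the cost, and the result is only as good as the known plaintext, so a file type with a fixed header is the right place to start.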
Commentary
This GPU-accelerated recovery method gives victims of this Akira variant a realistic path to their data without paying, which is a notable result. Its limits should be understood, though: it works because of an implementation flaw in how the ransomware seeds its keys, not because the ciphers were broken, and the operators can close that gap in a later build. Victims who want to attempt it should preserve the encrypted files together with their timestamps, since the search depends on both. More broadly, the episode underscores how quickly ransomware tooling changes and why defenders should not plan around decryptors appearing: tested, offline backups and regularly reviewed response procedures remain the dependable mitigation.