A programmer was able to decrypt the Akira strain of ransomware for Linux machines while helping a company that was breached, thereby recovering files and avoiding a ransom payment.
Programmer Yohanes Nugroho explained how he developed the decryption method in a blog post Thursday. Nugroho used this method to help a company that was breached this year recover their files.
Nugroho released the source code for his method on GitHub, which can be used by victims of the same Akira variant and requires the time stamps of affected files, known plaintext and ciphertext for comparison, and graphics processing units (GPUs) to brute force the encryption keys.
The Akira variant the decryption method is designed for has been active since late 2023 and affects Linux and ESXi machines. It is known as Akira Linux V3 and the exact sample hash for the variant is included in Nugroho’s blog post.
This variant uses KCipher2 to encrypt the first 65,535 (0xFFFF) bytes of each file and ChaCha8 to encrypt the remaining bytes. Importantly, the ransomware uses the current time, in nanoseconds, to generate the seeds for encryption, making it possible to brute-force decryption when the approximate encryption times are known.
How programmer reverse-engineered Akira ransomware
Nugroho reverse engineered the Akira sample and discovered it performs four random generations per file at four different times, two for KCipher2 (t3 and t4) and two for ChaCha8 (t1 and t2).
The fact that these times are related to each other complicates the brute-forcing process, requiring the offset between the first (t3) and second (t4) generations to be determined. This offset varies between systems and files; for example, on the company system Nugroho decrypted it ranged from 1.5 to 5 million nanoseconds, giving 4.5 quadrillion possible pairs to brute-force.
Additionally, the VMware VMFS filesystem only provides file modification time stamps down to the second and records the time stamp when the file is closed rather than when it is opened (when encryption starts).
Nugroho determined that the encryption start time of one file could be determined by the file modification time (encryption end time) of the previous file encrypted, providing the necessary information to brute-force the nanosecond time stamps needed.
Nugroho’s blog post discussed potential GPU setups that can be used to run the brute-force decryption process, noting that an RTX 3090 can test about 1.5 billion encryptions per second.
“Testing 2 million offsets would require approximately 16 days on a single GPU, or just 1 day using 16 GPUs,” Nugroho wrote.
Rather than purchasing one or several GPUs, companies could consider affordable cloud-based GPU rental services like RunPod or Vast AI. The exact cost will depend on the number and size of encrypted files and on the offset range (how many possible t3/t4 pairs need to be brute-forced). Nugroho noted he spent about $1,200 total for all of his tests and experiments.
Akira victims can use Nugroho’s code to aid in their own decryption, which requires them to obtain the time stamps and ciphertexts of the encrypted files, test their own server’s timing offsets using tools provided in Nugroho’s GitHub repo, and acquire the necessary GPU resources for brute forcing.
The method first brute forces the KCipher2 encryption by finding t3 and t4, and for large files, brute forces ChaCha8 by finding t1 and t2. This is possible once t3 is known, as the distance between t3 and t1 is less than 10 million nanoseconds.
After all four encryption seed initialization times are found, the user can use them to run the decryptor.
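The staged recovery described above (a 1-second start window taken from the previous file’s modification time, a t3/t4 pair search with known plaintext on the first 0xFFFF bytes, then a t1/t2 search near t3 for the ChaCha8 region) is modelled end to end in the following added example. It is not Nugroho’s code: the real KCipher2 and ChaCha8 are replaced by an HMAC-SHA256 counter-mode stand-in that only preserves the property the attack depends on, namely that the keystream is a deterministic function of two nanosecond timestamps. All search ranges (`OFFSET_RANGE`, `T1_RADIUS`, `T2_OFFSET_RANGE`, `WINDOW_SPAN`), the sample file, and the timestamps are constructed and scaled down so the search finishes in well under a second on a CPU; scaling `WINDOW_SPAN` to one full second and `OFFSET_RANGE` to the millions of nanoseconds the article quotes is what turns this into a multi-GPU job.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

NS_PER_S = 1_000_000_000
HEAD_LEN = 0xFFFF   # bytes covered by the first cipher (KCipher2 in the real sample)
KNOWN = 16          # bytes of known plaintext compared per candidate pair

# Constructed, toy-scaled search parameters (real ranges from the article in comments)
OFFSET_RANGE = (20, 60)     # candidate t4 - t3; real: roughly 1.5 to 5 million ns
T1_RADIUS = 200             # bound on |t1 - t3|; real: under 10 million ns
T2_OFFSET_RANGE = (0, 40)   # candidate t2 - t1 (constructed for the toy)
WINDOW_SPAN = 400           # width of the t3 window searched; real: 1 s = 1e9 ns


def keystream(label: bytes, seed_a: int, seed_b: int, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode, keyed from two ns seeds.
    NOT KCipher2 or ChaCha8; it only reproduces 'keystream = f(t_a, t_b)'."""
    key = struct.pack(">Q", seed_a)
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, label + struct.pack(">QQ", seed_b, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_file(data: bytes, t1: int, t2: int, t3: int, t4: int) -> bytes:
    """First HEAD_LEN bytes under the (t3, t4) stream, the rest under the (t1, t2) stream.
    XOR streams mean the same call decrypts when given ciphertext."""
    head, tail = data[:HEAD_LEN], data[HEAD_LEN:]
    return xor(head, keystream(b"kcipher2", t3, t4, len(head))) + \
           xor(tail, keystream(b"chacha8", t1, t2, len(tail)))


def t3_window_from_prev_mtime(prev_mtime_s: int, span_ns: int = NS_PER_S) -> range:
    """VMFS records whole-second mtimes at file close, so the previous file's mtime
    (end of its encryption) bounds the start of this file's. Real span: one second."""
    start = prev_mtime_s * NS_PER_S
    return range(start, start + span_ns)


def recover_head_seeds(ct: bytes, known_head: bytes, window: range,
                       offset_range: Tuple[int, int]) -> Optional[Tuple[int, int]]:
    """Stage 1: search every (t3, t3 + offset) pair until the keystream reproduces
    ciphertext XOR known plaintext on the first KNOWN bytes."""
    target = xor(ct[:KNOWN], known_head[:KNOWN])
    for t3 in window:
        for off in range(*offset_range):
            if keystream(b"kcipher2", t3, t3 + off, KNOWN) == target:
                return t3, t3 + off
    return None


def recover_tail_seeds(ct: bytes, known_tail: bytes, t3: int, radius: int,
                       t2_offset_range: Tuple[int, int]) -> Optional[Tuple[int, int]]:
    """Stage 2 (large files only): t1 lies within `radius` of the recovered t3,
    so the ChaCha8-region search is small once stage 1 has succeeded."""
    target = xor(ct[HEAD_LEN:HEAD_LEN + KNOWN], known_tail[:KNOWN])
    for t1 in range(t3 - radius, t3 + radius + 1):
        for off in range(*t2_offset_range):
            if keystream(b"chacha8", t1, t1 + off, KNOWN) == target:
                return t1, t1 + off
    return None


def demo() -> Tuple[Tuple[int, int, int, int], bool]:
    """Constructed victim file: 72,000 bytes, so both cipher regions exist."""
    plaintext = b"\x89PNG\r\n\x1a\n" * 9000
    prev_mtime_s = 1_700_000_000            # constructed mtime of the previously encrypted file
    t3 = prev_mtime_s * NS_PER_S + 137      # this file's encryption starts 137 ns into that second
    t4 = t3 + 42
    t1 = t3 + 95
    t2 = t1 + 17
    ct = encrypt_file(plaintext, t1, t2, t3, t4)

    window = t3_window_from_prev_mtime(prev_mtime_s, span_ns=WINDOW_SPAN)
    r3, r4 = recover_head_seeds(ct, plaintext[:KNOWN], window, OFFSET_RANGE)
    r1, r2 = recover_tail_seeds(ct, plaintext[HEAD_LEN:], r3, T1_RADIUS, T2_OFFSET_RANGE)
    recovered = encrypt_file(ct, r1, r2, r3, r4)
    return (r1, r2, r3, r4), recovered == plaintext


if __name__ == "__main__":
    seeds, ok = demo()
    print("recovered seeds:", seeds, "plaintext restored:", ok)
```

The cost structure the article describes falls straight out of the two nested loops in `recover_head_seeds`: the work is the width of the t3 window multiplied by the number of candidate offsets, which is why narrowing the window with the previous file’s mtime and measuring the offset range on the victim’s own hardware matter more than raw GPU count.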
Nugroho noted it is possible the creators of the Akira ransomware will change their encryption methods to prevent this decryption method from being used. Avast published a decryptor for Akira in July 2023 by leveraging a vulnerability in the ransomware, which led to that vulnerability being fixed in later versions.