Tom’s Hardware
Dallin Grimm

Akira ransomware can be cracked with sixteen RTX 4090 GPUs in around ten hours — new counterattack breaks encryption

GeForce RTX 3090.

The dreaded Akira ransomware attack has had another hole blown through its hull. Blogger Tinyhack has discovered a new exploit to brute-force the ransomware's encryption and has reportedly already used it to restore the data of an attacked company. Companies hit by Akira may now be able to recover their files thanks to this GPU-based brute-force counterattack. With a single RTX 4090, Tinyhack found they could crack the encrypted files in seven days, and with 16 GPUs, the process would take just over ten hours.

Akira is a ransomware attack aimed at high-profile targets, first discovered in 2023 and known for ludicrously high ransom requests (sometimes reaching tens of millions of dollars). In 2023, Avast's Threat Research Team found the method Akira used to encrypt victim files and published a free decryption tool to free computers from the attack. Akira then patched this high-profile crack, adding some bespoke details to its originally publicly available encryption methods.

At least one Akira variant uses an encryption method that can be broken with the new GPU-based brute-force method over a period of days or weeks. The Akira attack uses the ChaCha8 and KCipher-2 encryption methods to generate per-file encryption keys, using four distinct timestamps, in nanoseconds, as seeds. These timestamps can be narrowed to a tight range averaging 5 million nanoseconds (0.005 seconds) and then found precisely by brute force, a process that requires top-end GPUs such as Nvidia's RTX 3090 or 4090.

Several things must go right for those hoping to execute the decryption method. Encrypted files must be untouched following the encryption so that the timestamp at which the file was last accessed can be found and used for the brute-force. Using NFS (as opposed to files just living on the network's local disks) can also complicate decryption, as server lag makes it more difficult to determine the true timestamps used by the encryption.

Using an RTX 4090, decrypting a single file takes around 7 days: this covers running through every possible nanosecond in the average range of 4.5 million nanoseconds, finding the correct four timestamps, and generating the appropriate decryption keys. Affected organizations are recommended to rent servers through services like RunPod or Vast.ai, using multiple GPU servers to bring the time down. Tinyhack's client took around 3 weeks to successfully decrypt a full set of VM files.
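The recovery idea described above, reduced to one timestamp, as an added example that is not code from Tinyhack's post or from Akira. It assumes a stand-in SHA-256 keystream instead of ChaCha8/KCipher-2, a known file header, and a seed taken shortly before the file's last-modified time; all names and sample values are constructed.

```python
import hashlib

def keystream(seed_ns: int, length: int) -> bytes:
    """Stand-in generator keyed only by a nanosecond timestamp (assumption, not Akira's KDF)."""
    key = hashlib.sha256(seed_ns.to_bytes(8, "little")).digest()
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:length]

def xor_bytes(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(data: bytes, seed_ns: int) -> bytes:
    """XOR stream cipher: the same call also decrypts."""
    return xor_bytes(data, keystream(seed_ns, len(data)))

def recover_seed(ciphertext: bytes, known_prefix: bytes, mtime_ns: int, window_ns: int):
    """Walk backwards from the file's last-modified time, one nanosecond per step.

    A candidate is accepted when its keystream reproduces the bytes implied by
    the known plaintext header. Returns None if the window does not contain the
    seed, e.g. because the file was touched after encryption or the timestamp
    is skewed by network storage latency.
    """
    n = len(known_prefix)
    expected = xor_bytes(ciphertext[:n], known_prefix)
    for candidate in range(mtime_ns, mtime_ns - window_ns - 1, -1):
        if keystream(candidate, n) == expected:
            return candidate
    return None

# Constructed sample data: a 16-byte header followed by file contents.
SAMPLE_HEADER = b"CONSTRUCTED-HDR!"
SAMPLE_PLAINTEXT = SAMPLE_HEADER + b"payload bytes of a constructed sample file" * 4
SAMPLE_MTIME_NS = 1_700_000_000_000_000_000   # constructed last-modified time
SAMPLE_SEED_NS = SAMPLE_MTIME_NS - 12_345     # constructed key-generation time

if __name__ == "__main__":
    ct = encrypt(SAMPLE_PLAINTEXT, SAMPLE_SEED_NS)
    seed = recover_seed(ct, SAMPLE_HEADER, SAMPLE_MTIME_NS, 50_000)
    print("recovered seed:", seed)
    print("plaintext restored:", encrypt(ct, seed) == SAMPLE_PLAINTEXT)
```

With several independent timestamps the candidate space is the product of the individual windows, which is why the real search needs GPU throughput while this single-seed version runs on a CPU.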

Ransomware attacks are most often impossible to decrypt without paying the ransom, so finding a method to circumvent the attack is a big win for cybersecurity research. While those behind Akira will likely patch this method quickly for future attacks, as they did after the Avast decryption release, those already hit by Akira may be able to free infected systems with this method.

Tinyhack's blog post runs through the entire process of discovering the vulnerability and full instructions to decrypt with it, so please head there to get an exhaustive look at brute-forcing a way into Akira. Ransomware has come a long way since its beginnings on a floppy disk sent by mail, and today marks another victory against it.
