Cybersecurity company Avast has released a free decryptor for Akira ransomware which can help victims to recover their data without paying any money to crooks.

Akira first published March 2023 and made a name for himself quickly amassing casualties as he targeted organizations around the world in a wide range of industries.

Starting in June 2023, Akira operators began deploying a Linux variant of their encryptor to attack VMware ESXi virtual machines, increasing the group’s exposure to encryption attacks.

Akira encryption

Avast’s analysis of Akira’s encryption scheme confirms previous reports, describing that the malware uses a symmetric key generated by CryptGenRandom, which is then encrypted by a bundled RSA-4096 public key and appended to the end of a encrypted file.

As the threat actors are the only ones with the private RSA decryption key, this should have prevented anyone from decrypting the files without first paying a ransom.

The Windows and Linux versions of Akira ransomware are very similar in the way they encrypt devices. However, the Linux version uses the Crypto++ library instead of Windows CryptoAPI.

Footer structure of an Akira-encrypted file
Footer structure of an Akira-encrypted file (avast)

Avast does not explain how it cracked Akira’s encryption, but the security company may have exploited the ransomware’s partial file encryption approach.

Akira on Windows only partially encrypts files for a faster process, following a different encryption system depending on file size.

For files smaller than 2,000,000 bytes, Akira will only encrypt the first half of the file contents.

For files larger than 2,000,000 bytes, the malware will encrypt four blocks based on a pre-calculated block size determined by the total file size.

The Linux version of Akira gives operators a “-n” command line argument that allows them to determine precisely what percentage of the victim’s files should be encrypted.

Unfortunately, now that a decryptor has been released, the Akira ransomware operation will likely dig into their code to find the flaw in their encryption and fix it, preventing future victims from recovering files for free.

Avast decryptor

Avast has released two versions of its Akira decryption software, one for 64 bit And one for 32 bit Windows architectures.

The security company recommends using the 64-bit version because cracking the password requires a lot of system memory.

Cracking the password can take a long time
Crack the password may take some time (avast)

Users must provide the tool with a pair of files, one encrypted by Akira and the other in its original plain text form, to allow the tool to generate the correct decryption key.

“It is extremely important to choose a pair of files that are as large as possible”, warns Avast.

“Due to Akira’s block size calculation, there may be a considerable difference on the size limit, even for files that differ by 1 byte in size.”

Pair of files scanned on the decryptor
Pair of files scanned on the decryptor (avast)

The size of the original file will also be the upper limit of a file that can be decrypted by Avast’s tool, so choosing the largest available is crucial for a complete data restoration.

Finally, the decryptor offers the possibility to save encrypted files before trying to decrypt them, which is recommended, because your data can be irreversibly corrupted in case something goes wrong.

Avast says they are working on a Linux decryptor, but victims can use the Windows version for now to decrypt all files that have been encrypted on Linux.

Source link