I recently helped a company recover their data from the Akira ransomware without paying the ransom. I’m sharing how I did it, along with the full source code.
The code is here: https://github.com/yohanes/akira-bruteforce
To clarify, multiple ransomware variants have been named Akira over the years, and several versions are currently circulating. The variant I encountered has been active from late 2023 to the present (the company was breached this year).

There was an earlier version (before mid-2023) that contained a bug, allowing Avast to create a decryptor. However, once this was published, the attackers updated their encryption. I expect they will change their encryption again after I publish this.
You can find various Akira malware sample hashes at the following URL:
https://github.com/rivitna/Malware/blob/main/Akira/Akira_samples.txt
The sample that matches my client’s case is:
bcae978c17bcddc0bf6419ae978e3471197801c36f73cff2fc88cecbe3d88d1a
It is listed under the version: Linux V3. The sample can be found on virus.exchange (just paste the hash to search).
Note that the ransom message and the private/public keys will differ.
We do this not because it is easy, but because we thought it would be easy
I usually decline requests to assist with ransomware cases. However, when my friend showed me this particular case, a quick check made me think it was solvable.