
Decrypting encrypted files from Akira ransomware using a bunch of GPUs

__alexander

Note: Someone commented on the “limited shelf-life” of ransomware and why this doesn’t hurt other victims. They deleted their comment but I’m posting my response.

You are incorrect. What is limited is the number of attacks that can be used for victims to recover their files. If you think the author is the only person that was using this attack to recover files, you are incorrect again. I'd recommend checking out the book The Ransomware Hunting Team. It's an interesting book about what happens behind the scenes when helping victims recover their files.

bawolff

Anyone know why they are using timestamps instead of /dev/random?

Don't get me wrong, I'm glad they don't; it's just kind of surprising, as it seems like such a rookie mistake. Is there something I'm missing here, or is it more a case of people who know what they are doing not choosing a life of crime?

0cf8612b2e1e

Even if the attackers used encryption that has been fully broken since the 1980s, how many organizations have the expertise to dissect it?

I assume that threat detection maintains big fingerprint databases of tools associated with malware. Rolling your own tooling, rather than importing a known library, gives one less heuristic to trip detection.

dherls

Charitably, use of system-level randomness primitives can be audited by antivirus/EDR.

__alexander

Rolling your own crypto is still a thing.

mschuster91

If it works (reasonably) it works, and it throws wrenches into the gears of security researchers when the code isn't the usual, immediately recognizable S-boxes and other patterns or library calls.

null

[deleted]

throwaway48476

Ransomware would be less of a problem if applications were sandboxed by default.

gblargg

Or if people backed up more often.

fragmede

> I expect [the attackers] will change their encryption again after I publish this.

If they realize that, why publish this? Seems irresponsible at best to give a decryptor in such gory detail for what, Internet cred? It's an interesting read, and my intellectual curiosity is piqued; it just seems keeping the details to yourself would be better for the community at large.

> Every time I wrote something about ransomware (in my Indonesian blog), many people will ask for ransomware help. ...

> Just checking if the ransomware is recoverable or not may take several hours with a lot of efforts (e.g: if the malware is obfuscated/protected). So please don't ask me to do that for free

So charge them for it?

cannonpalms

> why publish this?

New versions of Akira and any other ransomware are constantly being developed. This code is specific to a certain version of the malware.

As noted in the article, it also requires:

1. An extremely capable sysadmin
2. A bunch of GPU capacity
3. That the timestamps be brute-forced separately

So it's not exactly a turn-key defeat of Akira.

martinsnow

Why don't you do the legwork instead of asking rhetorical questions?

charcircuit

Legwork of what? Companies already have done the legwork to make it easy for strangers to send you money.

technion

Companies that "do the legwork" of decrypting ransomware for the most part just pay the ransom on your behalf.

null

[deleted]

dylan604

Once your files are encrypted by ransomware, does the encryption change if the malware gets updated? If not, then anyone currently infected with this version can now possibly recover.

If they don't release their code, then what's the point of having the code? They accomplished their task, and now here you go for someone else that might have the same need. Otherwise, don't get infected by a new version.

IncreasePosts

How would it be better, unless it's widely known to be breakable? And at that point, wouldn't the hackers know that too?