New Akira Ransomware Decryptor Leans on Nvidia GPU Power
A security researcher has given victims of the prolific Akira ransomware hope that they can recover their encrypted data without having to pay a ransom.
Yohanes Nugroho, a software programmer from Indonesia who writes the Tinyhack blog, said he found a way to brute-force the malware’s encryption using Nvidia GPUs that already has proven successful with one of the ransomware’s victims.
In a highly detailed blog post, Nugroho runs through the three-week process of developing the decryptor, noting that his initial thought after a first look at the challenge was, “This should be easy – just brute-force it by looking at the file timestamps. How hard can it be?”
“It turned out to be more complicated than expected,” he added.
Such a decryptor is critical given the rising number of attacks by threat groups using the Akira ransomware-as-a-service (RaaS) and the massive amounts of ransoms demanded. The ransomware emerged in early 2023 and within four months had claimed more than five dozen victims. By the middle of last year, the number of victims had grown to more than 250 and generated more than $42 million in ransom payments, according to CISA and the FBI.
It also was evolving quickly, initially coming out with a variant that targeted Windows systems but then developing a Linux variant targeting VMware ESXi virtual machines.
In 2023, Avast released a decryptor for the Windows-focused variant, which contained a flaw the cybersecurity firm exploited. It only worked on Windows systems, however, and after it was published the attackers updated their encryption to close the weakness.
A Complex Puzzle to Solve
Nugroho wrote that a friend brought him the case of a company that had been attacked by the Linux-focused variant of Akira. A first look showed that the ransomware uses the current time in nanoseconds as a seed, which made a brute-force attack possible. On his Linux machine, file modification times have nanosecond resolution, and he was also given a screenshot of a partial log that showed, with millisecond resolution, when the ransomware was executed.
However, there were complicating factors. He noted that the variant he was dealing with has been active since late 2023, while the case he was looking at was from a company breached this year.
Encryption Methods a Challenge
The variant Nugroho addressed uses the KCipher-2 and ChaCha8 ciphers and seeds them with four distinct timestamps rather than one. Each of the four has nanosecond resolution, and the first two and last two are related, making it impossible to brute-force the timestamps one at a time. Each file ends up with a unique key, and key generation is complex, involving 1,500 rounds of SHA-256 hashing for each timestamp.
In addition, the malware uses multiple threads during execution, encrypting multiple files at the same time.
Adding to the challenge, the VMware VMFS filesystem records file modification times only with second-level precision, and not all ESXi hosts record millisecond resolution in their log files; some also have only second-level precision.
He did catch a break: although the malware is written in C++, which he wrote is difficult to read, in this case the code wasn’t obfuscated.
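As an added illustration (not Nugroho’s code and not Akira’s actual algorithm), the toy model below shows why a nanosecond timestamp seed can be searched exhaustively once a coarser log timestamp bounds it. The key derivation, keystream, sample file header and timestamps are all constructed stand-ins; only the 1,500-round SHA-256 count is taken from the article.

```python
# Added example, not from the article or the decryptor: a toy model of a
# nanosecond-time-seeded key and the bounded search a coarser log time allows.
import hashlib

ROUNDS = 1500  # per-timestamp hash rounds, matching the count the article describes


def derive_key(seed_ns: int) -> bytes:
    """Toy KDF: run the nanosecond timestamp through ROUNDS iterations of SHA-256.
    Stand-in only; Akira's real derivation is not reproduced here."""
    digest = seed_ns.to_bytes(8, "little")
    for _ in range(ROUNDS):
        digest = hashlib.sha256(digest).digest()
    return digest


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode) standing in for ChaCha8 / KCipher-2."""
    out = bytearray()
    for block in range(-(-length // 32)):
        out += hashlib.sha256(key + block.to_bytes(4, "little")).digest()
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(data: bytes, seed_ns: int) -> bytes:
    """XOR with the seed-derived keystream; applying it twice decrypts."""
    return xor(data, keystream(derive_key(seed_ns), len(data)))


def recover_seed(ciphertext: bytes, known_prefix: bytes, log_time_ms: int, window_ns: int):
    """Try every nanosecond seed in [log_time_ms, log_time_ms + window_ns) and return
    the one whose keystream turns the ciphertext prefix back into the known header.
    A millisecond log bounds the search to 10^6 seeds per timestamp; a seconds-only
    VMFS mtime widens it to 10^9, which is where GPU throughput becomes essential."""
    base_ns = log_time_ms * 1_000_000
    target = ciphertext[: len(known_prefix)]
    for seed in range(base_ns, base_ns + window_ns):
        if xor(target, keystream(derive_key(seed), len(known_prefix))) == known_prefix:
            return seed
    return None


# Constructed sample: a file starting with a known header, encrypted with a seed
# 400 ns into the millisecond that a hypothetical log line recorded.
SAMPLE_LOG_MS = 1_710_000_000_123
SAMPLE_SEED_NS = SAMPLE_LOG_MS * 1_000_000 + 400
SAMPLE_PLAINTEXT = b"# Disk DescriptorFile\nversion=1\n"
SAMPLE_CIPHERTEXT = encrypt(SAMPLE_PLAINTEXT, SAMPLE_SEED_NS)


def demo(window_ns: int = 1_000):
    """Search a 1,000 ns window (CPU-sized); returns (seed, decrypted bytes)."""
    seed = recover_seed(SAMPLE_CIPHERTEXT, SAMPLE_PLAINTEXT[:16], SAMPLE_LOG_MS, window_ns)
    return seed, (encrypt(SAMPLE_CIPHERTEXT, seed) if seed is not None else None)
```

The search window is kept to 1,000 candidates so it finishes in about a second on a CPU; the same loop over a full millisecond or second is what the CUDA port parallelises.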
The Power of GPUs
To break the encryption, Nugroho turned to GPUs. That work included leveraging ChatGPT to find ways to port the code to CUDA, Nvidia’s parallel computing platform for its GPUs. After some manual effort by the programmer, the code began to work. After that, the task was finding the right chips to use.
He initially used an Nvidia GeForce RTX 3060 GPU, but found it too slow, at best generating 60 million encryption tests a second. He upgraded to an RTX 3090, bumping performance up to about 1.5 billion encryptions per second, which meant testing 2 million offsets would require about 16 days on a single GPU or one day using 16 chips.
A jump to the RTX 4090 had the best results. The GPU is 60% more expensive than the RTX 3090, but faster, running 2 million offsets in seven days and – with 16 of the GPUs – dropping that to just more than 10 hours.
Nugroho suggested running the workloads in the cloud, pointing to RunPod or Vast AI as cost-effective options. He noted that performance likely can be improved by GPU experts who can optimize the code, adding that it’s probable that the Akira bad actors – as they did after Avast launched its decryptor – will eventually update their code to close the weaknesses that made his decryptor effective.
All told, he spent about $1,200 to develop the decryptor, which he has made available on GitHub.