Groundbreaking GPU Technology Unlocks Akira Ransomware Data Recovery

• The Akira ransomware group’s victims have a way to potentially retrieve their locked data.
• A security expert reverse-engineered the ransomware process and discovered the encryption’s timing mechanism flaws.
• While time-intensive and resource-heavy, leveraging GPUs for speed dramatically speeds up brute-forcing.

Victims of the Akira ransomware (Linux/ESXi variant 2024) may be able to recover their data without paying hefty ransoms. A company has already successfully restored its encrypted files utilizing advanced brute-force techniques accelerated by GPUs.  

This discovery was shared by a cybersecurity expert who had a new breakthrough in ransomware decryption.

The ransomware, which has been active since late 2023, uses multiple timestamps and complex encryption algorithms, including KCipher2 and Chacha8. The decryption process hinges on recreating encryption timestamps down to the nanosecond level–a challenge made feasible using GPU computing power.

The Akira ransomware seeds its encryption algorithm with timestamps recorded in nanoseconds. Researchers narrow down the potential timestamps used by analyzing the modification times on a victim’s files and other logs, reducing the scope for a brute-force attack.

GPUs such as the RTX 3090 and RTX 4090 dramatically speed up the brute-forcing process. With the optimized code, GPUs can process up to 1.5 billion possible encryption operations per second. Cloud services like Runpod and Vast.ai were used to rent GPU time affordably, further accelerating the process.

Insights gained from reverse engineering Akira's C++ code revealed that it uses modified standard encryption algorithms with unique parameters, making public decryptors ineffective. The researcher optimized a GPU-based solution to address these unique complexities.

Akira often targets businesses that rely on VMware systems, so understanding the file headers and configurations associated with VMware files proved crucial. The decryption process required examining known file metadata and structure patterns to provide plaintext-ciphertext pairs necessary for brute-forcing.

While time-intensive and resource-heavy, the brute-force decryption method leverages GPUs to provide a viable alternative for victims reluctant to pay ransoms.  

However, the researcher cautions that such strategies are case-specific and heavily reliant on precise logs, untouched file metadata, and robust computational power. With Akira’s developers likely to respond by refining their malware, the window for using this method may be limited.

The researcher has shared the decryption code and process documentation on GitHub to help others recover from Akira ransomware attacks.

While recovering files is not guaranteed and requires significant computing costs, the method offers hope for organizations with critical data held hostage.