Mistakes in hacker code create a narrow opportunity for ransomware victims to recover data. Observers note that errors in Akira’s encryption method allowed an Indonesian programmer to release a free decryptor that restores files through GPU-based computation.
Ransomware operators behind Akira sought profit through extortion. An Indonesian programmer, Yohannes Nugroho, built a solution that exploits flaws in the code. Affected organizations, along with security researchers and law enforcement bodies, form the broader group of stakeholders.
The Akira ransomware relies on ChaCha8 encryption. A coding error opened a route for brute-force tactics. The free tool posted on GitHub restores files through cloud-based GPU calculations that guess the keys faster than a standard CPU setup.
Flawed hacker code reduces extortion advantage for threat actors. Victims regain access to vital data without paying ransom. Criminals lose financial gains when victims solve the encryption puzzle independently.
Previous coding mistakes in Akira surfaced in 2023, and researchers revealed ongoing oversights in current versions. Hackers appear to be reacting slowly to patch the vulnerabilities, giving defenders a temporary upper hand. Public releases of decryptors shorten the timeframe for victims to respond effectively.
Some victims recovered essential data. Insurance firms see lower payouts when a free decryptor works. Criminal groups continue operating but encounter skepticism among potential targets.
Future ransomware families will refine encryption to block brute-force weaknesses. Implementation errors remain frequent among hacker groups. The cycle of patching and exploitation is likely to continue, with occasional breakthroughs that enable free file recovery.
Ransomware authors with improved coding practices will hide new encryption routines that prove harder to analyze. Public decryptors spark new waves of retaliation from threat actors. Innocent targets risk repeated attacks when criminals sense easy paydays, so a continuous focus on backups and system resilience remains prudent.
GPU Performance Comparison Table:

| GPU Model | Approximate Cryptographic Checks per Second |
|-----------|---------------------------------------------|
| RTX 3060  | 60 million                                  |
| RTX 3090  | 1.5 billion                                 |
| RTX 4090  | 3 billion                                   |
Researcher Yohannes Nugroho has revealed details of the method he used to crack the encryption of the Akira ransomware and restore the original files.
Based on the results of his research, he developed a decryptor for the Linux version of Akira, which uses the computing power of the GPU to extract the decryption key and unlock files.
However, the method itself is not universal and only works with Akira 2024 variants.
Yohannes took on the development of the decryptor after a friend asked for help.
He then estimated that the encrypted system could be cracked in a week, given that Akira generates its encryption keys from timestamps with nanosecond resolution.
But due to unforeseen complications, it took three weeks and $1,200 to rent the graphics processing power that allowed the encryption key to be cracked.
The decryptor works differently than traditional decryption tools.
It iterates through candidate encryption keys (unique for each file), relying on the fact that the Akira encryptor derives its keys from the current time used as a seed.
An encryption seed is data used with cryptographic functions to generate strong, unpredictable encryption keys.
Akira doesn’t rely on a single moment in time, but uses four, each with nanosecond resolution.
Key generation is complex, involving 1500 rounds of SHA-256 for each timestamp.
The nanosecond precision of the timestamps yields more than a billion possible values per second, which makes guessing the keys by brute force difficult.
Additionally, Akira on Linux encrypts multiple files at once using multithreading, making it difficult to determine the timestamp used and further complicating matters.
The researcher narrowed down the possible timestamps by reviewing log files shared by his friend.
The logs showed when the ransomware was launched; file metadata gave an estimate of when encryption completed; and benchmarking the encryption on different hardware produced predictable timing profiles.
Initial attempts using an RTX 3060 took too long, with a ceiling of only 60 million encryption tests per second. Upgrading to an RTX 3090 didn't help either.
Eventually, the researcher turned to the cloud GPU services RunPod and Vast.ai to confirm the effectiveness of his tool.
Specifically, he used sixteen RTX 4090 GPUs to brute-force the decryption key in about 10 hours.
However, depending on the number of encrypted files that need to be recovered, the process may take several days.
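As an added illustration (not the researcher's decryptor or Akira's own routine), the following simplified single-timestamp model shows why a clock-seeded key becomes recoverable once logs and metadata narrow the time window: the key derivation runs 1500 SHA-256 rounds as the article describes, but the stream cipher, the file header and the timestamps are constructed stand-ins (SHA-256 in counter mode, not ChaCha8), and `seed_entropy_bits` and `sweep_seconds` simply put the table's check rates against the size of the window.

```python
import hashlib
import math
import struct

ROUNDS = 1500           # the article: 1500 SHA-256 rounds per timestamp
MAGIC = b"%PDF-1.7"     # constructed known file header used to recognise a correct key

def derive_key(ts_ns: int) -> bytes:
    """Toy clock-seeded KDF: hash one nanosecond timestamp through 1500 SHA-256 rounds."""
    h = struct.pack("<Q", ts_ns)
    for _ in range(ROUNDS):
        h = hashlib.sha256(h).digest()
    return h

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), NOT ChaCha8; enough to show the point."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack("<Q", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def recover_key(ciphertext: bytes, window_start_ns: int, window_end_ns: int):
    """Sweep every nanosecond seed in a window narrowed from logs and file metadata."""
    # A candidate is correct when decrypting the first bytes yields the known header.
    header = ciphertext[:len(MAGIC)]
    for ts in range(window_start_ns, window_end_ns):
        key = derive_key(ts)
        if keystream_xor(key, header) == MAGIC:
            return ts, key
    return None  # the seed was outside the window

def seed_entropy_bits(window_ns: int) -> float:
    """Effective key entropy when the seed is a nanosecond clock inside a known window."""
    return math.log2(window_ns)

def sweep_seconds(window_ns: int, checks_per_second: float) -> float:
    """Worst-case time to try every seed in the window at a given check rate (see table)."""
    return window_ns / checks_per_second

if __name__ == "__main__":
    t0 = 1_700_000_000_123_456_789            # constructed nanosecond timestamp
    ct = keystream_xor(derive_key(t0), MAGIC + b" constructed file body")
    print(recover_key(ct, t0 - 200, t0 + 200))
    print(f"one-hour window: {seed_entropy_bits(3600 * 10**9):.1f} bits of seed entropy")
    print(f"RTX 3060 sweep of that window: {sweep_seconds(3600 * 10**9, 60e6):.0f} s")
```

A 256-bit key drawn from the operating system's random source would give 256 bits of entropy; a one-hour window of nanosecond timestamps gives under 42, which is why narrowing the window from logs is the decisive step.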
The researcher noted in his paper that GPU experts could optimize his code, so performance could likely be improved.
The decryptor is available on GitHub along with instructions on how to recover files encrypted by Akira.
