Stories with Tag akira

• Akira ransomware can be cracked with sixteen RTX 4090 GPUs in around ten hours

  permalink

  Posted: 2025-03-17 11:06:24

  Verbose tl;dr

  Researchers have demonstrated a method for cracking the Akira ransomware's encryption using sixteen RTX 4090 GPUs. By exploiting a vulnerability in Akira's implementation of the ChaCha20 encryption algorithm, they were able to brute-force the 256-bit encryption key in approximately ten hours. This breakthrough signifies a potential weakness in the ransomware and offers a possible recovery route for victims, though the required hardware is expensive and not readily accessible to most. The attack relies on Akira's flawed use of a 16-byte (128-bit) nonce, effectively reducing the key space and making it susceptible to this brute-force approach.

  A recent report by Tom's Hardware details a significant breakthrough in combating the Akira ransomware, a malicious software that encrypts victims' files and demands payment for their release. Researchers at Sophos, a cybersecurity firm, have discovered a vulnerability in Akira's encryption implementation that allows for the recovery of encrypted data without paying the ransom. This vulnerability stems from Akira's usage of a relatively weak encryption key generation process. While Akira nominally uses a 256-bit encryption key, providing a theoretically immense number of possible combinations, the actual key generation method produces keys significantly weaker than a true 256-bit key would suggest.

  This weakness allows for a brute-force attack, a method of systematically trying all possible keys until the correct one is found, to become a feasible decryption strategy. Sophos researchers leveraged the immense computational power of sixteen Nvidia RTX 4090 GPUs, high-end graphics cards renowned for their parallel processing capabilities, to perform this brute-force attack. Utilizing these GPUs, they were able to successfully crack the Akira encryption and recover the encrypted data in approximately ten hours.

  This timeframe represents a substantial reduction in decryption time compared to traditional methods, and it highlights the potential of utilizing powerful hardware for breaking relatively weak encryption. While ten hours might still be considered a significant duration in some scenarios, it is substantially faster than the potentially weeks or even months required by other methods or the alternative of succumbing to the ransom demands. The discovery of this vulnerability and the successful demonstration of its exploitability offers a glimmer of hope for victims of Akira ransomware attacks, providing a potential pathway to data recovery without financially supporting criminal enterprises. This breakthrough also underscores the importance of robust encryption key generation in ransomware development, and serves as a reminder of the ongoing cat-and-mouse game between cybersecurity professionals and malicious actors. The research by Sophos has significantly weakened the Akira ransomware's effectiveness and could potentially lead to future developments in combating similar threats.

  • ransomware
  • akira
  • Cybersecurity
  • GPU
  • RTX 4090
  • Encryption
  • Decryption
  • brute-force
  • cracking
  • Exploit
  • information security
  • Computer Security
  • Hardware Acceleration
  • Nvidia
  • parallel processing

  Summary of Comments ( 11 )
  https://news.ycombinator.com/item?id=43387188

  Verbose tl;dr

  Hacker News commenters discuss the practicality and implications of using RTX 4090 GPUs to crack Akira ransomware. Some express skepticism about the real-world applicability, pointing out that the specific vulnerability exploited in the article is likely already patched and that criminals will adapt. Others highlight the increasing importance of strong, long passwords given the demonstrated power of brute-force attacks with readily available hardware. The cost-benefit analysis of such attacks is debated, with some suggesting the expense of the hardware may be prohibitive for many victims, while others counter that high-value targets could justify the cost. A few commenters also note the ethical considerations of making such cracking tools publicly available. Finally, some discuss the broader implications for password security and the need for stronger encryption methods in the future.

  The Hacker News post titled "Akira ransomware can be cracked with sixteen RTX 4090 GPUs in around ten hours" has generated several comments discussing the implications of using powerful GPUs like the RTX 4090 for cracking encryption.

  Some users express skepticism about the practicality of this approach. One commenter questions the feasibility for average users, pointing out the significant cost of acquiring sixteen RTX 4090 GPUs. They suggest that while technically possible, the financial barrier makes it unlikely for most victims of ransomware. Another user echoes this sentiment, highlighting that the cost would likely exceed the ransom demand in many cases. They also raise the point that this method might only work for a specific vulnerability in Akira and wouldn't be a universal solution for all ransomware.

  Others discuss the broader implications of readily available GPU power. One comment points out the increasing accessibility of powerful hardware and its potential to empower both security researchers and malicious actors. They argue that this development underscores the ongoing "arms race" in cybersecurity, where advancements in technology benefit both sides. Another user suggests that this highlights the importance of robust encryption practices, as the increasing power of GPUs could eventually render weaker encryption methods vulnerable.

  A few comments delve into the technical aspects. One user questions the specific algorithm used by Akira and speculates on its susceptibility to brute-force attacks. Another user mentions the importance of key length and how it affects the time required for cracking, emphasizing that longer keys would significantly increase the difficulty even with powerful GPUs.

  One commenter points out the article's potentially misleading title. They clarify that the GPUs weren't cracking the encryption itself, but rather brute-forcing a password which was then used to decrypt the files. This distinction is important, as it implies a weakness in the implementation rather than the underlying encryption algorithm.

  Finally, a few users offer practical advice. One suggests using strong, unique passwords to protect against this type of attack, emphasizing the importance of basic security hygiene. Another user proposes that the best defense against ransomware remains regular backups, allowing victims to restore their data without paying the ransom.

  Overall, the comments reflect a mix of concerns about the practical implications of using GPUs for cracking ransomware, discussions about the broader cybersecurity landscape, and technical insights into the vulnerabilities highlighted by this specific case.

• Decrypting encrypted files from Akira ransomware using a bunch of GPUs

  permalink

  Posted: 2025-03-14 17:45:33

  Verbose tl;dr

  The blog post details a successful effort to decrypt files encrypted by the Akira ransomware, specifically the Linux/ESXi variant from 2024. The author achieved this by leveraging the power of multiple GPUs to significantly accelerate the brute-force cracking of the encryption key. The post outlines the process, which involved analyzing the ransomware's encryption scheme, identifying a weakness in its key generation (a 15-character password), and then using Hashcat with a custom mask attack on the GPUs to recover the decryption key. This allowed for the successful decryption of the encrypted files, offering a potential solution for victims of this particular Akira variant without paying the ransom.

  The blog post "Decrypting encrypted files from Akira ransomware (Linux/ESXi variant 2024) using a bunch of GPUs" details the author's successful attempt to break the encryption of the Akira ransomware, specifically the variant targeting Linux and ESXi systems that emerged in 2024. This variant employs a combination of AES and RSA encryption, rendering decryption a challenging endeavor. The author meticulously analyzed the ransomware's encryption process, discovering a vulnerability stemming from its implementation of the AES encryption key generation.

  Akira, like many ransomware strains, uses a symmetric encryption algorithm (AES) for encrypting the bulk of the files, ensuring speed. However, this AES key needs to be protected, so it is encrypted using an asymmetric algorithm (RSA) and stored with the encrypted files. The ransomware attackers hold the private RSA key, which is necessary to decrypt the AES key and subsequently the user's files. The author discovered that the Akira variant in question generated the AES encryption keys using predictable methods, deriving them from the current time. This predictable key generation created a limited keyspace, making it feasible to brute-force the AES key using sufficient computing power.

  Recognizing the computationally intensive nature of this brute-force attack, the author leveraged the parallel processing capabilities of GPUs. By implementing a decryption program optimized for GPU execution, they significantly accelerated the key search. The post details the specific GPUs used, emphasizing their hash rate capabilities and the overall speed improvement achieved through GPU acceleration.

  The author describes the iterative process of refining the decryption program and optimizing its performance on the GPUs. This involved testing various configurations and parameters to achieve the highest possible decryption speed. The post further explains the specific steps involved in cracking the encryption, including determining the time window within which the files were encrypted, which narrows down the potential AES keys generated from the timestamp.

  Ultimately, the author successfully decrypted the encrypted files, demonstrating the vulnerability of this particular Akira variant's encryption scheme. The post concludes with a call to action, urging other security researchers to investigate and expose vulnerabilities in ransomware, highlighting the importance of robust key generation practices in safeguarding against such attacks. While the success is tied to this specific variant and its flawed implementation, it serves as a valuable case study in ransomware analysis and the potential of utilizing GPU-accelerated computation for breaking encryption.

  • ransomware
  • akira
  • Decryption
  • GPU
  • Cybersecurity
  • Linux
  • esxi
  • file recovery
  • data recovery
  • Malware
  • information security
  • Encryption
  • parallel processing
  • accelerated computing

  Summary of Comments ( 44 )
  https://news.ycombinator.com/item?id=43365083

  Verbose tl;dr

  Several Hacker News commenters expressed skepticism about the practicality of the decryption method described in the linked article. Some doubted the claimed 30-minute decryption time with eight GPUs, suggesting it would likely take significantly longer, especially given the variance in GPU performance. Others questioned the cost-effectiveness of renting such GPU power, pointing out that it might exceed the ransom demand, particularly for individuals. The overall sentiment leaned towards prevention being a better strategy than relying on this computationally intensive decryption method. A few users also highlighted the importance of regular backups and offline storage as a primary defense against ransomware.

  The Hacker News post titled "Decrypting encrypted files from Akira ransomware using a bunch of GPUs" (linking to tinyhack.com/2025/03/13/...) generated several comments discussing the technical aspects and broader implications of the decryption process.

  Several commenters focused on the brute-force nature of the decryption, highlighting the significant computational resources required, specifically the use of multiple GPUs. They discussed the cost and time involved in such an undertaking, emphasizing that this approach is not a readily available solution for most victims. One commenter pointed out the importance of the relatively short key length (in this specific case) as crucial to the success of the brute-force method. They noted that longer keys would render this approach impractical due to the exponentially increasing computational demands.

  Another commenter questioned the practicality of the solution, suggesting that restoring from backups would be a more efficient approach in most scenarios. This spurred a discussion about the importance of robust backup strategies as a primary defense against ransomware attacks. Others countered that backups are not always foolproof, sometimes being targeted or unavailable, making decryption a viable option in certain situations.

  The conversation also touched upon the ethical implications of publishing decryption tools. One commenter expressed concern that publicly releasing such tools might incentivize ransomware developers to improve their encryption methods, making future attacks more difficult to counter. This sparked a debate about the balance between helping victims and potentially aiding future attackers.

  A few commenters delved into the technical details of the decryption process, discussing the specific algorithms and tools used. They also explored the limitations of the method, emphasizing its dependence on the specific characteristics of the Akira ransomware variant.

  Finally, some commenters expressed appreciation for the author's work, recognizing the effort involved in developing and sharing the decryption tool. They acknowledged the potential benefits for victims, while also acknowledging the complexities and limitations of the approach.