The blog post details a successful effort to decrypt files encrypted by the Akira ransomware, specifically the Linux/ESXi variant from 2024. The author achieved this by leveraging the power of multiple GPUs to significantly accelerate the brute-force cracking of the encryption key. The post outlines the process, which involved analyzing the ransomware's encryption scheme, identifying a weakness in its key generation (a 15-character password), and then using Hashcat with a custom mask attack on the GPUs to recover the decryption key. This allowed for the successful decryption of the encrypted files, offering a potential solution for victims of this particular Akira variant without paying the ransom.
The blog post "Decrypting encrypted files from Akira ransomware (Linux/ESXi variant 2024) using a bunch of GPUs" details the author's successful attempt to break the encryption of the Akira ransomware, specifically the variant targeting Linux and ESXi systems that emerged in 2024. This variant employs a combination of AES and RSA encryption, rendering decryption a challenging endeavor. The author meticulously analyzed the ransomware's encryption process, discovering a vulnerability stemming from its implementation of the AES encryption key generation.
Akira, like many ransomware strains, uses a symmetric encryption algorithm (AES) for encrypting the bulk of the files, ensuring speed. However, this AES key needs to be protected, so it is encrypted using an asymmetric algorithm (RSA) and stored with the encrypted files. The ransomware attackers hold the private RSA key, which is necessary to decrypt the AES key and subsequently the user's files. The author discovered that the Akira variant in question generated the AES encryption keys using predictable methods, deriving them from the current time. This predictable key generation created a limited keyspace, making it feasible to brute-force the AES key using sufficient computing power.
Recognizing the computationally intensive nature of this brute-force attack, the author leveraged the parallel processing capabilities of GPUs. By implementing a decryption program optimized for GPU execution, they significantly accelerated the key search. The post details the specific GPUs used, emphasizing their hash rate capabilities and the overall speed improvement achieved through GPU acceleration.
The author describes the iterative process of refining the decryption program and optimizing its performance on the GPUs. This involved testing various configurations and parameters to achieve the highest possible decryption speed. The post further explains the specific steps involved in cracking the encryption, including determining the time window within which the files were encrypted, which narrows down the potential AES keys generated from the timestamp.
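The weakness the post describes, a file key derived from the clock rather than from a CSPRNG, turns a 128-bit key into a search over the clock values inside the encryption window. The following is an added illustration written for this summary, not code from the blog post or from Akira itself. It assumes a toy key derivation (SHA-256 of a millisecond clock tick), an HMAC-SHA256 counter keystream standing in for AES-CTR so it runs with only the Python standard library, a constructed known file header, and a constructed encryption timestamp and search window; the real malware's derivation and file format differ. It also shows the contrast the post draws: the same search finds nothing when the key comes from the OS random source.

```python
import hashlib
import hmac
import os
from typing import Optional

# All values below are constructed for illustration; this is not Akira's real KDF.
TICK_NS = 1_000_000  # assumption: the key derives from a millisecond clock reading


def derive_key_from_time(ts_ns: int) -> bytes:
    """Toy time-seeded KDF: key = SHA-256(clock tick). A deterministic, guessable
    input means anyone who can bound the clock value can re-derive the key."""
    tick = ts_ns // TICK_NS
    return hashlib.sha256(tick.to_bytes(8, "big")).digest()[:16]


def derive_key_random() -> bytes:
    """The sound alternative: 128 bits from the OS CSPRNG, no guessable input."""
    return os.urandom(16)


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, standing in for AES-CTR so the
    example needs only the standard library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


decrypt = encrypt  # XOR stream cipher: decryption is the same operation


def keyspace_size(window_start_ns: int, window_end_ns: int) -> int:
    """How many distinct keys the time-seeded scheme can yield inside a window."""
    return window_end_ns // TICK_NS - window_start_ns // TICK_NS + 1


def recover_key(ciphertext: bytes, known_prefix: bytes,
                window_start_ns: int, window_end_ns: int) -> Optional[bytes]:
    """Try every clock tick in the window and accept the key that decrypts the
    file header to the expected plaintext (e.g. a format's magic bytes).
    Each candidate is independent of the others, which is why the post's GPU
    approach parallelises so well and why narrowing the window matters."""
    head = ciphertext[:len(known_prefix)]
    for tick in range(window_start_ns // TICK_NS, window_end_ns // TICK_NS + 1):
        key = derive_key_from_time(tick * TICK_NS)
        if decrypt(key, head) == known_prefix:
            return key
    return None


# Constructed sample: a file whose first bytes are known (a made-up magic value),
# encrypted at a fixed, constructed instant.
KNOWN_HEADER = b"KDMV\x01\x00\x00\x00"
ENCRYPTION_TIME_NS = 1_700_000_000_123_456_789
SAMPLE_PLAINTEXT = KNOWN_HEADER + b"disk image payload bytes..." * 4


def demo() -> dict:
    key = derive_key_from_time(ENCRYPTION_TIME_NS)
    ciphertext = encrypt(key, SAMPLE_PLAINTEXT)
    # The defender only knows (from mtimes or logs) that encryption happened in
    # a ~10 s window: here 3 s before to 7 s after the true instant.
    start = ENCRYPTION_TIME_NS - 3_000_000_000
    end = ENCRYPTION_TIME_NS + 7_000_000_000
    recovered = recover_key(ciphertext, KNOWN_HEADER, start, end)
    # Same search against a file encrypted with a CSPRNG key: nothing to find.
    random_ct = encrypt(derive_key_random(), SAMPLE_PLAINTEXT)
    return {
        "recovered_matches": recovered == key,
        "plaintext_restored": recovered is not None
        and decrypt(recovered, ciphertext) == SAMPLE_PLAINTEXT,
        "candidates_10s_window": keyspace_size(start, end),
        "candidates_1h_window": keyspace_size(
            ENCRYPTION_TIME_NS, ENCRYPTION_TIME_NS + 3_600_000_000_000),
        "random_key_candidates": 2 ** 128,
        "random_key_recovered": recover_key(random_ct, KNOWN_HEADER, start, end) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The numbers are the whole lesson: a one-hour window at millisecond resolution is about 3.6 million candidates, a figure a single CPU core exhausts in seconds and a GPU farm in far less, against the 2^128 candidates a properly random key would require. Finer clock resolution or a looser window widens the search but does not change its character; only an unpredictable key source does.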
Ultimately, the author successfully decrypted the encrypted files, demonstrating the vulnerability of this particular Akira variant's encryption scheme. The post concludes with a call to action, urging other security researchers to investigate and expose vulnerabilities in ransomware, highlighting the importance of robust key generation practices in safeguarding against such attacks. While the success is tied to this specific variant and its flawed implementation, it serves as a valuable case study in ransomware analysis and the potential of utilizing GPU-accelerated computation for breaking encryption.
Summary of Comments (44)
https://news.ycombinator.com/item?id=43365083
Several Hacker News commenters expressed skepticism about the practicality of the decryption method described in the linked article. Some doubted the claimed 30-minute decryption time with eight GPUs, suggesting it would likely take significantly longer, especially given the variance in GPU performance. Others questioned the cost-effectiveness of renting such GPU power, pointing out that it might exceed the ransom demand, particularly for individuals. The overall sentiment leaned towards prevention being a better strategy than relying on this computationally intensive decryption method. A few users also highlighted the importance of regular backups and offline storage as a primary defense against ransomware.
The Hacker News post titled "Decrypting encrypted files from Akira ransomware using a bunch of GPUs" (linking to tinyhack.com/2025/03/13/...) generated several comments discussing the technical aspects and broader implications of the decryption process.
Several commenters focused on the brute-force nature of the decryption, highlighting the significant computational resources required, specifically the use of multiple GPUs. They discussed the cost and time involved in such an undertaking, emphasizing that this approach is not a readily available solution for most victims. One commenter pointed out the importance of the relatively short key length (in this specific case) as crucial to the success of the brute-force method. They noted that longer keys would render this approach impractical due to the exponentially increasing computational demands.
Another commenter questioned the practicality of the solution, suggesting that restoring from backups would be a more efficient approach in most scenarios. This spurred a discussion about the importance of robust backup strategies as a primary defense against ransomware attacks. Others countered that backups are not always foolproof, sometimes being targeted or unavailable, making decryption a viable option in certain situations.
The conversation also touched upon the ethical implications of publishing decryption tools. One commenter expressed concern that publicly releasing such tools might incentivize ransomware developers to improve their encryption methods, making future attacks more difficult to counter. This sparked a debate about the balance between helping victims and potentially aiding future attackers.
A few commenters delved into the technical details of the decryption process, discussing the specific algorithms and tools used. They also explored the limitations of the method, emphasizing its dependence on the specific characteristics of the Akira ransomware variant.
Finally, some commenters expressed appreciation for the author's work, recognizing the effort involved in developing and sharing the decryption tool. They acknowledged the potential benefits for victims, while also acknowledging the complexities and limitations of the approach.