Hacker News: Decrypting encrypted files from Akira ransomware using a bunch of GPUs

Source URL: https://tinyhack.com/2025/03/13/decrypting-encrypted-files-from-akira-ransomware-linux-esxi-variant-2024-using-a-bunch-of-gpus/
Source: Hacker News
Title: Decrypting encrypted files from Akira ransomware using a bunch of GPUs

AI Summary and Description: Yes

Summary: The text details how the author recovered files encrypted by the 2024 Linux/ESXi variant of Akira ransomware without paying the ransom. It covers the reverse engineering of the ransomware's key generation, the brute-force strategy that weakness made possible, and the GPU (CUDA) and cloud-rental setup used to make the search affordable.

Detailed Description:
The article gives an extensive account of the author's experience recovering data from the 2024 Linux/ESXi variant of Akira ransomware, covering both the technical analysis and the practical side of running the recovery. Key points include:

– **Ransomware Analysis and Characteristics**:
– Several Akira variants exist; the one analysed here is the 2024 Linux/ESXi variant, and its key-generation scheme is the specific weakness exploited for recovery.
– An earlier version of the ransomware had a bug that allowed decryption in the past, but later updates removed that opportunity, so this recovery relies on a different weakness.

– **Reverse Engineering Techniques**:
– The key material is derived from timestamps rather than from a proper random source: four distinct time values captured during encryption seed the per-file key. Because the seeds are timestamps, the effective key space is small enough to brute-force once the encryption time can be bounded, but the four-value structure means the search has to be organised carefully.
– Observing file-system behaviour, in particular which timestamps the file system records and when, was critical: the recorded timestamps bound when each file was encrypted and therefore narrow the search window.

– **Technical Challenges**:
– Timestamp precision differs between systems, which changes how tightly the search window can be bounded and therefore how much work the brute force needs.
– The ransomware encrypts files from multiple threads, which complicates relating a file's recorded timestamps to the seeds used for its key; handling this required careful planning and testing before the recovery succeeded.

– **Brute Force Recovery Strategy**:
– Recovery enumerates candidate timestamps, regenerates the key each candidate set would produce, and tests it against the file; in effect the brute force runs over the seed space rather than the key space.
– The author describes the hardware used, including "mini PC" setups, cost considerations, and the performance optimisations made in CUDA to speed up the search, with measured throughput figures showing the improvement.

– **Cost Implications and Cloud Use**:
– The text discusses renting cloud GPUs for the brute force and compares the cost-effectiveness of different platforms.
– Platforms such as Runpod and Vast.ai are highlighted as cheaper sources of GPU compute, given how much hardware the recovery needs.

– **Code and Implementation Details**:
– The recovery code was open-sourced so others can learn from or replicate the effort.
– The author gives practical advice on obtaining the inputs the method needs from the attacked system: the relevant timestamps, ciphertext, and matching known plaintext.
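The search structure described above (bound the encryption time from file metadata, enumerate candidate timestamp seeds, regenerate the key, and accept the candidate that decrypts a known plaintext prefix) is shown below as an added example. It is not the article's code and not Akira's real scheme: the key derivation (SHA-256 over four nanosecond timestamps), the stream cipher (SHA-256 in counter mode), the seed clock granularity, the window size and the sample file are all constructed for the demo. The real search space is far larger, which is why the article needed GPUs; the toy keeps the window small so it runs in under a second on a CPU.

```python
"""Added example (not the article's code or Akira's real scheme):
brute-forcing a per-file key whose only entropy is a cluster of
timestamps, tested against a known plaintext prefix.

Everything under "toy ransomware" is constructed for the demo. The
recovery loop is the part that mirrors the summary: bound the first
timestamp from file metadata, enumerate the small gaps between the four
seeds, and accept the first candidate that decrypts a known header."""
import hashlib
import struct

TICK_NS = 1_000  # assumed granularity of the seed clock (1 microsecond)


# --- toy ransomware (constructed stand-in for the real key schedule) ---

def derive_key(ts):
    """Toy KDF: four timestamps (ns) -> 32-byte key."""
    return hashlib.sha256(struct.pack("<4Q", *ts)).digest()


def keystream(key, n):
    """Toy stream cipher: SHA-256 in counter mode. Demo only."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("<Q", ctr)).digest()
        ctr += 1
    return bytes(out[:n])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(ts, plaintext):
    return xor_bytes(plaintext, keystream(derive_key(ts), len(plaintext)))


# --- recovery ---

def bruteforce_key(ciphertext, known_prefix, window_start_ns, window_ticks,
                   max_gap_ticks):
    """Search seeds t0 < t1 < t2 < t3.

    t0 ranges over a window derived from the file's metadata; each later
    seed follows the previous one by 1..max_gap_ticks ticks, because the
    four timestamps are read in quick succession. Returns
    (key, seeds, candidates_tried) or (None, None, candidates_tried)."""
    n = len(known_prefix)
    target = ciphertext[:n]
    tried = 0
    for i in range(window_ticks):
        t0 = window_start_ns + i * TICK_NS
        for g1 in range(1, max_gap_ticks + 1):
            t1 = t0 + g1 * TICK_NS
            for g2 in range(1, max_gap_ticks + 1):
                t2 = t1 + g2 * TICK_NS
                for g3 in range(1, max_gap_ticks + 1):
                    t3 = t2 + g3 * TICK_NS
                    tried += 1
                    key = derive_key((t0, t1, t2, t3))
                    # Cheap check: only the known prefix is decrypted here.
                    if xor_bytes(target, keystream(key, n)) == known_prefix:
                        return key, (t0, t1, t2, t3), tried
    return None, None, tried


# --- constructed demo data ---

# Known plaintext: a header the victim file format always starts with
# (constructed bytes standing in for e.g. a disk-image magic + version).
KNOWN_PREFIX = b"DEMOHDR\x00\x01\x00\x00\x00\x00\x00\x00\x00"
PLAINTEXT = KNOWN_PREFIX + bytes(range(256)) * 4

# Constructed encryption time: t0 sits 150 ticks into the window the
# defender derived from the file's mtime; the seed gaps are 3, 5 and 2.
WINDOW_START_NS = 1_720_000_000_000_000_000
TRUE_T0 = WINDOW_START_NS + 150 * TICK_NS
TRUE_SEEDS = (TRUE_T0, TRUE_T0 + 3 * TICK_NS,
              TRUE_T0 + 8 * TICK_NS, TRUE_T0 + 10 * TICK_NS)
CIPHERTEXT = toy_encrypt(TRUE_SEEDS, PLAINTEXT)


def recover_demo_file():
    """Run the search on the constructed file and return
    (recovered_plaintext, seeds, candidates_tried)."""
    key, seeds, tried = bruteforce_key(CIPHERTEXT, KNOWN_PREFIX,
                                       WINDOW_START_NS, window_ticks=200,
                                       max_gap_ticks=8)
    if key is None:
        return None, None, tried
    full = xor_bytes(CIPHERTEXT, keystream(key, len(CIPHERTEXT)))
    return full, seeds, tried


if __name__ == "__main__":
    pt, seeds, tried = recover_demo_file()
    print("recovered" if pt == PLAINTEXT else "failed",
          "after", tried, "candidates; seeds:", seeds)
```

Two design points carry over to the real case. First, the candidate test only decrypts the known prefix, so each candidate costs one key derivation plus a few bytes of keystream; that is what makes the search GPU-friendly and why the article stresses obtaining matching plaintext and ciphertext from the victim system. Second, the window size is the whole game: the loop above tries 200 × 8³ seeds, and every extra bit of uncertainty in the recorded timestamps multiplies that, which is the practical effect of the timestamp-precision differences the summary mentions.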

– **Conclusion**:
– Successful ransomware recoveries of this kind are exceptional: they are rare, labour-intensive, and depend on a specific weakness in the malware.
– The author encourages responsible handling and sharing of information about ransomware weaknesses, and asks not to be sent requests for free assistance, since the time and compute the work requires have to be funded.

For practitioners doing ransomware incident response, the article shows that data recovery can be possible even after a full encryption event, provided the malware's key generation is weak. The emphasis on understanding how the ransomware derives keys, optimising the resulting search, and choosing cost-effective compute is directly applicable to similar cases.