Avast, a cybersecurity company, has developed a free tool to help victims of Akira ransomware restore their data without giving any money to the attackers.
Akira is ransomware that encrypts its victims' files and demands payment for their decryption. It was first detected in March 2023 and has since infected thousands of organizations across various industries worldwide.
However, there is good news for the victims of Akira. Cybersecurity firm Avast has developed and released a free decryptor tool that can help them recover their data without paying any money to the attackers. The decryptor is available on Avast's website and can be used by anyone who has been affected by the Akira ransomware.
Since June 2023, Akira has also targeted VMware ESXi virtual machines with a Linux variant of its encryptor, increasing the risk of losing important data.
According to Avast's research, Akira ransomware encrypts files with a symmetric key generated by CryptGenRandom, then encrypts that key with an RSA-4096 public key embedded in the malware. The encrypted key is appended to the end of each encrypted file.
Only the attackers have the private RSA key that can decrypt the files, so normally the victims would have to pay a ransom to get it.
The Linux and Windows versions of Akira ransomware have similar encryption methods. The main difference is that the Linux version uses the Crypto++ library instead of Windows CryptoAPI.
Structure of the footer of a file encrypted by Akira (Avast)
The security firm Avast has cracked the encryption of Akira ransomware, which targets both Windows and Linux systems. However, the details of how Avast achieved this feat are not disclosed. Akira uses a partial file encryption technique to speed up the infection process, but this may have also exposed a weakness in its algorithm.
Akira encrypts files differently depending on their size and platform. On Windows, files smaller than 2 MB are encrypted only in the first half, while files larger than 2 MB are divided into four blocks and encrypted accordingly. On Linux, the attackers can specify the percentage of file contents to be encrypted using an "-n" command line argument.
This decryptor is a welcome relief for the victims of Akira, but it may not last long. The ransomware operators are likely to patch their encryption flaw and make their malware more resilient to future decryption attempts.
The company advises using the 64-bit variant because breaking the password requires a large amount of memory.
Cracking the password may take some time (Avast)
File pair analyzed on the decryptor (Avast)
Users have to supply the tool with a pair of files, one altered by Akira and one in its original unencrypted form, to enable the tool to generate the right decryption key.
"Choosing a pair of files that are as large as possible is very important," cautions Avast.
"Due to Akira's block size computation, there may be a significant difference on the size limit even for files that differ by a size of 1 byte."
To restore all of your data, choose a file pair whose original (unencrypted) size is as large as possible, because Avast's tool can only decrypt files up to the size of the pair it was given.
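To see concretely what a file pair tells you, here is an added triage helper (example code, not Avast's decryptor and not a parser of Akira's real on-disk layout) that compares an original/encrypted pair and reports which byte ranges were modified and how many bytes were appended; the sample data and the 16-byte comparison granularity are assumptions.

```python
# Added example (not Avast's decryptor, not Akira's real format): compare an
# original/encrypted file pair to measure how much content was modified and
# how many bytes were appended as a footer. Sample data below is constructed.
from dataclasses import dataclass, field

CHUNK = 16  # compare in 16-byte chunks so a chance byte match does not split a range


@dataclass
class PairReport:
    original_size: int
    encrypted_size: int
    footer_size: int  # bytes appended beyond the original length
    modified_ranges: list = field(default_factory=list)  # [start, end) offsets, CHUNK granularity
    modified_bytes: int = 0


def compare_pair(original: bytes, encrypted: bytes) -> PairReport:
    """Locate the byte ranges of `original` that differ in `encrypted`."""
    n = len(original)
    if len(encrypted) < n:
        raise ValueError("encrypted copy is shorter than the original; not a matching pair")
    report = PairReport(n, len(encrypted), len(encrypted) - n)
    start = None
    for off in range(0, n, CHUNK):
        differs = original[off:off + CHUNK] != encrypted[off:off + CHUNK]
        if differs and start is None:
            start = off
        elif not differs and start is not None:
            report.modified_ranges.append((start, off))
            start = None
    if start is not None:
        report.modified_ranges.append((start, n))
    report.modified_bytes = sum(e - s for s, e in report.modified_ranges)
    return report


def largest_pair(pairs):
    """Pick the pair with the largest original, the one Avast says to prefer."""
    return max(pairs, key=lambda p: len(p[0]))


# Constructed sample: a 4 KiB original; the "encrypted" copy has its first half
# XORed with 0xFF (standing in for first-half encryption of a small file) and a
# 64-byte footer appended.
SAMPLE_ORIGINAL = bytes(range(256)) * 16
SAMPLE_ENCRYPTED = (bytes(b ^ 0xFF for b in SAMPLE_ORIGINAL[:2048])
                    + SAMPLE_ORIGINAL[2048:] + b"\x00" * 64)

if __name__ == "__main__":
    r = compare_pair(SAMPLE_ORIGINAL, SAMPLE_ENCRYPTED)
    print(f"{r.modified_bytes}/{r.original_size} bytes modified in {r.modified_ranges}, "
          f"footer {r.footer_size} bytes")
```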
The tool also gives you the option to create backups of your encrypted files before trying to decrypt them. This is a good practice, as there is a risk of losing your data permanently if something goes wrong during the decryption process.
Avast is developing a Linux version of the tool, but for now, Linux users can use the Windows version to decrypt their files that were encrypted in Linux.
Ransomware is a serious threat that can disrupt your business operations and damage your reputation. The best way to deal with ransomware is to prevent it from happening in the first place. That's why you need to be prepared and have a robust security strategy in place. Webcheck Security is a trusted security consulting firm that can help you assess your ransomware readiness and implement best practices to protect your data and systems. Don't wait until it's too late, contact Webcheck Security today and get peace of mind.