Files encrypted by the ransomware 'Akira' can be decrypted in about 10 hours using 16 RTX 4090s

It has been pointed out that files encrypted by the ransomware known as 'Akira,' which was discovered in 2023 and used to demand ransoms of several billion yen, may be decryptable in a short time using NVIDIA's 'RTX 4090' GPU.
Decrypting Encrypted files from Akira Ransomware (Linux/ESXI variant 2024) using a bunch of GPUs – Tinyhack.com

Blogger Tinyhack noticed that Akira uses the execution timestamp as a seed when generating the encryption key, and reasoned that, in theory, the seed could be identified and the files decrypted by regenerating the key in the same way from that timestamp. However, Akira uses four different timestamps, so guessing a single timestamp is not enough, and the keys are generated by applying the SHA-256 hash function 1,500 times for each timestamp, so in general the key cannot simply be deduced.
Tinyhack therefore showed that the encryption can be broken by estimating from the log files when encryption was performed and running a brute-force search over all timestamps in the estimated range. Tinyhack said he in fact succeeded in recovering a certain company's data.
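
The idea described above, as an added example that is not Tinyhack's code and not Akira's actual key generator: a simplified two-timestamp model with a toy stream cipher, in which a known file header confirms a guessed pair. The key combination in `file_key`, the tick values, the gap bound and the sample file are all constructed assumptions; only the 1,500 SHA-256 rounds come from the article.

```python
import hashlib
from functools import lru_cache

ROUNDS = 1500  # from the article: SHA-256 applied 1,500 times per timestamp

@lru_cache(maxsize=None)  # each timestamp is stretched once, then reused in every pair
def stretch(timestamp: int) -> bytes:
    state = timestamp.to_bytes(8, "little")
    for _ in range(ROUNDS):
        state = hashlib.sha256(state).digest()
    return state

def file_key(t1: int, t2: int) -> bytes:
    # Assumed way of combining two stretched timestamps; the real generator differs.
    return hashlib.sha256(stretch(t1) + stretch(t2)).digest()

def toy_cipher(key: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (XOR with a SHA-256 counter keystream), not Akira's.
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "little")).digest()
        block += 1
    return bytes(c ^ s for c, s in zip(data, stream))

def recover(ciphertext: bytes, header: bytes, start: int, end: int, max_gap: int):
    """Try every pair start <= t1 < end, t1 < t2 <= t1 + max_gap; return the pair
    whose key decrypts the first bytes to the known file header, else None."""
    head = ciphertext[:len(header)]
    for t1 in range(start, end):
        for t2 in range(t1 + 1, t1 + max_gap + 1):
            if toy_cipher(file_key(t1, t2), head) == header:
                return t1, t2
    return None

# Constructed sample: timestamps the defender does not know, and a file with a known header.
SECRET = (1_700_000_000_137, 1_700_000_000_142)
PLAINTEXT = b"%PDF-1.7 constructed document body"
CIPHERTEXT = toy_cipher(file_key(*SECRET), PLAINTEXT)

def demo():
    # Logs narrow the encryption time to a 300-tick window; the gap bound is assumed.
    found = recover(CIPHERTEXT, b"%PDF-1.7", 1_700_000_000_000, 1_700_000_000_300, 16)
    return found, toy_cipher(file_key(*found), CIPHERTEXT)

if __name__ == "__main__":
    print(demo())
```

The number of key trials is the window size times `max_gap`, so each additional unknown timestamp multiplies the work.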

The RTX 4090, which is equipped with a large number of CUDA cores, is said to be ideal for this processing.
Using an RTX 4090 to find the correct four timestamps and generate the appropriate decryption key, it would take about seven days to decrypt a single file. If you scale that up to 16 machines, the process would take about 10 hours.
However, since the RTX 4090 is expensive, it is possible to substitute it with an RTX 3090. Alternatively, you can use a GPU cloud service such as runpod or vast.ai.

In addition, Avast released a decryption tool in 2023 as a countermeasure against Akira, but Akira has been updated to interfere with Avast's tool. Tinyhack pointed out that 'Akira will be updated again because I have published this method.'
The decryption code created by Tinyhack is available below.
GitHub - yohanes/akira-bruteforce

in Security, Posted by log1p_kr