Avast researchers have recently made a breakthrough in decrypting files affected by the Akira ransomware. Since its appearance in 2017, Akira ransomware has been targeting various organizations, including those in the education, finance, and real estate sectors. Unlike most ransomware, Akira does not leave any ransom notes after encrypting the files, making it difficult for victims to know how to recover their data.
Akira ransomware is specifically designed for Windows platforms and utilizes a 64-bit Windows binary for encrypting files. It is written in C++ and relies heavily on C++ libraries. The ransomware uses symmetric encryption, with the encryption key generated by the CryptGenRandom() function in the Windows CryptAPI. It also employs ChaCha 2008 for encrypting files on affected systems.
Researchers have found that Akira ransomware has even affected Linux operating systems, using the Crypto++ library as a substitute for Windows CryptAPI. The ransomware excludes certain folders and file extensions from encryption by default. For example, it does not encrypt .exe, .dll, .lnk, .sys, and .msi files, as well as Akira_readme.txt. It also excludes folders such as “winnt,” “temp,” “thumb,” “$Recycle.bin,” “$RECYCLE.BIN,” “System Volume Information,” “Boot,” “Windows,” and “Trend Micro.”
Interestingly, there are similarities between Akira ransomware and Conti V2 Ransomware. Both ransomware strains share a list of excluded files and folders, use ChaCha 2008, and rely on CryptGenRandom and CryptEncrypt functions. Avast researchers believe that the authors of Akira ransomware may have drawn inspiration from Conti in developing their malware.
Avast has released a decryptor tool for Akira ransomware, offering both 64-bit and 32-bit versions for users to download. The decryptor tool requires users to submit a pair of files: an original, unencrypted file and the same file after Akira encrypted it (carrying the .akira extension). The tool then works to decrypt the files, which may take some time depending on the complexity of the encryption. Once the decryption process is complete, the tool prompts users to back up the decrypted files using the provided wizard.
In order to further assist users, Avast has provided a complete report and instructions on how to use the decryptor tool on their website. This resource guides users through the decryption process step by step.
It is worth noting that the symmetric key Akira uses to encrypt a file is itself encrypted with RSA-4096, and the encrypted key is appended at the end of the encrypted file. The RSA public key, on the other hand, is hardcoded within the ransomware binary.
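The three details above (the default exclusion list, the decryptor's need for an original/encrypted file pair, and the key material appended to each encrypted file) can be turned into a small triage helper for an incident responder preparing input for the decryptor. This is an added example, not Avast's tool or code from the article; it assumes folder names are matched exactly (both "$Recycle.bin" and "$RECYCLE.BIN" appear in the list, which suggests case-sensitive comparison) and uses a constructed sample tree rather than real victim data.

```python
import os
import tempfile
from pathlib import Path

# Exclusion lists as reported in the article. Folder names are compared exactly
# (assumption: the list spells out both "$Recycle.bin" and "$RECYCLE.BIN").
EXCLUDED_EXTENSIONS = {".exe", ".dll", ".lnk", ".sys", ".msi"}
EXCLUDED_FILENAMES = {"akira_readme.txt"}
EXCLUDED_FOLDERS = {"winnt", "temp", "thumb", "$Recycle.bin", "$RECYCLE.BIN",
                    "System Volume Information", "Boot", "Windows", "Trend Micro"}
ENCRYPTED_SUFFIX = ".akira"


def is_excluded_by_default(path):
    """True if Akira, per the article, would skip this path by default."""
    p = Path(path)
    if p.name.lower() in EXCLUDED_FILENAMES or p.suffix.lower() in EXCLUDED_EXTENSIONS:
        return True
    return any(part in EXCLUDED_FOLDERS for part in p.parts[:-1])


def find_decryptor_pairs(root):
    """Locate <file>.akira files whose unencrypted original sits beside them.

    appended_bytes is encrypted size minus original size; it must be positive,
    because the RSA-encrypted file key is appended to the end of the ciphertext.
    A pair under an excluded path is flagged as implausible for the decryptor.
    """
    pairs = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(ENCRYPTED_SUFFIX):
                continue
            enc = Path(dirpath) / name
            orig = enc.with_name(name[: -len(ENCRYPTED_SUFFIX)])
            if not orig.is_file():
                continue  # no original next to it: cannot be used as a pair
            footer = enc.stat().st_size - orig.stat().st_size
            pairs.append({"original": str(orig), "encrypted": str(enc),
                          "appended_bytes": footer,
                          "plausible": footer > 0 and not is_excluded_by_default(orig)})
    return sorted(pairs, key=lambda d: d["original"])


def build_sample_tree():
    """Constructed demo tree (not real victim data): one good pair, one pair in an
    excluded folder with an excluded extension, and one orphan .akira file."""
    root = Path(tempfile.mkdtemp(prefix="akira_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.docx").write_bytes(b"A" * 100)
    (root / "docs" / "report.docx.akira").write_bytes(b"B" * 100 + b"K" * 512)
    (root / "Windows").mkdir()
    (root / "Windows" / "notepad.exe").write_bytes(b"M" * 40)
    (root / "Windows" / "notepad.exe.akira").write_bytes(b"N" * 40 + b"K" * 512)
    (root / "orphan.txt.akira").write_bytes(b"Z" * 20)
    return str(root)
```

Pairs marked plausible are the candidates worth feeding to the decryptor; an encrypted file under an excluded path, or one smaller than its supposed original, warrants a second look before trusting it as a pair.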
As the threat landscape continues to evolve, it is crucial for security researchers and organizations to work together to develop effective countermeasures. Avast’s success in decrypting Akira ransomware files showcases the importance of ongoing research in fighting against such malicious threats.
