News

Akira ransomware now has a free decryptor

Security Parrot Editorial Team

Avast Releases Free Decryptor for Akira Ransomware Victims

Avast has released a free decryptor for files affected by Akira ransomware attacks, allowing victims to recover their data without paying a ransom to the attackers. The ransomware has been active since March 2023 and has managed to attack a number of organizations around the world, including Bluefield University, a state-owned bank in South Africa and a large forex broker London Capital Group.

How Akira Works

Akira works by using a symmetric key generated by CryptGenRandom, which is then encrypted with the associated RSA-4096 public key and appended to the end of the encrypted file. This means that only the hackers possess the RSA private key, which should have prevented other parties from decrypting the files without paying a ransom.
The Windows and Linux versions of Akira are very similar in how they encrypt devices. However, the Linux version uses the Crypto++ library instead of the Windows CryptoAPI.

Avast’s Decryption Tool

Avast has released two versions of the decryption tool, one for 64-bit and one for 32-bit Windows architecture. Experts recommend using the 64-bit version because password cracking requires a lot of memory.
In order for the tool to be able to generate a valid decryption key, the user needs to provide it with a couple of files, one of which is encrypted by Akira, and the other is the original in text form.
“It’s very important to choose a couple of files that are as large as you can find,” Avast writes. The size of the original file will become the upper limit for files that the Avast tool can decrypt, so choosing the largest available file is critical to complete data recovery.
Avast’s analysis of Akira’s encryption scheme confirmed previous findings that the malware uses a partial file encryption system to speed up the process. For example, for files smaller than 2,000,000 bytes, Akira only encrypts the first half of the file’s contents. For files larger than 2,000,000 bytes, the malware will encrypt four blocks based on a pre-calculated block size determined by the total file size.
It is speculated that Avast may have exploited this partial file encryption system to break Akira’s encryption. However, the company has not revealed exactly how they were able to do this.
The media reported that the file decryption tool was secretly used by incident responders for several months before Avast developed and released its own version available to everyone.
Avast’s free decryptor for Akira ransomware victims is a welcome relief for those affected by the malicious software. By providing a way to recover data without paying a ransom, Avast has made it easier for victims to get their data back without having to worry about the financial implications of a ransomware attack.

Share this Article
Exit mobile version
Lost your password?