Cybersecurity firm Avast has released a free decryptor for the Akira ransomware, enabling victims to recover their data without paying a ransom. Akira has gained notoriety for targeting organizations across various sectors since it emerged in March 2023.
In June 2023, the operators expanded their attacks to include Linux systems, particularly VMware ESXi virtual machines, increasing the reach of their encryption attacks.
Avast’s analysis revealed that Akira employs a symmetric key generated by CryptGenRandom, encrypted by an RSA-4096 public key, and appended to the encrypted file, making decryption impossible without the private RSA key held by the threat actors.
Avast’s successful decryption efforts are attributed to their analysis of Akira’s encryption method, which involves partial file encryption.
For efficient processing, Akira on Windows encrypts files partially based on their size, encrypting only the first half of files smaller than 2,000,000 bytes and employing pre-calculated block sizes for larger files.
The Linux version of Akira allows operators to specify the percentage of files to encrypt. While the release of the decryptor offers relief to victims, it is expected that the Akira ransomware operators will study the decryptor to identify flaws in their encryption and address them to prevent future decryption attempts.
Avast has provided two versions of the decryptor for different Windows architectures and recommends the 64-bit version because the decryptor requires a large amount of system memory.
To generate the correct decryption key, users must provide a pair of files: one encrypted by Akira and the other in its original plain-text form. Avast advises selecting large files, because the size of the original file sets the upper limit on the size of files that can be decrypted. Additionally, the decryptor offers a backup option to safeguard encrypted files, reducing the risk of irreparable data corruption.
Although Avast is working on a Linux decryptor, users can currently utilize the Windows version to decrypt files encrypted in Linux by Akira.
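Before handing a file pair to the decryptor, a responder can confirm that the plain-text copy really is the original of the encrypted file, using the layout described above (an appended key blob, and only the first half encrypted for files under 2,000,000 bytes). The following Python sketch is an added example, not Avast's code; the function names and the rounding of "first half" are assumptions.

```python
"""Added example: sanity-check an original/encrypted pair before key recovery."""
from dataclasses import dataclass
from pathlib import Path

SMALL_FILE_LIMIT = 2_000_000  # bytes; threshold stated in the article


@dataclass
class PairCheck:
    usable: bool
    reason: str


def check_pair(original: bytes, encrypted: bytes) -> PairCheck:
    size = len(original)
    if size == 0:
        return PairCheck(False, "original is empty")
    # The RSA-wrapped key is appended, so the encrypted file must be longer.
    if len(encrypted) <= size:
        return PairCheck(False, "encrypted file has no appended trailer")
    body = encrypted[:size]
    if body == original:
        return PairCheck(False, "content identical; file was not encrypted")
    if size >= SMALL_FILE_LIMIT:
        # The block layout for large files is not given in the article.
        return PairCheck(True, "large file; differs from original, layout not checked")
    # Assumption: the encrypted half ends at size // 2 or (size + 1) // 2.
    # Comparing from the later offset is valid under either rounding.
    tail_start = (size + 1) // 2
    if body[tail_start:] != original[tail_start:]:
        return PairCheck(False, "second half differs; not the original of this file")
    return PairCheck(True, "small file; first half changed, second half intact")


def check_pair_files(original_path: str, encrypted_path: str) -> PairCheck:
    # Reads both files fully into memory; acceptable for a one-off check.
    return check_pair(Path(original_path).read_bytes(),
                      Path(encrypted_path).read_bytes())


if __name__ == "__main__":
    # Constructed sample data, not real ransomware output.
    plain = bytes(range(256)) * 4
    fake = bytes(b ^ 0xFF for b in plain[:512]) + plain[512:] + b"\x00" * 512
    print(check_pair(plain, fake))
    print(check_pair(bytes(1024), fake))
```

A pair that fails this check should be replaced with a different backup copy rather than passed to the decryptor.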