
Decryption Strategies for Akira Ransomware on Linux/ESXI Systems Using GPU-Powered Brute Force

  • Rescana
  • Mar 17

Executive Summary

The cybersecurity community continues to grapple with the evolving threat of ransomware, and the Akira Ransomware (Linux/ESXI variant 2024) is a recent example. This malicious software, active from late 2023 to the present, employs encryption that renders conventional decryption techniques ineffective. However, GPU-powered brute force has emerged as a promising way to recover files compromised by this variant. This report delves into the technical details of the decryption process, exploring the use of GPUs to expedite recovery from Akira's encryption mechanisms.

Technical Information

The Akira Ransomware (Linux/ESXI variant 2024) has been a formidable adversary for cybersecurity professionals due to its complex encryption mechanism. This ransomware variant utilizes a combination of the KCipher2 and Chacha8 encryption algorithms, with each file being encrypted by a unique key generated through 1,500 rounds of SHA-256 hashing. The keys are derived from four unique timestamps, with the current time in nanoseconds serving as the seed for this process. The per-file keys are then encrypted with RSA-4096 and stored as a trailer appended to each encrypted file.

The decryption process begins with the identification of the critical timestamps, t3 and t4, which are instrumental in key generation. Given the multithreaded nature of Akira's encryption process, pinpointing these timestamps can be challenging. The precision required extends to the nanosecond level, which complicates matters when the filesystem's timestamp precision is limited, as observed with VMFS on ESXi systems.

To surmount these challenges, the implementation of GPU-powered brute force techniques has proven effective. By harnessing the computational power of GPUs, particularly through CUDA programming, the decryption process that would traditionally span weeks is reduced to mere hours. An RTX 3090 GPU can perform approximately 1.5 billion encryptions per second, a feat achieved by optimizing memory usage and minimizing unnecessary operations. This high-throughput capability is critical for comparing known plaintext with ciphertext to verify decryption accuracy.
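To make the search described above concrete, the following Python model is an added illustration and is not code from the report or from the open-source tooling it refers to. It assumes a deliberately simplified construction: a single nanosecond timestamp hashed 1,500 times with SHA-256 as the file key, a SHA-256 counter-mode keystream standing in for KCipher2/ChaCha8, and a constructed file header as the known plaintext; the real key schedule over four timestamps is not modelled.

```python
import hashlib
import struct
from typing import Optional

KDF_ROUNDS = 1500   # per the report: 1,500 rounds of SHA-256 per file key
GPU_RATE = 1.5e9    # per the report: ~1.5 billion trial encryptions/s on an RTX 3090


def derive_key(ts_ns: int) -> bytes:
    """Assumed KDF (simplified model): hash the 8-byte nanosecond timestamp 1,500 times."""
    h = struct.pack("<Q", ts_ns)
    for _ in range(KDF_ROUNDS):
        h = hashlib.sha256(h).digest()
    return h


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), NOT KCipher2 or ChaCha8."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt_with_timestamp(ts_ns: int, plaintext: bytes) -> bytes:
    """Model of the ransomware side: one file, one timestamp-derived key."""
    return stream_xor(derive_key(ts_ns), plaintext)


def recover_timestamp(cipher_head: bytes, known_head: bytes,
                      window_start_ns: int, window_len: int) -> Optional[int]:
    """Known-plaintext search: try every nanosecond tick in the window and keep
    the seed whose key turns the ciphertext head back into the known header."""
    n = len(known_head)
    for ts in range(window_start_ns, window_start_ns + window_len):
        if stream_xor(derive_key(ts), cipher_head[:n]) == known_head:
            return ts
    return None


def search_hours(uncertainty_ns: int, rate: float = GPU_RATE) -> float:
    """Worst-case hours to exhaust one timestamp known only to within a window."""
    return uncertainty_ns / rate / 3600


# Constructed demo data: a fake VMDK-style descriptor header as known plaintext.
KNOWN_HEAD = b"# Disk DescriptorFile\n"
TRUE_TS = 1_705_000_000_123_456_789        # constructed nanosecond timestamp
CIPHERTEXT = encrypt_with_timestamp(TRUE_TS, KNOWN_HEAD + b"version=1\n")

if __name__ == "__main__":
    print(recover_timestamp(CIPHERTEXT, KNOWN_HEAD, TRUE_TS - 250, 500))
    print(f"{search_hours(10**9):.6f} h per second of timestamp uncertainty")
```

In this single-timestamp model a one-second window costs well under a second at the report's GPU rate; the hours-long runs the report describes come from the wider windows and the combination of several timestamps that multithreaded encryption introduces.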

Cost considerations play a significant role in determining the feasibility of GPU-powered decryption. Services like Runpod and Vast.ai offer GPU rentals that provide a cost-effective alternative to traditional decryption methods. In a recent successful decryption case, the use of an RTX 4090 GPU incurred costs of around $261 for a complete brute force operation, highlighting the potential for scalable and affordable recovery solutions.

Despite these advancements, the multithreaded nature of Akira's encryption introduces additional complexity. The synchronization of multiple threads can obscure the precise start time of encryption, complicating the determination of accurate timestamps. Moreover, network filesystems such as NFS, although not a factor in this specific case, could further exacerbate timing discrepancies by introducing synchronization challenges.

The successful decryption of files encrypted by Akira ransomware underscores the potential of GPU-powered brute force as a viable recovery strategy. The methodology and open-source tools developed provide a framework for organizations facing similar ransomware threats, offering a path to recovery that balances complexity with resource efficiency.

Rescana is here for you

At Rescana, we are committed to supporting our customers in navigating the complex landscape of cybersecurity threats. Our Third Party Risk Management (TPRM) platform is designed to identify and mitigate risks associated with third-party vendors, ensuring robust protection for your organization. Should you have any questions about this report or require assistance with any cybersecurity concern, we encourage you to reach out to us at ops@rescana.com. We are here to help you safeguard your digital assets effectively.
