The Linux version of the Akira ransomware works identically like its Windows counterpart. First, the size of a full block is calculated (see Figure 1).įigure 7: Akira TOR site instructing victim on how to pay ransom. The structure of such an encrypted file is as follows: Block typeįor files sizes greater than 2,000,000 bytes, Akira encrypts four blocks. For files of 2,000,000 bytes and smaller, the ransomware encrypts the first half of the file. Encryption Schema for Small Filesįiles are encrypted depending on their size. There is even the legacy winnt folder, which was used as default folder for installation of Windows 2000. Whilst ransomware strains usually have a list of file types to encrypt, Akira has a list of files not to encrypt:įurthermore, there are folders that are always ignored by Akira: When searching files for encryption, Akira is not especially fussy. Public key is hardcoded in the ransomware binary and differs per sample. The symmetric key is encrypted by the RSA-4096 cipher and appended to the end of the encrypted file. Akira Encryption Schemaĭuring the run, the ransomware generates a symmetric encryption key using CryptGenRandom(), which is the random number generator implemented by Windows CryptoAPI. The Linux version is 64-bit and uses the Boost library. In June 2023, a security researcher rivitna published a sample that is compiled for Linux. The binary is linked by Microsoft Linker version 14.35. Additionally, Boost library was used to implement the asynchronous encryption code. It is written in C++ with heavy support from C++ libraries. The Akira ransomware comes as a 64-bit Windows binary written for Windows operating system. Note that this ransomware is not related to the Akira ransomware discovered by Karsten Hahn in 2017 and our decryptor cannot be used to decrypt files from this old variant. Skip to how to use the Akira Ransomware Decryptor The Akira ransomware appeared in March 2023 and since then, the gang claims successful attacks on various organizations in the education, finance and real estate industries, amongst others. Researchers for Avast have developed a decryptor for the Akira ransomware and released it for public download.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |