Avast researchers developed and released a decryptor for the Akira ransomware and outline how Akira encrypts files, generates keys, and drops ransom notes. The article also notes similarities to Conti and explains how to use the Avast decryptor on Windows (and via WINE on Linux) to recover encrypted data, with Tor-based payment sites referenced in the ransom notes. #AkiraRansomware #AvastDecryptor #Conti #akira_readme.txt
Keypoints
- Avast released a decryptor for Akira ransomware and provides guidance for decrypting files on Windows and Linux via WINE.
- Akira encrypts files using ChaCha 2008 with a symmetric key wrapped by RSA-4096 and the public key hardcoded in the binary.
- Files targeted by Akira are chosen by an exclusion list: files with extensions such as .exe, .dll, .lnk, .sys and .msi, and the note file akira_readme.txt, are skipped, and folders such as Windows, Temp, Trend Micro and others are ignored.
- Encrypted files get the .akira extension, and a ransom note named akira_readme.txt is dropped in each folder, linking to Tor sites that list hacked victims and give payment instructions.
- Encryption for small files (
- The Linux version mirrors the Windows encryption schema and uses Crypto++ instead of CryptoAPI; Avast indicates a Linux decryptor is in development and suggests using the Windows decryptor via WINE.
- Similarities to Conti include identical file-type and directory exclusions, Conti-like file tail structure, and comparable ChaCha 2008 and key-generation methods.
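As an added defender-side example (not code from Avast or the article), the following Python walks a directory tree and classifies files using the exclusion rules, the .akira extension and the ransom-note name listed above, so responders can scope which data was encrypted and which was left intact. The sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Exclusions as summarised from the Avast write-up above.
SKIPPED_EXTENSIONS = {".exe", ".dll", ".lnk", ".sys", ".msi"}
SKIPPED_DIRS = {"windows", "temp", "trend micro"}  # compared case-insensitively
ENCRYPTED_EXT = ".akira"
NOTE_NAME = "akira_readme.txt"


def would_be_skipped(path: Path, root: Path) -> bool:
    """True if a file matches the exclusion rules and so should still be intact."""
    rel_dirs = {p.lower() for p in path.relative_to(root).parent.parts}
    if rel_dirs & SKIPPED_DIRS:
        return True
    return path.suffix.lower() in SKIPPED_EXTENSIONS


def scope_impact(root: str) -> dict:
    """Walk a tree and summarise what an Akira run would (or did) touch."""
    root_path = Path(root)
    result = {"encrypted": [], "notes": [], "skipped": [], "at_risk": []}
    for path in root_path.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root_path)).replace(os.sep, "/")
        if path.name.lower() == NOTE_NAME:
            result["notes"].append(rel)          # ransom note dropped per folder
        elif path.suffix.lower() == ENCRYPTED_EXT:
            result["encrypted"].append(rel)      # already encrypted data
        elif would_be_skipped(path, root_path):
            result["skipped"].append(rel)        # exclusion list: left intact
        else:
            result["at_risk"].append(rel)        # would be (or was not yet) hit
    for key in result:
        result[key].sort()
    return result


def build_sample_tree() -> str:
    """Constructed sample layout (not real victim data) for offline demonstration."""
    root = tempfile.mkdtemp(prefix="akira_scope_")
    files = {
        "docs/report.docx.akira": b"\x00", "docs/akira_readme.txt": b"note",
        "docs/budget.xlsx": b"", "bin/tool.exe": b"", "Windows/system.ini": b"",
        "Trend Micro/agent.log": b"",
    }
    for rel, data in files.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(data)
    return root
```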
MITRE Techniques
- [T1486] Data Encrypted for Impact – Akira encrypts files on disk using ChaCha 2008 and secures the symmetric key with RSA-4096, appending the encrypted key to the file. Quote: ‘Files are encrypted by ChaCha 2008 (D. J. Bernstein’s implementation).’
Indicators of Compromise
- [Hash] Windows version sample hashes – 3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c, 5c62626731856fb5e669473b39ac3deb0052b32981863f8cf697ae01c80512e5 and 7 more hashes
- [Hash] Linux version sample hash – 1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296
- [Extension] .akira – Encrypted files carry this extension
- [Filename] akira_readme.txt – Ransom note dropped in each folder
Read more: https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/