It's not often we talk about brute force as a good thing in the computer space. Usually it's in reference to hackers demanding money, or even worse, that game for the original Xbox. This time the practice of bombarding a system with digits hoping to find the right ones has worked for the good guys, with Akira ransomware being cracked in just seven days by a lone RTX 4090.
Tom's Hardware spotted the work by Tinyhack, who's responsible for the exploit. The blogger has detailed the adventure which included helping a company restore data after the attack with brute forcing methods. It's pretty incredible to see this kind of work being carried out on a consumer, if quite high-end graphicscard.
Akira, as a name, can cover a range of ransomware, and it's been known for a while that some, but not all, share a brute forcible weakness. Avast's research team were the first to find the exploit and posted a free tool around it back in 2023. Of course, since then those variants of Akira have been patched and updated, but the knowledge obtained from fighting them still proves useful.
The kind of Akira attack this solution works on are using the chacha8 and Kcipher2 encryption methods. These are known methods, and here they're used to generate unique per-file encryption keys. To try to make these as difficult as possible to decrypt, it uses four distinct timestamps, in nanoseconds, as seeds to generate.
Using the time stamps is good and bad for Akira's encryption. On the one hand it means decrypting this way is only possible if the files are unchanged and still have the time stamp. It can also hide in server lag. So when trying to decrypt, we can't get the exact timestamp, but we can get close enough (on average within 5 million nanoseconds) to then hand it over to the machines for a final brute forced beat down.
Again that's only if we're lucky enough to have all these stars align in the first place.
But I still think the most exciting part of Tinyhacks's exploit is that it was all done on one RTX 4090 in just seven days to get the keys. It then took a further three weeks for the client to get their full virtual machine back, but without having to pay the ransom. Adding in more GPUs would make this much faster; it's estimated it'd only take 10 hours with 16 of these GPUs on the job. I wonder how a new RTX 50-series card would fair.
Tinyhack's blog has the full deep dive on how they managed this incredible recovery. It includes a link to the full code on github, as well as another to known hash codes for Akira ransomware. Though it's worth remembering this isn't always going to work, and you'd still have to get pretty lucky to recover your data after an attack, as Tinyhack notes in their conclusion.
"Probably 99.9% of the time when you get a ransomware, it won’t be recoverable without the key. But if you are lucky, sometimes it is possible to find a solution."
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
Nvidia has cut the MSRP of RTX 50-series FE cards in the UK and Europe and that means... not a whole lot right now
Nvidia's expanded Zorah demo tells us how AI is the future of graphics: 'There's no rasterization going on at all. This is all ray traced and the amazing part is that it's actually faster than rasterizing'
