Security researcher breaks one of the most powerful ransomware attacks using GPU power
The method is a bit expensive to restore all encrypted files, but it should still be cheaper than paying the ransom.
Security researcher Yohanes Nugroho was approached by a friend whose Linux system had been hit by the Akira ransomware. After analyzing log files, he determined that Akira seeds its encryption keys with nanosecond-resolution timestamps, TechRadar reports.
An encryption seed is the initial value fed into the routine that generates the keys which lock the victim's files; whoever can recover the seed can regenerate the key. Akira's Linux encryptor derives a unique key for each file from four such timestamps, encrypts that per-file key with RSA-4096 and appends it to the end of the encrypted file, so the key itself cannot be read back without the attackers' private key. Multithreading lets the encryptor process many files in parallel.
However, by reviewing the logs, the researcher was able to determine when the ransomware was launched, and from file metadata, when encryption of each file was completed. That bounds the timestamps used as seeds, so he wrote a brute-force tool that searches the resulting window and recovers the key for each individual file. Running the tool on his own hardware turned out to be impractical: the search took too long on an RTX 3060 and an RTX 3090.
The researcher then turned to the cloud GPU services RunPod and Vast.ai, which provided enough computing power at a reasonable price to make the process workable. With 16 RTX 4090 GPUs, recovering the decryption keys took about 10 hours; the total time scales with the number of files locked.
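The following Python sketch is an added illustration of the recovery technique described above; it is not Nugroho's decryptor and does not reproduce Akira's real key schedule. It assumes a placeholder key derivation (SHA-256 of the timestamp, expanded with SHAKE-256 as a toy stream cipher), a made-up log line format for the launch time, a known-plaintext check on the file header to recognise the right seed, and constructed sample data. What it shows is the part that matters regardless of cipher: the seed window is bounded below by the launch time and above by the file's modification time, every candidate in that window is tried, and the window can be split into independent chunks, which is why the search parallelises onto GPUs. A real window of a few seconds at nanosecond resolution is billions of candidates per file, not the 50,001 used here.

```python
import hashlib

# ---------------------------------------------------------------------------
# Toy model of a timestamp-seeded file encryptor.
# ASSUMPTION: this key schedule is a placeholder for the example, not Akira's.
# ---------------------------------------------------------------------------

def derive_key(seed_ns: int) -> bytes:
    """Derive a 32-byte key from a nanosecond timestamp seed (toy schedule)."""
    return hashlib.sha256(seed_ns.to_bytes(8, "big")).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Expand a key into a keystream of the requested length (toy stream cipher)."""
    return hashlib.shake_256(key).digest(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(plaintext: bytes, seed_ns: int) -> bytes:
    """Encrypt one file with a key derived from the seed."""
    return xor_bytes(plaintext, keystream(derive_key(seed_ns), len(plaintext)))


toy_decrypt = toy_encrypt  # XOR stream cipher: the same operation both ways

# ---------------------------------------------------------------------------
# Recovery side: bound the seed with evidence, then brute-force the window.
# ---------------------------------------------------------------------------

def parse_log_ns(log_line: str) -> int:
    """Extract an epoch timestamp in nanoseconds from a log line of the form
    '[<seconds>.<nanoseconds>] message'.
    ASSUMPTION: this log format is invented for the example."""
    stamp = log_line[1:log_line.index("]")]
    secs, frac = stamp.split(".")
    return int(secs) * 10**9 + int(frac.ljust(9, "0")[:9])


def split_window(start_ns: int, end_ns: int, workers: int) -> list:
    """Partition an inclusive seed window into contiguous chunks, one per worker.
    Chunks are independent, which is what lets the search spread over GPUs."""
    total = end_ns - start_ns + 1
    size = -(-total // workers)  # ceiling division
    chunks = []
    for i in range(workers):
        lo = start_ns + i * size
        if lo > end_ns:
            break
        chunks.append((lo, min(lo + size - 1, end_ns)))
    return chunks


def brute_force_seed(ciphertext: bytes, known_prefix: bytes, start_ns: int, end_ns: int):
    """Try every nanosecond seed in [start_ns, end_ns]. A candidate is accepted
    when decrypting the first bytes yields the expected file header
    (ASSUMPTION: known-plaintext check). Returns the seed or None."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(start_ns, end_ns + 1):
        if xor_bytes(head, keystream(derive_key(seed), len(head))) == known_prefix:
            return seed
    return None


# Constructed evidence: launch time from a log line and the encrypted file's
# modification time. All values below are made up for this example.
START_NS = 1_717_243_200_123_456_789
LOG_LINE = "[1717243200.123456789] akira: encryption started"
TRUE_SEED_NS = START_NS + 31_337   # the encryptor's actual seed, unknown to the victim
MTIME_NS = START_NS + 50_000       # file mtime: encryption had finished by then
SAMPLE_PLAINTEXT = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"


def demo() -> dict:
    """Encrypt the sample file, then recover the seed from the bounded window."""
    ciphertext = toy_encrypt(SAMPLE_PLAINTEXT, TRUE_SEED_NS)
    window_start = parse_log_ns(LOG_LINE)   # lower bound: ransomware launch
    window_end = MTIME_NS                   # upper bound: file last written
    found = None
    for lo, hi in split_window(window_start, window_end, workers=4):
        found = brute_force_seed(ciphertext, b"%PDF-", lo, hi)
        if found is not None:
            break
    recovered = toy_decrypt(ciphertext, found) if found is not None else None
    return {"ciphertext": ciphertext,
            "candidates": window_end - window_start + 1,
            "found_seed": found,
            "recovered": recovered}


if __name__ == "__main__":
    result = demo()
    print(f"searched {result['candidates']} seeds, found seed {result['found_seed']}")
    print("plaintext recovered:", result["recovered"] == SAMPLE_PLAINTEXT)
```

The header check is the weak point of any such tool: it only works for file types with a predictable first few bytes, and the prefix must be long enough that a false match across billions of candidates is negligible (five bytes gives roughly a 2^-40 chance per candidate). Files without a known header need a different acceptance test.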
The project took three weeks and $1,200, but the files were recovered. The decryptor is available on GitHub, and the researcher added that the code can probably be optimized to run faster still. Before attempting any such recovery, victims should first back up the encrypted files, in case something goes wrong.