There's good news for any business which has fallen victim to the Akira ransomware.
Security researchers at anti-virus company Avast have developed a free decryption tool for files that have been encrypted since the Akira ransomware first emerged in March 2023.
The ransomware has been blamed for a number of high profile attacks - including ones against universities, financial institutions, and even a daycare centre for children.
Organisations hit by the Akira ransomware soon realise that they have a problem - many of their data files have been renamed to add the extension .akira, their contents garbled by an encryption algorithm, and a ransom note has been left by the cybercriminals in each folder.
Part of the extortion demand reads:
2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them in this case we won't be able to help.
It's not the hardest thing in the world to recover garbled files if (and it's a big if) your company followed best practices when it came to backups, and those backups can be easily accessed, and are not compromised.
But, of course, as we all know, it's often still the case that proper backup systems are not in place, or have not been properly tested to see if they will work properly if an emergency recovery of data is required.
And that's where a tool like the new free Akira decryptor from Avast comes in useful.
In order to crack the ransomware's password, Avast's tool asks for a sample Akira-encrypted file and a copy of the data file before it was hit by the ransomware attack.
The tool stresses that it is "extremely important" to pick a pair of files that are as large as possible, and precisely the same size. Although the password-cracking process "usually only takes a few seconds", the researchers warn that it does require a large amount of memory, and that for this reason it recommends using the 64-bit version of the decryption tool.
Presently Avast's tool only works on Windows, but the company says that it is working on a specific version that will also run on Linux. In the meantime, the Windows version of Avast's decryptor can be used to unlock files encrypted by the Linux version of the Akira ransomware, as well as its Windows counterpart.
Avast's researchers don't share any details of how they were able to find a way to decrypt files garbled by the Akira ransomware, and with good reason. Chances are that the gang behind the Akira attacks will be feverishly attempting to determine where the weakness in their code might be, and working on a new version of the Akira ransomware which can not be so easily defused.
Unfortunately even if you do manage to recover your data after an Akira ransomware attack, it's not necessarily the end of your headaches. That's because the cybercriminals behind the security breach have also stolen your data, and threaten to sell it on the dark web and publish it on their leak site to compound the difficulties for your company, its partners, and customers.
A ransomware decryption tool is definitely a great tool to have in your back pocket. But it's even better to stop a ransomware attack from succeeding in the first place.
Follow our advice on protecting organisations from ransomware attacks, including the following recommendations:
- make secure offsite backups.
- run up-to-date security solutions and ensure that your computers are protected with the latest security patches against vulnerabilities.
- restrict an attacker's ability to spread laterally through your organisation via network segmentation.
- use hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
- encrypt sensitive data wherever possible.
- reduce the attack surface by disabling functionality that your company does not need.
- educate and inform staff about the risks and methods used by cybercriminals to launch attacks and steal data.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.
