[HN Gopher] Decrypting encrypted files from Akira ransomware usi...
___________________________________________________________________
Decrypting encrypted files from Akira ransomware using a bunch of
GPUs
Author : costco
Score : 107 points
Date : 2025-03-14 17:45 UTC (5 hours ago)
(HTM) web link (tinyhack.com)
(TXT) w3m dump (tinyhack.com)
| fragmede wrote:
| > I expect [the attackers] will change their encryption again
| after I publish this.
|
| If they realize that, why publish this? Seems irresponsible at
| best to give a decryptor in such gory detail for what, Internet
| cred? It's an interesting read, and my intellectual curiosity is
| piqued, it just seems keeping the details to yourself would be
| better for the community at-large.
|
| > Every time I wrote something about ransomware (in my Indonesian
| blog), many people will ask for ransomware help. ...
|
| > Just checking if the ransomware is recoverable or not may take
| several hours with a lot of efforts (e.g: if the malware is
| obfuscated/protected). So please don't ask me to do that for free
|
| So charge them for it?
| dylan604 wrote:
| Once your files are encrypted by ransomware, does the
| encryption change if the malware gets updated? If not, then
| anyone currently infected with this version can now possibly
| recover.
|
| If they don't release their code, then what's the point of
| having the code? They accomplished their task, and now here you
| go for someone else that might have the same need. Otherwise,
| don't get infected by a new version.
| martinsnow wrote:
| Why don't you do the legwork instead of asking rhetorical
| questions?
| charcircuit wrote:
| Legwork of what? Companies already have done the legwork to
| make it easy for strangers to send you money.
| technion wrote:
| Companies that "do the legwork" of decrypting ransomware
| for the most part just pay the ransom on your behalf.
| tsujamin wrote:
| Presuming this results in a cryptosystem change for
| Akira, there's a real number of victims who won't get
| their data back as a result of this disclosure.
|
| Whether the number is more than that of victims to date
| who can recreate this? Who knows
| not2b wrote:
| It was already disclosed to the bad guys that someone
| managed to break their encryption, when they didn't get
| paid and they saw that the customer had somehow managed
| to recover their data. That probably meant they might go
| looking for weaknesses, or modify their encryption, even
| without this note.
|
| Other victims whose data were encrypted by the same
| malware (before any updates) could benefit from this
| disclosure to try to recover their data.
| bawolff wrote:
| How would they get their data back if someone
| theoretically knows how to decrypt but never tells
| anyone.
| IncreasePosts wrote:
| How would it be better, unless it's widely known to be
| breakable? And at that point, wouldn't the hackers know that
| too?
| __alexander wrote:
| Note: Someone commented on the "limited shelf-life" of ransomware
| and why this doesn't hurt other victims. They deleted their
| comment but I'm posting my response.
|
| You are incorrect. What is limited is the number of attacks that
| can be used for victims to recover their files. If you think the
| author is the only person that was using this attack to recover
| files, you are incorrect again. I'd recommend checking out the book
| The Ransomware Hunting Team. It's an interesting book about what
| happens behind the scenes for helping victims recover their files.
| bawolff wrote:
| Anyone know why they are using timestamps instead of /dev/random?
|
| Don't get me wrong, I'm glad they don't, it's just kind of surprising
| as it seems like such a rookie mistake. Is there something I'm
| missing here, or is it more a case of people who know what they are
| doing not choosing a life of crime?
| __alexander wrote:
| Rolling your own crypto is still a thing.
| mschuster91 wrote:
| If it works (reasonably) it works, and it throws wrenches
| into the gears of security researchers when the code isn't
| the usual, immediately recognizable S boxes and other
| patterns or library calls.
| dherls wrote:
| Charitably, use of system-level randomness primitives can be
| audited by antivirus/EDR.
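To make concrete why seeding a key from a timestamp (the "rookie mistake" raised above) is recoverable at all, here is an added example that is not from the linked article or the Akira malware: a toy stream cipher whose key is SHA-256 of a nanosecond timestamp, and a brute-force that recovers the timestamp from a ciphertext using only a known plaintext prefix (a file-format magic) and a guess at the time window in which the file was encrypted. The cipher construction, the sample file and the timestamp are all constructed for the demo; the real malware's key derivation is not reproduced here. The demo searches a 100,000-nanosecond window so it runs in well under a second in CPython; a real window of a few seconds at nanosecond resolution is on the order of 10^9 candidates per file, which is the scale at which GPUs become necessary.

```python
import hashlib
import struct

# Constructed sample: a known file-format magic and a hypothetical
# encryption time. In practice the magic comes from the file extension
# and the time window from the file's modification time or the
# attacker's activity window in logs.
PDF_MAGIC = b"%PDF-1.7\n"
TRUE_TS_NS = 1_741_973_100_123_456_789  # constructed, not from the article


def key_from_timestamp(ts_ns: int) -> bytes:
    """Toy key derivation: the whole key is a function of one 64-bit
    timestamp, so the key space is bounded by the plausible time window,
    not by 2**256. This is the weakness being demonstrated."""
    return hashlib.sha256(struct.pack("<Q", ts_ns)).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(data: bytes, ts_ns: int) -> bytes:
    """XOR with the keystream; encryption and decryption are the same op."""
    return xor_bytes(data, keystream(key_from_timestamp(ts_ns), len(data)))


def recover_timestamp(ciphertext: bytes, known_prefix: bytes,
                      window_start_ns: int, window_end_ns: int):
    """Brute-force the timestamp: for each candidate in the window, derive
    the key, generate only as much keystream as the known prefix needs,
    and check whether it decrypts the start of the file to the expected
    magic. Returns the timestamp or None if the window did not contain it.
    Only len(known_prefix) bytes of keystream are computed per candidate,
    which keeps the per-candidate cost to two hashes."""
    target = ciphertext[:len(known_prefix)]
    for ts in range(window_start_ns, window_end_ns):
        ks = keystream(key_from_timestamp(ts), len(known_prefix))
        if xor_bytes(target, ks) == known_prefix:
            return ts
    return None


def constructed_sample():
    """A constructed 'victim' file and its ciphertext."""
    plaintext = PDF_MAGIC + b"constructed sample file body. " * 4
    return plaintext, toy_encrypt(plaintext, TRUE_TS_NS)


def demo(window_ns: int = 50_000):
    """Recover the timestamp from a window of +/- window_ns around the true
    time, then decrypt the whole file with it. Returns (timestamp_found,
    full_file_decrypted_correctly)."""
    plaintext, ciphertext = constructed_sample()
    found = recover_timestamp(ciphertext, PDF_MAGIC,
                              TRUE_TS_NS - window_ns, TRUE_TS_NS + window_ns)
    recovered_ok = found is not None and toy_encrypt(ciphertext, found) == plaintext
    return found, recovered_ok


if __name__ == "__main__":
    ts, ok = demo()
    print(f"recovered timestamp: {ts}, full decrypt matches: {ok}")
```

The false-positive risk of the prefix check is negligible here (a 9-byte magic against 10^5 candidates), but with very short magics or windows of 10^9 candidates you would confirm a hit by decrypting more of the file before trusting it. The same structure, with the timestamp replaced by output from /dev/urandom or getrandom(2), has no window to search, which is the whole difference the comment above is pointing at.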
| throwaway48476 wrote:
| Ransomware would be less of a problem if applications were
| sandboxed by default.
___________________________________________________________________
(page generated 2025-03-14 23:00 UTC)