
July 5, 2023

Decryptor for popular Akira ransomware now available


Source: Bleeping Computer

Summary

A new decryptor is now available to help victims of Akira ransomware restore their files without having to pay the ransom. The tool is currently available for Windows users but can also be used to decrypt files that were encrypted using the Linux version of Akira. A full Linux version of the decryptor is in development.

Akira, which takes its name from a Japanese cyberpunk manga, is a prolific ransomware claiming dozens of victims since it was first spotted in May 2023. Researchers have noted similarities between Akira and the now-defunct Conti ransomware group, including the:

  • Disregard of certain files and directories
  • Use of the stream cipher ChaCha 2008
  • Same file tails

While this isn’t enough to conclude that Akira is related to Conti, it suggests that Akira’s developers were likely inspired by leaked Conti code.

Analysis

The public release of a ransomware decryptor is a major blow to Akira’s ransomware operation. With a free and easy way to decrypt their files, victims are now very unlikely to pay a ransom. As a result, Akira may change tactics in both the short and long term.

Field Effect expects that Akira will quickly examine its ransomware code to identify the weakness researchers were able to exploit to build the decryptor. Once found, a new and improved version of Akira will be deployed that the current decryptor will be unable to decrypt. Akira will likely also adopt other techniques such as ‘double extortion’ (stealing data before encrypting it and threatening to publish it) to ensure that the release of additional decryptors does not lower the chances of victims paying the demanded ransom.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for new TTPs. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate threat activity like ransomware. Covalence users are automatically notified when ransomware is detected in their environment and are encouraged to review these AROs as quickly as possible.
