Decryption tool for Akira ransomware available for free


There is good news for any business that has fallen victim to the Akira ransomware.

Security researchers at the Avast antivirus company have developed a free decryption tool for files encrypted since the first appearance of the Akira ransomware in March 2023.

The ransomware has been blamed for a number of high-profile attacks – including ones against universities, financial institutions and even a children’s daycare.

Organizations affected by the Akira ransomware soon realize they have a problem – many of their data files have been renamed to add the extension .akira, their contents have been scrambled by an encryption algorithm, and a ransom note has been left by the cybercriminals in each folder.

Part of the ransom note reads:

2. Paying us saves you time, money, effort and you’ll be back on track in about 24 hours. Our decryptor works correctly on any files or systems, so you can check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover yourself, remember that you can permanently lose access to certain files or accidentally corrupt them, in which case we cannot help.

It’s not the hardest thing in the world to recover corrupted files if (and this is an important if) your company has followed best practices when it comes to backups, and those backups are easily accessible and not compromised.

But, of course, as we all know, it is still often the case that adequate backup systems are not in place, or have not been properly tested to see if they will function properly if emergency data recovery is required.

And this is where a tool like the new free Akira decryptor from Avast comes in handy.

In order to crack the ransomware password, Avast’s tool asks for a sample Akira encrypted file and a copy of the data file before it was hit by the ransomware attack.

The tool emphasizes that it is “very important” to choose a pair of files as large as possible, and exactly the same size. Although the process of cracking the password “usually only takes a few seconds”, the researchers warn that it does require a large amount of memory, and that for this reason they recommend using the 64-bit version of the decryption tool.

Currently Avast’s tool only works on Windows, but the company says it is working on a specific version that will also run on Linux. Meanwhile, the Windows version of Avast’s decryptor can be used to open files encrypted by the Linux version of the Akira ransomware, as well as its Windows counterpart.

Avast researchers aren’t sharing any details about how they managed to find a way to decrypt files corrupted by the Akira ransomware, and for good reason. Chances are the team behind the Akira attacks will be frantically trying to determine where the weakness in their code might be, and will be working on a new version of the Akira ransomware that cannot be easily neutralized.

Unfortunately, even if you manage to recover your data after an Akira ransomware attack, it’s not necessarily the end of your headaches. This is because the cybercriminals behind the security breach have stolen your data, and threaten to sell it on the dark web and publish it on their leak site to make the difficulties worse for your company, its partners and its customers.

A ransomware decryptor is definitely a great tool to have in your back pocket. But it’s even better to stop a ransomware attack in the first place.

Follow our advice on protecting organizations from ransomware attacks, including the following recommendations:

  • Make secure off-site backups.
  • Run up-to-date security solutions and ensure your computers are protected with the latest security patches against vulnerabilities.
  • Limit an attacker’s ability to spread laterally through your organization by using network segmentation.
  • Use unique, hard-to-crack passwords to protect sensitive data and accounts, and enable multi-factor authentication.
  • Encrypt sensitive data wherever possible.
  • Reduce the attack surface by disabling functionality your company doesn’t need.
  • Educate and inform staff about the risks and methods cybercriminals use to launch attacks and steal data.

Editor’s note: The views expressed in this guest article are solely those of the contributor, and do not necessarily reflect those of Tripwire.
