If a system is infected by ransomware, recovering the data is virtually impossible unless the victim gives in to the attacker's demands and pays the ransom for the decryption key, and those ransom amounts are typically exorbitant.
Ransomware encrypts data using portions of the files themselves as seeds for the encryption, which makes recovery extremely difficult. Recently, security researcher TinyHack published a detailed account of how they decrypted data on a Linux/VMware ESXi system compromised by a variant of the Akira ransomware. By combining flaws in the ransomware with brute-force techniques, TinyHack recovered the data in approximately 16 days.
Admittedly, some luck was involved: the specific Akira variant that infected the client's systems contained exploitable flaws. Even so, the brute-force search had to cover an enormous number of offset values, approximately 4.5 quadrillion pairs. On a system capable of 50 million encryptions per second, exhausting all possible combinations would ordinarily take hundreds of days.
Adding GPUs accelerated the search significantly. With a GPU capable of about 1.5 billion KCipher2 encryption operations per second, checking one billion candidate values at a single offset took roughly 0.7 seconds including verification time, with a maximum of 32 simultaneous matches per batch. Testing two million offsets on a single GPU therefore took around 16 days; with 16 RTX 4090 GPUs, the same task could theoretically be completed in approximately 10 hours.
Buying RTX 4090 GPUs solely for a one-off brute-force decryption proved prohibitively costly, so the client initially considered renting GPU resources from Google Cloud for a month, an approach estimated to cost tens of thousands of dollars.
Ultimately, TinyHack successfully decrypted the client’s heavily compromised VMDK disks, fully restoring the Linux/VMware ESXi environment.
Those interested can click here to read the article.