Decrypting Akira Ransomware with Brute-Force in 2025
Security researcher Yohanes Nugroho has released a decryptor for the Linux variant of Akira ransomware, which utilizes GPU power to retrieve the decryption key and unlock files for free.
Nugroho developed the decryptor after a friend asked him for help, deeming the encrypted system solvable within a week based on how Akira generates encryption keys using timestamps.
The project ended up taking three weeks due to unforeseen complexities, and the researcher spent $1,200 on GPU resources to crack the encryption key, but eventually, he succeeded.
Download: https://github.com/yohanes/akira-bruteforce
Using GPUs to Brute Force Keys
Nugroho’s decryptor does not work like a traditional decryption tool where users supply a key to unlock their files.
Instead, it brute-forces encryption keys (unique for each file) by exploiting the fact that the Akira encryptor generates its encryption keys based on the current time (in nanoseconds) as a seed.
An encryption seed is data used with cryptographic functions to generate strong, unpredictable encryption keys. Since the seed influences the key generation, keeping it secret is critical to prevent attackers from recreating encryption or decryption keys through brute force or other cryptographic attacks.
Akira ransomware dynamically generates unique encryption keys for each file using four different timestamp seeds with nanosecond precision, hashed through 1,500 rounds of SHA-256.
These keys are encrypted with RSA-4096 and appended at the end of each encrypted file, making decryption difficult without the private key.
The level of timing precision in the timestamps creates over a billion possible values per second, making it challenging to brute force the keys.
Additionally, Akira ransomware on Linux encrypts multiple files simultaneously using multi-threading, making it difficult to determine the exact timestamp used and adding further complexity.
The researcher narrowed down the possible timestamps to brute-force by analyzing log files shared by his friend. This allowed him to determine when the ransomware was executed, examine file metadata to estimate encryption completion times, and produce encryption benchmarks on different hardware to create predictable profiles.
Initial attempts using an RTX 3060 were too slow, processing only 60 million encryption tests per second. Upgrading to an RTX 3090 provided little improvement.
Eventually, the researcher turned to cloud GPU services such as RunPod and Vast.ai, which offered sufficient computing power at a reasonable cost.
Using sixteen RTX 4090 GPUs, he successfully brute-forced the decryption key in approximately 10 hours. However, depending on the number of encrypted files, the process may take a couple of days.
The researcher noted that GPU experts could further optimize his code to improve performance.
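The weakness described above, time-seeded keys recovered by sweeping a narrowed timestamp window, can be shown with a simplified model. This is an added example, not code from Nugroho's decryptor or from Akira: it assumes a single seed instead of four, an 8-byte little-endian seed encoding, an XOR stand-in cipher and a known file header, and all function names are hypothetical.

```python
import hashlib
import struct

ROUNDS = 1500  # SHA-256 round count reported in the article


def derive_key(seed_ns: int) -> bytes:
    """Toy KDF (assumption): iterate SHA-256 over an 8-byte nanosecond timestamp."""
    digest = struct.pack("<Q", seed_ns)
    for _ in range(ROUNDS):
        digest = hashlib.sha256(digest).digest()
    return digest


def encrypt_head(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with a hash-derived keystream, max 32 bytes."""
    stream = hashlib.sha256(key + b"\x00").digest()
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def recover_seed(cipher_head: bytes, known_head: bytes, start_ns: int, end_ns: int):
    """Sweep [start_ns, end_ns) for the seed that reproduces a known file header."""
    for candidate in range(start_ns, end_ns):
        if encrypt_head(derive_key(candidate), known_head) == cipher_head:
            return candidate
    return None


def sweep_hours(window_seconds: float, tests_per_second: float) -> float:
    """Worst-case hours to try every nanosecond value in a time window."""
    return window_seconds * 1_000_000_000 / tests_per_second / 3600


# Constructed sample: a PDF header encrypted with a key seeded from a "secret" timestamp.
KNOWN_HEAD = b"%PDF-1.7"
SECRET_SEED = 1_700_000_000_123_456_789
CIPHER_HEAD = encrypt_head(derive_key(SECRET_SEED), KNOWN_HEAD)

if __name__ == "__main__":
    # Logs and file metadata bound the window; here it is 400 ns wide.
    lo = SECRET_SEED - 250
    print("recovered:", recover_seed(CIPHER_HEAD, KNOWN_HEAD, lo, lo + 400))
    # One second of candidates at 60 million tests/s (the article's RTX 3060 rate).
    print("hours per second of window:", sweep_hours(1, 60e6))
```

The seed never has to be guessed outright: once the window is bounded, every candidate is tested against a header whose plaintext is predictable, which is why a key derived from a clock gives no protection regardless of how many hash rounds follow.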
Nugroho has made the decryptor available on GitHub, with instructions on how to recover Akira-encrypted files.
As always, when attempting to decrypt files, make a backup of the original encrypted files, as there is a risk of corruption if the wrong decryption key is used.
Note: The public decryptor is available for everyone. We do not guarantee that this free decryptor will work for all variants.