Note: Someone commented on the “limited shelf-life” of ransomware and why this doesn’t hurt other victims. They deleted their comment but I’m posting my response.
You are incorrect. What is limited is the number of attacks that can be used for victims to recover their files. If you think the author is the only person that was using this attack to recover files, you are incorrect again. I’d recommend checking out book The Ransomware Hunting Team. It’s interesting book about what happens behind the scene for helping victims recover their files.
BestHackerOnHN 3 hours ago [-]
[dead]
bawolff 3 hours ago [-]
Anyone know why they are using timestamps instead of /dev/random?
Dont get me wrong,im glad they don't, its just kind of surprising as it seems like such a rookie mistake. Is there something i'm missing here or is it more a caseof people who know what they are doing don't chose a life of crime?
0cf8612b2e1e 1 hours ago [-]
Even if the attackers used a fully broken since 1980s encryption-how many organizations have the expertise to dissect it?
I assume that threat detection maintains a big fingerprint databases of tools associated with malware. Rolling your own tooling, rather than importing a known library, gives one less heuristic to trip detection.
Charitable, use of system level randomness primitives can be audited by antivirus/EDR.
__alexander 2 hours ago [-]
Rolling your own crypto is still a thing.
mschuster91 2 hours ago [-]
If it works (reasonably) it works, and it throws wrenches into the gears of security researchers when the code isn't the usual, immediately recognizable S boxes and other patterns or library calls.
2 hours ago [-]
throwaway48476 2 hours ago [-]
Ransomware would be less of a problem if applications were sandboxed by default.
XorNot 2 minutes ago [-]
Sandboxed how? Applications generally are used to edit files, and those are the valuable files to a user.
Ransomeware wouldn't be a problem at all if copy-on-write snapshotting filesystems were the default.
gblargg 1 hours ago [-]
Or if people backed up more often.
fragmede 5 hours ago [-]
> I expect [the attackers] will change their encryption again after I publish this.
If they realize that, why publish this? Seems irresponsible at best to give a decryptor in such gory detail for what, Internet cred? It's an interesting read, and my intellectual curiosity is piqued, it just seems keeping the details to yourself would be better for the community at-large.
> Everytime I wrote something about ransomware (in my Indonesian blog), many people will ask for ransomware help.
...
> Just checking if the ransomware is recoverable or not may take several hours with a lot of efforts (e.g: if the malware is obfuscated/protected). So please don’t ask me to do that for free
So charge them for it?
martinsnow 5 hours ago [-]
Why don't you do the legwork instead of asking rhetorical questions?
charcircuit 4 hours ago [-]
Legwork of what? Companies already have done the legwork to make it easy for strangers to send you money.
technion 3 hours ago [-]
Companies that "do the legwork" of decrypting ransomware for the most part just pay the ransom on your behalf.
tsujamin 3 hours ago [-]
Presuming this results in a cryptosystem change for Akira, there’s a real number of victims who won’t get their data back as a result of this disclosure.
Whether the number is more than that of victims to date who can recreate this? Who knows
bawolff 3 hours ago [-]
How would they get their data back if someone theoretically knows how to decrypt but never tells anyone.
not2b 3 hours ago [-]
It was already disclosed to the bad guys that someone managed to break their encryption, when they didn't get paid and they saw that the customer had somehow managed to recover their data. That probably meant they might go looking for weaknesses, or modify their encryption, even without this note.
Other victims whose data were encrypted by the same malware (before any updates) could benefit from this disclosure to try to recover their data.
cannonpalms 2 hours ago [-]
> why publish this?
New versions of Akira and any other ransomware are constantly being developed. This code is specific to a certain version of the malware.
As noted in the article, it also requires:
1. An extremely capable sysadmin
2. A bunch of GPU capacity
3. That the timestamps be brute-forced separately
So it's not exactly a turn-key defeat of Akira.
4 hours ago [-]
dylan604 5 hours ago [-]
once your files are encrypted by ransomware, does the encryption change if the malware gets updated? if not, then anyone currently infected with this version can now possibly recover.
if they don't release their code, then what's the point of having the code? they accomplished their task, and now here you go for someone else that might have the same need. otherwise, don't get infected by a new version
IncreasePosts 4 hours ago [-]
How would it be better, unless it's widely known to be breakable? And at that point, wouldn't the hackers know that too?
You are incorrect. What is limited is the number of attacks that can be used for victims to recover their files. If you think the author is the only person that was using this attack to recover files, you are incorrect again. I’d recommend checking out book The Ransomware Hunting Team. It’s interesting book about what happens behind the scene for helping victims recover their files.
Dont get me wrong,im glad they don't, its just kind of surprising as it seems like such a rookie mistake. Is there something i'm missing here or is it more a caseof people who know what they are doing don't chose a life of crime?
I assume that threat detection maintains a big fingerprint databases of tools associated with malware. Rolling your own tooling, rather than importing a known library, gives one less heuristic to trip detection.
Ransomeware wouldn't be a problem at all if copy-on-write snapshotting filesystems were the default.
If they realize that, why publish this? Seems irresponsible at best to give a decryptor in such gory detail for what, Internet cred? It's an interesting read, and my intellectual curiosity is piqued, it just seems keeping the details to yourself would be better for the community at-large.
> Everytime I wrote something about ransomware (in my Indonesian blog), many people will ask for ransomware help. ... > Just checking if the ransomware is recoverable or not may take several hours with a lot of efforts (e.g: if the malware is obfuscated/protected). So please don’t ask me to do that for free
So charge them for it?
Whether the number is more than that of victims to date who can recreate this? Who knows
Other victims whose data were encrypted by the same malware (before any updates) could benefit from this disclosure to try to recover their data.
New versions of Akira and any other ransomware are constantly being developed. This code is specific to a certain version of the malware.
As noted in the article, it also requires:
1. An extremely capable sysadmin 2. A bunch of GPU capacity 3. That the timestamps be brute-forced separately
So it's not exactly a turn-key defeat of Akira.
if they don't release their code, then what's the point of having the code? they accomplished their task, and now here you go for someone else that might have the same need. otherwise, don't get infected by a new version