Decryptor publicly released for Akira ransomware used in several high-profile incidents

A cybersecurity firm released a decryptor for the Akira ransomware, providing a way forward for dozens of victims that have dealt with attacks since the gang emerged in March 2023.

Several experts told Recorded Future News that a decryptor for the ransomware had been used quietly among incident responders for months before cybersecurity firm Avast developed and released its version for public download.

The Akira ransomware group has taken credit for several high-profile incidents – including attacks on the government of Nassau Bay in Texas, Bluefield University, a state-owned bank in South Africa and major forex broker London Capital Group.

The decryptor works on the Windows version of the ransomware, and Avast said it is working on a decryptor that would work for the Linux version discovered last month.

“The Linux version of the Akira ransomware works identically like its Windows counterpart. Encrypted files have the same extension and the same encryption schema,” the researchers said, adding that the current decryptor can be used to unlock files encrypted by the Linux variant..

The researchers noted that the Akira ransomware bears several similarities to the Conti ransomware, which they said “may indicate that the malware authors were at least inspired by the leaked Conti sources.”

The files and directories excluded during attacks are the same and several of the encryption features resemble those used by Conti.

Several other security companies have hinted about similarities and ties between the now-defunct Conti ransomware and Akira.

Recorded Future ransomware expert Allan Liska said although Akira has only been around since March, it has already added more than 50 victims to their extortion site, indicating “that they are most likely an experienced group who switched to using a different ransomware strain.”

“The group is most well known for their leak site, which is set up to look like an ‘80s computer terminal (green text against a black background),” he said.

“One other thing that is interesting about them is that in their ransom note they threaten to tell everyone how they got into a victim network for victims that don’t pay.”

The group made waves last week after posting an apology for attacking the state-owned Development Bank of Southern Africa, claiming someone used their ransomware without their permission.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.