Fake Ransomware decryption tools: The rabbit hole



During the past month or so, following the announcement of our Akira ransomware decryption service, we have been responding to Akira incidents around the world. Recently, a victim organisation contacted us for help, but their story was quite unusual compared to the other victims we have been assisting.

As it turned out, they had indeed been hit by the Akira ransomware but in addition to this, they shared a decryption tool with us and told us that they had contacted some "Decryption Experts" and paid for this tool upfront. As their Akira incident was recent and the decryption tool that they shared with us was not made by Avast, we immediately knew that something suspicious was going on. 

As a recap: Legitimate decryption tools released to the public can help with older variants of Akira, that had a much more simple encryption scheme. The current variant of Akira uses up to 8 encryption keys per file, as well as two different encryption schemes, which makes it unfeasible to release a standalone decryption tool. This is why we offer the decryption as a paid service (paid after successful decryption), since it takes considerable amounts of computing power and manual binary analysis performed by our experts.

We decided to take a closer look at the tool they shared to see what they had paid for. What we uncovered was a widespread campaign of new fake ransomware decryptors, being actively advertised via Youtube channels, tailor made websites and reddit.

This post may get a bit technical at some points.

Fake decryptor analysis

The fake akira decryptor tool (SHA1: c66c5f0e7876a53c1af4da241d6248c05ff9dc4b) comes to us from the future in the form of a .NET executable with a modified compiler timestamp of "22/11/2080 7.08.52".

Fake Akira decryptor user interface

Supposedly, all the victim has to do is to input their unique Login ID/Chat ID that is found in the Akira ransomware note. Behind the scenes, the Login ID is checked to see if matches a hardcoded value. Our hypothesis is that this hardcoded value is the actual victim Login ID that the victim has passed on to the actors behind this campaign. The actors then compile a new executable for each victim, with their ID hardcoded into the program.

DnSpy analysis

By loading the executable into dnSpy, an open source .NET debugger and assembly editor, we can take a look at what the code is doing. To save us some effort, the actors have chosen not to obfuscate their code and static analysis is a breeze. Immediately after loading the binary into dnSpy, looking at the embedded resources, we spotted an additional logo image referring to a "universal decryptor". We will circle back on this discovery after analyzing the "Decryption" part of the code.

Akira Decryption.exe resources

Looking inside the EncryptDecryptFiles class, we find the Decrypt() function. The function starts by comparing the user submitted login ID to a hardcoded value as previously mentioned. If the value matches, the function goes through each file present defined in the current path (C:\\) and looks for files that contain the string "akiraa" in their name. 
We are not sure if this typo is intentional or if it is simply an error on the actors part, because on a machine with an Akira infection, the encrypted files have an ".akira" suffix. Because of this, the check fails on every file and an error message is shown to the victim: "Your personal ID is expired by Hackers. Please update!" Of note: By design (logic error or intentional), even if the program would find ".akiraa" files and overwrite them, it would still display the same error message to the victim.

Decrypt function

Interestingly, the executable also contains an Encrypt function, which is never called in the binaries that we found. Our hypothesis is that this function is called in the variants that the actors use to first encrypt files in order to show that the decryption is working in their demo videos. This is further supported by the presence and usage of actual cryptography functions via the System.Security.Cryptography .NET API.

Cryptography API usage

Pivoting on resources

To circle back on the universal decryptor image that was present in the resources, we found two interesting artifacts to further pivot on and look for related binaries. The first artifact was the Akira decryption image displayed in the tool, named "tumblr_252fa...". Searching for this string in Virustotal showed 3 similar binaries. One supposedly for lockbit decryption, one for djvu and one for phobos ransomware.

Virustotal search for the resource name

These 3 binaries are also .NET executables and a quick analysis reveals that they are identical in function to the Akira decryption binary. Below is a comparison of the Akira decryption binary and one of the newly found binaries. The Decrypt function (and other functions) are identical, except for the hardcoded Chat ID that the victim provides to the actors.

Comparing the two binaries in dnSpy

The second artifact is the presence of the "universal decryptor" image in the resources. Searching for universal decryptor in google, we came across a website "universaldecryptor.net". This website promises guaranteed recovery of files for stop/djvu ransomware victims in exchange for an undisclosed amount of Tether (USDT) or Bitcoin cryptocurrency. 
The page is filled with seemingly fake reviews and testimonials along with a FAQ section to reassure victims of the legitimacy of the operation. Victims are instructed to contact the actors via whatsapp, telegram or email, most likely to carry out the payment of cryptocurrency and receive the fake decryption tool.

universaldecryptor website

The page also contains an embedded Youtube video, allegedly showing the tool working and decrypting files. Searching on Youtube for "ransomware decryption" leads to multiple channels and several hundreds of videos advertising the successful decryption of any number of ransomware variants. ( lockbit, akira, djvu, phobos etc.).

These videos and their descriptions containing links lead us to the akiradecryption[.]org website. Looking awfully familiar. Any doubt that these websites and programs are not connected, should be gone by this point. The client that reached out to us originally also confirmed that this is indeed where they received the akira decryption executable from.

akiradecryption website

Looking at the list of Youtube channels we found during analysis reveals that on some channels, the campaigns have been active for at least 2 years. All channels follow a similar pattern of releasing "proof of concept" videos for whatever ransomware strain, with the video showing how the tool supposedly decrypts files.

one channel with multiple videos for different ransomware


The uncovered campaign is yet another example of criminals trying to exploit desperate victims for financial gain. It should go without saying, but in the event of a ransomware attack your first point of contact should be your local law enforcement agency, followed by actual incident response experts and legitimate security vendors. (not a website that requests USDT, Bitcoin or any other cryptocurrency as payment for their services).

In addition to this, the importance of backups (and actually verifying that you can restore from said backups) can not be overstated. 

We have notified the relevant parties to get these channels, websites and user accounts taken down.

If you got this far, thank you for reading the post and stay safe. If you have any questions or need assistance with Akira recovery or anything else, don't hesitate to reach out to us at support@fitsec.com.

Eerik Reis, Toni Koivunen & The Fitsec APT research team

Indicators of Compromise



Youtube channels:


File hashes (fake decryption binaries):


No comments:

Post a Comment