Windows Server Encrypted by Akira Ransomware | Need Help with Akira Decryption

draspain

Member
Joined
Sep 29, 2025
Messages
6
Hello, I am sorry to post this here. I am trying to post on public forums for help. I am a doctor by profession and recently my server got infected by a virus known as Akira ransomware. All files end with the .akira extension. I am unable to access anything and everything seems to be corrupted. The data is really important for me as it contains important research papers and my patients' history.
Note: I have already tested public decryptors like Avast Akira Decryptor. It did not work
 

Hi — I’m sorry this happened. I know those files are important. Below is a short, practical plan you can follow right away, what to expect, and what I need from you to help further.
Summary (short)
  • Akira (.akira) is ransomware; if files were encrypted with a strong public-key scheme there may be no free way to recover them unless a researcher or the operator provides a key. Independent responders and government guidance strongly recommend preserving evidence, isolating systems, and reporting, and warn that paying is risky.
Immediate do / don’t (first 10–30 minutes)
  1. DO isolate the infected server from the network (unplug network cable / disable NIC). This limits lateral spread.
  2. DO NOT power‑cycle or run random “fix” tools on the disk if you plan to preserve evidence — if you can, make a forensic image of the drives (see next). Volatile data (RAM) can contain useful keys — if you will engage a responder, capture memory first.
  3. DO NOT repeatedly run decryptors or “repair” tools on originals — always work from images/copies so you don’t damage the only remaining evidence or overwrite possible forensic artifacts.
Why recovery may be hard
  • Modern ransomware typically uses asymmetric crypto (attacker keeps private key) and often deletes Volume Shadow Copies and other recovery artifacts, so local file recovery is commonly blocked unless a backup or a decryptor exists.
Step‑by‑step recommended actions
  1. Stop any further spread
    • Immediately disconnect the server from networks and disable any shares or backups that are still reachable.
  2. Preserve evidence (important if you will engage responders or law enforcement)
    • If you can, create full disk images of the server (an investigator can do this with tools like FTK Imager, dd, or similar). Do not attempt file recovery on the live disk. Capture RAM if possible (Live RAM capture tools exist; this is time‑sensitive). These images allow later analysis while keeping originals untouched.
  3. Identify the ransomware
    • Copy the ransom note text and take screenshots, and save one encrypted sample file (a small file is fine). The ransom note, file extension, sample file header/hashes help identify the family and whether a public decryptor exists. Researchers and tools often need these artifacts to tell you if decryption is possible.
  4. Check backups and offline copies
    • Find the most recent offline/offsite backup (air‑gapped or immutable backups). Restoring from a clean backup is the safest recovery path. Government guidance repeatedly emphasizes offline backups as the primary recovery option.
  5. Check for local recovery options (carefully)
    • You or an IR team can check for Volume Shadow Copies (vssadmin list shadows) but many ransomware strains delete them; don’t run destructive commands and do this only from copies or images.
  6. Try official / reputable decryptor resources only after identification
    • If identification shows a known variant with a published decryptor, use only the official vendor/tool instructions and operate on images/copies. I note you already tried the Avast Akira decryptor and it failed — that’s useful info: it could mean this variant is not supported or the files are partially corrupted.
  7. Report / get professional help
    • Report the incident to law enforcement and your cyber‑insurance / legal/compliance teams. For U.S. victims, agencies (FBI/CISA) recommend reporting ransomware incidents and may provide guidance; they also recommend not paying as the first option and to preserve artifacts for investigation.
    • Consider engaging a reputable incident response (IR) firm or a specialized data‑recovery company experienced with ransomware — in many cases they can advise on containment, whether decryption is realistic, and help restore from backups or attempt forensic recovery. Forum experience shows recovery without backups or a known decryptor is often not possible.
What I need from you to help further
  1. Tell me:
    • Server OS and role (Windows Server version, domain controller or file server?), physical/virtual (ESXi VM?), and whether other machines were affected.
    • Whether you have offline/offsite backups and where they are stored.
    • Whether you have cyber‑insurance and an IR contact.
  2. Attach (or paste) these small items (do NOT attach patient PHI — redact any private data):
    • The ransom note text (or a clear photo/screenshot).
    • One small encrypted sample file (a single file with the .akira extension). If the forum won’t accept it, say so and I’ll tell you how to share privately or to an IR team.
    • The exact filename(s) and a sample file hash (SHA256) if you can get it.
I will then:
  • Help identify the ransomware family (from the ransom note + sample) and tell you whether any known decryptors exist. Identification is the critical next step — many responses depend on that.
  • Walk you through safe imaging and evidence collection steps (commands and tools) or outline what to give to an IR firm.
  • Recommend next steps based on what we find (restore from backup, decryptor use, or IR engagement).
Important cautions
  • If the server holds patient health information, notify your organization’s compliance/legal team and consider HIPAA breach procedures — patient data requires careful handling. Also avoid posting any patient data publicly.
  • Paying ransom is not a guaranteed solution and is discouraged by authorities; it also has legal and ethical implications. Report and consult law enforcement before making any payment decision.
If you want, we can start now:
  • Paste the ransom note text and tell me the Windows Server version, and confirm whether you can upload one small encrypted sample file (redacted of PHI). I’ll help with the next safe steps and identification.
 

Thanks — I can help. Before we proceed: please do NOT open or try to decrypt any encrypted files on the server, and keep the server offline until you’ve made a copy/image. That preserves evidence and keeps the situation from getting worse.
What I need you to share (safe, minimal artifacts)
1) The ransom note text (copy/paste into your reply; redact any patient names or PHI).
2) One small encrypted sample file (a single file with the .akira extension) — do NOT open it. A single small file (≤5 MB if possible) is enough.
3) The server basics: Windows Server version (e.g., Windows Server 2016 / 2019 / 2022), whether it’s physical or a VM (ESXi/Azure), whether it’s a domain controller or file server, and when the infection started.
If you can attach the above to this thread, do that now. If the forum blocks the attachment, follow the alternate instructions below.
How to prepare that sample safely (step‑by‑step)
  1. Work from a copy — do not work on the original disk. If possible, shut down the server and attach the drive to another machine to copy the sample. If you cannot, at minimum copy the one encrypted file to a clean removable drive after disconnecting the server from the network. (If you have access to a forensics or IR team, ask them to make a bit-for-bit image instead.)
  2. Do not open the file. Just copy it.
  3. Compute a SHA256 hash for the sample and paste it here so we can reference the exact file. On Windows (PowerShell) run:
    • Get-FileHash -Algorithm SHA256 "C:\path\to\samplefilename.akira"
      Or using certutil:
    • certutil -hashfile "C:\path\to\samplefilename.akira" SHA256
  4. Copy the ransom note text exactly (or take a clear screenshot). The note plus the .akira extension are the key things that let us identify the variant and whether known decryptors exist. You already tried Avast’s Akira decryptor — that’s useful to know; sometimes decryptors fail because the variant changed or files are damaged.
If forum attachment fails (alternate ways to give me useful info)
  • Paste the ransom note text directly in a reply (redact PHI).
  • Paste the SHA256 hash from Get-FileHash.
  • Paste the first 128 bytes of the file in hex (PowerShell):
    • Format-Hex -Path "C:\path\file.akira" -Count 128
      Copy/paste the output here (this helps identify file header/format without transferring the whole file).
Why these items matter
  • The ransom note and a single sample let us identify the family/variant; that determines whether a public decryptor exists or whether you need professional IR. Modern ransomware commonly uses asymmetric keys — recovery without a key or a backup is often not possible. That’s why quick identification + imaging is the practical first step.
Short checklist while you prepare the file
  • Keep the infected server offline.
  • Don’t run more decryptors on the original files. Work on copies only.
  • If patient data is present, notify your compliance/legal team (HIPAA). Consider contacting law enforcement and your cyber‑insurance/IR vendor early.
If you prefer, I can walk you step‑by‑step (commands and screenshots) for any of the actions above — tell me whether you’re working on the server directly and what Windows Server version it is, and whether you can upload a single .akira sample and the ransom note now.
 

Unable to upload the note here.
 

Thanks — that helps. I tried to find the ransom note / file you mentioned but I can’t see any uploaded attachments here. (If you tried to attach and it failed, that’s why.) Before we continue, please do not open or run any of the encrypted files on the server and keep the machine offline if possible.
Two quick options — pick whichever you can do now
Option A — paste the ransom note text here (fast, easiest)
  • Copy the ransom note text (open it in Notepad on a safe machine) and paste the full text into a reply. Redact any patient names or PHI before pasting. The note text is the single most useful item for identifying the variant.
Option B — attach a single encrypted sample file (if you can upload)
  • Choose one small encrypted file (≤5 MB). Do NOT open it. Make a copy and upload that copy here. Redact any filenames containing patient identifiers first.
If the forum rejects attachments, or you prefer not to upload, do this instead and paste the results here:
1) Copy one sample file safely (do this from an offline machine / from a disk image if possible)
  • If you can shut down the infected server and mount the data drive on another clean machine, do that and copy a single sample to a USB drive.
  • If you must copy while the server is live, disconnect network first, then copy only one file to removable media.
2) Compute the SHA256 hash (so I know we’re looking at the same file)
  • Open PowerShell (Admin) and run:
    Get-FileHash -Algorithm SHA256 "C:\path\to\samplefilename.akira"
  • Paste the SHA256 output here.
3) Paste the first 128 bytes in hex (this helps identify the file without sending the entire file)
  • In PowerShell run:
    Format-Hex -Path "C:\path\to\samplefilename.akira" -Count 128
  • Copy/paste the output into your reply.
Commands to safely copy a file (PowerShell, run as Admin)
  • Copy-Item -Path "C:\path\to\file.akira" -Destination "E:\sample.akira"
If you want me to help capture more forensics (recommended), I can walk you through:
  • Making a full bit-for-bit disk image (FTK Imager or dd), and
  • Capturing live RAM (winpmem / FTK Imager memory capture). These steps require care — I can provide exact commands and a checklist if you want to involve an IR team or law enforcement. Evidence preservation is important if you report to authorities.
What I’ll do after you paste the note + sample info
  • Identify the ransomware family/variant (many variants are identifiable from the note + file header).
  • Tell you whether a known decryptor exists or if the variant is currently unsupported.
  • Give safe, step‑by‑step next actions (image the drive, try decryptors on copies only, or engage an IR/data‑recovery firm).
Immediate safety checklist (repeat)
  • Keep the server offline and isolated.
  • Do not run more decryptor attempts on the original files — always run them on copies.
  • If patient records are present, notify your compliance/legal team and consider contacting law enforcement and your cyber‑insurer/IR provider early.
If you want, paste the ransom note text now (redacted) and the SHA256 or Format-Hex output for a single .akira sample — I’ll start identifying the variant right away and tell you whether further recovery is realistic.
 

Thanks — this ransom note confirms you’re dealing with an active extortion attempt (they claim to have exfiltrated data and demand contact over Tor). Don’t panic — we can triage this safely, but please follow the steps below exactly. I’m going to be direct and practical so you can act now.
Short summary (what it means)
  • The note is a standard ransomware extortion message: attackers claim they copied data, threaten publication, and offer a Tor portal and a code for negotiation. That raises the urgency to preserve evidence and notify the right parties (legal, compliance, law enforcement, insurer/IR). Government guidance emphasizes reporting and preserving artifacts in cases like this.
  • Many modern ransomware families use strong public-key crypto and delete recovery artifacts (Volume Shadow Copies, event logs) — that makes recovery without backups or the attacker’s private key very difficult. Don’t assume decryptors will work.
Do this now (immediate, ordered actions — do NOT skip)
  1. Isolate the server NOW
    • Unplug the network cable and disable any Wi‑Fi/VM network interfaces. Keep the machine powered on (do NOT reboot) if you will capture live memory. If you must shut down, make a note of the time and how you did it. Isolation limits lateral spread and prevents further exfiltration.
  2. Notify internal stakeholders
    • Immediately inform your legal/compliance officer (HIPAA implications), your cyber‑insurance contact (if you have one), and your IT lead. Do NOT correspond with the attacker directly yet—contact law enforcement for guidance first.
  3. Preserve evidence (critical)
    • Do NOT rename, replace, or delete .akira/.arika files (the ransom note already told you not to — follow that).
    • If possible, hire an IR firm or forensic lab now. If you cannot, at minimum make a bit-for-bit image of the affected disks and capture RAM (live memory) before doing anything else. These artifacts are helpful for investigators and may contain keys or indicators. CISA/FBI guidance explicitly recommends preserving images, memory, ransom note, and logs.
  4. Do NOT pay or try random fixes on originals
    • Authorities (FBI/CISA) warn that paying is risky and not guaranteed to recover files; also avoid attempting more decryptor runs on original files — always work on copies.
What I need from you next (so I can help identify the variant / feasibility)
Please provide the following (redact any patient-identifying data before posting publicly):
A — Environment details
  • Windows Server version (e.g., Server 2016 / 2019 / 2022), physical or VM (ESXi/Azure), role (file server, domain controller?), and whether other machines were affected.
B — Backup status
  • Do you have offline (air‑gapped / immutable) backups? Location and last backup date.
C — Artifacts I can use to identify the ransomware (safe ways)
  • The ransom note text (you already pasted it — good).
  • One small encrypted sample file (≤5 MB) copied from the infected disk to a removable drive — do NOT open it. If you cannot upload the file to this forum, do at least the hash + header below and paste them here.
If you cannot upload the sample, run these commands on a clean machine after copying the file (PowerShell, run as Administrator):
1) Compute SHA256 (paste the output here):
Get-FileHash -Algorithm SHA256 "E:\sample.akira"
2) Paste the first 128 bytes in hex (helps identify file header without sending the whole file):
Format-Hex -Path "E:\sample.akira" -Count 128
(If you can attach the whole sample to the forum or a secure transfer channel to an IR firm, do so — but do not open it.)
How to copy safely (if you’re doing it yourself)
  • Shut down the server if you are not going to capture memory. Remove the data drive and attach it to a clean workstation or use a forensic image tool (FTK Imager, dd) to make an image. Copy only one encrypted sample from the image to a clean USB. Use Copy-Item in PowerShell or robocopy if preserving timestamps is important:
    Copy-Item -Path "D:\path\to\file.akira" -Destination "E:\sample.akira"
If you can capture memory (recommended before powering down)
  • Use a known tool (e.g., winpmem / FTK Imager memory capture) — this is time‑sensitive and best done by an IR professional.
What I (and others) will do with the sample
  • Identify ransomware family/variant from ransom note + file header/hash. Many variants are identifiable and that determines whether free decryptors exist or whether this is an unsupported variant. If a known weakness exists, a researcher’s decryptor may work; otherwise recovery relies on backups or IR.
If you don’t have backups / you’re asked about paying
  • Report to law enforcement (local FBI field office or IC3) and CISA (if in the U.S.) and consult with your legal/cyber‑insurance/IR provider before considering payment. Authorities and advisories discourage payment as the first option.
Quick checklist (one‑page)
  • [ ] Unplug network (isolate).
  • [ ] Notify legal/compliance and cyber‑insurance.
  • [ ] Preserve ransom note and screenshots (don’t alter).
  • [ ] Make disk image + capture RAM (IR firm recommended).
  • [ ] Copy one small encrypted sample and provide SHA256 + Format-Hex output (paste here).
  • [ ] Don’t run more decryptors on originals; don’t pay without consulting law enforcement/IR/legal.
One more important point about the note you pasted
  • The attacker claims they exfiltrated data and will list it on an .onion blog — that means there is possible data breach risk (not just encryption). You should assume the worst for privacy and follow your breach notification procedures immediately (legal/compliance will guide HIPAA/timeframe etc.). Contact law enforcement and your insurer/IR provider right away.
I can help right now
  • If you paste the SHA256 and the Format-Hex output (or attach the small sample safely), I’ll attempt to identify the variant and tell you whether known decryptors exist and what the next safe steps are. If you prefer, say “I want IR” and I’ll give you a short list of how to choose a reputable incident response/data recovery firm and what artifacts to send them.
If you’re ready, paste:
1) Windows Server version + role
2) Whether backups exist (yes/no + last date)
3) SHA256 of one .akira sample and/or output of Format-Hex -Path "E:\sample.akira" -Count 128
I’ll take it from there.
 

I am unable to upload the file here.
 

Thanks — good job pasting the ransom note. You’ve given exactly the information we need to triage next steps safely. Brief, actionable plan now plus exactly what I need from you next.
Immediate (next 5–20 minutes) — do these in order
1) Isolate the server — unplug network cable / disable all NICs (do this first). This prevents lateral spread and further exfiltration.
2) Don’t reboot if you can avoid it. If you intend to capture RAM (recommended), keep the machine on and call an IR team now — memory is volatile. If you must power off, note the exact time and method.
3) Notify people who must be told immediately: your legal/compliance officer (HIPAA), your cyber‑insurance contact, and your IT lead. Also report to law enforcement (FBI/IC3 if you’re in the U.S.) — CISA/FBI guidance recommends early reporting for ransomware + data exfiltration incidents.
4) Do NOT pay, rename, replace, or delete .akira (or .arika) files, and do NOT run more decryptors on the original files — always work on copies. The note’s instructions not to modify files are consistent with general IR guidance.
Why this matters (brief)
  • The note states they exfiltrated data and offer a Tor portal; that raises breach / notification urgency (not just encrypted files). Many modern ransomware families use asymmetric crypto and delete recovery artifacts (Volume Shadow Copies, logs), so recovery without backups or attacker cooperation is often impossible.
What I need from you now (safe items you can post here — redact PHI)
1) Environment snapshot (paste here): Windows Server version (2016/2019/2022), physical or VM (ESXi/Azure), role (file server / domain controller), whether other machines were affected, and when the incident started.
2) Backup status: Do you have offline/air‑gapped or immutable backups? Last known good backup date.
If you cannot upload files to the forum, do this exact, safe procedure (on a clean machine or from an image — do NOT open the file):
A — Copy one small encrypted sample (safely)
  • Shut down (if not capturing RAM), remove the data drive and attach it to a clean workstation OR mount a disk image made with FTK Imager / dd. Copy a single encrypted file (≤5 MB) to clean media. Use PowerShell as Admin:
    • Copy-Item -Path "D:\path\to\file.akira" -Destination "E:\sample.akira"
      (Do not open the file.)
B — Produce two quick text artifacts (paste these into the forum reply)
  1. SHA256 hash (one line):
    • PowerShell: Get-FileHash -Algorithm SHA256 "E:\sample.akira"
    • OR: certutil -hashfile "E:\sample.akira" SHA256
  2. First 128 bytes in hex (helps identify the file header without sharing whole file):
    • PowerShell: Format-Hex -Path "E:\sample.akira" -Count 128
      Paste the output here.
If you paste the SHA256 and the Format-Hex output I can attempt to identify the ransomware variant from those artifacts. If the variant is known and has a published decryptor, I’ll tell you; if it’s unsupported, I’ll explain the realistic options (restore from backup vs IR / pay is last resort).
If you can attach the small sample here (or provide it to an IR firm), that’s even better — but do not open it. If the forum blocks attachments, the hash + hex header is enough for an initial ID.
Short checklist for evidence to preserve / give to IR or law enforcement
  • Disk images of affected systems (bit-for-bit).
  • Live memory (RAM) capture (winpmem / FTK Imager) — do BEFORE power off if possible.
  • Ransom note and screenshots (don’t alter).
  • Event logs, antivirus logs, backup server logs, and timeline of activity (dates/times of first suspicious activity).
  • Any phishing emails or attachments that may have delivered the initial payload.
If you don’t have IR or don’t want to pay, I can:
  • Walk you step‑by‑step to create a disk image and capture RAM (I’ll give exact FTK Imager / winpmem command steps).
  • Try to identify the variant from the SHA256 + Format-Hex you paste here and advise whether published decryptors exist.
A final note about breach / HIPAA
  • Because you said patient histories are present, assume a data breach and notify your compliance/legal team immediately — HIPAA has strict requirements and timelines. Also contact your cyber‑insurer and law enforcement right away.
Tell me which you want to do now
A) I’ll paste the SHA256 + Format-Hex output here (I’ll follow your copy steps).
B) I want step‑by‑step imaging + RAM capture commands (I’m doing it myself).
C) I want wording and artifacts list to give to law enforcement / IR / insurer.
D) I want a short checklist to pick a reputable IR firm.
If you choose A, paste the SHA256 line and the Format-Hex output and I’ll start identifying the variant immediately.
 

 

Do NOT click or follow that Limewire link — it may be malicious. Thanks for letting me know you can’t upload here. That’s fine — we can still proceed. Below are safe, practical options you can do now and exact commands to produce the two small text artifacts I need (SHA256 + first 128 bytes in hex) so I can try to identify the Akira variant. Also a short reminder of the immediate actions you must keep doing. I’ll stay with you step‑by‑step.
Immediate (keep doing)
  • Keep the server isolated (unplug network / disable NICs). Do not rename, delete, or run tools on the .akira files. If you can, don’t reboot — live memory (RAM) is useful to capture.
  • Notify your legal/compliance, insurer/IR contact and law enforcement (FBI/IC3 or local) right away because the ransom note claims exfiltration of patient data.
If you cannot attach files here, pick one of these two safe options now
Option A — Easiest: Copy one small encrypted sample and give me its SHA256 + first 128 bytes in hex
(These are safe text outputs — no PHI — and let me identify the ransomware variant without you uploading the whole file.)
1) Make a safe copy of one encrypted file (do this from a disk image or by plugging the data drive into a clean machine). Do NOT open the file.
  • In PowerShell (Run as Administrator) on the clean machine:
    • Copy-Item -Path "D:\path\to\file.akira" -Destination "E:\sample.akira"
2) Compute SHA256 (paste the one-line result here)
  • PowerShell:
    • Get-FileHash -Algorithm SHA256 "E:\sample.akira"
  • or:
    • certutil -hashfile "E:\sample.akira" SHA256
3) Dump first 128 bytes (paste the output here)
  • PowerShell:
    • Format-Hex -Path "E:\sample.akira" -Count 128
That’s it — paste both outputs in your next reply and I’ll try to identify the variant and tell you whether known decryptors exist (and next safe steps) from those artifacts. This is what I normally ask when direct upload isn’t possible.
Option B — If you want me to walk you through imaging + (optional) RAM capture
  • I can give step‑by‑step FTK Imager / winpmem commands and a short checklist so you or a local tech can create:
    • A bit‑for‑bit disk image (to preserve evidence), and
    • A live memory capture (winpmem) if the server stays powered on.
  • This is recommended if patient data / breach risk is involved and you plan to involve law enforcement or an IR firm. Tell me “Do imaging” and I’ll post the exact commands and safe workflow.
If you want immediate help interpreting the Limewire link you posted
  • Don’t open it. If that link is supposed to be a file you attempted to share, it’s safer to copy the real encrypted sample to a USB using the steps above rather than visiting the link. The link itself could host malware or be a trap.
What I’ll do when you paste the SHA256 + Format-Hex
  • Try to identify the ransomware family/variant from the file header + ransom note you already posted, and tell you whether public decryptors exist or whether the variant appears unsupported. If supported, I’ll give safe instructions (on copies/images) for running the decryptor. If unsupported, I’ll outline realistic options (restore from offline backups, IR/data‑recovery firms, or next investigative steps).
Quick checklist before you run the commands
  • Do this on a clean machine (attach the drive to a workstation that is not on your main network).
  • Copy only one file and do not open it.
  • Paste the exact outputs (SHA256 and Format-Hex) here — I’ll take it from there.
Which option do you want?
  • Reply “A” and paste the Get-FileHash + Format-Hex outputs.
  • Reply “B” to get imaging + RAM capture commands and checklist.
I’ll wait. If you prefer, tell me the Windows Server version + whether you have offline backups now and we’ll prioritize restoration planning while you gather the sample outputs.
 

F65E9B09C5E0A6000FE381DEE1A4B089AFBEC1C9028A8F447B4C52BF2C45F9B6
 

Got the SHA256 — thanks. That confirms you copied a sample hash, which is helpful. I still need the file header (first bytes) to identify the variant. Please do one of the two safe options below so I can continue.
Immediate safety reminder (do this first)
  • Keep the server offline (unplug NICs). Do not rename, delete, or run tools on any .akira/.arika files. Preserve the ransom note and screenshots. These steps preserve evidence and limit further damage.
You already posted the SHA256:
F65E9B09C5E0A6000FE381DEE1A4B089AFBEC1C9028A8F447B4C52BF2C45F9B6
What I need next (pick A or B)
A — Fast (best if you cannot upload)
1) Copy one small encrypted file to a clean USB / clean machine (do not open it).
2) On that clean machine run (PowerShell, Admin):
  • Get-FileHash -Algorithm SHA256 "E:\sample.akira"
  • Format-Hex -Path "E:\sample.akira" -Count 128
3) Paste both outputs here (the one-line SHA256 and the Format-Hex block). The Format-Hex output (first 128 bytes) lets me identify the file header/variant without you uploading the file.
B — I’ll walk you through imaging + RAM capture (recommended if you plan to involve law enforcement / IR)
Tell me “Do imaging” and I’ll give step‑by‑step FTK Imager / winpmem commands and a safe checklist so you or a local tech can:
  • Make a bit‑for‑bit disk image (preserve originals), and
  • Capture live memory (winpmem) if the server remains powered on (time‑sensitive). Preserving images and RAM is important for investigators and may help recovery.
Don’t click that Limewire/TOR link you posted — it may be malicious. If that was meant to share the sample, don’t use it; copy the sample to a USB as above instead.
What I’ll do after you paste the Format-Hex + SHA256
  • Attempt to identify the ransomware family/variant from the header + ransom note you already posted. If it matches a known variant with a public decryptor, I’ll give safe, step‑by‑step instructions to run it (on copies only). If unsupported, I’ll explain realistic recovery options (restore from clean offline backups, engage IR, or other measures).
If you need wording to notify legal / law enforcement or a quick checklist to pick an IR firm, say “I want notification wording” or “I want IR checklist” and I’ll post those immediately.
Which option do you want? A (paste SHA256 + Format-Hex) or B (do imaging)?
 

It doesn't match any public decryptor so far.
 

Okay — thanks for the update. If the Avast Akira decryptor didn’t work, that simply means one of these is likely true: the variant you have isn’t supported by that tool, the files were partially corrupted, or the attacker used unique keys. We can still proceed safely — here’s exactly what to do next and how I can help.
Quick diagnosis summary
  • Public decryptors fail for many Akira variants; identification needs a file header (first bytes) or an image so researchers can match it to known variants. You’ve already posted the SHA256 (F65E9B09…F9B6) which is helpful, but I still need the first bytes (Format‑Hex output) to try an identification.
What I recommend now (choose one)
  • Option 1 — Fast identification (recommended if you can copy one file)
    1) On a clean machine, copy one encrypted file (≤5 MB) to E:\sample.akira. Do NOT open it.
    PowerShell (Admin): Copy-Item -Path "D:\path\to\file.akira" -Destination "E:\sample.akira"
    2) Run these commands and paste both outputs here:
    • Get-FileHash -Algorithm SHA256 "E:\sample.akira" (you already have the SHA256)
    • Format-Hex -Path "E:\sample.akira" -Count 128
      The Format‑Hex output (first 128 bytes) is what I need to identify the variant without you uploading the file.
  • Option 2 — Full preservation + IR (recommended if patient data / breach risk)
    • If you plan to involve law enforcement / cyber‑insurer or an IR firm, create bit‑for‑bit disk images and capture live RAM first (winpmem / FTK Imager). Reply “Do imaging” and I’ll give step‑by‑step commands and a safe checklist. Preserving images/RAM is critical for investigators and possible key recovery.
Immediate safety checklist (do these now if not already done)
  1. Isolate the server — unplug network or disable NICs. Do NOT reconnect.
  2. Do NOT modify/rename/delete .akira/.arika files or run more decryptors on originals. Work on copies only.
  3. Notify legal/compliance (HIPAA), your cyber‑insurer, and law enforcement (FBI/IC3 if you’re in the U.S.). The ransom note claims exfiltration — treat this as a breach.
If you can’t run Format‑Hex or prefer IR, say “Do imaging” now and I’ll give exact FTK Imager / winpmem commands and the checklist of artifacts to collect (images, RAM, ransom note, logs, timeline).
If you want wording to report this (HIPAA / law enforcement / insurer)
  • I can produce a short, copy‑pasteable notification template for:
    • your compliance/legal team (HIPAA breach notice draft),
    • a law enforcement report to IC3/FBI, and
    • the short summary your cyber‑insurer / IR vendor will need (timeline, affected hosts, backups, samples).
      Say “I want notification wording” and I’ll post them.
If you want help choosing an IR firm (quick checklist)
  • Look for: proven ransomware IR experience, references, incident‑response certifications, ability to deliver forensic images & memory capture, written scope & NDA, clear fee structure, and (if relevant) experience with healthcare/HIPAA incidents. I can expand this into a short vendor selection script if you want.
Next step for me
  • Paste the Format‑Hex output (and re-post the SHA256 if convenient) OR say “Do imaging” to get imaging + RAM capture commands. Once I have the Format‑Hex, I’ll try to identify the Akira variant and tell you whether any known decryptor exists or what realistic next steps are.
Which do you want to do now — Option 1 (paste Format‑Hex) or Option 2 (“Do imaging”)?
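The replies above repeatedly ask for the same three artifacts from one copied sample (SHA256, first bytes in hex, and a note that the file must never be opened). The script below is an added example, not code posted in this thread, that produces all of them in one read-only pass on a clean workstation and writes them to a text report you can paste into a forum or hand to an IR firm. It assumes the sample has already been copied to E:\sample.akira and that the report goes to E:\sample-triage.txt (both paths are assumptions; change the parameters). It also dumps the last bytes of the file and the Shannon entropy of the header, which the thread does not ask for: some families append a footer that identifies the variant, and a header entropy well below 8 bits/byte suggests the file is only partially encrypted or not encrypted at all. Neither value alone proves anything about which decryptor will work; they are extra context for whoever does the identification.

```powershell
# Added example (not from the thread): read-only triage of ONE copied ransomware sample.
# Run on a CLEAN workstation that is not on the affected network, never on the infected server.
# The sample is only read; it is never executed or opened with an associated application.
param(
    [string]$SamplePath  = "E:\sample.akira",        # assumption: where you copied the sample
    [string]$ReportPath  = "E:\sample-triage.txt",   # assumption: where to write the text report
    [int]$HeaderBytes    = 128,                      # matches the Format-Hex -Count 128 request
    [int]$FooterBytes    = 128
)

$ErrorActionPreference = 'Stop'

$item = Get-Item -LiteralPath $SamplePath
$hash = (Get-FileHash -LiteralPath $SamplePath -Algorithm SHA256).Hash

# Read only the head and tail of the file through a shared-read stream so that a multi-GB
# sample is never loaded into memory and the file's timestamps are not touched.
$fs = [System.IO.File]::Open($SamplePath, [System.IO.FileMode]::Open,
                             [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read)
try {
    $head = New-Object byte[] ([Math]::Min($HeaderBytes, $fs.Length))
    [void]$fs.Read($head, 0, $head.Length)
    $tail = New-Object byte[] ([Math]::Min($FooterBytes, $fs.Length))
    [void]$fs.Seek(-$tail.Length, [System.IO.SeekOrigin]::End)
    [void]$fs.Read($tail, 0, $tail.Length)
} finally {
    $fs.Dispose()
}

# Classic 16-bytes-per-line hex dump: offset, hex bytes, printable ASCII (others shown as '.').
function Format-HexBlock([byte[]]$bytes, [long]$baseOffset) {
    for ($i = 0; $i -lt $bytes.Length; $i += 16) {
        $chunk = $bytes[$i..([Math]::Min($i + 15, $bytes.Length - 1))]
        $hex   = ($chunk | ForEach-Object { $_.ToString('X2') }) -join ' '
        $ascii = -join ($chunk | ForEach-Object {
            if ($_ -ge 0x20 -and $_ -le 0x7E) { [char]$_ } else { '.' } })
        '{0:X8}  {1,-47}  {2}' -f ($baseOffset + $i), $hex, $ascii
    }
}

# Shannon entropy in bits per byte. Fully encrypted data sits close to 8.0; a surviving
# plaintext header (e.g. a PDF or Office file signature) pulls the value noticeably lower.
function Get-Entropy([byte[]]$bytes) {
    if ($bytes.Length -eq 0) { return 0.0 }
    $counts = @{}
    foreach ($b in $bytes) { $counts[$b] = 1 + [int]$counts[$b] }
    $h = 0.0
    foreach ($c in $counts.Values) {
        $p = $c / $bytes.Length
        $h -= $p * [Math]::Log($p, 2)
    }
    [Math]::Round($h, 3)
}

$report = @(
    "File name (redact before posting if it contains patient data): $($item.Name)"
    "Size (bytes): $($item.Length)"
    "Last write time (UTC): $($item.LastWriteTimeUtc.ToString('o'))"
    "SHA256: $hash"
    "Header entropy (bits/byte, max 8.0): $(Get-Entropy $head)"
    "--- first $($head.Length) bytes ---"
    (Format-HexBlock $head 0)
    "--- last $($tail.Length) bytes ---"
    (Format-HexBlock $tail ($item.Length - $tail.Length))
)

# Plain ASCII so the report pastes cleanly into a forum reply or an e-mail to an IR firm.
$report | Set-Content -LiteralPath $ReportPath -Encoding ASCII
$report
```

Usage: `powershell -ExecutionPolicy Bypass -File .\Get-SampleTriage.ps1 -SamplePath "E:\sample.akira"` from an elevated prompt on the clean machine, then paste E:\sample-triage.txt into the reply. Check the "File name" line for patient identifiers before posting, and keep the hash in the report next to the one you already posted (F65E9B09…F9B6) so both sides can confirm they are talking about the same file.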
 
