Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Free Decryptor Released for BlackByte Ransomware

Trustwave’s SpiderLabs security researchers have released a free decryptor that victims of the BlackByte ransomware can use to restore their files.

Trustwave’s SpiderLabs security researchers have released a free decryptor that victims of the BlackByte ransomware can use to restore their files.

BlackByte uses a raw key and the Advanced Encryption Standard (AES) to encrypt a victim’s files, meaning that anyone in the possession of the raw key would be able to decrypt the data.

The ransomware fetches a .PNG file that contains multiple keys, which Trustwave researchers used to create the decryptor. The free tool is available on GitHub.

Analysis of the malware also revealed that it avoids infecting systems with Russian and ex-USSR languages, that it has worm-like capabilities, and it crashes if the encryption key download fails.

BlackByte was observed preparing the target system before starting the encryption, to make sure that the process isn’t interrupted. It also checks the system language to make sure it doesn’t hit victims in specific geographies.

The malware ensures that the system won’t go to sleep during encryption, and then removes specific applications that can prevent encryption. It also kills processes that might interfere with the operation and, if it finds the Raccine anti-ransomware utility, it uninstalls it from the system.

Furthermore, BlackByte deletes all shadow copies and Windows restore points, deletes the recycle bin, disables controlled folder access, enables file and printer sharing and network discovery, enables the SMB1 protocol, and grants full access to target drives to anyone.

The malware is also able to enumerate hostnames in the domain from Active Directory, pings the identified ones to ensure they are alive, and then attempts to copy and execute itself on the hosts, Trustwave says.

Advertisement. Scroll to continue reading.

The ransom note dropped by the malware suggests that the attackers have also stolen data from the victim, but the researchers determined that it does not have any exfiltration functionality. “So this claim is probably designed to scare their victims into complying,” the researchers explain.

Related: Attackers Encrypt VMware ESXi Server With Python Ransomware

Related: Israeli Hospital Targeted in Ransomware Attack

Related: Links Found Between MSHTML Zero-Day Attacks and Ransomware Operations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Ransomware

A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.