Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

Free Decryptor Released for Black Basta Ransomware

A vulnerability in Black Basta ransomware’s encryption algorithm allows researchers to create a free decryptor.

Hacking research collective and consulting think tank SRLabs has released a decryptor to help Black Basta ransomware victims restore their files for free.

Active since at least April 2022, Black Basta has become one of the most prolific ransomware families, being responsible for more than 300 successful attacks to date and estimated to have received over $100 million in ransom payments.

Believed to be linked to the infamous Conti group, Black Basta has claimed responsibility for multiple high-profile intrusions, such as ABB, Capita, Maple Leaf Foods, Rheinmetall, and Thales, stealing victims’ data and threatening to release it publicly unless a ransom was paid.

Last week, SRLabs announced that they found a weakness in the encryption algorithm used by the Black Basta ransomware, where the ChaCha keystream used to XOR 64-byte chunks of the target file was not advanced properly, resulting in the same 64 bytes being used to XOR all blocks to be encrypted.

By analyzing this pattern, the company was able to recover the 64-byte key required for decryption and to create a free decrypting tool that can help victims recover at least some of their files.

However, because the encryption process is performed properly for the first 5,000 bytes of a file, those bytes cannot be recovered.

“Our analysis suggests that files can be recovered if the plaintext of 64 encrypted bytes is known. Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered,” SRLabs explains.

The think tank has created tools to analyze the encrypted files and determine if decryption is possible, and explains that the process depends on knowing “the plaintext of 64 encrypted bytes of the file”.

Advertisement. Scroll to continue reading.

For files that were encrypted multiple times, a manual review may be required for restoration. For certain files, such as virtual machine disk images, “knowing 64 bytes of the plaintext in the right position is feasible,” meaning that successful decryption is more likely.

“Virtual disk images, however, have a high chance of being recovered, because the actual partitions and their file systems tend to start later. So the ransomware destroyed the MBR or GPT partition table, but tools such as ‘testdisk’ can often recover or re-generate those,” SRLabs notes.

The free decryptor can reportedly be used only for files encrypted before Christmas 2023, as the Black Basta developers appear to have fixed the vulnerability in their algorithm.

Related: US Gov Disrupts BlackCat Ransomware Operation; FBI Releases Decryption Tool

Related: Free Decryptor Available for ‘Key Group’ Ransomware

Related: Free Decryptors Released for BianLian, MegaCortex Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Ransomware

A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

Ransomware

Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.

Ransomware

Alphv/BlackCat ransomware group files SEC complaint against MeridianLink over its failure to disclose an alleged data breach caused by the hackers.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.