Hacking research collective and consulting think tank SRLabs has released a decryptor to help Black Basta ransomware victims restore their files for free.
Active since at least April 2022, Black Basta has become one of the most prolific ransomware families, being responsible for more than 300 successful attacks to date and estimated to have received over $100 million in ransom payments.
Believed to be linked to the infamous Conti group, Black Basta has claimed responsibility for multiple high-profile intrusions, such as ABB, Capita, Maple Leaf Foods, Rheinmetall, and Thales, stealing victims’ data and threatening to release it publicly unless a ransom was paid.
Last week, SRLabs announced that it had found a weakness in the encryption routine used by the Black Basta ransomware: the ChaCha keystream used to XOR 64-byte chunks of the target file was not advanced properly, so the same 64 keystream bytes were reused to XOR every subsequent block.
By analyzing this pattern, the company was able to recover the reused 64-byte keystream block required for decryption and to create a free decryption tool that can help victims recover at least some of their files.
However, because the encryption process is performed properly for the first 5,000 bytes of a file, those bytes cannot be recovered.
“Our analysis suggests that files can be recovered if the plaintext of 64 encrypted bytes is known. Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered,” SRLabs explains.
The think tank has created tools to analyze the encrypted files and determine if decryption is possible, and explains that the process depends on knowing “the plaintext of 64 encrypted bytes of the file”.
For files that were encrypted multiple times, a manual review may be required for restoration. For certain files, such as virtual machine disk images, “knowing 64 bytes of the plaintext in the right position is feasible,” meaning that successful decryption is more likely.
“Virtual disk images, however, have a high chance of being recovered, because the actual partitions and their file systems tend to start later. So the ransomware destroyed the MBR or GPT partition table, but tools such as ‘testdisk’ can often recover or re-generate those,” SRLabs notes.
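The following Python script is an added illustration of the flaw and the recovery steps described above; it is not SRLabs' decryptor or Black Basta code. It models a file whose first 5,000 bytes are XORed with a properly advancing ChaCha20 keystream while every later 64-byte chunk is XORed with one stuck keystream block, recovers that block from 64 known plaintext bytes at any position past the prefix (the zero-filled gap typical of a disk image, as the quoted text suggests), decrypts the remainder, and applies a triage heuristic of the kind a file-analysis tool could use: with a reused keystream, repeated plaintext blocks produce repeated ciphertext blocks, which a correctly advancing stream never yields. The 5,000-byte boundary, the sample file contents and the key are assumptions for the demonstration; the ChaCha20 block function follows RFC 8439.

```python
"""Keystream-reuse recovery, added example (not SRLabs' tool, not ransomware code)."""
import os
import struct

BLOCK = 64      # ChaCha emits 64-byte keystream blocks
PREFIX = 5000   # assumed: bytes per file that SRLabs report as properly encrypted


def _rotl32(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 64-byte ChaCha20 keystream block (RFC 8439: 32-byte key, 12-byte nonce, 32-bit counter)."""
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    work = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(work, 0, 4, 8, 12); _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14); _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15); _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13); _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16I", *((w + s) & 0xFFFFFFFF for w, s in zip(work, state)))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _repeat(block: bytes, n: int) -> bytes:
    return (block * (n // BLOCK + 1))[:n]


def flawed_encrypt(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    """Model of the bug: the counter advances through PREFIX, then one keystream block is reused for every chunk."""
    prefix_len = min(PREFIX, len(plaintext))
    nblocks = -(-prefix_len // BLOCK)
    prefix_ks = b"".join(chacha20_block(key, nonce, i) for i in range(nblocks))[:prefix_len]
    stuck = chacha20_block(key, nonce, nblocks)  # never advanced again
    tail = plaintext[prefix_len:]
    return xor(plaintext[:prefix_len], prefix_ks) + xor(tail, _repeat(stuck, len(tail)))


def proper_encrypt(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    """Correct ChaCha20 stream for contrast: the counter advances for every block."""
    ks = b"".join(chacha20_block(key, nonce, i) for i in range(-(-len(plaintext) // BLOCK)))
    return xor(plaintext, ks)


def recover_keystream_block(ciphertext: bytes, offset: int, known: bytes) -> bytes:
    """Recover the reused 64-byte block from 64 known plaintext bytes at `offset` (any alignment past PREFIX)."""
    if offset < PREFIX or offset + BLOCK > len(ciphertext) or len(known) < BLOCK:
        raise ValueError("need 64 known plaintext bytes lying entirely past the properly encrypted prefix")
    ks = bytearray(BLOCK)
    for i in range(BLOCK):
        ks[(offset + i - PREFIX) % BLOCK] = ciphertext[offset + i] ^ known[i]
    return bytes(ks)


def decrypt_tail(ciphertext: bytes, ks_block: bytes) -> bytes:
    """Everything past the prefix comes back; the first PREFIX bytes used a different keystream and stay lost."""
    tail = ciphertext[PREFIX:]
    return xor(tail, _repeat(ks_block, len(tail)))


def keystream_reuse_suspected(ciphertext: bytes) -> bool:
    """Triage heuristic: any repeated 64-byte ciphertext block past the prefix points to a reused keystream."""
    tail = ciphertext[PREFIX:]
    blocks = [tail[i:i + BLOCK] for i in range(0, len(tail) - BLOCK + 1, BLOCK)]
    return len(set(blocks)) < len(blocks)


def demo() -> dict:
    # Constructed sample "disk image": a header, a zero-filled gap, then file-system data (all assumed).
    plaintext = b"HEADER" * 800 + bytes(4096) + b"FSDATA-" * 2000
    key, nonce = os.urandom(32), os.urandom(12)  # unknown to the defender, as in a real incident
    ct = flawed_encrypt(plaintext, key, nonce)
    offset = PREFIX + 103  # deliberately not 64-byte aligned; lies inside the zero run
    ks = recover_keystream_block(ct, offset, bytes(BLOCK))
    return {
        "tail_recovered": decrypt_tail(ct, ks) == plaintext[PREFIX:],
        "prefix_recoverable": xor(ct[:BLOCK], ks) == plaintext[:BLOCK],
        "flawed_flagged": keystream_reuse_suspected(ct),
        "proper_flagged": keystream_reuse_suspected(proper_encrypt(plaintext, key, nonce)),
    }


if __name__ == "__main__":
    print(demo())
```

The recovery loop keys each recovered byte by `(offset - PREFIX) mod 64`, which is what "knowing 64 bytes of the plaintext in the right position" amounts to: the known bytes need not start on a block boundary, but the analyst must know where in the file they sit relative to the point at which the keystream stopped advancing. The triage heuristic is only a hint; a file whose plaintext never repeats a 64-byte block will look clean even when encrypted with the flaw.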
The free decryptor can reportedly be used only for files encrypted before Christmas 2023, as the Black Basta developers appear to have fixed the vulnerability in their algorithm.