Researchers have exploited a weakness in a particular strain of the Black Basta ransomware to release a decryptor for the malware, but it doesn't recover all of the files encrypted by the prolific cybercriminal gang.
Security research and consulting firm SRLabs released the tool -appropriately named Black Basta Buster - which exploits a vulnerability in the encryption algorithm of a Black Basta ransomware strain used by the group around April last year.
There are some limitations on whether a file is fully or partially recoverable based on plaintext requirements and size, the researchers noted.
Further, files between 5,000 bytes and 1 gigabyte can be recovered; however, for files larger than 1GB, the first 5,000 bytes of the file will be lost, though the rest can be recovered, according to the post.
Since the decryptor exploits a weakness in a specific strain of the Black Basta ransomware, organizations targeted after the group updated the strain to fix the bug - which was done in mid-December, according to a blog post published Jan. 2 by Malwarebytes - are most likely out of luck if they try to decrypt files with the tool.
Still, at least 153 victims whose data was leaked on Black Basta's Dark Web site during the period for which the decryptor works may be eligible to use the decryptor to recover files locked down the ransomware group, according to Malwarebytes.
Exploiting Encryption Weakness Black Basta first appeared on the ransomware scene as a double-extortion and fast-moving operator in April 2022, attacking at least 90 victims in its first five months using a sophisticated encryption scheme that Trend Micro noted uses unique binaries for each of its victims.
Some researchers have attributed Black Basta to FIN7, a financially motivated cybercrime organization that is estimated to have stolen well over $1.2 billion since surfacing in 2012.
Black Basta Buster takes advantage of a flaw in an unsophisticated ChaCha keystream that's used to XOR-encrypt 64-byte-long chunks of targeted files, according to the SRLabs' GitHub description.
The ransomware encrypts the first 5,000 bytes of a file; and then the same 64 bytes are then used for XOR-encrypting the rest of the blocks to be encrypted.
Black Basta's encryption uses the keystream properly for that first 5,000 bytes of the file, depending on its size, which is why those bytes are lost in larger files, according to SRLabs; but for the chunks that come after, the encryption mechanism can be rendered in plaintext and therefore recovered.
Virtualized disk images have the best chance of being recovered, because their actual data partitions and their filesystems tend to start later, the researchers noted.
Ransomware Recovery and Defense The easiest way for organizations eligible to use the decryptor to determine if they can know the plaintext of 64 encrypted bytes required for files to be recovered is to find a sequence of zeroes in the file, according to Malwarebytes.
Of course, to avoid having to use a ransomware decryptor at all, organizations can do their best to avoid compromise.
Malwarebytes advised blocking common forms of attacker entry by quickly patching vulnerabilities as well as disabling or hardening remote access as ways to defend against ransomware actors.
Further, organizations also should use endpoint security software to prevent intrusions as well as endpoint detection and response and/or managed detection and response to detect unusual activity should attackers find a way to enter the system.
Creating offsite, offline backups also can help organizations restore files and business functions quickly in response to a ransomware attack, according to the firm.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 03 Jan 2024 16:50:27 +0000