Security research and consulting firm SRLabs exploited a vulnerability in the encryption algorithm of a specific strain of Black Basta ransomware to develop and release a decryptor tool named Black Basta Buster.
This tool, released in response to the activities of a prolific cybercriminal gang, can decrypt files affected by the malware.
The decryptor's effectiveness varies: the researchers note that some files encrypted by the gang can only be partially recovered, depending on whether the required known plaintext is available and on the size of the file.
The Black Basta decryptor, as described on SRLabs' GitHub page, allows for the recovery of individual files if the plaintext of 64 encrypted bytes is known.
Merely knowing 64 bytes is not enough; these known plaintext bytes must be in a part of the file that the malware targets for encryption.
This recovery is more feasible for specific file types, such as virtual machine disk images, where knowing 64 bytes of plaintext in the correct position is possible.
The decryptor can restore files ranging in size from 5,000 bytes to 1 gigabyte.
For files larger than 1GB, the first 5,000 bytes will be irretrievable, but the rest of the file can be recovered.
It's important to note that this decryptor targets a specific vulnerability in a variant of the Black Basta ransomware.
Victims whose data was leaked on Black Basta's Dark Web site during the period in which this vulnerable variant was in use are potential candidates for file recovery using this tool.
In April 2022, the ransomware group Black Basta emerged as a highly active double-extortion operator.
Researchers link Black Basta to FIN7, a cybercrime group believed to have stolen over $1.2 billion since 2012.
The Black Basta Buster tool exploits a weakness in the basic ChaCha keystream used by Black Basta.
Here's how Black Basta's ransomware works: it encrypts the first 5,000 bytes of a file.
These initial 5,000 bytes are securely encrypted by Black Basta, which is why they are lost in larger files.
The researchers point out that this matters little for virtual machine disk images, whose data partitions and filesystems usually begin further into the file.
For organizations using the decryptor, locating a zero sequence in the file is the simplest method to determine recoverability.
Decrypting large files without substantial zero-byte segments is feasible but requires an unencrypted version of the file.
In rare cases, an older version of the file may supply the known plaintext the decryptor needs even though it does not itself contain the data being recovered.
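To make the known-plaintext recovery described above concrete, here is an added Python model that is not SRLabs' tool or code. It assumes the flaw is a single 64-byte keystream block reused for every chunk after a properly encrypted 5,000-byte header; the sample disk-image bytes, the XOR model and all function names are constructed for illustration, and the real malware's chunking and keystream details are not taken from this page.

```python
import os
from collections import Counter

HEADER = 5000   # bytes the ransomware encrypts properly; lost without the key
BLOCK = 64      # keystream block size for which the decryptor needs known plaintext

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def flawed_encrypt(plain: bytes, header_stream: bytes, block_stream: bytes) -> bytes:
    # First HEADER bytes get a proper one-time keystream; every later BLOCK-byte
    # chunk is XORed with the same block_stream. That reuse is the modelled flaw.
    out = bytearray(xor(plain[:HEADER], header_stream[:HEADER]))
    for i in range(HEADER, len(plain), BLOCK):
        out += xor(plain[i:i + BLOCK], block_stream)
    return bytes(out)

def keystream_from_known_plaintext(cipher: bytes, known: bytes, offset: int) -> bytes:
    # 64 known plaintext bytes at an encrypted, block-aligned offset reveal the
    # reused keystream block: keystream = ciphertext XOR plaintext.
    if offset < HEADER or (offset - HEADER) % BLOCK or len(known) != BLOCK:
        raise ValueError("need exactly 64 bytes at a block-aligned offset past the header")
    return xor(cipher[offset:offset + BLOCK], known)

def keystream_from_zero_run(cipher: bytes) -> bytes:
    # The "zero sequence" check: a block of zero plaintext encrypts to the keystream
    # itself, so under reuse the keystream appears as the most repeated ciphertext
    # block. Heuristic: assumes zero runs (e.g. unallocated space) dominate.
    blocks = [cipher[i:i + BLOCK] for i in range(HEADER, len(cipher) - BLOCK + 1, BLOCK)]
    block, count = Counter(blocks).most_common(1)[0]
    if count < 2:
        raise ValueError("no repeated block: an unencrypted copy of the file is needed")
    return block

def recover(cipher: bytes, keystream: bytes) -> tuple[int, bytes]:
    # Returns (lost_prefix_length, recovered_body); the header stays unrecoverable.
    body = bytearray()
    for i in range(HEADER, len(cipher), BLOCK):
        body += xor(cipher[i:i + BLOCK], keystream)
    return HEADER, bytes(body)

# Constructed sample "disk image": random header, a zero-filled region, then some
# repeated filesystem-like content. Not real Black Basta data or keys.
SAMPLE = os.urandom(HEADER) + b"\x00" * 1024 + b"EXT4 superblock, inode table ..." * 20
HEADER_STREAM, BLOCK_STREAM = os.urandom(HEADER), os.urandom(BLOCK)
CIPHER = flawed_encrypt(SAMPLE, HEADER_STREAM, BLOCK_STREAM)

if __name__ == "__main__":
    lost, body = recover(CIPHER, keystream_from_zero_run(CIPHER))
    print(f"first {lost} bytes lost; body recovered: {body == SAMPLE[HEADER:]}")
```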
This Cyber News was published on heimdalsecurity.com. Publication date: Thu, 04 Jan 2024 15:13:04 +0000