Flaw in Black Basta Ransomware Exploited to Create Decryptor

Researchers at cybersecurity firm Security Research Labs exploited a flaw found in the algorithm of a ransomware variant used by the high-profile threat group Black Basta to develop a decryptor that can help some victims recover their encrypted files.
SRLabs last week rolled out a suite of tools on GitHub that Black Basta victims can use for free to determine if their files are recoverable and, if they are, decrypt them.
They could have limited use, with reports indicating that the prolific cybercriminals already have fix the problem in their encryption methods.
SRLabs' tools allow for Black Basta victims between November 2022 through December 2023 to possibly recover their data.
The group's fix means that the tools won't work for organizations that are targets of newer attacks.
SRLabs researchers wrote that they discovered the weakness in the encryption algorithm in a ransomware strain that Black Basta started using around April 2023.
There are limitations on which older victims will be able to use the tools.
What's important is knowing the plaintext of 64 encrypted bytes of the file, they wrote.
Knowing 64 bytes isn't enough because the known plaintext byes need to in a place in the file that can be encrypted based on the logic used by the malware to determine which parts of the file to encrypt.
The tools SRLabs made available on GitHub help organizations analyze encrypted files to determine if they can be decrypted.
Looking at how many times the files were encrypted and to what extent, a manual review is needed to fully recover a file.
The position of these encrypted blocks is based on the size of the file and - depending on the file size - the ransomware will encrypt the first 5,000 bytes.
The keystream is used correctly for the first 5,000 bytes of the file, based on its size.
This means those bytes - except for the very first 64 bytes - will be lost.
That said, virtualized disk images that have large zero-byte blocks of data have a better chance of being recovered.
For those that don't, SRLabs' tools could recover files that have an older version with similar data.
The decryptor tool came less than a month after a report by blockchain analytics company Elliptic and cyber-insurance firm Corvus said that since early 2022, Black Basta had racked up at least $107 million in ransom payments made in Bitcoin, becoming the fourth-largest ransomware strain based on the number of victims over the past two years.
At the same time, governments and many within the cybersecurity industry are trying to develop ways to stem the growing tide of ransomware attacks, with researchers with cybersecurity firm EmsiSoft calling this week for a ban on ransom payments.


This Cyber News was published on securityboulevard.com. Publication date: Wed, 03 Jan 2024 17:13:05 +0000


Cyber News related to Flaw in Black Basta Ransomware Exploited to Create Decryptor

Black Basta Buster Utilizes Ransomware Flaw to Recover Files - Security research and consulting firm SRLabs exploited a vulnerability in the encryption algorithm of a specific strain of Black Basta ransomware to develop and release a decryptor tool named Black Basta Buster. This tool, released in response to the ...
10 months ago Heimdalsecurity.com
New Black Basta decryptor exploits ransomware flaw to recover files - Researchers have created a decryptor that exploits a flaw in Black Basta ransomware, allowing victims to recover their files for free. The decryptor allows Black Basta victims from November 2022 to this month to potentially recover their files for ...
10 months ago Bleepingcomputer.com
More than $100 million in ransom paid to Black Basta gang over nearly 2 years - The Black Basta cybercrime gang has raked in at least $107 million in ransom payments since early 2022, according to research from blockchain security company Elliptic and Corvus Insurance. The group has infected more than 329 victim organizations ...
11 months ago Therecord.media
New decryptor for Babuk Tortilla ransomware variant released - Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor. Cisco Talos shared the key with our peers at ...
9 months ago Blog.talosintelligence.com
'Black Basta Buster' Exploits Ransomware Bug for File Recovery - Researchers have exploited a weakness in a particular strain of the Black Basta ransomware to release a decryptor for the malware, but it doesn't recover all of the files encrypted by the prolific cybercriminal gang. Security research and consulting ...
10 months ago Darkreading.com
Black Basta ransomware made over $100 million from extortion - Russia-linked ransomware gang Black Basta has raked in at least $100 million in ransom payments from more than 90 victims since it first surfaced in April 2022, according to joint research from Corvus Insurance and Elliptic. Over 329 victims ...
11 months ago Bleepingcomputer.com
Black Basta's ransom haul tops $100M in less than 2 years - The Black Basta ransomware gang has raked in more than $100 million from victims of its double-extortion attacks since its emergence early last year, according to researchers. The haul - which included grabbing $9 million from one victim and more ...
11 months ago Packetstormsecurity.com
Learn How to Decrypt Black Basta Ransomware Attack Without Paying Ransom - Researchers have created a tool designed to exploit a vulnerability in the Black Basta ransomware, allowing victims to recover their files without succumbing to ransom demands. This decryption tool potentially provides a remedy for individuals who ...
10 months ago Cysecurity.news
The Week in Ransomware - With it being the first week of the New Year and some still away on vacation, it has been slow with ransomware news, attacks, and new information. Last weekend, BleepingComputer tested a new decryptor for the Black Basta ransomware to show how it ...
10 months ago Bleepingcomputer.com
The Week in Ransomware - This week was pretty quiet on the ransomware front, with most of the attention on the seizure of the BreachForums data theft forum. That does not mean there was nothing of interest released this week about ransomware. A report by CISA said that the ...
5 months ago Bleepingcomputer.com
New Ransomware Threat Hits Hundreds of Organisations Worldwide - Until November 2023, this group with suspected ties to Russia has accumulated ransom payments totaling a minimum of $100 million from over 90 victims. In a recent joint report by the Cybersecurity and Infrastructure Security Agency and the Federal ...
5 months ago Cysecurity.news
Toronto Public Library outages caused by Black Basta ransomware attack - The Toronto Public Library is experiencing ongoing technical outages due to a Black Basta ransomware attack. The Toronto Public Library is Canada's largest public library system, giving access to 12 million books through 100 branch libraries across ...
11 months ago Bleepingcomputer.com
Black Basta Ransomware Group Makes $100m Since 2022 - A prolific Russian-speaking ransomware group has made over $100m from dozens of victims since April 2022, new analysis has revealed. Corvus Insurance used the Elliptic Investigator blockchain forensics tool to lift the lid on the Black Basta group. ...
11 months ago Infosecurity-magazine.com
Flaw in Black Basta Ransomware Exploited to Create Decryptor - Researchers at cybersecurity firm Security Research Labs exploited a flaw found in the algorithm of a ransomware variant used by the high-profile threat group Black Basta to develop a decryptor that can help some victims recover their encrypted ...
10 months ago Securityboulevard.com
Babuk ransomware decryptor updated with Tortilla support The Register - Security researchers have put out an updated decryptor for the Babuk ransomware family, providing a free solution for victims of the Tortilla variant. A collaboration between Cisco Talos, Avast, and the Netherlands police led to the development of ...
9 months ago Go.theregister.com
New Decryption Key Available for Babuk Tortilla Ransomware Victims - A new decryptor key has been created for victims of the Babuk Tortilla ransomware variant, Cisco Talos has confirmed. These keys will be added to a generic Babuk decryptor previously created by Avast Threat Labs. This will enable users to download ...
9 months ago Infosecurity-magazine.com
SRLabs develops Black Basta ransomware decryptor - Researchers released a decryptor to help the numerous victims of one of 2023's most prolific double-extortion ransomware gangs, Black Basta, restore their compromised files for free. Black Basta is believed to have attacked well over 300 ...
10 months ago Packetstormsecurity.com
Hyundai Motor Europe hit by Black Basta ransomware attack - Car maker Hyundai Motor Europe suffered a Black Basta ransomware attack, with the threat actors claiming to have stolen three terabytes of corporate data. BleepingComputer first learned of the attack in early January, but when we contacted Hyundai, ...
8 months ago Bleepingcomputer.com
Windows Quick Assist abused in Black Basta ransomware attacks - Financially motivated cybercriminals abuse the Windows Quick Assist feature in social engineering attacks to deploy Black Basta ransomware payloads on victims' networks. Microsoft has been investigating this campaign since at least mid-April 2024, ...
5 months ago Bleepingcomputer.com
Free Decryptor Released for Black Basta Ransomware - Hacking research collective and consulting think tank SRLabs has released a decryptor to help Black Basta ransomware victims restore their files for free. Active since at least April 2022, Black Basta has become one of the most prolific ransomware ...
10 months ago Securityweek.com
CISA: Black Basta ransomware breached over 500 orgs worldwide - CISA and the FBI said today that Black Basta ransomware affiliates breached over 500 organizations between April 2022 and May 2024. In a joint report published in collaboration with the Department of Health and Human Services and the Multi-State ...
5 months ago Bleepingcomputer.com
Online ransomware decryptor helps recover partially encrypted files - CyberArk has created an online version of 'White Phoenix,' an open-source ransomware decryptor targeting operations using intermittent encryption. The company announced today that although the tool was already freely available through GitHub as a ...
9 months ago Bleepingcomputer.com
Microsoft Quick Assist Tool Abused for Ransomware Delivery - Cybercriminals who have been using the Black Basta ransomware have been observed abusing the remote management tool Quick Assist in vishing attacks, Microsoft reports. Active since 2022 and believed to have hit over 500 organizations globally, Black ...
5 months ago Packetstormsecurity.com
Black Basta Ransomware Decryptor Published - Security researchers have published a new suite of tools designed to help victims of the prolific Black Basta ransomware recover their files. Berlin-based Security Research Labs revealed in a recent GitHub post that the tools exploit a weakness in ...
10 months ago Infosecurity-magazine.com
Decryptor for Babuk ransomware variant released after hacker arrested - Researchers from Cisco Talos working with the Dutch police obtained a decryption tool for the Tortilla variant of Babuk ransomware and shared intelligence that led to the arrest of the ransomware's operator. Tortilla is a Babuk ransomware variant ...
9 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)