Researchers at cybersecurity firm Security Research Labs exploited a flaw found in the algorithm of a ransomware variant used by the high-profile threat group Black Basta to develop a decryptor that can help some victims recover their encrypted files.
SRLabs last week rolled out a suite of tools on GitHub that Black Basta victims can use for free to determine if their files are recoverable and, if they are, decrypt them.
The tools could have limited use, with reports indicating that the prolific cybercriminals have already fixed the problem in their encryption methods.
SRLabs' tools allow Black Basta victims attacked between November 2022 and December 2023 to possibly recover their data.
The group's fix means that the tools won't work for organizations that are targets of newer attacks.
SRLabs researchers wrote that they discovered the weakness in the encryption algorithm in a ransomware strain that Black Basta started using around April 2023.
There are limitations on which older victims will be able to use the tools.
What's important is knowing the plaintext of 64 encrypted bytes of the file, they wrote.
Knowing 64 bytes isn't enough on its own, because the known plaintext bytes need to be in a part of the file that is actually encrypted, based on the logic the malware uses to determine which parts of the file to encrypt.
The tools SRLabs made available on GitHub help organizations analyze encrypted files to determine if they can be decrypted.
Depending on how many times the files were encrypted and to what extent, a manual review is needed to fully recover a file.
The position of these encrypted blocks is based on the size of the file, and - depending on the file size - the ransomware will encrypt the first 5,000 bytes.
The keystream is used correctly for the first 5,000 bytes of the file, based on its size.
This means those bytes - except for the very first 64 bytes - will be lost.
That said, virtualized disk images that have large zero-byte blocks of data have a better chance of being recovered.
For those that don't, SRLabs' tools could recover files that have an older version with similar data.
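The recovery step the write-up describes, as an added toy model that is not SRLabs' tool or the malware's code: it assumes, as a simplification, that one 64-byte keystream chunk is XORed over every 64-byte block of the affected region, so 64 known plaintext bytes (a recognisable header, or an all-zero block from a disk image) reveal the chunk and unlock the rest. The SHA-512-derived chunk, the sample file and the block-alignment requirement are all constructed assumptions.

```python
"""Toy model of the keystream-reuse weakness described above (constructed example)."""
import hashlib

BLOCK = 64  # 64-byte unit from the write-up; one chunk reused per block is an assumption


def flawed_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for the flawed cipher: a single 64-byte chunk (derived here with
    SHA-512 purely for the demo) is XORed over every block instead of advancing."""
    chunk = hashlib.sha512(key).digest()
    return bytes(b ^ chunk[i % BLOCK] for i, b in enumerate(plaintext))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes, offset: int) -> bytes:
    """Known-plaintext recovery: 64 plaintext bytes at a block-aligned offset inside
    the encrypted region reveal the reused chunk (ciphertext XOR plaintext)."""
    if len(known_plaintext) != BLOCK or offset % BLOCK != 0:
        raise ValueError("need exactly 64 known bytes at a 64-byte aligned offset")
    ct_block = ciphertext[offset:offset + BLOCK]
    if len(ct_block) != BLOCK:
        raise ValueError("known plaintext must sit inside the encrypted data")
    return bytes(c ^ p for c, p in zip(ct_block, known_plaintext))


def keystream_from_zero_block(ciphertext: bytes, offset: int) -> bytes:
    """Virtual disk images carry large all-zero regions: where the plaintext is
    known to be zeros, the ciphertext block itself is the keystream chunk."""
    return recover_keystream(ciphertext, bytes(BLOCK), offset)


def decrypt_with_chunk(ciphertext: bytes, chunk: bytes) -> bytes:
    """Undo the XOR everywhere the recovered chunk was reused."""
    return bytes(c ^ chunk[i % BLOCK] for i, c in enumerate(ciphertext))


def chunks_agree(ciphertext: bytes, known_a: bytes, off_a: int, off_b: int) -> bool:
    """Recovery check a responder would run before trusting a chunk: the chunk from
    a known header and the chunk from an all-zero block must be identical."""
    return recover_keystream(ciphertext, known_a, off_a) == keystream_from_zero_block(ciphertext, off_b)


def build_sample_file() -> bytes:
    """Constructed 2,944-byte 'victim file': 64-byte header, varied data, a 1,024-byte
    all-zero region starting at offset 1856 (block aligned), then a short trailer."""
    header = b"CONSTRUCTED-SAMPLE-HEADER-v1".ljust(BLOCK, b" ")
    body = bytes(range(256)) * 7
    zeros = bytes(1024)
    trailer = b"END-OF-SAMPLE".ljust(BLOCK, b".")
    return header + body + zeros + trailer
```

In this model a file whose only encrypted bytes never line up with a known block stays unrecoverable, which is the limitation the write-up describes.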
The decryptor tool came less than a month after a report by blockchain analytics company Elliptic and cyber-insurance firm Corvus said that since early 2022, Black Basta had racked up at least $107 million in ransom payments made in Bitcoin, becoming the fourth-largest ransomware strain based on the number of victims over the past two years.
At the same time, governments and many within the cybersecurity industry are trying to develop ways to stem the growing tide of ransomware attacks, with researchers at cybersecurity firm Emsisoft calling this week for a ban on ransom payments.
This Cyber News was published on securityboulevard.com. Publication date: Wed, 03 Jan 2024 17:13:05 +0000