Researchers have created a decryptor that exploits a flaw in Black Basta ransomware, allowing victims to recover their files for free.
The decryptor allows Black Basta victims from November 2022 to this month to potentially recover their files for free.
The 'Black Basta Buster' decryptor comes from Security Research Labs (SRLabs), which found a weakness in the encryption routine used by the ransomware gang's encryptors that allows recovery of the ChaCha keystream used to XOR-encrypt a file.
When Black Basta encrypts a file, it XORs the content using a 64-byte keystream created using the XChaCha20 algorithm.
When using a stream cipher to encrypt a file whose bytes contain only zeros, the XOR key itself is written to the file, allowing retrieval of the encryption key.
Ransomware expert Michael Gillespie told BleepingComputer that Black Basta had a bug where they were reusing the same keystream during encryption, thus causing all 64-byte chunks of data containing only zeros to be converted to the 64-byte symmetric key.
This key can then be extracted and used to decrypt the entire file.
This is illustrated by the image below, where two 64-byte chunks of 'zeros' were XORed and now contain the keystream used to encrypt the file.
While decrypting smaller files may not be possible, larger files like virtual machine disks can usually be decrypted, as they contain a large number of 'zero-byte' sections.
For files that do not contain large zero-byte chunks of data, SRLabs says it may still be possible to recover files if you have an older unencrypted version with similar data.
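To make the keystream-reuse flaw concrete, here is an added Python model of the recovery step described above; it is not code from Black Basta Buster, SRLabs or BleepingComputer. It takes the article's description literally (the whole file is XORed with one repeated 64-byte keystream) and runs on a constructed sample rather than a real Black Basta ciphertext.

```python
from collections import Counter
from typing import Optional

BLOCK = 64  # per the article: a 64-byte XChaCha20 keystream is XORed over the file


def xor_with_reused_keystream(data: bytes, keystream: bytes) -> bytes:
    """Model of the reported bug: the same 64-byte keystream is applied to
    every 64-byte chunk instead of advancing the cipher. XOR is its own
    inverse, so this function both 'encrypts' and 'decrypts'."""
    assert len(keystream) == BLOCK
    return bytes(b ^ keystream[i % BLOCK] for i, b in enumerate(data))


def recover_keystream(ciphertext: bytes) -> Optional[bytes]:
    """Recover the keystream from a file that held zero-filled regions.

    0x00 XOR k == k, so every all-zero plaintext chunk encrypts to the
    keystream itself, and with a reused keystream those chunks are all
    identical. The most frequent aligned 64-byte chunk is therefore the
    keystream candidate. Caveat: any other plaintext pattern that repeats
    on 64-byte boundaries yields a wrong candidate, and without known
    plaintext the result cannot be verified from the ciphertext alone."""
    chunks = [ciphertext[i:i + BLOCK]
              for i in range(0, len(ciphertext) - BLOCK + 1, BLOCK)]
    if not chunks:
        return None  # file shorter than one chunk: nothing to work with
    candidate, count = Counter(chunks).most_common(1)[0]
    # Require at least two identical chunks (assumed threshold) so a single
    # arbitrary chunk is not mistaken for the keystream.
    return candidate if count >= 2 else None


def decrypt_file_bytes(ciphertext: bytes) -> Optional[bytes]:
    """Automatic recovery: find the keystream, then XOR it back over the file."""
    keystream = recover_keystream(ciphertext)
    return None if keystream is None else xor_with_reused_keystream(ciphertext, keystream)


# Constructed sample standing in for a VM disk: a short header, a long
# zero-filled region, some data, then more zeros. Not a real Black Basta file.
SAMPLE_PLAINTEXT = b"HDR:constructed" + b"\x00" * 1024 + b"tail data" + b"\x00" * 200

if __name__ == "__main__":
    import os
    ks = os.urandom(BLOCK)  # constructed keystream for the demo
    ct = xor_with_reused_keystream(SAMPLE_PLAINTEXT, ks)
    print("keystream recovered:", recover_keystream(ct) == ks)
    print("file restored:", decrypt_file_bytes(ct) == SAMPLE_PLAINTEXT)
```

A file with no aligned all-zero chunk returns no candidate here, which is exactly the case where the article says an older unencrypted copy with similar content is needed instead.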
The researchers at SRLabs have released a decryptor called Black Basta Buster that consists of a collection of Python scripts that assist you in decrypting files under different scenarios.
Py' that attempts to perform automatic retrieval of the key and then uses it to decrypt the file.
BleepingComputer encrypted the files on a virtual machine with a Black Basta encryptor from April 2023 to test the decryptor.
Py script, it automatically retrieved the keystream and decrypted our file, as can be seen below.
Basta extension to encrypted files rather than a random file extension cannot be decrypted using this tool.
The decryptor only works on one file at a time, so if you wish to decrypt entire folders, you need to use a shell script or the 'find' command, as shown below.
Just make sure to replace the extension and file paths as necessary.
While new Black Basta victims will no longer be able to recover their files for free, older victims may be luckier if they were holding out for a decryptor.
The Black Basta ransomware gang launched its operation in April 2022 and became the newest cybercrime gang conducting double-extortion attacks on corporate victims.
Black Basta ransomware made over $100 million from extortion.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sat, 30 Dec 2023 15:25:12 +0000