Tuesday, October 8, 2024

Free Decryptor Tool Released for the Black Basta Ransomware


A vulnerability in the encryption algorithm used by the Black Basta ransomware has led researchers to develop a free decryptor tool.

Active since April 2022, the Black Basta ransomware group employs a double extortion strategy, encrypting the vital servers and sensitive data of their victims and threatening to reveal the sensitive information on their public leak site.

Since the beginning of 2022, the criminal group has received at least $107 million in Bitcoin ransom payments. Over 329 victims have been affected by the ransomware gang, according to the experts.


A free decryptor has been offered by independent security research and consulting company SRLabs to assist victims of the Black Basta ransomware in getting their files back.

How Can the Files Be Recovered?

Researchers claim that data may be recovered if the plaintext of 64 encrypted bytes is known. The size of a file determines whether it may be recovered entirely or partially. Files smaller than 5000 bytes cannot be restored.

Complete recovery is achievable for files ranging in size from 5000 bytes to 1GB. The first 5000 bytes of files larger than 1GB will be lost; however, the remaining bytes can be restored.

“The recovery hinges on knowing the plaintext of 64 encrypted bytes of the file. In other words, knowing 64 bytes is not sufficient in itself since the known plaintext bytes need to be in a location of the file that is subject to encryption based on the malware’s logic of determining which parts of the file to encrypt”, the researchers said.

It is possible to know 64 bytes of plaintext in the correct location for several file types, particularly virtual machine disk images.

Researchers developed various tools to aid in analyzing encrypted files and determining whether decryption is feasible.

The decryptauto.py tool may recover files containing encrypted zero bytes. Manual review may be required depending on how often and to what extent the malware has encrypted the file.
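The following added example (not SRLabs' tool and not code from the original article) illustrates both recovery routes described above: deriving the keystream from 64 known plaintext bytes, and spotting it in encrypted zero bytes. It assumes, which the article does not state, that the same 64-byte keystream block is XORed over every encrypted block; the keystream, the sample file and all function names are constructed for illustration.

```python
from collections import Counter

BLOCK = 64  # bytes of known plaintext the researchers say are needed

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_from_known(ct: bytes, offset: int, known: bytes) -> bytes:
    """Known-plaintext route: keystream = ciphertext XOR plaintext."""
    if offset % BLOCK or len(known) != BLOCK:
        raise ValueError("need one aligned 64-byte block of known plaintext")
    return xor(ct[offset:offset + BLOCK], known)

def keystream_from_zeros(ct: bytes, min_repeats: int = 2):
    """Zero-byte route: where plaintext was all zeros, ciphertext == keystream,
    so the most frequent aligned block is the candidate. Returns None when
    nothing repeats often enough to trust (manual review needed)."""
    counts = Counter(ct[o:o + BLOCK] for o in range(0, len(ct) - BLOCK + 1, BLOCK))
    if not counts:
        return None
    block, hits = counts.most_common(1)[0]
    return block if hits >= min_repeats else None

def apply_keystream(data: bytes, ks: bytes) -> bytes:
    """XOR each aligned block with the keystream (same call encrypts/decrypts)."""
    return b"".join(xor(data[o:o + BLOCK], ks) for o in range(0, len(data), BLOCK))

def demo():
    # Constructed keystream and file: header block, zero-filled gap, short tail.
    ks = bytes((i * 37 + 11) % 256 for i in range(BLOCK))
    header = b"CONSTRUCTED IMAGE HEADER".ljust(BLOCK, b"\x01")
    plain = header + bytes(BLOCK * 6) + b"constructed partition data"
    ct = apply_keystream(plain, ks)
    via_zeros = keystream_from_zeros(ct)
    via_known = keystream_from_known(ct, 0, header)
    return via_zeros == ks, via_known == ks, apply_keystream(ct, via_zeros) == plain

if __name__ == "__main__":
    print(demo())
```

The constructed sample encrypts every block; a real file is only encrypted in the regions the malware selects, which is why the known bytes must fall inside such a region.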

Decrypting file with the decryptauto.py tool

Researchers say the malware leaves a magic byte sequence at the end of the file that is not part of the encrypted data. After the tool has finished running, the file contains only zero bytes, which shows that it has been decrypted successfully.

The file successfully decrypted

Depending on the file size, the keystream is used correctly for the first 5000 bytes. In other words, those bytes, aside from the initial 64, will be lost.

Researchers say, “Virtualized disk images, however, have a high chance of being recovered because the actual partitions and their file systems tend to start later.

So the ransomware destroyed the MBR or GPT partition table, but tools such as “testdisk” can often recover or re-generate those.”

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
