Free Decryptor Tool Released for the Black Basta Ransomware

A vulnerability in the encryption algorithm used by the Black Basta ransomware has led researchers to develop a free decryptor tool.

Active since April 2022, the Black Basta ransomware group employs a double extortion strategy, encrypting the vital servers and sensitive data of their victims and threatening to reveal the sensitive information on their public leak site.

Since the beginning of 2022, the criminal group has received at least $107 million in Bitcoin ransom payments. Over 329 victims have been affected by the ransomware gang, according to the experts.

A free decryptor has been offered by independent security research and consulting company SRLabs to assist victims of the Black Basta ransomware in getting their files back.

How Can the Files Be Recovered?

Researchers claim that if the plaintext of 64 encrypted bytes is known, data may be recovered. The size of a file determines whether it may be recovered entirely or partially. Files with less than 5000 bytes in size cannot be restored. 

Complete recovery is achievable for files ranging in size from 5000 bytes to 1GB. The first 5000 bytes of files larger than 1GB will be lost; however, the remaining bytes can be restored.

“The recovery hinges on knowing the plaintext of 64 encrypted bytes of the file. In other words, knowing 64 bytes is not sufficient in itself since the known plaintext bytes need to be in a location of the file that is subject to encryption based on the malware’s logic of determining which parts of the file to encrypt”, the researchers said.

It is possible to know 64 bytes of plaintext in the correct location for several file types, particularly virtual machine disk images.

Researchers developed various tools to aid in analyzing encrypted files and determining whether decryption is feasible.

The decrypt auto tool may recover files containing encrypted zero bytes. Manual review may be required depending on how often and to what extent the malware has encrypted the file.

Researchers say a magic byte sequence that is not included in the encrypted file is left by the malware at the end. The file only has zero bytes after the tool has finished running. Thus, the file has been successfully decrypted.

Depending on the file size, the first 5000 bytes are used correctly by the keystream. Stated otherwise, those bytes—aside from the initial 64—will be lost.

Researchers say, “Virtualized disk images, however, have a high chance of being recovered because the actual partitions and their file systems tend to start later.

So the ransomware destroyed the MBR or GPT partition table, but tools such as “testdisk” can often recover or re-generate those.”