Black Basta: Security Researchers Develop Decryptor for Black Basta Ransomware



In a recent breakthrough, security researchers have created a decryptor that exploits a vulnerability in the Black Basta ransomware, enabling victims to recover their files without paying the ransom. The decryptor, named ‘Black Basta Buster,’ was developed by Security Research Labs (SRLabs) and takes advantage of a flaw in the encryption algorithm used by the Black Basta ransomware gang.

According to a report by BleepingComputer, the vulnerability in Black Basta’s encryption routine allowed victims encrypted from November 2022 to the present month to potentially recover their files for free. However, it has been reported that the developers of Black Basta recently fixed the bug in their encryption mechanism, so this decryption technique does not work against newer attacks.

Understanding the Black Basta Flaw

SRLabs discovered a weakness in the encryption algorithm employed by Black Basta, which enabled the creation of the ‘Black Basta Buster’ decryptor. The flaw is associated with how the ransomware handles the ChaCha keystream used in XOR encryption.

The decryption process relies on the knowledge of the plaintext of 64 encrypted bytes. The recoverability of a file depends on its size, with files below 5000 bytes deemed irrecoverable. For files ranging from 5000 bytes to 1GB, complete recovery is possible. Files larger than 1GB will lose the first 5000 bytes, but the remainder can be recovered.

Black Basta typically XORs the content of a file with a 64-byte keystream generated using the XChaCha20 algorithm. The flaw lies in reusing that same 64-byte keystream for every block of the file: because XORing zeros with the keystream yields the keystream unchanged, any 64-byte chunk of plaintext containing only zeros is encrypted to the keystream itself. That keystream can then be extracted from the encrypted file and used to decrypt the entire file.

The decryption process is effective for larger files, such as virtual machine disks, which usually contain numerous zero-filled sections. Even if the ransomware damages the Master Boot Record (MBR) or GUID Partition Table (GPT), tools like “testdisk” can often recover or regenerate these structures.
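The following is an added toy model of the keystream-reuse flaw described above; it is not SRLabs’ Black Basta Buster code and does not use the real XChaCha20 keystream. It assumes a fixed, constructed 64-byte keystream, a constructed sample file with a large zero-filled region (as in a sparse VM disk), and a heuristic of this example’s own choosing: the most frequently repeated 64-byte ciphertext block is taken to be the keystream. The 5000-byte and 1 GB thresholds quoted earlier are not modelled.

```python
"""Toy model of the reused-keystream flaw described above (constructed example)."""
from collections import Counter
import random

BLOCK = 64  # the article describes a 64-byte keystream reused for every block

# Constructed stand-in for the XChaCha20 keystream (assumption: any 64 bytes serve the demo).
KEYSTREAM = bytes(random.Random(2022).randrange(256) for _ in range(BLOCK))


def xor_with_keystream(data: bytes, keystream: bytes) -> bytes:
    """Model the flawed scheme: every 64-byte block is XORed with the SAME keystream.
    A correct stream cipher would use fresh keystream bytes for every position."""
    if len(keystream) != BLOCK:
        raise ValueError("keystream must be exactly 64 bytes")
    return bytes(b ^ keystream[i % BLOCK] for i, b in enumerate(data))


def keystream_from_known_block(ct_block: bytes, pt_block: bytes) -> bytes:
    """Known-plaintext recovery: ciphertext XOR plaintext gives the keystream.
    For an all-zero plaintext block this reduces to keystream == ciphertext block."""
    if len(ct_block) != BLOCK or len(pt_block) != BLOCK:
        raise ValueError("both blocks must be exactly 64 bytes")
    return bytes(c ^ p for c, p in zip(ct_block, pt_block))


def keystream_from_zero_runs(ciphertext: bytes):
    """Heuristic (this example's assumption, not a method the article spells out):
    a file with many all-zero blocks produces the same 64-byte ciphertext block
    over and over, and that repeated block IS the keystream (0 XOR k == k).
    Returns (keystream, occurrences), or None when no aligned block repeats,
    in which case there is no evidence of a zero run and recovery is not attempted."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext) - BLOCK + 1, BLOCK)]
    if not blocks:
        return None
    candidate, count = Counter(blocks).most_common(1)[0]
    if count < 2:
        return None
    return candidate, count


def build_sample_image(seed: int = 1) -> bytes:
    """Constructed sample file: a small header of pseudo-random bytes, a large
    zero-filled region (as in a sparse VM disk), then more pseudo-random data
    whose length is deliberately not a multiple of 64."""
    rng = random.Random(seed)
    header = bytes(rng.randrange(256) for _ in range(3 * BLOCK))
    zeros = bytes(40 * BLOCK)
    tail = bytes(rng.randrange(256) for _ in range(5 * BLOCK + 17))
    return header + zeros + tail


def recover_file(ciphertext: bytes):
    """Recover the plaintext from a reused-keystream ciphertext, or None if the
    zero-run heuristic finds nothing to work with (e.g. a tiny file)."""
    found = keystream_from_zero_runs(ciphertext)
    if found is None:
        return None
    keystream, _ = found
    return xor_with_keystream(ciphertext, keystream)  # XOR is its own inverse


if __name__ == "__main__":
    plaintext = build_sample_image()
    ciphertext = xor_with_keystream(plaintext, KEYSTREAM)
    ks, n = keystream_from_zero_runs(ciphertext)
    print(f"recovered keystream matches: {ks == KEYSTREAM}, seen in {n} blocks")
    print(f"file recovered: {recover_file(ciphertext) == plaintext}")
    # A file with no zero-filled blocks gives the heuristic nothing to work with.
    tiny = xor_with_keystream(plaintext[: 2 * BLOCK], KEYSTREAM)
    print(f"tiny file recoverable by zero-run heuristic: {recover_file(tiny) is not None}")
```

The defensive lesson is the one the article implies: a stream cipher is only as strong as the uniqueness of its keystream. Once any 64-byte block is XORed with the same bytes as another, a single known or guessable block (here, a zero-filled one) leaks the keystream for the whole file, which is why the `tiny` case with no repeated block cannot be recovered by this heuristic while the sparse image can.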

It’s important to note that while decrypting smaller files may not be feasible, SRLabs suggests that for files lacking large…
