Tag Archive for: Black

Black Basta ransomware decryptor developed, then defeated


A new decryptor has been developed for Black Basta ransomware by security researchers. The program exploits a vulnerability in the ransomware's encryption routine to decrypt files that the cybercriminal gang had encrypted on victims' systems.

However, the decryptor, built by Security Research Labs (SRLabs), only allows for the recovery of data from between November 2022 and this month, as Black Basta appears to have now patched the flaw in its malware, BleepingComputer reports.

The decryptor exploits a flaw in the way large files were encrypted by Black Basta between November 2022 and January 2024. (Photo by Elena Abrazhevich / Shutterstock)

Only certain files can be recovered in that timeframe, too, said SRLabs. Recovery requires that the plaintext of 64 encrypted bytes be known, and full recovery is only possible for files between 5,000 bytes and 1GB in size. “For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered,” wrote SRLabs researchers on the firm’s GitHub repository. The decryptor itself, dubbed “Black Basta Buster,” has now been released by the company.

It works by exploiting a weakness in Black Basta’s encryption routine, which generates a single 64-byte keystream and XORs it over every 64-byte chunk of a file. Wherever a chunk of the original file consisted only of zero bytes, the XOR leaves the keystream itself in the encrypted file, so SRLabs researchers could read it out and use it to decrypt the rest of the file. Consequently, files containing large numbers of “zero-byte” sections, such as virtualised disk images, are easier to recover, said the team. However, CISOs should be aware that an additional shell script is required to decrypt more than one file at a time.

Black Basta’s crime spree

Digital forensics and incident response companies have known about this quirk in Black Basta’s malware for months, BleepingComputer says, allowing clients to recover their data without having to pay ransoms. SRLabs’ ransomware decryptor is one of several such tools that were released toward the close of 2023. These included programs to recover data from Key Group ransomware, BlackCat and LockBit.

In addition to patching SRLabs’ decryptor, Black Basta had much to celebrate over the holidays….

Source…

Black Basta Ransomware Decryptor Published


Security researchers have published a new suite of tools designed to help victims of the prolific Black Basta ransomware recover their files.

Berlin-based Security Research (SR) Labs revealed in a recent GitHub post that the tools exploit a weakness in the encryption algorithm.

Black Basta uses a ChaCha keystream to XOR encrypt 64-byte-long chunks of victim files.

“Our analysis suggests that files can be recovered if the plaintext of 64 encrypted bytes is known. Whether a file is fully or partially recoverable depends on the size of the file,” SRLabs explained.

“Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered.”

Read more on Black Basta: Black Basta Deploys PlugX Malware in USB Devices With New Technique

The tools work specifically where Black Basta has encrypted 64-byte chunks that contained only zeros, which is why they mainly work on larger files: those are the ones most likely to contain such runs.

“For certain file types knowing 64 bytes of the plaintext in the right position is feasible, especially virtual machine disk images,” SRLabs said.

“We have built some tooling which can help analyze encrypted files and check if decryption is possible. For example, the decryptauto tool may recover files containing encrypted zero bytes. Depending on how many times and to what extent the malware encrypted the file, manual review is required to fully recover a file.”

However, the decryption tools will only work for the Black Basta ransomware variant used in around April 2023, the researchers continued.

Black Basta is one of the most successful ransomware-as-a-service operations around, having generated over $100m in revenue since April 2022. Its developers are suspected of links to the now-defunct Conti group and Qakbot malware.

Source…

Black Basta: Security Researchers Develop Decryptor for Black Basta Ransomware



In a recent breakthrough, security researchers have created a decryptor that exploits a vulnerability in the Black Basta ransomware, enabling victims to recover their files without paying the ransom. The decryptor, named ‘Black Basta Buster,’ was developed by Security Research Labs (SRLabs) and takes advantage of a flaw in the encryption algorithm used by the Black Basta ransomware gang.

According to a report by the BleepingComputer, the vulnerability in Black Basta’s encryption routine allowed victims from November 2022 to the present month to potentially recover their files for free. However, it has been reported that the developers of Black Basta recently addressed the bug in their encryption mechanism, preventing the use of this decryption technique in newer attacks.

Understanding the Black Basta Flaw

SRLabs discovered a weakness in the encryption algorithm employed by Black Basta, which enabled the creation of the ‘Black Basta Buster’ decryptor. The flaw is associated with how the ransomware handles the ChaCha keystream used in XOR encryption.

The decryption process relies on the knowledge of the plaintext of 64 encrypted bytes. The recoverability of a file depends on its size, with files below 5000 bytes deemed irrecoverable. For files ranging from 5000 bytes to 1GB, complete recovery is possible. Files larger than 1GB will lose the first 5000 bytes, but the remainder can be recovered.

Black Basta typically XORs the content of a file with a 64-byte keystream generated using the XChaCha20 algorithm. The flaw lies in the reuse of that same 64-byte keystream for every chunk of the file: any 64-byte chunk of data containing only zeros is turned into the keystream itself in the encrypted output. That keystream can then be read straight out of the encrypted file and XORed back over the remaining chunks to decrypt the whole file.

The decryption process is effective for larger files, such as virtual machine disks, which usually contain numerous ‘zero-byte’ sections. Even if the ransomware damages the Master Boot Record (MBR) or GUID Partition Table (GPT) partition table, tools like “testdisk” can often recover or regenerate these structures.
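The keystream-reuse flaw described in the paragraphs above (and in the first two pieces on this page) is easiest to see in code. The following is an added example written for this page; it is not SRLabs' Black Basta Buster and not the malware's code. It models the flawed scheme as a fixed 64-byte keystream XORed over every chunk, recovers that keystream two ways (from one chunk of known plaintext, and from the repeated block that all-zero chunks leave behind), decrypts a constructed "disk image", and contrasts it with a counter-mode scheme where each chunk gets a fresh keystream block. The sample file, the keys, and the SHA-256/SHAKE stand-in for XChaCha20 are all assumptions made for the example; the size-dependent rules (5,000 bytes / 1GB) reported above are not modelled.

```python
"""Toy model of the Black Basta keystream-reuse flaw.

Added example for illustration only: not SRLabs' tooling and not the
malware's code. Keys, sample data and the hash-based "cipher" are
constructed stand-ins.
"""
import hashlib
import secrets
from collections import Counter
from typing import Optional

CHUNK = 64  # the reporting above describes 64-byte XOR chunks


def xor_with_fixed_keystream(data: bytes, keystream: bytes) -> bytes:
    """Flawed scheme: one 64-byte keystream XORed over every chunk.
    XOR is its own inverse, so this both encrypts and decrypts."""
    if len(keystream) != CHUNK:
        raise ValueError("keystream must be exactly one chunk")
    out = bytearray(data)
    for i in range(len(out)):
        out[i] ^= keystream[i % CHUNK]
    return bytes(out)


def keystream_from_known_plaintext(ciphertext: bytes, known: bytes, offset: int) -> bytes:
    """Known-plaintext attack: keystream = ciphertext XOR plaintext for one
    chunk-aligned 64-byte block. With keystream reuse, that one block is all
    we need for the whole file."""
    if offset % CHUNK or len(known) != CHUNK or offset + CHUNK > len(ciphertext):
        raise ValueError("need one full chunk-aligned block of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[offset:offset + CHUNK], known))


def keystream_from_zero_chunks(ciphertext: bytes) -> Optional[bytes]:
    """No offset knowledge needed: an all-zero plaintext chunk encrypts to the
    keystream itself, and every such chunk yields the same 64 bytes. The most
    frequently repeated chunk-aligned block is therefore the keystream.
    Returns None if no block repeats (e.g. a sound cipher, or no zero runs)."""
    blocks = Counter(ciphertext[i:i + CHUNK]
                     for i in range(0, len(ciphertext) - CHUNK + 1, CHUNK))
    if not blocks:
        return None
    block, n = blocks.most_common(1)[0]
    return block if n >= 2 else None


def ctr_like_encrypt(data: bytes, key: bytes) -> bytes:
    """Hardened contrast: a fresh 64-byte keystream block per chunk, derived
    from key||counter. SHAKE-256 is an assumed stand-in for XChaCha20 so the
    example needs no third-party library; the point is only that the keystream
    never repeats across chunks, so zero chunks no longer leak anything reusable."""
    out = bytearray()
    for ctr, i in enumerate(range(0, len(data), CHUNK)):
        ks = hashlib.shake_256(key + ctr.to_bytes(8, "little")).digest(CHUNK)
        out += bytes(b ^ k for b, k in zip(data[i:i + CHUNK], ks))
    return bytes(out)


def build_constructed_disk_image() -> bytes:
    """Constructed sample: a header chunk, some random payload, a long run of
    zeros (as in a sparse VM disk), then a few repeated payload chunks."""
    header = b"CONSTRUCTED-VDISK-HEADER".ljust(CHUNK, b"\x00")
    payload = secrets.token_bytes(CHUNK * 10)
    zeros = bytes(CHUNK * 50)  # zero run starts at offset CHUNK * 11
    return header + payload + zeros + payload[:CHUNK * 3]


def demo() -> dict:
    image = build_constructed_disk_image()
    keystream = secrets.token_bytes(CHUNK)  # the "secret" the attacker never sees
    enc = xor_with_fixed_keystream(image, keystream)

    # Attack 1: we know one chunk is all zeros and where it sits.
    ks_known = keystream_from_known_plaintext(enc, bytes(CHUNK), CHUNK * 11)
    # Attack 2: no positional knowledge, just the repeated-block heuristic.
    ks_zero = keystream_from_zero_chunks(enc)
    recovered = xor_with_fixed_keystream(enc, ks_zero) if ks_zero else b""

    # Same file under the per-chunk keystream scheme: nothing repeats.
    enc_ctr = ctr_like_encrypt(image, secrets.token_bytes(32))
    return {
        "known_plaintext_matches": ks_known == keystream,
        "zero_chunk_matches": ks_zero == keystream,
        "full_recovery": recovered == image,
        "ctr_heuristic_fails": keystream_from_zero_chunks(enc_ctr) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The repeated-block heuristic is why the decryptor is described above as working best on large files such as virtual machine disks: the more all-zero chunks a file has, the more often the keystream appears verbatim and the less manual work is needed to locate it. A file with no zero run and no other known 64 bytes at a chunk-aligned offset gives the attack nothing to work with.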

It’s important to note that while decrypting smaller files may not be feasible, SRLabs suggests that for files lacking large…

Source…

WGRE Reports DePauw Attacked by Black Suit Ransomware Gang


Editor’s Note: This article was submitted by WGRE News Director Taylor Fleming. The DePauw gives WGRE full credit for this news piece.

DePauw’s cyber incident was an attack by the Black Suit ransomware gang. Black Suit claims to have stolen 214 gigabytes of data. The gang operates by stealing and encrypting data on a compromised network. This story was originally reported by The Record, a news organization run by cybersecurity firm Recorded Future.

Last week, DePauw notified many students and parents that their Social Security numbers and other personal information may have been stolen by an unauthorized third party. That third party has turned out to be Black Suit.

According to the US government’s Health Sector Cybersecurity Coordination Center, Black Suit is a relatively new ransomware group that was discovered in early May 2023. However, Black Suit is likely linked to another ransomware group called Royal. Royal was the direct successor of the defunct Russian hacker group Conti.

The FBI has been assisting DePauw University as it navigates this attack. DePauw has offered impacted students one year of free identity protection services. DePauw University found out about the cyber attack on October 31.

Source…