Tag Archive for: Decryptor

Babuk Ransomware Decryptor Updated to Recover Files Infected


Hackers use ransomware to encrypt victims’ files and render them inaccessible until a ransom is paid. This forces the victims to pay a ransom to regain access to compromised systems and data.

This tactic generates financial gains for the threat actors, and because ransomware attacks can be conducted at scale, threat actors can target individuals, businesses, and organizations alike.

The Babuk ransomware decryptor has recently received an update from Avast cybersecurity researchers, Cisco Talos, and the Dutch Police to allow for the recovery of files infected with the most recent ransomware variant.

Technical Analysis

Babuk ransomware initially emerged in early 2021, and it is known for the following key things:

  • Targeting Windows systems
  • Encrypting files
  • Demanding ransom payments in exchange for decryption keys

Besides this, Babuk ransomware has gained immense attention for its evolving tactics and the sophistication of its attacks.

Since the ransomware first appeared, the Avast security company has blocked over 5600 targeted attacks, the majority of which targeted individuals and organizations in the following nations:

  • Brazil
  • Czech Republic
  • India
  • The United States
  • Germany

Babuk attacks blocked by Avast since 2021 (Source – Avast)

The recently updated Avast Babuk decryption tool can restore the files the Tortilla Babuk variant has encrypted.

Babuk ransomware source code was released in Sept 2021 in the form of a ZIP file on a Russian hacking forum, which included 14 victim-specific private keys.

The cybersecurity analysts affirmed that creating the decryptor was easy, as the encryption scheme remained unchanged from their analysis 2 years prior; the sample that the researchers analyzed was named “tortilla.exe”.

The Babuk encryptor is likely made from leaked sources and uses a single key…

Source…

Free Decryptor Released for Black Basta Ransomware


A vulnerability in the encryption algorithm used by the Black Basta ransomware has led researchers to develop a free decryptor tool.

Active since April 2022, the Black Basta ransomware group employs a double extortion strategy, encrypting the vital servers and sensitive data of their victims and threatening to reveal the sensitive information on their public leak site.

Since the beginning of 2022, the criminal group has received at least $107 million in Bitcoin ransom payments. Over 329 victims have been affected by the ransomware gang, according to the experts.

A free decryptor has been offered by independent security research and consulting company SRLabs to assist victims of the Black Basta ransomware in getting their files back.

How Can the Files Be Recovered?

Researchers claim that data may be recovered if the plaintext of 64 encrypted bytes is known. The size of a file determines whether it may be recovered entirely or partially. Files smaller than 5000 bytes cannot be restored.

Complete recovery is achievable for files ranging in size from 5000 bytes to 1GB. The first 5000 bytes of files larger than 1GB will be lost; however, the remaining bytes can be restored.

“The recovery hinges on knowing the plaintext of 64 encrypted bytes of the file. In other words, knowing 64 bytes is not sufficient in itself since the known plaintext bytes need to be in a location of the file that is subject to encryption based on the malware’s logic of determining which parts of the file to encrypt”, the researchers said.

It is possible to know 64 bytes of plaintext in the correct location for several file types, particularly virtual machine disk images.

Researchers developed various tools to aid in analyzing encrypted files and determining whether decryption is feasible.

The decryptauto tool may recover files containing encrypted zero bytes. Manual review may be required depending on how often and to what extent the malware has encrypted the file.

Decrypting file with the decryptauto.py tool

Researchers say the malware leaves a magic byte sequence at the end of the file that is not itself part of the encrypted data. Once the tool has finished running, the file contains only zero bytes where….

Source…

Black Basta ransomware decryptor developed, then defeated


A new decryptor has been developed for Black Basta ransomware by security researchers. The program exploits a vulnerability in the encryption algorithm to decrypt files previously encrypted by the cybercriminal gang.

However, the decryptor, built by Security Research Labs (SRLabs), only allows for the recovery of data from between November 2022 and this month, as Black Basta appears to have now patched the flaw in its malware, BleepingComputer reports.

The decryptor exploits a flaw in the way large files were encrypted by Black Basta between November 2022 and January 2024. (Photo by Elena Abrazhevich / Shutterstock)

Only certain files can be recovered in that timeframe, too, said SRLabs. These are files for which the plaintext of 64 encrypted bytes is known and that are between 5,000 bytes and 1GB in size. “For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered,” wrote SRLabs researchers on the firm’s GitHub repository. The decryptor itself, dubbed “Black Basta Buster,” has now been released by the company.

It works by exploiting a weakness in Black Basta’s encryption algorithm, which creates a 64-byte keystream. When that keystream is used to encrypt a region of a file consisting only of zero bytes, the XOR key itself is written into the file, allowing SRLabs researchers to recover it and decrypt the rest. Consequently, files containing large numbers of “zero-byte” sections, such as virtualised disk images, are easier to recover, said the team. However, CISOs should be aware that an additional shell script is required to decrypt more than one file at a time.

Black Basta’s crime spree

Digital forensics and incident response companies have known about this quirk in Black Basta’s malware for months, BleepingComputer says, allowing clients to recover their data without having to pay ransoms. SRLabs’ ransomware decryptor is one of several such tools that were released toward the close of 2023. These included programs to recover data from Key Group ransomware, BlackCat and LockBit.

In addition to patching SRLabs’ decryptor, Black Basta had much to celebrate over the holidays….

Source…

Black Basta Ransomware Decryptor Published


Security researchers have published a new suite of tools designed to help victims of the prolific Black Basta ransomware recover their files.

Berlin-based Security Research (SR) Labs revealed in a recent GitHub post that the tools exploit a weakness in the encryption algorithm.

Black Basta uses a ChaCha keystream to XOR encrypt 64-byte-long chunks of victim files.

“Our analysis suggests that files can be recovered if the plaintext of 64 encrypted bytes is known. Whether a file is fully or partially recoverable depends on the size of the file,” SRLabs explained.

“Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered.”


The tools work specifically where Black Basta has encrypted file regions containing only zeros, which is why they mainly work for larger files.
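The weakness these articles describe (a 64-byte keystream reused across every encrypted chunk, so any 64 bytes of known plaintext such as a zero-filled run of a disk image reveal the whole keystream) can be modelled in a few lines. The block below is an added example written for this page, not SRLabs' Black Basta Buster code; the encryption window offsets, the sample "disk image" and the SHA-256-derived stand-in keystream are constructed assumptions, and the real malware's logic for choosing which parts of a file to encrypt is not modelled.

```python
import hashlib

CHUNK = 64  # keystream length the articles describe for Black Basta


def xor_region(data: bytes, keystream: bytes, start: int, length: int) -> bytes:
    """Simplified model: every 64-byte chunk in [start, start+length) is XORed
    with the same 64-byte keystream. XOR is self-inverse, so this function
    both encrypts and decrypts."""
    out = bytearray(data)
    for i in range(start, min(len(data), start + length)):
        out[i] ^= keystream[(i - start) % CHUNK]
    return bytes(out)


def recover_keystream(enc: bytes, start: int, known_off: int, known_pt: bytes) -> bytes:
    """Known-plaintext recovery: 64 known plaintext bytes anywhere inside the
    encrypted region give ct XOR pt = keystream, once chunk alignment relative
    to `start` is taken into account."""
    if len(known_pt) != CHUNK or known_off < start:
        raise ValueError("need exactly 64 known bytes inside the encrypted region")
    ks = bytearray(CHUNK)
    for j in range(CHUNK):
        ks[(known_off - start + j) % CHUNK] = enc[known_off + j] ^ known_pt[j]
    return bytes(ks)


def recover_from_zero_run(enc: bytes, start: int, length: int, zero_off: int) -> bytes:
    """The case the decryptor relies on: the analyst knows 64 bytes at zero_off
    were zeros before encryption (e.g. unallocated space in a disk image), so
    the ciphertext there is the keystream itself."""
    ks = recover_keystream(enc, start, zero_off, bytes(CHUNK))
    return xor_region(enc, ks, start, length)


# Constructed sample "disk image": non-zero header, a zero-filled gap, then data.
SAMPLE = bytes([0xAA]) * 100 + bytes(200) + b"sector data " * 200
# Stand-in keystream (SHA-256 output, not ChaCha) and an assumed encryption window.
STAND_IN_KEYSTREAM = hashlib.sha256(b"constructed keystream").digest() * 2
ENC_START, ENC_LEN = 64, 1024


def demo() -> bool:
    """Encrypt the sample, then recover it using only the zero gap at offset 150."""
    enc = xor_region(SAMPLE, STAND_IN_KEYSTREAM, ENC_START, ENC_LEN)
    recovered = recover_from_zero_run(enc, ENC_START, ENC_LEN, zero_off=150)
    return enc != SAMPLE and recovered == SAMPLE


if __name__ == "__main__":
    print("recovered:", demo())
```

Offset 150 is deliberately not chunk-aligned relative to the encryption start, so the rotation in recover_keystream is exercised; a keystream recovered from a misaligned window would otherwise decrypt to garbage.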

“For certain file types knowing 64 bytes of the plaintext in the right position is feasible, especially virtual machine disk images,” SRLabs said.

“We have built some tooling which can help analyzing encrypted files and check if decryption is possible. For example, the decryptauto tool may recover files containing encrypted zero bytes. Depending on how many times and to what extent the malware encrypted the file, manual review is required to fully recover a file.”

However, the decryption tools will only work for the Black Basta ransomware variant used in around April 2023, the researchers continued.

Black Basta is one of the most successful ransomware-as-a-service operations around, having generated over $100m in revenue since April 2022. Its developers are suspected of links to the now-defunct Conti group and Qakbot malware.

Source…