Black Basta Decryptor Recovers Files Exploiting a Ransomware Flaw

Black Basta Decryptor Recovers Files Exploiting a Ransomware Flaw
Table of Contents
    Add a header to begin generating the table of contents

    A team of researchers has developed a Black Basta decryptor that takes advantage of a vulnerability in the Black Basta ransomware.

    The Black Basta Ransomware Decryptor enables victims to retrieve their files without paying any ransom. It is designed to work for Black Basta victims between November 2022 and the present month.

    However, recent information reveals that the developers of Black Basta ransomware have already addressed this flaw in their encryption process, rendering the decryptor ineffective against newer attacks.

    The Black Basta Decryptor Exploits Encryption Vulnerability

    The decryptor, named “Black Basta Buster,” is developed by Security Research Labs (SRLabs). They identified a vulnerability in the encryption algorithm utilized by the Black Basta ransomware group.

    This flaw enables the discovery of the ChaCha keystream, which is employed to XOR encrypt files.

    “Our analysis suggests that files can be recovered if the plaintext of 64 encrypted bytes is known. Whether a file is fully or partially recoverable depends on the size of the file,”

    “Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered.”

    Explains SRLabs’ method GitHub repository.

    During the encryption process, Black Basta ransomware employs the XChaCha20 algorithm to XOR the file content with a 64-byte keystream. However, a bug in the ransomware’s implementation was discovered.

    It turns out that when encrypting a file consisting of only zeros, the XOR key itself is written to the file. This flaw allows for the retrieval of the encryption key.

    Ransomware expert Michael Gillespie explained that Black Basta Ransomware reused the same keystream during encryption. Consequently, every 64-byte chunk of zero-filled data was transformed into the 64-byte symmetric key. This extracted key can then be used to decrypt the entire file.

    The image below illustrates this scenario, where two 64-byte chunks of zeros were XORed and now contain the keystream utilized for file encryption. While decrypting smaller files may not be possible, larger files such as virtual machine disks usually contain numerous sections filled with zero bytes, making decryption feasible.

    Virtualised disk images, however have a high chance of being recovered, because the actual partitions and their filesystems tend to start later, So the ransomware destroyed the MBR or GPT partition table, but tools such as “testdisk” can often recover or re-generate those. In cases where files do not possess significant sections of zero-byte data, SRLabs suggests that file recovery may still be feasible if you have an older unencrypted version that contains similar data. According to BleepingComputer’s intel, certain DFIR (Digital Forensics and Incident Response) companies were already aware of this vulnerability and had been utilizing it for several months. As a result, they were able to decrypt their clients’ computers without resorting to ransom payments.

    The Black Basta Ransomware Decryptor: Black Basta Buster

    The Decryptor for Black Basta Ransomware – Black Basta Buster, comprises a collection of Python scripts designed to assist in file decryption under various scenarios. One script created by the researchers is ‘decryptauto.py’, which aims to automate the retrieval of the encryption key and subsequently decrypt the file. To test the decryptor, BleepingComputer conducted an experiment by encrypting files on a virtual machine using a Black Basta encryptor from April 2023. When they used the decryptauto.py script, it successfully retrieved the keystream and decrypted the file, as demonstrated below.

    However, it is important to note that this decryptor is only effective for Black Basta versions released since November 2022 up until approximately a week ago.

    Additionally, earlier versions that appended the .basta extension to encrypted files instead of a random file extension cannot be decrypted using this tool.

    It is worth mentioning that the decryptor operates on one file at a time. If you need to decrypt entire folders, you will need to employ a shell script or the ‘find’ command, as depicted below. Please ensure to modify the extension and file paths according to your specific requirements.

    find . -name "*.4xw1woqp0" -exec ../black-basta-buster/decryptauto.py "{}" ;

    Indeed, recent victims of the Black Basta ransomware will no longer have the option to retrieve their files without making a payment. However, older victims who have been patiently waiting for a decryptor may have a stroke of luck on their side.

    Who is the Black Basta Ransomware Group?

    The Black Basta ransomware group emerged in April 2022 as the latest cybercrime gang engaged in double-extortion attacks against corporate victims.

    By June 2022, Black Basta Ransomware group established a partnership with the QBot malware operation (QakBot), utilizing Cobalt Strike for remote access to corporate networks.

    Through these beacons, Black Basta expanded its reach across the network, exfiltrating data, and ultimately deploying encryptors.In line with other ransomware operations targeting enterprises,

    Black Basta developed a Linux encryptor specifically designed to target VMware ESXi virtual machines running on Linux servers.

    Researchers have also uncovered connections between the Black Basta ransomware gang and the financially motivated cybercrime group known as FIN7 or Carbanak.Since its inception, the threat actors behind Black Basta have been responsible for a series of attacks, including targeting organizations such as Capita, American Dental Association, Sobeys, Knauf, and Yellow Pages Canada.

    Related Posts