
Free Decryptor Released for Black Basta Ransomware

SRLabs, a hacking research collective and consulting think tank, has released a decryptor that lets victims of the Black Basta ransomware recover their files free of charge.

Black Basta, which has been operational since at least April 2022, stands out as one of the most prolific ransomware families, having executed over 300 successful attacks and reportedly amassed over $100 million in ransom payments.

Suspected to be affiliated with the notorious Conti group, Black Basta has claimed responsibility for numerous high-profile breaches involving entities such as ABB, Capita, Maple Leaf Foods, Rheinmetall, and Thales. The group is known to steal victims’ data and threaten to publish it unless a ransom is paid.

Recently, SRLabs disclosed a flaw in the encryption routine used by the Black Basta ransomware. Specifically, the ChaCha keystream used to XOR 64-byte segments of the target file was not advanced properly, so the same 64 keystream bytes were XORed against every block selected for encryption.

Exploiting this repetition, the company was able to recover the 64-byte keystream block needed for decryption and built a free decryption tool around it. The tool aims to help victims restore at least part of their files.

However, because the encryption of the first 5,000 bytes of a file is performed correctly, those bytes cannot be recovered.

SRLabs elucidates, “Our analysis suggests that files can be recovered if the plaintext of 64 encrypted bytes is known. Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered.”
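The following is an added illustration, not SRLabs’ tooling or the ransomware’s code: it models the flaw described above (a correctly encrypted 5,000-byte prefix that stays lost, followed by blocks XORed with one never-advanced 64-byte keystream block) and shows how 64 bytes of known plaintext recover that block and everything after the prefix. The block alignment starting at offset 5,000 and the sample file contents are assumptions.

```python
import secrets

BLOCK = 64      # size of one ChaCha keystream block (from the article)
PREFIX = 5000   # bytes the article says were encrypted correctly and stay lost

def flawed_encrypt(plaintext: bytes, prefix_stream: bytes, stuck_block: bytes) -> bytes:
    """Constructed model of the flaw: the first PREFIX bytes use a properly
    advancing keystream; every later block reuses the same 64 bytes.
    Assumption: 64-byte blocks are aligned from offset PREFIX."""
    out = bytearray(plaintext)
    for i in range(len(out)):
        if i < PREFIX:
            out[i] ^= prefix_stream[i]
        else:
            out[i] ^= stuck_block[(i - PREFIX) % BLOCK]
    return bytes(out)

def recover_keystream(ciphertext: bytes, known_plain: bytes, offset: int) -> bytes:
    """Recover the stuck 64-byte block from 64 known plaintext bytes at `offset`.
    ciphertext XOR known plaintext yields the keystream, which is then rotated so
    index 0 lines up with the block boundary used by flawed_encrypt."""
    if len(known_plain) != BLOCK or offset < PREFIX:
        raise ValueError("need exactly 64 known bytes located after the lost prefix")
    raw = bytes(c ^ p for c, p in zip(ciphertext[offset:offset + BLOCK], known_plain))
    shift = (offset - PREFIX) % BLOCK  # raw[j] == stuck[(shift + j) % BLOCK]
    return raw[-shift:] + raw[:-shift] if shift else raw

def decrypt_tail(ciphertext: bytes, stuck_block: bytes) -> bytes:
    """Undo the XOR after PREFIX; files shorter than PREFIX yield b'' (nothing recoverable)."""
    tail = bytearray(ciphertext[PREFIX:])
    for i in range(len(tail)):
        tail[i] ^= stuck_block[i % BLOCK]
    return bytes(tail)

def demo() -> dict:
    """Constructed end-to-end run: encrypt with the flaw, then recover using a
    single 64-byte window of plaintext the victim can predict."""
    plaintext = b"constructed sample file content\n" * 300   # 9600 bytes
    prefix_stream = secrets.token_bytes(PREFIX)
    stuck = secrets.token_bytes(BLOCK)
    ct = flawed_encrypt(plaintext, prefix_stream, stuck)
    offset = 6000  # arbitrary position after the prefix where plaintext is known
    recovered = recover_keystream(ct, plaintext[offset:offset + BLOCK], offset)
    return {
        "keystream_recovered": recovered == stuck,
        "tail_recovered": decrypt_tail(ct, recovered) == plaintext[PREFIX:],
        "prefix_still_encrypted": ct[:PREFIX] != plaintext[:PREFIX],
    }
```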

To help analyze encrypted files and determine whether decryption is feasible, SRLabs has built tools that rely on knowing “the plaintext of 64 encrypted bytes of the file.”

Where files were encrypted more than once, manual review may be needed to restore them. For certain file types, such as virtual machine disk images, successful decryption is considered more likely because “knowing 64 bytes of the plaintext in the right position” is achievable.

SRLabs notes, “Virtual disk images, however, have a high chance of being recovered because the actual partitions and their file systems tend to start later. So the ransomware destroyed the MBR or GPT partition table, but tools such as ‘testdisk’ can often recover or re-generate those.”

Reportedly, the free decryptor applies only to files encrypted before Christmas 2023, as the Black Basta developers appear to have fixed the flaw in their algorithm since then.

Duncan

Duncan is a technology professional with over 20 years’ experience in various IT roles. He has an interest in cyber security and a wide range of other skills in radio, electronics and telecommunications.
