A new decryptor has been developed for Black Basta ransomware by security researchers. The program exploits a vulnerability in the encryption algorithm to decrypt files previously stolen by the cybercriminal gang.
However, the decryptor, built by Security Research Labs (SRLabs), only allows for the recovery of data from between November 2022 and this month, as Black Basta appears to have now patched the flaw in its malware, BleepingComputer reports.
Only certain files can be recovered in that timeframe, too, said SRLabs. These include files with plaintext of 64 encrypted bytes and between 5,000 bytes and 1GB in size. “For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered,” wrote SRLabs researchers on the firm’s GitHub repository. The decryptor itself, dubbed “Black Basta Buster,” has now been released by the company.
It works by exploiting a weakness in Black Basta’s encryption algorithm, which creates a 64-byte keystream. When used to encrypt a file where the bytes are only zeroes, its XOR key was written to the file in question, allowing SRLabs researchers to decrypt it. Consequently, files containing large numbers of “zero-byte” sections like virtualised disk images are easier to recover, said the team. However, CISOs should be aware that an additional shell script is required to release more than one file at a time.
Black Basta’s crime spree
Digital forensics and incident response companies have known about this quirk in Black Basta’s malware for months, BleepingComputer says, allowing clients to recover their data without having to pay ransoms. SRLabs’ ransomware decryptor is one of several such tools that were released toward the close of 2023. These included programs to recover data from Key Group ransomware, BlackCat and LockBit.
In addition to patching SRLabs’ decryptor, Black Basta had much to celebrate over the holidays. In November, it emerged that the group had made more than $100m since it was founded out of the remnants of another group, Conti. Its victims in 2023 allegedly included defence manufacturer Rheinmetall, automation giant ABB and outsourcing giant Capita. The latter cyberattack impacted more than 90 of Capita’s clients across the public and private sectors, with victims including university pension providers, local authorities and GP surgeries.