January 2, 2024 (updated 14 May 2024, 4:22pm)

Decryptor developed for Black Basta ransomware, promptly patched by gang

Despite the criminals’ efforts, the program still allows victims to recover large files encrypted between November 2022 and this month.

By Greg Noone

A new decryptor has been developed for Black Basta ransomware by security researchers. The program exploits a vulnerability in the malware’s encryption routine to decrypt files previously encrypted by the cybercriminal gang.

However, the decryptor, built by Security Research Labs (SRLabs), only allows for the recovery of files encrypted between November 2022 and this month, as Black Basta appears to have since patched the flaw in its malware, BleepingComputer reports.

The decryptor exploits a flaw in the way large files were encrypted by Black Basta between November 2022 and January 2024. (Photo by Elena Abrazhevich / Shutterstock)

Only certain files can be recovered even within that window, SRLabs said. The plaintext of 64 encrypted bytes must be known, and full recovery is possible for files between 5,000 bytes and 1GB in size. “For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered,” wrote SRLabs researchers on the firm’s GitHub repository. The decryptor itself, dubbed “Black Basta Buster,” has now been released by the company.

It works by exploiting a weakness in Black Basta’s encryption: the malware produced a 64-byte keystream and XORed it against the contents of the file. Wherever the plaintext being encrypted consisted only of zero bytes, the XOR output was simply the keystream itself, so the key material was written into the encrypted file and SRLabs’ researchers could read it back and undo the encryption. Consequently, files containing large numbers of zero-byte sections, such as virtualised disk images, are easier to recover, said the team. CISOs should also note that the tool handles one file at a time; an additional shell script is required to decrypt more than one file in a run.
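To make the mechanism described above concrete, the following is a simplified model added here by the editor; it is not SRLabs’ Black Basta Buster code and not Black Basta’s malware. It assumes a single 64-byte keystream XORed over the file in 64-byte aligned blocks, and it does not model the real malware’s chunking or the 5,000-byte and 1GB limits quoted from SRLabs. The disk-image-like sample input is constructed inline. Because 0 XOR K = K, every all-zero block of plaintext becomes a verbatim copy of the keystream in the ciphertext, and the most frequent aligned block in a zero-heavy file is therefore the keystream.

```python
from collections import Counter
import secrets

BLOCK = 64  # length of the reused keystream, as described in the article


def xor_with_keystream(data: bytes, keystream: bytes) -> bytes:
    """XOR every byte with the reused 64-byte keystream.

    Encryption and decryption are the same operation for an XOR stream.
    """
    if len(keystream) != BLOCK:
        raise ValueError("keystream must be exactly 64 bytes")
    return bytes(b ^ keystream[i % BLOCK] for i, b in enumerate(data))


def recover_keystream_from_known_plaintext(ciphertext: bytes,
                                           known_plaintext: bytes,
                                           offset: int) -> bytes:
    """Known-plaintext recovery: if 64 consecutive plaintext bytes at a
    64-byte-aligned offset are known, the keystream is C XOR P there."""
    if offset % BLOCK != 0 or len(known_plaintext) != BLOCK:
        raise ValueError("need exactly 64 known bytes at a 64-byte-aligned offset")
    block = ciphertext[offset:offset + BLOCK]
    if len(block) != BLOCK:
        raise ValueError("ciphertext too short for that offset")
    return bytes(c ^ p for c, p in zip(block, known_plaintext))


def recover_keystream_from_zero_runs(ciphertext: bytes) -> bytes:
    """Heuristic for zero-heavy files (e.g. sparse disk images): because
    0 XOR K = K, the most frequent aligned 64-byte ciphertext block is K."""
    blocks = (ciphertext[i:i + BLOCK]
              for i in range(0, len(ciphertext) - BLOCK + 1, BLOCK))
    counts = Counter(blocks)
    if not counts:
        raise ValueError("file shorter than one 64-byte block")
    return counts.most_common(1)[0][0]


def constructed_disk_image() -> bytes:
    """Constructed sample resembling a disk image: a 512-byte header of
    non-zero bytes, 16 KiB of zeros, then 4 KiB of varying payload."""
    header = bytes(range(256)) * 2            # 512 bytes, block-aligned
    zeros = bytes(16 * 1024)                  # the zero-byte regions
    payload = bytes((i * 7 + 3) % 251 for i in range(4096))
    return header + zeros + payload


def demo() -> tuple:
    """Encrypt the sample with a random keystream, then recover the
    keystream both ways and decrypt. Returns three booleans."""
    plaintext = constructed_disk_image()
    keystream = secrets.token_bytes(BLOCK)    # stands in for the malware's key material
    ciphertext = xor_with_keystream(plaintext, keystream)

    # Path 1: statistical recovery from the zero runs alone.
    by_frequency = recover_keystream_from_zero_runs(ciphertext)
    # Path 2: known plaintext, here 64 zero bytes just past the 512-byte header.
    by_known = recover_keystream_from_known_plaintext(ciphertext, bytes(BLOCK), 512)

    decrypted = xor_with_keystream(ciphertext, by_frequency)
    return (by_frequency == keystream, by_known == keystream, decrypted == plaintext)


if __name__ == "__main__":
    print(demo())
```

Both recovery paths return the same 64 bytes on the sample because the zero region is block-aligned and dominates the file; on a file with fewer zero blocks than repeated non-zero blocks the frequency heuristic would pick the wrong block, which is why a known-plaintext check is the safer route in practice.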

Black Basta’s crime spree

Digital forensics and incident response companies have known about this quirk in Black Basta’s malware for months, BleepingComputer says, allowing clients to recover their data without having to pay ransoms. SRLabs’ ransomware decryptor is one of several such tools that were released toward the close of 2023. These included programs to recover data from Key Group ransomware, BlackCat and LockBit.

Beyond closing the flaw behind SRLabs’ decryptor, Black Basta had much to celebrate over the holidays. In November, it emerged that the group had made more than $100m since it was founded out of the remnants of another group, Conti. Its victims in 2023 allegedly included defence manufacturer Rheinmetall, automation giant ABB and outsourcing giant Capita. The latter cyberattack impacted more than 90 of Capita’s clients across the public and private sectors, with victims including university pension providers, local authorities and GP surgeries.
