Hackers also make mistakes: According to a report on GitHub, the experts at SRLabs have discovered a vulnerability in the Black Basta ransomware. You were then able to build a decryption tool, which can probably save the data in many cases.
The APT group Black Basta has caused a lot of damage with its ransomware. Many of the companies affected did not take part in the blackmail, but they often lost some data. Now there is hope again for the recovery of some data: the Experts from SRLabs discovered a vulnerability in Black Basta ransomware and built a tool suite to help decrypt data encrypted by the Black Basta group. The suite is available for free on GitHub.
Decrypt Black-Basta data
The ransomware with the flaw under investigation was used by Black Basta around April 2023. The analysis by the experts produced the following results:
- The analysis shows that files can be recovered if the plaintext of 64 encrypted bytes is known. Whether a file can be fully or partially restored depends on the size of the file. Files smaller than 5000 bytes cannot be restored. Full recovery is possible for files between 5000 bytes and 1 GB in size. For files larger than 1GB, the first 5000 bytes are lost, but the rest can be recovered.
- Recovery depends on knowing the plaintext of 64 encrypted bytes of the file. However, these are not arbitrary. The known plaintext bytes must be located in a location in the file that the malware's logic expects to be there. For certain file types, it is possible to know 64 bytes of plain text in the correct location, particularly virtual machine disk images.
SRLabs has developed some tools that can help analyze encrypted files and check whether decryption is possible. For example, the tool can decryptauto Recover files containing encrypted null bytes. Depending on how often and to what extent the malware has encrypted the file, a manual check is required to fully restore a file. SRLabs provides all data and tools on GitHib. There you will also find further background information on decryption which is definitely only recommended for professionals.
More decryption tools at NoMoreRansom
Anyone looking for additional decryption tools will Find what you're looking for on the NoMoreRansom website. The “No More Ransom” website is an initiative of the Dutch Police National High Tech Crime Unit, Europol’s European Cybercrime Center, Kaspersky and McAfee. The aim is to help ransomware victims decrypt without paying the ransom to the cybercriminals.
More on GitHub from SRLabs.de