Researchers have created a tool designed to exploit a vulnerability in the Black Basta ransomware, allowing victims to recover their files without succumbing to ransom demands.
This decryption tool potentially provides a remedy for individuals who fell victim to Black Basta ransomware attacks between November 2022 and the current month.
Regrettably, recent intel suggests that the developers of Black Basta identified a flaw in their encryption process about a week ago and swiftly rectified it. As a result, the fix has nullified the effectiveness of the decryption technique against more recent Black Basta attacks.
Understanding the Black Basta Buster Decryptor
Security Research Labs (SRLabs) successfully leveraged a weakness in the Black Basta ransomware to create a decryptor tool, offering affected companies the ability to retrieve their encrypted files without being compelled to make a ransom payment.
The vulnerability identified in the Black Basta ransomware pertained to the XChaCha20 encryption algorithm.
XChaCha20 is a stream cipher: it produces a keystream that is XORed with the contents of each file on the targeted system, and because XOR is its own inverse, the same keystream XORed with the ciphertext yields the original file again.
"Our analysis suggests that files can be recovered if the plaintext of 64 encrypted bytes is known. Whether a file is fully or partially recoverable depends on the size of the file," SRLabs reported.
Furthermore, it says that "Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered."
How Does the Decryption Work?
To unlock files hit by Black Basta ransomware, you need to know 64 bytes of the file's original content. If the file is small (under 5000 bytes), it is effectively lost. If it is between 5000 bytes and 1GB, the whole file can be recovered. Larger than 1GB? The first 5000 bytes are lost, but the rest can be saved.
Black Basta encrypts each file by XORing it with an XChaCha20 keystream, and the flaw is that part of that keystream is reused across the file. Because XOR is reversible, a 64-byte chunk whose original content is known reveals the reused keystream bytes, and those bytes then unlock the rest of the file.
That is good news for large files such as virtual machine disk images: even where the ransomware has damaged the core structures of the file, tools exist to repair them once the bulk of the data is decrypted.
Small files are harder, but if an older, unencrypted copy of the file survives to supply the known content, there is still hope.
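The known-plaintext recovery described above, as an added example that is neither SRLabs' Black Basta Buster nor Black Basta's own code: it assumes a simplified model in which a single 64-byte keystream chunk is reused across the whole file, does not model real XChaCha20 or the 5000-byte and 1GB size limits, and shows why a zero-filled region of a large file such as a VM image is enough to recover the keystream and decrypt the rest.

```python
import os
from collections import Counter
from typing import Optional

BLOCK = 64  # known-plaintext window SRLabs cites; here also the reused keystream chunk size


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # zip truncates to the shorter input


def flawed_encrypt(data: bytes, keystream_block: bytes) -> bytes:
    """Simplified model (an assumption, not Black Basta's real code): the same
    64-byte keystream chunk is XORed onto every 64-byte chunk of the file.
    XOR is its own inverse, so this function decrypts as well."""
    if len(keystream_block) != BLOCK:
        raise ValueError("keystream block must be exactly 64 bytes")
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        out += xor_bytes(data[i:i + BLOCK], keystream_block)
    return bytes(out)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes, offset: int) -> bytes:
    """Known-plaintext step: 64 known plaintext bytes at an aligned offset, XORed
    with the ciphertext at that offset, give back the reused keystream chunk."""
    if offset % BLOCK or len(known_plaintext) != BLOCK or offset + BLOCK > len(ciphertext):
        raise ValueError("need 64 known bytes at a 64-byte aligned offset inside the file")
    return xor_bytes(ciphertext[offset:offset + BLOCK], known_plaintext)


def likely_zero_block_offset(ciphertext: bytes) -> Optional[int]:
    """Heuristic for large files such as VM images: zero-filled regions XORed with
    a reused keystream all encrypt to the identical chunk, so the most frequently
    repeated 64-byte ciphertext chunk is a strong candidate for all-zero plaintext."""
    chunks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext) - BLOCK + 1, BLOCK)]
    if not chunks:
        return None
    block, count = Counter(chunks).most_common(1)[0]
    return chunks.index(block) * BLOCK if count >= 2 else None


def recover_file(ciphertext: bytes) -> Optional[bytes]:
    """Full pipeline: locate a likely zero block, derive the keystream, decrypt."""
    offset = likely_zero_block_offset(ciphertext)
    if offset is None:
        return None
    keystream = recover_keystream(ciphertext, bytes(BLOCK), offset)
    return flawed_encrypt(ciphertext, keystream)


def demo() -> bool:
    # Constructed sample "disk image": a header, random data, a long zero run, more data.
    original = b"VMDK-like header " + os.urandom(300) + bytes(4096) + os.urandom(500)
    encrypted = flawed_encrypt(original, os.urandom(BLOCK))
    return recover_file(encrypted) == original
```

A file with no repeated 64-byte ciphertext chunk returns None from recover_file, which is the situation the article describes for small files without an unencrypted copy to supply known content.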
Who Is the Black Basta Gang?
The Black Basta ransomware gang started its cybercrime activities in April 2022, focusing on double-extortion attacks against businesses. By June of the same year, they teamed up with the QBot malware operation to infiltrate corporate networks using Cobalt Strike for remote access.
The gang, associated with the FIN7 hacking group, has targeted various organizations, including Capita, the American Dental Association, Sobeys, Knauf, and Yellow Pages Canada. In a recent incident, they attacked the Toronto Public Library, Canada's largest public library system.