Black Basta’s Flaw: Decryptor Unlocks Ransomware Files for Free
Specialists at Security Research Labs (SRLabs) have developed a decryptor, the Black Basta Buster, which exploits a vulnerability in the encryption algorithm of the Black Basta ransomware program, enabling victims to recover their files free of charge.
The Black Basta Buster decryptor is distinguished by its ability to restore files encrypted from November 2022 to the present. However, the Black Basta developers rectified this vulnerability about a week ago, rendering this decryption technique ineffective for newer attacks.
The vulnerability’s essence lies in the use of the standard XChaCha20 cipher for file encryption. The Black Basta developers’ blunder was in reusing the same key stream during encryption, consequently transforming all 64-byte data fragments containing only zeros into a 64-byte symmetric key. This allowed experts to extract the key and use it to decrypt the entire file.
The Black Basta Buster decryptor comprises a suite of Python scripts designed to aid in file decryption under various scenarios. Nevertheless, it is crucial to note that the decryptor only works with files encrypted by Black Basta versions from November 2022 until recently. Moreover, program versions that added the “.basta” extension to encrypted files are not susceptible to decryption with this tool.
The effectiveness of the Black Basta Buster has been officially confirmed. Despite success in recovering some files, the decryptor operates on one file at a time, complicating the restoration process for large volumes of data.
File recovery is feasible if the plaintext of 64 encrypted bytes is known. The possibility of full or partial file recovery depends on the file size. Files smaller than 5,000 bytes cannot be restored. Complete recovery is possible for files ranging from 5,000 bytes to 1 GB. For files larger than 1 GB, the first 5,000 bytes will be lost, but the remainder can be recovered.
Although decrypting smaller files may be impossible, larger files, such as virtual machine disks, can typically be decrypted since they contain a significant amount of “zero” sections.
This discovery becomes especially significant for victims of ransomware who previously had no means of recovering their data without paying a ransom. They now have an opportunity to retrieve valuable files without financial loss.
