Midnight Ransomware: Critical Flaw Found, Files Can Be Decrypted for Free
The Norton team, part of Gen Digital, has discovered a critical vulnerability in a new ransomware strain known as Midnight. This malicious program was built upon the leaked source code of Babuk, which surfaced online in 2021. The developers of Midnight sought to enhance its encryption mechanism but inadvertently weakened it—enabling researchers to create a free decryption tool capable of restoring encrypted files.
The original intent behind Midnight’s development was to improve the speed and reliability of encryption. However, alterations in the implementation introduced flaws in the handling of RSA keys, ultimately allowing for partial data recovery—an insight that formed the foundation of Norton’s solution. The publicly available utility enables victims to recover their files without paying a ransom, thereby mitigating financial and operational damage.
Midnight inherits Babuk’s architectural framework and employs hybrid encryption, combining the ChaCha20 and RSA algorithms. Notably, it selectively encrypts file fragments based on size to accelerate processing while preserving its destructive impact. The latest variants target virtually all file types except for executables with the extensions .exe, .dll, and .msi.
On infected systems, encrypted files typically bear the extensions .Midnight or .endpoint, which may also appear within the file contents themselves. Alongside them, ransom instructions are dropped in text documents titled How To Restore Your Files.txt. In some cases, auxiliary log files—such as Report.Midnight or debug.endpoint—are also created.
Norton has released a decryptor compatible with both 32-bit and 64-bit versions of Windows. The tool automatically locates encrypted files, recommends creating backups, and then initiates the recovery process. The company advises users not to disable the backup option, as it helps prevent data loss in case of unexpected errors.
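As an added example (not Norton's decryptor or code from the article), the following Python triage script inventories the indicators named above: files carrying the .Midnight or .endpoint extension, whether the extension string also appears inside the file contents, the ransom note and the auxiliary log files. It then copies the encrypted files aside before any recovery tool is run, which is the backup step the decryptor itself recommends. The constructed sample tree, the 4 KiB head/tail scan window and the backup folder name are assumptions.

```python
import shutil, tempfile
from pathlib import Path
ENCRYPTED_EXTS = {".midnight", ".endpoint"}  # extensions named in the article
RANSOM_NOTE = "How To Restore Your Files.txt"  # ransom note file name from the article
AUX_LOGS = {"report.midnight", "debug.endpoint"}  # auxiliary logs from the article
SCAN_BYTES = 4096  # assumption: an in-content marker sits near the head or tail of the file

def classify(path):
    """Indicator class for a file, or None; logs are tested before the extension rule."""
    if path.name == RANSOM_NOTE:
        return "ransom_note"
    if path.name.lower() in AUX_LOGS:  # Report.Midnight would otherwise count as encrypted
        return "aux_log"
    if path.suffix.lower() in ENCRYPTED_EXTS:
        return "encrypted"
    return None
def marker_in_content(path):
    """True if the extension string also appears inside the file's head or tail."""
    marker, size = path.suffix.lower().encode(), path.stat().st_size
    with path.open("rb") as fh:
        head = fh.read(SCAN_BYTES)
        fh.seek(max(0, size - SCAN_BYTES))
        tail = fh.read(SCAN_BYTES)
    return marker in head.lower() or marker in tail.lower()
def triage(root):
    """Read-only inventory of indicators under root, grouped by class."""
    found = {"encrypted": [], "ransom_note": [], "aux_log": [], "marker_in_content": []}
    for p in sorted(root.rglob("*")):
        kind = classify(p) if p.is_file() else None
        if kind is not None:
            found[kind].append(p)
        if kind == "encrypted" and marker_in_content(p):
            found["marker_in_content"].append(p)
    return found
def backup_encrypted(files, backup_dir):
    """Copy encrypted files aside before any decryptor runs, as the article advises."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    return [Path(shutil.copy2(f, backup_dir / f.name)) for f in files]
def demo():
    """Triage a constructed sample tree (not real samples); returns file names per class."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "budget.xlsx.Midnight").write_bytes(b"\x00" * 64 + b".Midnight")  # marker in tail
    (root / "docs" / "photo.jpg.endpoint").write_bytes(b"\xff\xd8" + b"\x00" * 64)  # no marker
    (root / "docs" / RANSOM_NOTE).write_text("constructed note text")
    (root / "Report.Midnight").write_text("constructed log")
    (root / "setup.exe").write_bytes(b"MZ")  # executables are left alone by the ransomware
    found = triage(root)
    found["backup"] = backup_encrypted(found["encrypted"], root / "_backup_before_decrypt")
    return {k: [p.name for p in v] for k, v in found.items()}
```

Run `triage(Path("C:/"))` on a live system to get the inventory without modifying anything; `backup_encrypted` is the only function that writes.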
Midnight serves as yet another example of how reusing leaked source code from notorious malware can spawn not only new threats but also critical design flaws that render them vulnerable. Norton’s free decryptor represents a rare instance where victims have the opportunity to regain access to their data without financial loss.