Black Basta Decryptor Exploits Flaw to Recover Files
Some random reading this morning. Ransomware recovery tools are always a welcome sight, especially these days.
Happy New Year! I hope 2024 brings health, peace, and happiness to you and yours.
A new decryptor, named ‘Black Basta Buster’, has been developed by Security Research Labs (SRLabs) to exploit a flaw in the Black Basta ransomware, enabling victims to recover their encrypted files without cost. This tool is effective for files encrypted from November 2022 until early December 2023, when the ransomware developers fixed the flaw in the encryption algorithm used by the ransomware.
Black Basta ransomware encrypts files using a 64-byte keystream created by the XChaCha20 algorithm. It had a bug where the same keystream was reused during encryption, making it possible to extract the symmetric key and decrypt the entire file. This technique was particularly effective for larger files, like virtual machine disks, which contain many zero-byte sections. Smaller files, however, may not be recoverable using this method.
For files that do not contain large zero-byte chunks, recovery is still possible if an older, unencrypted version with similar data is available. Some Digital Forensics and Incident Response (DFIR) companies had been aware of this flaw and were using it to decrypt their clients’ computers without paying a ransom.
The ‘Black Basta Buster’ consists of a collection of Python scripts designed to assist in decrypting files under various scenarios. An automatic retrieval script, ‘decryptauto.py’, is included, which attempts to automatically retrieve the key for decryption. However, this decryptor is limited to certain versions of Black Basta ransomware and cannot decrypt files from earlier versions that appended the .basta extension to encrypted files. The tool works on one file at a time, requiring a shell script or the ‘find’ command for decrypting entire folders.
Seeing recovery tools being released is always a good thing. There is lots of talk about preventing ransomware in the vendor space, but recovery is still catching up when it comes to being a focal point.
I work for a vendor, so I won’t get too deep in this because clearly I’m a bit biased, but the balance is important. You can’t stop every attack, so recovery has to be a critical element in any incident plan. It is too, don’t get me wrong. But when it comes to some of the vendor messaging I’ve seen, prevention feels like the only solution some days.
I’ve always thought it a bit ironic (in a good way) that criminals exploiting flaws and vulnerabilities in order to attack, directly resulted in defenders exploiting flaws and vulnerabilities in order to defend. Before a few years ago, this really wasn’t something that was talked about, and rarely was the option for such a response on the table.