Black Basta Buster: A decryptor to Help Ransomware Victims

Despite all its shortcomings, the tool allows you to restore the most valuable files without paying a ransom.

Security Research Labs (SRLabs) specialists have created a decryptor that exploits a vulnerability in the encryption algorithm of the Black Basta ransomware program and allows victims to recover their files for free.

A notable feature of the Black Basta Buster decryptor is that it can recover files encrypted from November 2022 to the present. However, the Black Basta developers fixed this vulnerability about a week ago, so the decryption technique cannot be used against files from newer attacks.

The vulnerability stems from how the ransomware uses the standard XChaCha20 cipher to encrypt files. The Black Basta developers' mistake was to reuse the same keystream during encryption; as a result, every 64-byte fragment of data consisting only of zeros was encrypted into the 64-byte symmetric key itself, which allowed the specialists to extract the key and use it to decrypt the entire file.

The Black Basta Buster decryptor consists of a set of Python scripts that help decrypt files in various scenarios. However, it is important to note that the decryptor only works with files encrypted by Black Basta versions from November 2022 until recently. In addition, files encrypted by versions of the program that append the extension "basta" cannot be decrypted with the tool.

The effectiveness of Black Basta Buster is officially confirmed, but despite its success in recovering some files, the decryptor only processes one file at a time, which makes recovery laborious for large amounts of data.

Files can be recovered if the plaintext of 64 encrypted bytes is known. Whether a file can be fully or only partially restored depends on its size. Files smaller than 5,000 bytes cannot be recovered. Full recovery is possible for files from 5,000 bytes to 1 GB in size. For files larger than 1 GB, the first 5,000 bytes are lost, but the rest can be recovered.

While smaller files may not be decryptable, larger files such as VM disks usually can be, because they contain many zero-filled regions.
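To illustrate the keystream-reuse flaw described above and why zero-filled regions make it recoverable, here is an added example (not code from the Black Basta Buster scripts or SRLabs). It models the bug with a constructed stand-in cipher that XORs every 64-byte block with the same keystream, then recovers that keystream from the ciphertext alone by picking the most frequent 64-byte block, which in a file with many zero runs is the bare keystream; the "disk image" and key are constructed sample data, and the SHA-512-derived keystream is a stand-in, not XChaCha20.

```python
"""Keystream reuse recovery, modelled on the flaw described above (added example)."""
from collections import Counter
import hashlib

BLOCK = 64


def flawed_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Constructed stand-in for the buggy scheme: one 64-byte keystream is
    reused for every block. A correct stream cipher advances its keystream;
    the keystream here is SHA-512(key), not real XChaCha20 output."""
    keystream = hashlib.sha512(key).digest()  # 64 bytes
    return bytes(b ^ keystream[i % BLOCK] for i, b in enumerate(plaintext))


def recover_keystream(ciphertext: bytes):
    """A 64-byte block of zero plaintext encrypts to the keystream itself, so in
    a file with many zero-filled regions the most frequent 64-byte ciphertext
    block is the keystream. Returns None when no block repeats, i.e. there is
    no usable known plaintext (the small-file case the article mentions)."""
    blocks = [ciphertext[i:i + BLOCK]
              for i in range(0, len(ciphertext) - BLOCK + 1, BLOCK)]
    if not blocks:
        return None
    candidate, count = Counter(blocks).most_common(1)[0]
    return candidate if count > 1 else None


def decrypt_with_keystream(ciphertext: bytes, keystream: bytes) -> bytes:
    """XOR is its own inverse, so the recovered keystream undoes every block."""
    return bytes(b ^ keystream[i % BLOCK] for i, b in enumerate(ciphertext))


def demo() -> bool:
    """Constructed 'VM disk': a short header, a zero-filled region, then data.
    Returns True when the file is recovered without knowing the key."""
    header = b"CONSTRUCTED-DISK-HEADER: not a real image format\n"
    disk = header + b"\x00" * (8 * BLOCK) + b"\xffpayload\xff" * 20
    enc = flawed_encrypt(disk, b"constructed-demo-key")
    ks = recover_keystream(enc)
    if ks is None:
        return False
    return decrypt_with_keystream(enc, ks) == disk


if __name__ == "__main__":
    print("recovered:", demo())
```

The recovery fails by design when the file has no repeated ciphertext block, which mirrors the article's point that small files without zero runs cannot be restored.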

The discovery is particularly important for ransomware victims who previously had no way to recover their data without paying a ransom. Now they have a chance to recover valuable files without financial loss.