Security researchers at Security Research Labs (SRLabs) have developed a decryptor known as “Black Basta Buster” that exploits a flaw in the encryption algorithm of the Black Basta ransomware. This decryptor enables victims targeted between November 2022 and the present to potentially recover their files for free. The weakness lies in the ransomware’s reuse of the same keystream during encryption, causing chunks of data containing only zeros to be converted into the symmetric key. As a result, the XOR key is written to the file, allowing for the extraction and use of the encryption key to decrypt the entire file.
It’s crucial to note that this decryption technique is effective for attacks up until a week ago, as Black Basta developers promptly addressed the bug in their encryption routine, rendering the method obsolete for newer attacks. The flaw in the encryption algorithm allowed for the discovery of the ChaCha keystream used for XOR encryption, making recovery possible if the plaintext of 64 encrypted bytes is known. However, full recovery is only possible for files between 5,000 bytes and 1GB in size, while files below 5,000 bytes cannot be recovered, and larger files will lose the first 5,000 bytes but can recover the remainder.
The Black Basta ransomware has been active since November 2022, and the decryptor offers a reprieve for victims impacted during this period. It underscores the cat-and-mouse game between ransomware developers and security researchers, with developers promptly patching vulnerabilities to protect their malicious operations. This incident highlights the continuous efforts of the cybersecurity community to develop solutions that can counter the impact of ransomware attacks and provide affected individuals and organizations with recovery options.
