The New Black Basta Decryptor
In November of 2022, researchers from SRLabs developed a decryptor that takes advantage of a flaw in Black Basta ransomware's encryption. This development allowed victims to recover their files at no cost.
Black Basta is a ransomware-as-a-service (RaaS) operation that began operating in mid-2022. The Russian-based crime syndicate is known for its aggressive tactics and for double-extortion attacks on large corporations, and the group has raked in more than $120 million in ransom payments from over 300 victims since April 2022.
The flaw lies in the way the gang's encryptor applies its encryption algorithm: the decryptor identifies the ChaCha20 keystream that was XORed with a file's contents and uses it to reverse the encryption. ChaCha20 is a stream cipher: rather than working on fixed-size blocks, it generates a continuous keystream of pseudo-random bytes, which is then XORed with the plaintext to produce the ciphertext. XOR, short for "exclusive OR," is a logical operator whose negation is the logical biconditional; applied to two inputs, it yields true only when the inputs differ (one is true and the other is false). Two consequences matter here: XORing a byte with the same keystream byte a second time restores the original, so decryption is the same operation as encryption, and XORing a zero byte with a keystream byte leaves the keystream byte unchanged, so an encrypted run of zero bytes exposes the keystream directly. As an analogy, picture the XOR gate as an intersection where two roads meet: when two cars approach at the same time, the light gives priority to the first to arrive, and that car proceeds while the other must wait, "locked out" from proceeding.
According to the SRLabs report, larger files are more likely to be recoverable, primarily because they tend to contain more zero-byte regions than smaller files. This matters because files below 5000 bytes are considered unrecoverable. If a file lacks substantial runs of zero bytes, the researchers suggest recovery may still be possible using an older, unencrypted version of the file that shares similar data, which serves as known plaintext.
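As an added illustration of the recovery idea described above (example code written for this page, not SRLabs' decryptor or Black Basta's real file format), the following Python toy model assumes, for illustration only, that every 64-byte block of a file is XORed with the same 64-byte ChaCha20 keystream block; it recovers that block from an encrypted zero-filled region, decrypts the file with it, and also shows the older-unencrypted-copy fallback.

```python
"""Toy model of keystream recovery, written as an illustration for this page.
Assumption (not stated on the page): every 64-byte block of a file is XORed
with the same 64-byte ChaCha20 keystream block. Not the real Black Basta format."""
from collections import Counter
from typing import Optional, Tuple
import random

CHUNK = 64  # ChaCha20 emits 64-byte keystream blocks

def xor_with_chunk(data: bytes, key_chunk: bytes) -> bytes:
    """XOR data against a repeating key block; the same call encrypts and decrypts."""
    return bytes(b ^ key_chunk[i % len(key_chunk)] for i, b in enumerate(data))

def keystream_from_zero_region(ciphertext: bytes, chunk: int = CHUNK) -> Optional[bytes]:
    """Find the keystream block with no key material: since 0 XOR k == k, an encrypted
    run of zero bytes is the keystream itself, and zero-filled regions make that block
    the most frequently repeated one. Caveat: a constant non-zero region repeats too,
    so confirm the result against something known (a file header, a magic number)."""
    blocks = [ciphertext[i:i + chunk] for i in range(0, len(ciphertext) - chunk + 1, chunk)]
    if not blocks:
        return None
    block, count = Counter(blocks).most_common(1)[0]
    return block if count >= 2 else None

def keystream_from_known_plaintext(cipher_block: bytes, plain_block: bytes) -> bytes:
    """Fallback for files without zero runs: an aligned block from an older unencrypted
    copy gives keystream = ciphertext XOR plaintext."""
    if len(cipher_block) != len(plain_block):
        raise ValueError("blocks must be the same length")
    return bytes(c ^ p for c, p in zip(cipher_block, plain_block))

def demo() -> Tuple[bool, bool]:
    """Constructed sample file: a text header, a 5000-byte zero region, a random tail."""
    rng = random.Random(7)  # fixed seed so the run is reproducible
    header = b"%PDF-1.7 constructed sample header, not a real document\n"
    plaintext = header + b"\x00" * 5000 + bytes(rng.randrange(256) for _ in range(700))
    keystream = bytes(rng.randrange(256) for _ in range(CHUNK))  # stand-in ChaCha20 block
    ciphertext = xor_with_chunk(plaintext, keystream)
    # Path 1: recover the keystream from the zero region, then decrypt the whole file.
    recovered = keystream_from_zero_region(ciphertext)
    zero_ok = recovered == keystream and xor_with_chunk(ciphertext, recovered) == plaintext
    # Path 2: recover it from an old copy that still shares the first block.
    from_old_copy = keystream_from_known_plaintext(ciphertext[:CHUNK], plaintext[:CHUNK])
    known_ok = xor_with_chunk(ciphertext, from_old_copy) == plaintext
    return zero_ok, known_ok

if __name__ == "__main__":
    print(demo())  # (True, True)
```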
SRLabs' "Black Basta Buster" works on only one file at a time, and DFIR firms have been using the decryptor for a couple of months to help victims avoid paying the ransom. However, within 3 months of the decryptor's release, Black Basta fixed the flaw in its encryption process, rendering the decryptor useless against newer infections. While this is distressing for new victims, those who fell prey to the gang in November of the previous year can still use the decryptor to reclaim their files at no cost.