Security researchers have published a new suite of tools designed to help victims of the prolific Black Basta ransomware recover their files.
Berlin-based Security Research (SR) Labs revealed in a recent GitHub post that the tools exploit a weakness in the encryption algorithm.
Black Basta uses a ChaCha keystream to XOR encrypt 64-byte-long chunks of victim files.
“Our analysis suggests that files can be recovered if the plaintext of 64 encrypted bytes is known. Whether a file is fully or partially recoverable depends on the size of the file,” SRLabs explained.
“Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered.”
The tools work specifically where Black Basta has encrypted data containing only zeros, which is why they mainly work for larger files.
“For certain file types knowing 64 bytes of the plaintext in the right position is feasible, especially virtual machine disk images,” SRLabs said.
“We have built some tooling which can help analyze encrypted files and check if decryption is possible. For example, the decryptauto tool may recover files containing encrypted zero bytes. Depending on how many times and to what extent the malware encrypted the file, manual review is required to fully recover a file.”
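The weakness described above (a keystream XORed onto 64-byte chunks, recoverable once the plaintext of one 64-byte chunk is known) and the zero-byte check that SRLabs' tooling performs can be illustrated with a small model. The following is an added example written for this article, not SRLabs' code and not Black Basta's: it assumes the same 64-byte keystream is applied to every chunk (the page implies this, but it is an assumption of the model), it substitutes a SHA-256-derived stand-in for the real ChaCha keystream, and it does not model which parts of a file the malware encrypts or how many passes it makes. The function names (`toy_encrypt`, `keystream_from_known_plaintext`, `keystream_from_zero_runs`, `decrypt`) and the sample "disk image" are constructed for the demonstration.

```python
from collections import Counter
import hashlib
from typing import Optional

CHUNK = 64  # the article: Black Basta XORs 64-byte chunks with a ChaCha keystream


def toy_keystream(key: bytes) -> bytes:
    """Stand-in for the ChaCha keystream (assumption: NOT the real cipher).

    Any fixed 64-byte keystream reused across chunks exhibits the same weakness.
    """
    return hashlib.sha256(key).digest() + hashlib.sha256(key + b"\x01").digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # zip() truncates to the shorter input, which handles a short final chunk
    return bytes(x ^ y for x, y in zip(a, b))


def xor_chunks(data: bytes, ks: bytes) -> bytes:
    """Apply the same 64-byte keystream to every chunk. XOR is its own inverse,
    so this both encrypts and decrypts."""
    return b"".join(xor_bytes(data[i:i + CHUNK], ks) for i in range(0, len(data), CHUNK))


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    return xor_chunks(data, toy_keystream(key))


def decrypt(ciphertext: bytes, ks: bytes) -> bytes:
    return xor_chunks(ciphertext, ks)


def keystream_from_known_plaintext(ciphertext: bytes, plaintext_chunk: bytes,
                                   offset: int) -> Optional[bytes]:
    """The known-plaintext case from the article: if the 64 plaintext bytes at an
    aligned chunk are known, ciphertext XOR plaintext yields the keystream."""
    if offset % CHUNK != 0 or len(plaintext_chunk) != CHUNK:
        return None
    seg = ciphertext[offset:offset + CHUNK]
    if len(seg) != CHUNK:
        return None
    return xor_bytes(seg, plaintext_chunk)


def keystream_from_zero_runs(ciphertext: bytes, min_repeats: int = 4) -> Optional[bytes]:
    """The zero-byte case: a chunk of zeros encrypts to the keystream itself.

    Files with long zero runs (e.g. VM disk images) therefore contain many identical
    64-byte ciphertext chunks; the most frequent one is the keystream candidate.
    Returns None when no chunk repeats often enough, i.e. decryption is not possible
    by this route. (This heuristic is the example's own, not SRLabs' method.)
    """
    chunks = [ciphertext[i:i + CHUNK] for i in range(0, len(ciphertext) - CHUNK + 1, CHUNK)]
    if not chunks:
        return None
    candidate, count = Counter(chunks).most_common(1)[0]
    return candidate if count >= min_repeats else None


# Constructed sample "disk image": a 64-byte header, some metadata, a 4 KiB zero
# run (aligned to a chunk boundary at offset 192), then payload data.
HEADER = b"TOYDISK1" + bytes(range(56))
PLAIN = HEADER + b"partition table " * 8 + bytes(4096) + b"payload data" * 40
KEY = b"constructed-demo-key"


def demo() -> dict:
    ct = toy_encrypt(PLAIN, KEY)
    ks = keystream_from_zero_runs(ct)
    recovered = decrypt(ct, ks) if ks is not None else None
    # A small file with no zero runs offers nothing for the heuristic to work with.
    small_ks = keystream_from_zero_runs(toy_encrypt(b"short file, no zeros", KEY))
    return {
        "keystream_found": ks is not None,
        "fully_recovered": recovered == PLAIN,
        "known_header_matches": keystream_from_known_plaintext(ct, HEADER, 0) == ks,
        "small_file_recoverable": small_ks is not None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two recovery paths correspond to the two cases SRLabs describes: `keystream_from_known_plaintext` needs 64 known plaintext bytes at a chunk boundary (feasible for file formats with a fixed header), while `keystream_from_zero_runs` needs nothing but a file large enough to contain repeated zero chunks, which is why small files cannot be recovered this way. A real decryptor additionally has to establish which regions of the file were encrypted and how many times, which is the manual-review step the researchers mention.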
However, the decryption tools will only work for the Black Basta ransomware variant used in around April 2023, the researchers continued.
Black Basta is one of the most successful ransomware-as-a-service operations around, having generated over $100m in revenue since April 2022. Its developers are suspected of links to the now-defunct Conti group and Qakbot malware.