'Black Basta Buster' Exploits Ransomware Bug for File Recovery

A tool now allows for victim files encrypted by the Black Basta cybercriminal gang to be fully or partially recoverable, depending on their size.

Hands typing at a keyboard on which the word "ransomware" is spelled and lit up in red
Source: Shutterstock

Researchers have exploited a weakness in a particular strain of the Black Basta ransomware to release a decryptor for the malware, but it doesn't recover all of the files encrypted by the prolific cybercriminal gang.

Security research and consulting firm SRLabs released the tool —appropriately named Black Basta Buster — which exploits a vulnerability in the encryption algorithm of a Black Basta ransomware strain used by the group around April last year. However, there are some limitations on whether a file is fully or partially recoverable based on plaintext requirements and size, the researchers noted.

For one, files can be recovered one at a time "if the plaintext of 64 encrypted bytes is known," according to the description of the Black Basta decryptor on SRLabs' GitHub page.

"In other words, knowing 64 bytes is not sufficient in itself, since the known plaintext bytes need to be in a location of the file that is subject to encryption based on the malware's logic of determining which parts of the file to encrypt," according to the post. "For certain file types, knowing 64 bytes of the plaintext in the right position is feasible, especially virtual machine disk images."

Further, files between 5,000 bytes and 1 gigabyte can be recovered; however, for files larger than 1GB, the first 5,000 bytes of the file will be lost, though the rest can be recovered, according to the post.

Moreover, since the decryptor exploits a weakness in a specific strain of the Black Basta ransomware, organizations targeted after the group updated the strain to fix the bug — which was done in mid-December, according to a blog post published Jan. 2 by Malwarebytes — are most likely out of luck if they try to decrypt files with the tool.

Still, at least 153 victims whose data was leaked on Black Basta's Dark Web site during the period for which the decryptor works may be eligible to use the decryptor to recover files locked down the ransomware group, according to Malwarebytes.

Exploiting Encryption Weakness

Black Basta first appeared on the ransomware scene as a double-extortion and fast-moving operator in April 2022, attacking at least 90 victims in its first five months using a sophisticated encryption scheme that Trend Micro noted uses unique binaries for each of its victims. Some researchers have attributed Black Basta to FIN7, a financially motivated cybercrime organization that is estimated to have stolen well over $1.2 billion since surfacing in 2012.

Black Basta Buster takes advantage of a flaw in an unsophisticated ChaCha keystream that's used to XOR-encrypt 64-byte-long chunks of targeted files, according to the SRLabs' GitHub description.

The ransomware encrypts the first 5,000 bytes of a file; and then the same 64 bytes are then used for XOR-encrypting the rest of the blocks to be encrypted.

Black Basta's encryption uses the keystream properly for that first 5,000 bytes of the file, depending on its size, which is why those bytes are lost in larger files, according to SRLabs; but for the chunks that come after, the encryption mechanism can be rendered in plaintext and therefore recovered.

Virtualized disk images have the best chance of being recovered, because their actual data partitions and their filesystems tend to start later, the researchers noted.

Ransomware Recovery and Defense

The easiest way for organizations eligible to use the decryptor to determine if they can know the plaintext of 64 encrypted bytes required for files to be recovered is to find a sequence of zeroes in the file, according to Malwarebytes.

"It may be possible to decrypt large files that don’t contain large enough chunks of zero-bytes [strings with no data], but you will need an unencrypted version of the target file," according to the post. "In many cases this will defeat the purpose of decryption, but there may be edge cases where you have a previous version of the target file that meets the requirements, but does not hold the information you want to decrypt."

Of course, to avoid having to use a ransomware decryptor at all, organizations can do their best to avoid compromise. Malwarebytes advised blocking common forms of attacker entry by quickly patching vulnerabilities as well as disabling or hardening remote access as ways to defend against ransomware actors.

Further, organizations also should use endpoint security software to prevent intrusions as well as endpoint detection and response (EDR) and/or managed detection and response (MDR) to detect unusual activity should attackers find a way to enter the system. Creating offsite, offline backups also can help organizations restore files and business functions quickly in response to a ransomware attack, according to the firm.

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights