Berlin-based Security Research Labs (SRLabs) has developed a suite of tools called Black Basta Buster to assist victims of the Black Basta ransomware in recovering their files [4] [5]. This article describes the tools and the limits of their effectiveness.

Description

Black Basta Buster [1] [2] [3] [4] [5] [6] [7], developed by Security Research Labs (SRLabs) [3] [7], is a suite of tools designed to help victims of the Black Basta ransomware recover their files [4] [5]. The tools exploit a weakness in the encryption used by the Black Basta gang [4] [5] [7], specifically in its use of the XChaCha20 cipher [1] [3]. The developers of Black Basta made an error by reusing the same key during encryption [1], which allowed the researchers at SRLabs to analyze the encryption routine and discover a method for file recovery.

The tools are effective for files between 5000 bytes and 1 GB in size [2], for which full recovery is possible [5]. Files below 5000 bytes cannot be recovered [5], and for files larger than 1 GB [1] [4] [5] [6] the first 5000 bytes are lost but the remainder can be recovered [5].
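As an added illustration (not SRLabs' code, and using a constructed 64-byte chunk length rather than Black Basta's actual parameters, which this article does not give), the toy model below shows why reusing a stream cipher's key material across a whole file is fatal to its confidentiality: any zero-filled region of the plaintext encrypts to the raw keystream, which then decrypts the rest of the file, while a file with no such repeated block gives the recovery nothing to anchor on.

```python
import os
from collections import Counter
from typing import Optional

CHUNK = 64  # constructed keystream length; Black Basta's real chunking is not described on this page


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one (handles a partial final chunk)."""
    return bytes(x ^ y for x, y in zip(a, b))


def flawed_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """Model of the flaw: every CHUNK-byte block is XORed with the same keystream bytes,
    which is what any stream cipher produces when its key material is reused."""
    return b"".join(
        xor_bytes(plaintext[i:i + CHUNK], keystream)
        for i in range(0, len(plaintext), CHUNK)
    )


def recover_keystream(ciphertext: bytes) -> Optional[bytes]:
    """A zero-filled plaintext block encrypts to the keystream itself, so a full block
    that repeats in the ciphertext is very likely the keystream. Returns None when no
    block repeats: a small file with no zero run gives this heuristic nothing to use.
    Caveat: a file whose most repeated block is a non-zero fill pattern would yield a
    wrong keystream; verifying the result needs knowledge of the file format."""
    blocks = [ciphertext[i:i + CHUNK] for i in range(0, len(ciphertext) - CHUNK + 1, CHUNK)]
    if not blocks:
        return None
    candidate, count = Counter(blocks).most_common(1)[0]
    return candidate if count >= 2 else None


def decrypt(ciphertext: bytes) -> Optional[bytes]:
    """Recover the keystream and undo the XOR; XOR is its own inverse, so the flawed
    encryptor doubles as the decryptor once the keystream is known."""
    keystream = recover_keystream(ciphertext)
    return None if keystream is None else flawed_encrypt(ciphertext, keystream)


def demo() -> tuple:
    keystream = os.urandom(CHUNK)  # constructed: stands in for the cipher's output
    # Constructed sample files: a document with a zero-filled region (common in real
    # document and disk-image formats) and a short note with no repeated blocks.
    big = b"constructed header: invoice-2023.pdf" + b"\x00" * (CHUNK * 20) + b"trailer"
    small = b"short note with no zero padding"
    return decrypt(flawed_encrypt(big, keystream)) == big, decrypt(flawed_encrypt(small, keystream)) is None


if __name__ == "__main__":
    print(demo())
```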

The Black Basta ransomware [1] [3] [4] [5] [6], a highly successful ransomware-as-a-service operation [4] [5], emerged in April 2022 and has generated over $100 million in revenue. Its developers are suspected of having links to the now-defunct Conti group and Qakbot malware [4] [5]. They have targeted various organizations [3], including the Toronto Public Library [3], and have been linked to the FIN7 hacking group [3].

The Black Basta Buster decoder, developed by SRLabs, is a free decryptor that exploits a vulnerability in the encryption used by the Black Basta ransomware [1]. The vulnerability lies in the use of the XChaCha20 cipher [1], where the developers of Black Basta made an error by reusing the same key during encryption [1]. This allowed SRLabs to extract the key and decrypt the entire file [1]. However, the developers have since fixed this vulnerability [1], rendering the decoder ineffective against newer attacks [1]. The decoder consists of Python scripts and can only decrypt one file at a time [1], which may complicate recovery when a large volume of data has been encrypted [1].

The effectiveness of Black Basta Buster has been confirmed, but files encrypted with the “basta” extension are not compatible with the decryption tool [1]. The speed and completeness of recovery depend on the file size [1]: files smaller than 5000 bytes cannot be fully restored [1], complete recovery is possible for files from 5000 bytes to 1 GB [1], and for files larger than 1 GB [1] the first 5000 bytes are lost [1] [5]. Additionally, the decryptor only works for files encrypted between November 2022 and December 2023 [7], as Black Basta has since fixed the encryption issue [6].

Conclusion

The development of Black Basta Buster provides a valuable resource for victims of the Black Basta ransomware, allowing them to recover their files within certain limitations. However, it is important to note that the effectiveness of the tool is limited to specific file sizes and encryption periods. As ransomware attacks continue to evolve, it is crucial for individuals and organizations to stay vigilant and implement robust cybersecurity measures to mitigate the risk of falling victim to such attacks.

References

[1] https://www.altusintel.com/public-yyc040/?tt=1704196622
[2] https://www.kiratas.com/2024/01/02/ransomware-flaw-in-black-basta-programming-enables-decryption-tool/
[3] https://lbttechgroup.com/index.php/blog/new-black-basta-decryptor-exploits-ransomware-flaw-to-recover-files
[4] https://ciso2ciso.com/black-basta-ransomware-decryptor-published-source-www-infosecurity-magazine-com/
[5] https://www.infosecurity-magazine.com/news/black-basta-ransomware-decryptor/
[6] https://securityaffairs.com/156806/malware/black-basta-ransomware-decryptor.html
[7] https://cisoseries.com/cyber-security-headlines-sweden-grocer-cyberattack-black-basta-flaw-boston-hospital-cyberattack/