Vulnerability in Black Basta ransomware enables decryption

Researchers have developed a tool to decrypt files affected by Black Basta ransomware.

SRLabs has exploited a vulnerability in the Black Basta ransomware to develop a decryptor tool. This allows companies affected by the ransomware to recover their encrypted files without paying a ransom.

The vulnerability was in the way the Black Basta ransomware applies the XChaCha20 encryption algorithm. This algorithm encrypts files on affected systems by XORing their contents with a keystream.

However, the researchers discovered that the ransomware encrypts a file by XORing it with a stream cipher keystream. Where the file content consists only of zeros, the XOR key itself is written to the file. This makes it possible to recover the key.
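The recovery idea described above, as an added example that is not SRLabs' tool or code from the original article: a toy model in which a zero-filled region of an XOR-encrypted file exposes the keystream, which then decrypts the rest. The 64-byte repeating keystream, the sample data and all function names are assumptions made for this sketch.

```python
import hashlib

PERIOD = 64  # assumption for this toy model: keystream repeats every 64 bytes

def xor_stream(data: bytes, ks: bytes) -> bytes:
    """XOR data with a repeating keystream (encrypts and decrypts alike)."""
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))

def recover_keystream(ct: bytes, period: int = PERIOD, repeats: int = 3):
    """Return the keystream aligned to file offset 0, or None.

    0 XOR k == k, so a zero-filled plaintext region appears in the
    ciphertext as the keystream repeated verbatim. Any plaintext that is
    itself periodic would match too, so validate the result against known
    file structure before trusting it.
    """
    need = period * repeats
    for start in range(len(ct) - need + 1):
        win = ct[start:start + need]
        if len(set(win)) == 1:          # unencrypted padding, not keystream
            continue
        if all(win[i] == win[i + period] for i in range(need - period)):
            shift = start % period      # rotate block back to offset 0
            block = win[:period]
            return block[-shift:] + block[:-shift] if shift else block
    return None

# Constructed sample: a header, text records, a zero-filled gap, more records.
KEYSTREAM = hashlib.sha512(b"constructed demo key").digest()  # 64 bytes
PLAINTEXT = (b"%PDF-1.7\n"
             + b"".join(b"constructed record %04d\n" % i for i in range(12))
             + bytes(300)
             + b"".join(b"trailer entry %04d\n" % i for i in range(6)))
CIPHERTEXT = xor_stream(PLAINTEXT, KEYSTREAM)

def demo():
    """Recover the keystream from CIPHERTEXT alone, then decrypt the file."""
    ks = recover_keystream(CIPHERTEXT)
    return ks, xor_stream(CIPHERTEXT, ks)

if __name__ == "__main__":
    ks, recovered = demo()
    print("keystream recovered:", ks == KEYSTREAM)
    print("file recovered:", recovered == PLAINTEXT)
```

Files without a sufficiently long zero-filled region give the search nothing to match, and it returns `None`.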

Decryptor tool from SRLabs

For this process, SRLabs has developed a free decryptor tool. The tool consists of Python scripts that help recover files in different scenarios. They have also released a script called “decryptauto.py” that allows a more automated key recovery operation followed by decrypting a file.

Always 5,000 bytes of data loss

Unfortunately, the tool does not work for every size of file encrypted with Black Basta. Files less than 5,000 bytes in size cannot be recovered. Files between 5,000 bytes and 1 GB in size can be fully decrypted.

For files larger than 1 GB, unfortunately, the first 5,000 bytes are lost during the recovery operation. However, the rest can be recovered.

Black Basta patches vulnerability

Meanwhile, Black Basta’s hackers seem aware of the vulnerability and have already implemented a patch in their ransomware. Therefore, the decryptor released by SRLabs only works for versions of Black Basta from November 2022 to a week ago (late 2023).

Earlier versions, which add the extension .basta to files, also cannot be decrypted with the tool.