January 3, 2024 at 11:51AM
SRLabs released the Black Basta Buster tool to decrypt files encrypted by a specific strain of the Black Basta ransomware, with limitations on encryption logic and file size. The decryptor can recover files between 5,000 bytes and 1GB, but larger files may lose the first 5,000 bytes. It exploits a weakness in the ransomware’s encryption algorithm.
SRLabs’ decryptor for the Black Basta ransomware allows recovery of encrypted files, but it has limitations: recovery requires knowing 64 bytes of plaintext in the right position, and files larger than 1GB may lose their first 5,000 bytes. Organizations targeted after the ransomware strain was updated to fix the vulnerability are unlikely to benefit from the decryptor.
The decryptor exploits a weakness in a particular strain of the ransomware, allowing approximately 153 victims whose data was leaked on Black Basta’s Dark Web site during the relevant period to potentially recover their files.
Black Basta’s encryption mechanism involves encrypting the first 5,000 bytes of a file and then using the same 64 bytes to encrypt the remaining blocks; the decryptor is able to recover those subsequent chunks in plaintext.
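The recovery idea described above, as an added example that is not SRLabs’ tool or code from the original page. It assumes a simplified model in which the reused 64 bytes are a keystream XORed over every block after the first 5,000 bytes, while the header sits under a separate pad; all function and constant names are hypothetical.

```python
from itertools import cycle

HEADER = 5000  # leading bytes the page says are lost
BLOCK = 64     # length of the keystream reused for every later block

def xor(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as often as needed."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

def toy_encrypt(plain: bytes, header_pad: bytes, keystream: bytes) -> bytes:
    """Assumed model: a separate pad over the header, one reused keystream after it."""
    if len(header_pad) != HEADER or len(keystream) != BLOCK:
        raise ValueError("pad must be 5,000 bytes and keystream 64 bytes")
    return xor(plain[:HEADER], header_pad) + xor(plain[HEADER:], keystream)

def recover_keystream(cipher: bytes, known: bytes, offset: int) -> bytes:
    """Derive the reused keystream from 64 known plaintext bytes at a file offset."""
    if offset < HEADER:
        raise ValueError("known plaintext must lie after the first 5,000 bytes")
    if len(known) < BLOCK or offset + BLOCK > len(cipher):
        raise ValueError("need 64 known bytes that fit inside the file")
    fragment = xor(cipher[offset:offset + BLOCK], known[:BLOCK])
    shift = (offset - HEADER) % BLOCK  # keystream index at which the fragment starts
    return fragment[BLOCK - shift:] + fragment[:BLOCK - shift]

def restore(cipher: bytes, known: bytes, offset: int) -> bytes:
    """Decrypt everything after the header; the header stays encrypted."""
    keystream = recover_keystream(cipher, known, offset)
    return cipher[:HEADER] + xor(cipher[HEADER:], keystream)

# Constructed sample data (not from a real incident): patterned header, text, zero run.
PLAIN = (bytes((i * 7 + 3) % 251 for i in range(HEADER))
         + b"report line\n" * 40 + bytes(128) + b"tail data")
HEADER_PAD = bytes((i * 13 + 5) % 256 for i in range(HEADER))
KEYSTREAM = bytes((i * 37 + 11) % 256 for i in range(BLOCK))
CIPHER = toy_encrypt(PLAIN, HEADER_PAD, KEYSTREAM)
ZERO_RUN_OFFSET = HEADER + 40 * len(b"report line\n")  # 5480, not block-aligned

if __name__ == "__main__":
    restored = restore(CIPHER, bytes(BLOCK), ZERO_RUN_OFFSET)
    print("body recovered:  ", restored[HEADER:] == PLAIN[HEADER:])
    print("header recovered:", restored[:HEADER] == PLAIN[:HEADER])
```

In this model the 64 known bytes are a run of zeros inside the file body; the first 5,000 bytes stay encrypted because nothing in the reused keystream covers them.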
To defend against ransomware, suggested strategies include patching vulnerabilities, disabling remote access, using endpoint security software, and creating offsite, offline backups so that files and business functions can be restored quickly in the event of a ransomware attack.