New Black Basta decryptor exploits ransomware flaw to recover files

December 30, 2023 at 10:25AM

Security Research Labs (SRLabs) has developed a decryptor called the “Black Basta Buster” that allows victims of the Black Basta ransomware to potentially recover their files for free, exploiting a flaw in the encryption algorithm used by the ransomware gang. However, the developers have since fixed the bug, rendering the decryptor ineffective for newer attacks.

The decryptor works by exploiting a flaw in the Black Basta encryption routine that allows the ChaCha keystream used to encrypt a file to be retrieved, after which the file can be restored. However, Black Basta developers fixed the bug in their encryption routine about a week ago, so this technique does not work against newer attacks.

The decryptor can potentially recover files for victims from November 2022 up to the recent fix by the developers. It can recover complete files for sizes between 5000 bytes and 1GB, while files smaller than 5000 bytes cannot be recovered, and the first 5000 bytes of files larger than 1GB may be lost. Additionally, the decryptor only works on files with the file extension .4xw1woqp0.
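To make the keystream-retrieval idea above concrete, here is a small added model (not SRLabs' or Black Basta's code) of a stream cipher applied with a flaw that reuses one keystream block across a file, showing how a block of known zero plaintext yields the keystream and why a file too short to contain such a block cannot be recovered. The 64-byte block size, the reuse behaviour and the sample file are constructed assumptions for this illustration, not details from the article.

```python
# Added toy model of keystream recovery from a known-plaintext region.
# ASSUMPTION: the cipher XORs every 64-byte chunk with the SAME keystream
# block (a constructed flaw model, not Black Basta's actual routine).
BLOCK = 64  # assumed reuse granularity (constructed)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def flawed_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """Model of the flaw: each BLOCK-sized chunk is XORed with the same
    keystream block instead of a freshly advanced one."""
    assert len(keystream) == BLOCK
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        chunk = plaintext[i:i + BLOCK]
        out += xor_bytes(chunk, keystream[:len(chunk)])
    return bytes(out)


def recover_keystream(ciphertext: bytes, known_zero_offset: int) -> bytes:
    """Recover the reused keystream from a block-aligned chunk whose
    plaintext is known to be all zero bytes: C XOR 0x00 == keystream.
    A file without one full such chunk gives no recovery (edge case)."""
    if known_zero_offset % BLOCK or known_zero_offset + BLOCK > len(ciphertext):
        raise ValueError("need a full, block-aligned known-zero chunk")
    return ciphertext[known_zero_offset:known_zero_offset + BLOCK]


def decrypt_with_keystream(ciphertext: bytes, keystream: bytes) -> bytes:
    # XOR is its own inverse, so decryption reuses the flawed routine.
    return flawed_encrypt(ciphertext, keystream)


# Constructed sample: a keystream standing in for ChaCha output, and a
# file with a header, a 128-byte run of zero padding, then payload data.
SAMPLE_KEYSTREAM = bytes((i * 37 + 11) & 0xFF for i in range(BLOCK))
SAMPLE_PLAINTEXT = (b"HEADER:constructed-sample-file\n"
                    + bytes(BLOCK * 2) + b"payload bytes " * 20)
SAMPLE_CIPHERTEXT = flawed_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEYSTREAM)
KNOWN_ZERO_OFFSET = 64  # the zero run covers offsets 31..158, so block 64..127 is all zero


def recover_file(ciphertext: bytes) -> bytes:
    return decrypt_with_keystream(ciphertext,
                                  recover_keystream(ciphertext, KNOWN_ZERO_OFFSET))
```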

The article also notes that the decryptor may not work on earlier versions of Black Basta that appended the .basta extension to encrypted files, and that it only works on one file at a time.

Black Basta is a ransomware gang that has been active since April 2022 and has been responsible for a series of high-profile attacks on various organizations, including the Toronto Public Library, among others.

Overall, the article gives a detailed overview of the Black Basta ransomware operation, the flaw in its encryption algorithm, and the potential for file recovery using the “Black Basta Buster” decryptor.