Researchers at Security Research (SR) Labs have recently announced that they identified a weakness in the encryption algorithm used by Black Basta ransomware which can allow certain victims to recover their files for free. The researchers have released a suite of Black Basta Buster decryptor tools, which are free to use.
Black Basta ransomware uses intermittent encryption, which makes the encryption process faster and more efficient. Black Basta uses a ChaCha keystream to XOR-encrypt 64-byte chunks of victim files and, according to the researchers, if the plaintext of 64 encrypted bytes is known, it should be possible to recover files. Knowing any 64 bytes is not sufficient, however: the known bytes must lie in a region that the algorithm actually encrypted. The position of the encrypted blocks within a file is determined by the file size. Generally, the ransomware will encrypt the first 5,000 bytes of a file, so files of 5,000 bytes or less will not be recoverable. Files between 5,000 bytes and 1 GB in size should be fully recoverable, and for files of more than 1 GB, the entire file will be recoverable apart from the first 5,000 bytes.
When a file is encrypted, Black Basta XORs the content with a 64-byte keystream produced by its encryption algorithm. With a stream cipher, encrypting a block of bytes that are all zero writes the XOR keystream itself into the file, which allows the key to be recovered. The bug stems from reusing the same keystream throughout the encryption: every 64-byte chunk that contained only zeros is turned into the 64-byte symmetric key, which can be extracted and used to decrypt the entire file. The released tools therefore work best on files that contained zero bytes in the encrypted regions, which is why they recover larger files most effectively.
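The two ideas above (a known 64-byte plaintext chunk reveals the keystream, and a reused keystream means one recovered chunk unlocks the whole file) can be shown with a small worked example. The code below is added here and is not SR Labs' decryptor or any Black Basta code; it is a deliberately simplified model in which every 64-byte chunk of a file is XORed with the same 64-byte keystream (the intermittent-encryption layout and the 5,000-byte rule are left out). The keystream and sample files are constructed, and the recovery heuristic (treat the most frequently repeated ciphertext chunk as the keystream, because all zero-filled chunks encrypt to the identical value) is an assumption of this example, not a description of the real tool. It also shows the general known-plaintext case and the small-file failure mode.

```python
from collections import Counter
from typing import Optional

CHUNK = 64  # chunk size named in the write-up


def xor_chunks(data: bytes, keystream: bytes) -> bytes:
    """XOR every 64-byte chunk of `data` with the SAME 64-byte keystream.

    This models the flaw described above (one keystream reused for every
    chunk); it is a constructed simplification, not Black Basta's code.
    Because XOR is its own inverse, the same function decrypts.
    """
    if len(keystream) != CHUNK:
        raise ValueError("keystream must be exactly 64 bytes")
    out = bytearray(data)
    for off in range(0, len(out), CHUNK):
        for i in range(min(CHUNK, len(out) - off)):
            out[off + i] ^= keystream[i]
    return bytes(out)


def keystream_from_known_plaintext(ct_chunk: bytes, pt_chunk: bytes) -> bytes:
    """General known-plaintext case: knowing the 64 plaintext bytes of any
    encrypted chunk, XOR with the ciphertext recovers the keystream.
    All-zero plaintext is the special case where the ciphertext chunk IS
    the keystream."""
    if len(ct_chunk) != CHUNK or len(pt_chunk) != CHUNK:
        raise ValueError("need one full 64-byte chunk of ciphertext and plaintext")
    return bytes(c ^ p for c, p in zip(ct_chunk, pt_chunk))


def recover_keystream(ciphertext: bytes) -> Optional[bytes]:
    """Recover the reused keystream without knowing in advance which chunk
    was zero-filled. Assumed heuristic (constructed for this example):
    zero-filled regions are common in large files and every such chunk
    encrypts to the identical 64-byte value, so the most frequent repeated
    ciphertext chunk is taken as the keystream. Returns None when no chunk
    repeats, i.e. the file offers no usable known-zero plaintext (the
    small-file failure mode)."""
    chunks = [ciphertext[o:o + CHUNK]
              for o in range(0, len(ciphertext) - CHUNK + 1, CHUNK)]
    if not chunks:
        return None
    candidate, count = Counter(chunks).most_common(1)[0]
    return candidate if count >= 2 else None


def recover_file(ciphertext: bytes) -> Optional[bytes]:
    """Full recovery: derive the keystream from repeated chunks, then XOR it
    back over the whole ciphertext."""
    ks = recover_keystream(ciphertext)
    return None if ks is None else xor_chunks(ciphertext, ks)


# Constructed sample data (not real victim files and not a real key).
SAMPLE_KEYSTREAM = bytes((i * 37 + 11) & 0xFF for i in range(CHUNK))
# A "large" file: 1 KiB of varied bytes followed by 512 zero bytes, the way
# executables and databases commonly carry zero-padded regions.
LARGE_PLAINTEXT = bytes(range(256)) * 4 + b"\x00" * (CHUNK * 8)
# A small file with no zero-filled chunk at all.
SMALL_PLAINTEXT = b"short note, no zero padding here at all, just text"


def demo() -> dict:
    """Encrypt both samples with the flawed scheme and report what can be
    recovered from the ciphertext alone."""
    large_ct = xor_chunks(LARGE_PLAINTEXT, SAMPLE_KEYSTREAM)
    small_ct = xor_chunks(SMALL_PLAINTEXT, SAMPLE_KEYSTREAM)
    return {
        "keystream_recovered": recover_keystream(large_ct) == SAMPLE_KEYSTREAM,
        "large_file_restored": recover_file(large_ct) == LARGE_PLAINTEXT,
        "small_file_recoverable": recover_file(small_ct) is not None,
        "known_pt_keystream": keystream_from_known_plaintext(
            large_ct[:CHUNK], LARGE_PLAINTEXT[:CHUNK]) == SAMPLE_KEYSTREAM,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the large sample fully restored from its ciphertext, while the small sample (under one chunk, no zero padding) yields nothing, which mirrors the size thresholds the write-up describes: recovery depends on the encrypted region containing plaintext the defender already knows.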
The Black Basta developers have since fixed the bug, so the decryption tools cannot decrypt files from more recent attacks, but they can recover files encrypted by the Black Basta encryptor between November 2022 and late December 2023.