Black Basta Ransomware: Free Decryption Tools Released

January 3, 2024

A team from Security Research Labs (SRL) has released a set of free decryption utilities for victims of certain Black Basta ransomware attacks.

Of course, the tools are not perfect: how much of a file can be recovered depends on its size, and the method requires knowing the plaintext of one 64-byte encrypted block (for many file types, a block of zero bytes is enough). Even so, it’s a big win for victims.

“Whether a file is fully or partially recoverable depends on the size of the file,” researchers wrote. “Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered.”

The utilities include scripts for analyzing encrypted files and determining whether decryption is possible. The Black Basta decryption tools are published in SRL’s GitHub repository.

Black Basta’s encryption is effective, but its implementation is flawed.

The ransomware XORs the file with a keystream, which is a simple stream cipher. According to SRL, the keystream is handled correctly for the first 5,000 bytes of the file; after that point the implementation breaks down:

“The keystream, however, is not advanced properly and the same 64 bytes are used for XORing all the blocks to be encrypted. This can be observed particularly well when looking at encrypted zero-bytes. Those encrypted zero-bytes show the very same pattern. Taking such encrypted zero-bytes and using them to XOR the encrypted chunks allows for a nearly full recovery of the file.”

For files larger than 1 GB, such as virtual disk images, the first 5,000 bytes are lost but everything after them can be recovered; files between 5,000 bytes and 1 GB can be recovered in full.

Many ransomware variants do not encrypt the entire file.

For ransomware to be effective, it needs to work quickly, and fully encrypting every file takes time. Many strains therefore encrypt only the start of a file, or only selected blocks throughout it, and leave the rest untouched. In Black Basta’s case, the first 5,000 bytes are encrypted correctly and the remaining 64-byte blocks it touches are all XORed with the same reused keystream. Either way the file is rendered unusable, and the victim is pressured to pay.

But this creates opportunities for data recovery: the untouched regions survive as-is, and if the attackers implement the cipher incorrectly, the encrypted blocks may be recoverable as well.
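The recovery SRL describes, worked through as an added example (this is not SRL’s tool and not code from the original article). It models a stream cipher whose keystream is never advanced past its first 64 bytes, shows why encrypted zero bytes expose that keystream, and undoes the XOR for everything past the header. The 64-byte block width and the 5,000-byte header come from SRL’s description; the 128-byte spacing between encrypted blocks, the header being always lost, and the sample file contents are assumptions made for the model.

```python
"""Toy model of a stream cipher whose keystream is never advanced past its
first 64 bytes, and the known-plaintext recovery that flaw allows.
Constructed example for illustration; the layout constants below are
assumptions and are NOT Black Basta's real parameters."""
import random
from collections import Counter

BLOCK = 64     # width of the reused keystream block (per SRL's description)
HEADER = 5000  # leading bytes encrypted with a correctly advancing keystream (modelled as lost)
STRIDE = 128   # assumed distance between encrypted blocks (partial/intermittent encryption)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypted_blocks(size: int):
    """Offsets and lengths of the blocks XORed with the reused keystream."""
    for off in range(HEADER, size, STRIDE):
        yield off, min(BLOCK, size - off)


def _xor_reused_blocks(buf: bytearray, block_key: bytes) -> None:
    """XOR is its own inverse, so one routine both encrypts and decrypts."""
    for off, n in encrypted_blocks(len(buf)):
        for i in range(n):
            buf[off + i] ^= block_key[i]


def flawed_encrypt(plain: bytes, header_stream: bytes, block_key: bytes) -> bytes:
    """Model of the flaw: the header gets a proper keystream, then every
    encrypted block is XORed with the SAME 64 keystream bytes."""
    if len(header_stream) < min(HEADER, len(plain)) or len(block_key) != BLOCK:
        raise ValueError("bad keystream lengths")
    out = bytearray(plain)
    for i in range(min(HEADER, len(out))):
        out[i] ^= header_stream[i]
    _xor_reused_blocks(out, block_key)
    return bytes(out)


def keystream_from_known_block(cipher_block: bytes, plain_block: bytes) -> bytes:
    """C = P xor K, so K = C xor P for any one block whose plaintext is known."""
    if len(cipher_block) != BLOCK or len(plain_block) != BLOCK:
        raise ValueError("need one full %d-byte block of ciphertext and plaintext" % BLOCK)
    return xor(cipher_block, plain_block)


def keystream_from_zero_blocks(cipher: bytes) -> bytes:
    """Locate encrypted zero bytes: because K is reused, every all-zero block
    encrypts to the identical 64 bytes, so the most repeated full block is the
    prime candidate. Its plaintext is all zeros, so K = C xor 0 = C."""
    counts = Counter(cipher[off:off + n] for off, n in encrypted_blocks(len(cipher)) if n == BLOCK)
    if not counts:
        raise ValueError("no full block beyond the header; file is too small to recover")
    block, seen = counts.most_common(1)[0]
    if seen < 2:
        raise ValueError("no repeated block; supply known plaintext to keystream_from_known_block")
    return keystream_from_known_block(block, bytes(BLOCK))


def recover(cipher: bytes, block_key: bytes) -> bytes:
    """Undo the reused-keystream XOR. The header's keystream is unknown, so
    those bytes are returned unchanged and must be treated as lost."""
    out = bytearray(cipher)
    _xor_reused_blocks(out, block_key)
    return bytes(out)


def analyze(cipher: bytes) -> dict:
    """Triage in the spirit of 'can this file be decrypted?': how many bytes
    are lost and whether a reused keystream block could be derived."""
    if len(cipher) <= HEADER:
        return {"recoverable": False, "lost_bytes": len(cipher), "key": None}
    try:
        key = keystream_from_zero_blocks(cipher)
    except ValueError:
        return {"recoverable": False, "lost_bytes": HEADER, "key": None}
    return {"recoverable": True, "lost_bytes": HEADER, "key": key}


def demo(size: int = 24576, seed: int = 1):
    """Constructed sample: pseudo-random content with a 4 KB run of zero
    padding in the middle, as a disk image or document typically has."""
    rng = random.Random(seed)
    plain = rng.randbytes(10240) + bytes(4096) + rng.randbytes(size - 14336)
    header_stream = rng.randbytes(HEADER)  # stands in for the properly advanced keystream
    block_key = rng.randbytes(BLOCK)       # the 64 bytes the flawed implementation reuses
    cipher = flawed_encrypt(plain, header_stream, block_key)
    report = analyze(cipher)
    recovered = recover(cipher, report["key"]) if report["recoverable"] else cipher
    return plain, cipher, recovered, report["key"] == block_key


if __name__ == "__main__":
    plain, cipher, recovered, key_ok = demo()
    print("keystream recovered:", key_ok)
    print("tail matches plaintext:", recovered[HEADER:] == plain[HEADER:])
    print("header lost:", recovered[:HEADER] != plain[:HEADER])
```

The repeated-block heuristic is the same observation SRL makes about encrypted zero bytes; where a file has no zero padding, any other block of known plaintext (a fixed file header, for instance) works just as well through `keystream_from_known_block`. Note what the model does not do: it cannot recover the header, and a file that ends inside the header is reported as unrecoverable, matching the size rules quoted above.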

For victims, open-source decryption tools are generally the best option available for restoring files. Paying a ransom does not guarantee recovery, and in some cases (for example, when the recipient is a sanctioned entity) paying is illegal.

Open-source tools from reputable researchers are generally safe, provided you obtain them from the original repository and review what they do before running them; using them often requires a fairly advanced understanding of how the encryption works. We strongly recommend making a complete, bit-for-bit clone of any affected media and working only on the copy before attempting decryption (or performing any other logical data recovery process).

Working with a professional data recovery provider can limit the chances of permanent data loss — and help you restore key systems after a ransomware attack without unnecessary downtime.

Getting Help with a Ransomware Infection

As a world leader in ransomware remediation, Datarecovery.com provides resources for analyzing infections, restoring key systems from backups or archival copies, and, where possible, decrypting the encrypted files.

All of our data recovery services are supported by a no data, no charge guarantee: If we’re unable to restore your files, you don’t pay for the attempt. To learn more, call 1-800-237-4200 to speak with a ransomware expert or submit a case online.