The 27th December 2023 saw the publication of a decryptor for the Black Basta ransomware encryption algorithm by Security Research Labs.

What does it do?

In their release, Security Research Labs state, “Files can be recovered if the plaintext of 64 encrypted bytes is known. Whether a file is fully or partially recoverable depends on the size of the file. Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered.”

What does that mean?

A lot of ransomware victims believe that, once encrypted, they have lost all of their data. In reality, this isn’t quite true. To speed up the encryption process, many ransomware groups only encrypt a portion of each file – in Black Basta’s case, the first 5000 bytes. This means the files are unreadable by the applications usually used to open them, but the data beyond the encrypted portion may still be recovered forensically, albeit with some data loss.

The flaw in the implementation of the encryption mechanism used by Black Basta means that some files can be recovered with varying degrees of success. Files below approximately 5KB in size cannot be recovered, as they are entirely encrypted. Other files (between 5000 bytes and 1GB) may be entirely recoverable, depending on their size and composition. This is great for organisations, as most documents will fall within this range. Files larger than 1GB are where this really becomes interesting, because with a little extra work and some further tooling it may be possible to recreate the first portion of the file. So why is this interesting? Because virtual machines fall into this category, and if you can recover these then organisations can recover their systems, not just their files.
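As an added illustration (this is not code from the post or from Security Research Labs’ tooling), the following Python triage script classifies a file by the size ranges quoted above and checks whether the bytes beyond the 5000-byte encrypted prefix still look like plaintext. It assumes 1GB means 1024³ bytes and that the 5000-byte and 1GB boundaries are inclusive on the recoverable side; the sample file is constructed inline.

```python
import math
import random
from collections import Counter

ENCRYPTED_PREFIX = 5000   # bytes Black Basta encrypts, per the post
ONE_GB = 1024 ** 3        # assumption: 1GB in the post means 1024^3 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def recovery_category(size: int) -> str:
    """Map a file size to the recoverability classes stated in the release."""
    if size < ENCRYPTED_PREFIX:
        return "unrecoverable"        # entirely inside the encrypted prefix
    if size <= ONE_GB:
        return "fully-recoverable"
    return "tail-recoverable"         # first 5000 bytes lost, remainder intact


def triage(data: bytes) -> dict:
    """Report size class plus head/tail entropy for one encrypted file."""
    head, tail = data[:ENCRYPTED_PREFIX], data[ENCRYPTED_PREFIX:]
    tail_entropy = shannon_entropy(tail)
    return {
        "size": len(data),
        "category": recovery_category(len(data)),
        "head_entropy": round(shannon_entropy(head), 2),
        "tail_entropy": round(tail_entropy, 2),
        # High-entropy head over a low-entropy tail is the partial-encryption
        # signature. Caveat: compressed formats (docx, zip, jpeg) have a
        # high-entropy tail even when untouched, so treat this as a hint only.
        "tail_looks_plaintext": bool(tail) and tail_entropy < 6.0,
    }


def make_sample() -> bytes:
    """Constructed sample: 5000 pseudo-random bytes followed by readable text."""
    rng = random.Random(1)  # seeded so the result is reproducible
    head = bytes(rng.getrandbits(8) for _ in range(ENCRYPTED_PREFIX))
    return head + b"Quarterly report: revenue and costs by region.\n" * 200


if __name__ == "__main__":
    print(triage(make_sample()))
```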

Why is this important?

Black Basta were first detected in April 2022 and report in the region of 50 victims per quarter. In that time, the group has made in excess of $100 million in cryptocurrency through their ransomware activities.

This development is not a panacea though. The decryption tools provided by Security Research Labs will only work for the Black Basta ransomware variant used around April 2023. It is likely that, since the publication of the research and tooling, Black Basta, along with other ransomware groups, will review their encryption implementations in order to prevent the weakness from being leveraged again.

What should we do?

If you think that the decryptor is something that could help your organisation, there are a few things to consider. The Security Research Labs GitHub page does provide good instruction on how to use the tools provided. However, if you are going to try recovering systems, we advise that you do so in an isolated environment. While virtual machines may have been encrypted at the hypervisor level, it does not mean that the threat actor did not use them to gain access, or lay down persistence mechanisms, within your environment. If you recover these systems, you may be allowing the threat actor to regain access.


For further assistance and to learn more, contact Quorum Cyber’s Incident Response Team on 0800 029 1305. Alternatively, for further Threat Intelligence on the Black Basta Ransomware group visit this link.
