Researchers released a decryptor to help the numerous victims of one of 2023’s most prolific double-extortion ransomware gangs, Black Basta, restore their compromised files for free.
Black Basta is believed to have attacked well over 300 organizations since it was first observed in early 2022, making it one of the most active ransomware strains by victim count over that period.
The gang is believed to have raked in at least $107 million in ransom payments from over 90 victims.
Black Basta’s rapid ascension in the cybercriminal ranks caught the interest of researchers, including consultancy Security Research Labs (SRLabs), which has developed and published on GitHub a suite of tools it calls “Black Basta Buster.”
The tools enable security teams to analyze files encrypted by the gang to determine if they are recoverable. If they are, other tools in the suite assist with the decryption process.
“We looked into the encryption algorithm and have found a particular weakness for the ransomware strain used by Black Basta ransomware around April 2023,” SRLabs said.
What Black Basta did wrong in its ransomware
SRLabs’ GitHub documentation explains that Black Basta’s ransomware uses a ChaCha keystream that XORs 64-byte-long chunks of the files it encrypts.
“The keystream, however, is not advanced properly and the same 64 bytes are used for XORing all the blocks to be encrypted,” the researchers said.
Because every chunk is XORed with the same 64 keystream bytes, knowing the plaintext of any 64 encrypted bytes of a file lets the keystream be recovered (ciphertext XOR known plaintext) and reused to strip the encryption from the rest of the file, without the key. The catch is that “the known plaintext bytes need to be in a location of the file that is subject to encryption based on the malware's logic of determining which parts of the file to encrypt.”
The good news: “For certain file types knowing 64 bytes of the plaintext in the right position is feasible, especially virtual machine disk images.”
The not-quite-so-good news: “Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered.”
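To make the flaw concrete, the following is an added Python model of the weakness SRLabs describes. It is not SRLabs’ Black Basta Buster code and not Black Basta’s own implementation: it assumes a standard RFC 8439 ChaCha20 block function (the page does not say which ChaCha variant or nonce size the ransomware uses), models “not advanced properly” as the block counter never being incremented, and encrypts the whole file rather than reproducing the malware’s logic for choosing which regions to encrypt, so the 5000-byte and 1 GB limits quoted above do not apply to this toy. One generalization beyond the page: the 64 known plaintext bytes need not be 64-byte-aligned, because the same block repeats and any 64 consecutive bytes inside an encrypted region cover all 64 keystream positions. The sample “disk image”, key and nonce are constructed test values; the run of zero bytes plays the part of an empty sector in a VM image.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """RFC 8439 ChaCha20 block function: 64 keystream bytes for one counter value."""
    assert len(key) == 32 and len(nonce) == 12
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]   # "expand 32-byte k"
    state += list(struct.unpack("<8I", key))
    state += [counter & MASK32]
    state += list(struct.unpack("<3I", nonce))
    s = state[:]
    for _ in range(10):                                       # 10 double rounds = 20 rounds
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(s, state)])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # zip truncates to the shorter (last partial chunk)


def broken_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Model of the flaw: one 64-byte block is generated and reused for every chunk.
    (Assumption: the real malware's per-file key/nonce handling is not modelled.)"""
    ks = chacha20_block(key, 0, nonce)                  # counter never advances
    return b"".join(xor_bytes(data[i:i + 64], ks) for i in range(0, len(data), 64))


def correct_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """What ChaCha20 should do: a fresh keystream block (counter n) per 64-byte chunk."""
    return b"".join(xor_bytes(data[i:i + 64], chacha20_block(key, n, nonce))
                    for n, i in enumerate(range(0, len(data), 64)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes, offset: int) -> bytes:
    """Recover the reused 64-byte block from 64 known plaintext bytes at any offset inside an
    encrypted region. Position j of the known run reveals keystream byte (offset + j) mod 64,
    so 64 consecutive bytes fill all 64 positions even when the run is not chunk-aligned."""
    if len(known_plaintext) != 64 or offset + 64 > len(ciphertext):
        raise ValueError("need exactly 64 known plaintext bytes inside the ciphertext")
    ks = bytearray(64)
    for j, p in enumerate(known_plaintext):
        ks[(offset + j) % 64] = ciphertext[offset + j] ^ p
    return bytes(ks)


def decrypt_with_keystream(ciphertext: bytes, ks: bytes) -> bytes:
    """Strip the encryption from every chunk using the recovered block. No key needed."""
    return b"".join(xor_bytes(ciphertext[i:i + 64], ks) for i in range(0, len(ciphertext), 64))


def looks_recoverable(ciphertext: bytes) -> bool:
    """Heuristic triage (my own check, not SRLabs' tool logic): under a single reused block,
    two adjacent chunks with identical plaintext (e.g. zero-filled sectors) encrypt to
    identical ciphertext; a properly advancing keystream never produces that."""
    chunks = [ciphertext[i:i + 64] for i in range(0, len(ciphertext) - 63, 64)]
    return any(a == b for a, b in zip(chunks, chunks[1:]))


# Constructed test data (not real Black Basta material): 8 KiB of filler with a 512-byte
# zero run at offset 4096 standing in for an unused sector of a VM disk image.
KEY = bytes(range(32))
NONCE = bytes(12)
_filler = bytes((i * 37 + 11) & 0xFF for i in range(8192))
SAMPLE_IMAGE = _filler[:4096] + bytes(512) + _filler[4608:]
KNOWN_OFFSET = 4100                      # deliberately not 64-byte-aligned


def demo():
    ct = broken_encrypt(SAMPLE_IMAGE, KEY, NONCE)
    ks = recover_keystream(ct, SAMPLE_IMAGE[KNOWN_OFFSET:KNOWN_OFFSET + 64], KNOWN_OFFSET)
    return looks_recoverable(ct), decrypt_with_keystream(ct, ks) == SAMPLE_IMAGE


if __name__ == "__main__":
    print("triage flags reuse:", demo()[0], "| full recovery:", demo()[1])
```

The triage check is the part a responder would run first: if adjacent 64-byte chunks of an encrypted file are identical, the keystream was reused and the file is a candidate for known-plaintext recovery; if not, there is nothing to recover without the key.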
Researchers regularly develop decryptors after discovering flaws in threat actors’ malware. How much data victims actually recover with a decryptor varies with the circumstances: the specific ransomware build, the file types involved and whether suitable known plaintext is available.
The downside of publishing a decryptor is that it alerts the ransomware gang to the flaw, which typically gets fixed in the next build, potentially making it harder for future victims to retrieve their files.
2023: Black Basta’s big year
As a double-extortion malware gang, Black Basta specializes in exfiltrating sensitive data from victims before encrypting their networks and threatening to publish the stolen information if a ransom isn’t paid.
Black Basta is widely believed to be an offshoot of another prolific ransomware operator, the Conti Group, which disbanded in 2022. Its victims in 2023 included Swiss technology giant ABB, British outsourcing company Capita, and Dish Network.
The gang’s ransomware was commonly deployed using Qakbot malware. Qakbot’s botnet was taken down by authorities last August, although the malware resurfaced in December.
Researchers believe the Qakbot takedown could explain a marked reduction in Black Basta attacks during the second half of 2023. They didn’t stop completely, however, with the gang’s victims in the later part of the year including major TV advertising sales and technology firm Ampersand, and Toronto Public Library, Canada's largest public library system.