Researchers at cybersecurity firm Security Research Labs exploited a flaw found in the algorithm of a ransomware variant used by the high-profile threat group Black Basta to develop a decryptor that can help some victims recover their encrypted files.

SRLabs last week rolled out a suite of tools on GitHub that Black Basta victims can use for free to determine if their files are recoverable and, if they are, decrypt them.

However, they could have limited use, with reports indicating that the prolific cybercriminals already have fix the problem in their encryption methods. SRLabs’ tools allow for Black Basta victims between November 2022 through December 2023 to possibly recover their data. However, the group’s fix means that the tools won’t work for organizations that are targets of newer attacks.

SRLabs researchers wrote that they discovered the weakness in the encryption algorithm in a ransomware strain that Black Basta started using around April 2023. However, there are limitations on which older victims will be able to use the tools.

“Our analysis suggests that files can be recovered if the plaintext of 64 encrypted bytes is known,” they wrote. “Whether a file is fully or partially recoverable depends on the size of the file. Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered.”

Plaintext is the Key

What’s important is knowing the plaintext of 64 encrypted bytes of the file, they wrote. Knowing 64 bytes isn’t enough because the known plaintext byes need to in a place in the file that can be encrypted based on the logic used by the malware to determine which parts of the file to encrypt.

“For certain file types knowing 64 bytes of the plaintext in the right position is feasible, especially virtual machine disk images,” they wrote.

The tools SRLabs made available on GitHub help organizations analyze encrypted files to determine if they can be decrypted. As an example, the researchers wrote that the “decryptauto” tool could recover files containing zero bytes. Looking at how many times the files were encrypted and to what extent, a manual review is needed to fully recover a file.

The encryption algorithm used by the ransomware creates a 64-byte “chunk” of the file, XORing the data via a 64-byte keystream, they wrote. The position of these encrypted blocks is based on the size of the file and – depending on the file size – the ransomware will encrypt the first 5,000 bytes.

“The keystream, however, is not advanced properly and the same 64 bytes are used for XORing all the blocks to be encrypted,” the researchers wrote. “This can be observed particularly well when looking at encrypted zero-bytes. Those encrypted zero-bytes show the very same pattern. Taking such encrypted zero-bytes and using them to XOR the encrypted chunks allow for a nearly full recovery of the file.”

It’s conditional, however. The keystream is used correctly for the first 5,000 bytes of the file, based on its size. This means those bytes – except for the very first 64 bytes – will be lost. That said, virtualized disk images that have large zero-byte blocks of data have a better chance of being recovered. For those that don’t, SRLabs’ tools could recover files that have an older version with similar data.

Black Basta on a Tear

The decryptor tool came less than a month after a report by blockchain analytics company Elliptic and cyber-insurance firm Corvus said that since early 2022, Black Basta had racked up at least $107 million in ransom payments made in Bitcoin, becoming the fourth-largest ransomware strain based on the number of victims over the past two years.

At the same time, governments and many within the cybersecurity industry are trying to develop ways to stem the growing tide of ransomware attacks, with researchers with cybersecurity firm EmsiSoft calling this week for a ban on ransom payments.

“The only viable mechanism by which governments can quickly reduce ransomware volumes is to ban ransom payments,” they wrote in a report. “Ransomware is a profit-driven enterprise. If it is made unprofitable, most attacks will quickly stop.”