[TheRecord] Free decrypter released for BlackByte ransomware victims

Cybersecurity firm Trustwave released on Friday a free utility that victims of the BlackByte ransomware can use to decrypt and restore their files without paying the ransom demand.

Made available on GitHub, the decrypter exploits a design flaw in the ransomware’s encryption routine.

In a two-part technical analysis, Trustwave researchers said they discovered that the BlackByte encryption routine only began after the group had downloaded a fake image file named “forest.png” onto each victim’s computer.

According to the researchers, this file contained a “raw” cryptographic key from which the ransomware derived the keys used to encrypt the victim’s files, and from which it then generated an access key granting the victim entry to a dark web portal where they could negotiate and pay the attacker’s ransom.


Trustwave researchers said this process was rather simplistic compared to the more complex and more secure encryption routines used by other gangs.

The decrypter released on Friday automates that process in reverse: it reads the raw key from the forest.png file, computes the decryption key from it, and uses that key to restore the victim’s files.

A default “forest.png” file is included with the decrypter, but victims are advised to replace this file with the one found on their own systems.

BlackByte gang responds to researchers

The release of the decrypter did not go unnoticed by the ransomware gang. On Monday, the group posted a message on their dark web portal, trying to scare victims away from using the decrypter.

Their warning has some merit: running the decrypter with the wrong key (a forest.png file taken from a different victim) would corrupt files rather than recover them.

We would not recommend you use that, because we do not use only 1 key. If you use the wrong decryption for your system you may break everything, and you won't be able to restore your system again. We just want to warn you: if you do decide to use that, it's at your own risk.

BlackByte gang

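As an added illustration (this is not Trustwave’s tool, and it does not reproduce BlackByte’s real file layout, cipher or key derivation, none of which the article describes), here is a Python model of the workflow described above: read a raw key out of a fake-image key file, derive a file key from it, and decrypt. It also shows the check the gang’s warning argues for: decrypt one file in memory and look for a known file-type header before writing anything, and never overwrite the encrypted originals. The forest.png layout, the HMAC-SHA256 derivation, the SHA-256 counter-mode stream cipher and the sample files are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed inputs. The layout of the real forest.png, the cipher and the key
# derivation are NOT described in the article; everything here is a hypothetical
# model of the described workflow (raw key in a fake image -> derived file key).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
RAW_KEY = bytes(range(32))                 # hypothetical 32-byte raw key
FOREST_PNG = PNG_MAGIC + RAW_KEY           # constructed stand-in for forest.png
WRONG_PNG = PNG_MAGIC + bytes(32)          # a key file from some other victim

# Known file-type headers used to sanity-check a candidate key on one file
# before touching anything else (PDF, ZIP/OOXML, PNG, legacy Office).
KNOWN_MAGIC = [b"%PDF", b"PK\x03\x04", PNG_MAGIC, b"\xd0\xcf\x11\xe0"]


def read_raw_key(blob, key_len=32):
    """Extract the raw key (hypothetical layout: PNG magic followed by the key)."""
    if not blob.startswith(PNG_MAGIC) or len(blob) < len(PNG_MAGIC) + key_len:
        raise ValueError("unexpected key-file layout")
    return blob[len(PNG_MAGIC):len(PNG_MAGIC) + key_len]


def derive_file_key(raw_key):
    """Hypothetical KDF standing in for the real derivation: HMAC-SHA256 under a fixed label."""
    return hmac.new(raw_key, b"file-key", hashlib.sha256).digest()


def keystream(key, nonce, length):
    """Toy counter-mode keystream built from SHA-256 (stdlib only); not the ransomware's cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_stream(key, nonce, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def encrypt_file(key, plaintext):
    """Model of the ransomware side: a random 12-byte nonce prefixed to the ciphertext."""
    nonce = os.urandom(12)
    return nonce + xor_stream(key, nonce, plaintext)


def decrypt_file(key, blob):
    return xor_stream(key, blob[:12], blob[12:])


def key_looks_right(key, sample_blob):
    """Dry run: decrypt the first bytes of one file in memory and look for a known header."""
    head = decrypt_file(key, sample_blob[:12 + 16])
    return any(head.startswith(magic) for magic in KNOWN_MAGIC)


def recover(forest_png, encrypted):
    """Decrypt a dict of name -> ciphertext.

    Returns None without producing any output if the derived key fails the dry run
    (the wrong-key case the gang warns about). Recovered files get new names so the
    encrypted originals are never overwritten and a bad run can be repeated safely.
    """
    if not encrypted:
        return {}
    key = derive_file_key(read_raw_key(forest_png))
    sample_name = next(iter(encrypted))
    if not key_looks_right(key, encrypted[sample_name]):
        return None
    return {name + ".decrypted": decrypt_file(key, blob) for name, blob in encrypted.items()}


if __name__ == "__main__":
    # Constructed victim: two files encrypted under the key derived from FOREST_PNG.
    victim_key = derive_file_key(read_raw_key(FOREST_PNG))
    files = {
        "report.pdf": encrypt_file(victim_key, b"%PDF-1.7 quarterly figures"),
        "archive.zip": encrypt_file(victim_key, b"PK\x03\x04 payload"),
    }
    print("right key :", recover(FOREST_PNG, files))
    print("wrong key :", recover(WRONG_PNG, files))   # None: aborted before writing
```

The dry run is the part worth copying into any real decrypter: a known-header check on a single file costs nothing and turns the wrong-key failure mode from silently corrupted data into a clean abort.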

But while the decrypter will help past victims, its release also means the BlackByte gang has now learned of the flaw in its encryption routine and will most likely fix it, as has happened before when decrypters were released to the public without the ransomware operation itself being taken down.

That said, the fact that researchers found such a major flaw in the BlackByte encryption routine is not surprising: this is a relatively new group, and its code is bound to have bugs.

First spotted three weeks ago, at the end of September, the gang has had limited activity and its dark web leak site, where the group lists victims who refused to pay the ransom demand, only lists eight entries so far.

Leak site for new BlackByte ransomware pic.twitter.com/JGJRBJkpPC

— Catalin Cimpanu (@campuscodi) September 28, 2021

The post Free decrypter released for BlackByte ransomware victims appeared first on The Record by Recorded Future.

