[TheRecord] Free decrypter released for BlackByte ransomware victims

Cybersecurity firm Trustwave has released on Friday a free utility that victims of the BlackByte ransomware can use to decrypt and restore their files without paying the ransom demand.

Made available on GitHub, the decrypter exploits a design flaw in the ransomware’s encryption routine.

In a two-part technical analysis, Trustwave researchers said they discovered that the BlackByte encryption routine began after the group downloaded a fake image file named “forest.png” on all of its victims’ computers.

According to researchers, this file contained a “raw” cryptographic key that the ransomware would use to derive keys to encrypt the victim’s files and then generate an access key to grant the victim access to a dark web portal where they could negotiate and pay the attacker’s ransom.

Image: Trustwave

Trustwave researchers said this process was rather simplistic compared to the more complex and more secure encryption routines used by other gangs.

The decrypter they released on Friday automates the process of reading the raw key from the forest.png file, and then computing the decryption key needed to recover and restore the victim’s files.

A default “forest.png” file is included with the decrypter, but victims are advised to replace this file with the one found on their own systems.
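The process described above (a raw key shipped as a file, per-file keys derived from it, and a decrypter that reverses the derivation) can be modelled in a few lines. The following is an added illustration written for this page; it is not Trustwave's tool and not BlackByte's actual routine, whose cipher and derivation details the article does not give. It assumes a stand-in raw key file in place of forest.png, HKDF-SHA256 for key derivation, an HMAC-SHA256 counter-mode keystream as a stand-in cipher, and an authentication tag so that a decrypter can detect a wrong raw key and refuse to overwrite a file instead of corrupting it, which is exactly the risk the advice to use one's own forest.png is about.

```python
import hashlib
import hmac
import os
from typing import Optional

# Toy model (added example, not the real BlackByte scheme or Trustwave's decrypter):
# RAW_KEY stands in for the contents of forest.png. Anyone holding this file can
# re-derive every per-file key, which is the design flaw the article describes.
RAW_KEY = b"constructed stand-in for the raw key carried in forest.png"

NONCE_LEN = 16   # per-file random salt/nonce, stored in the file header
TAG_LEN = 32     # HMAC-SHA256 tag length


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) built from HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 over (nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_file_keys(raw_key: bytes, nonce: bytes, path: str):
    """Per-file encryption and MAC keys, both derived from the one raw key."""
    enc_key = hkdf_sha256(raw_key, nonce, b"enc:" + path.encode())
    mac_key = hkdf_sha256(raw_key, nonce, b"mac:" + path.encode())
    return enc_key, mac_key


def encrypt_file_bytes(raw_key: bytes, path: str, plaintext: bytes) -> bytes:
    """Produce a constructed 'encrypted file' blob for the demo: nonce || tag || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_file_keys(raw_key, nonce, path)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def decrypt_file_bytes(raw_key: bytes, path: str, blob: bytes) -> Optional[bytes]:
    """Recover a file from the raw key; return None (write nothing) if the key is wrong."""
    nonce, tag, ct = blob[:NONCE_LEN], blob[NONCE_LEN:NONCE_LEN + TAG_LEN], blob[NONCE_LEN + TAG_LEN:]
    enc_key, mac_key = derive_file_keys(raw_key, nonce, path)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    # A wrong raw key (e.g. the default forest.png instead of the victim's own)
    # fails this check, so the decrypter refuses rather than emitting garbage.
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """Constructed end-to-end run: right key recovers the file, wrong key is rejected."""
    original = b"quarterly report: constructed sample plaintext"
    blob = encrypt_file_bytes(RAW_KEY, "reports/q3.docx", original)
    return {
        "recovered": decrypt_file_bytes(RAW_KEY, "reports/q3.docx", blob) == original,
        "wrong_key_rejected": decrypt_file_bytes(b"another victim's raw key", "reports/q3.docx", blob) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The design point for anyone building or reviewing a decrypter is the last check: because a key file from another system will silently derive the wrong per-file keys, a tool should verify a candidate key against each file (here via the tag; a known-plaintext header check works where the format has no tag) before it writes anything back to disk.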

BlackByte gang responds to researchers

The release of the decrypter did not go unnoticed by the ransomware gang. On Monday, the group posted a message on their dark web portal, trying to scare victims from using the decrypter.

Their response is valid and warns companies about using the decrypter with the wrong key (forest.png file), which would result in victims corrupting their files.

We would not recommend you to use that, because we do not use only 1 key. If you will use the wrong decryption for your system you may break everything, and you won't be able to restore your system again. We just want to warn you, if you do decide to use that, it's at your own risk.

BlackByte gang

Image: The Record

But while the decrypter will help past victims, its release also means that the BlackByte gang also learned of the flaw in its encryption routine and will most likely fix it — something that has happened before with other decrypters released to the general public without taking down the ransomware gang’s operations.

However, the fact that researchers found such a major flaw in the BlackByte ransomware encryption routine is not a surprise since this is a relatively new group, bound to have many bugs in its code.

First spotted three weeks ago, at the end of September, the gang has had limited activity and its dark web leak site, where the group lists victims who refused to pay the ransom demand, only lists eight entries so far.

Leak site for new BlackByte ransomware pic.twitter.com/JGJRBJkpPC

— Catalin Cimpanu (@campuscodi) September 28, 2021

The post Free decrypter released for BlackByte ransomware victims appeared first on The Record by Recorded Future.

