Security Research Labs (SRLabs) Releases Decryptor for Black Basta Encryption Flaw
Specialists at Security Research Labs (SRLabs) have built a decryptor that exploits a flaw in the encryption routine of the Black Basta ransomware, letting victims recover their encrypted files. The tool, called Black Basta Buster, can recover files encrypted between November 2022 and the recent past.
However, the Black Basta developers have recently fixed this flaw, so the technique does not work against files encrypted by newer versions of the malware. Victims of more recent attacks therefore cannot rely on the tool.
The flaw lies in how Black Basta used the XChaCha20 stream cipher. A stream cipher XORs plaintext with keystream and is only safe when every keystream byte is used once; the Black Basta developers instead reused the same 64-byte keystream block for every chunk they encrypted. As a result, any 64-byte chunk of zeros in a file encrypts to the raw 64-byte keystream itself (0 XOR K = K). SRLabs' specialists could therefore read the keystream straight out of the ciphertext and XOR it back over the remaining chunks to decrypt the entire file.
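The keystream-reuse flaw described above, modelled in Python as an added example (this is neither SRLabs' Black Basta Buster code nor the ransomware's encryptor). Assumptions of my own: the 64-byte keystream is SHA-512 output standing in for a real XChaCha20 keystream block, the "disk image" is a constructed byte string, the per-chunk scheme in `fixed_encrypt` is only a model of what a corrected cipher achieves, and the most-frequent-chunk heuristic in `guess_keystream_by_frequency` is my illustration of locating a zero chunk without prior knowledge, not a description of the tool's method:

```python
"""Model of the Black Basta keystream-reuse flaw (added illustration, not SRLabs' or the ransomware's code).

Assumptions made here, not taken from the article:
  * DEMO_KEYSTREAM (64 bytes of SHA-512 output) stands in for one XChaCha20 keystream block.
  * build_sample_image() is a constructed stand-in for a virtual disk image.
  * fixed_encrypt() only models "fresh keystream per chunk"; it is not Black Basta's fix.
  * guess_keystream_by_frequency() is my illustration of finding a zero chunk with no
    known plaintext; the article only says that 64 known plaintext bytes are needed.
"""
import hashlib
from collections import Counter

BLOCK = 64  # chunk size the flaw operates on

DEMO_KEYSTREAM = hashlib.sha512(b"constructed stand-in for an XChaCha20 keystream block").digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def flawed_encrypt(data: bytes, keystream: bytes) -> bytes:
    """XOR every 64-byte chunk with the SAME keystream block.

    This is the bug: a stream cipher must produce fresh keystream for each chunk.
    XOR is its own inverse, so this function also decrypts."""
    assert len(keystream) == BLOCK
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        out += xor(chunk, keystream[:len(chunk)])
    return bytes(out)


def fixed_encrypt(data: bytes, key: bytes) -> bytes:
    """Model of corrected behaviour: a distinct keystream block for each chunk index.

    Here the per-chunk keystream is SHA-512(key || counter); a real implementation
    would let XChaCha20 advance its block counter. The only point is that no two
    chunks share keystream, so equal plaintext chunks no longer give equal ciphertext."""
    out = bytearray()
    for n, i in enumerate(range(0, len(data), BLOCK)):
        ks = hashlib.sha512(key + n.to_bytes(8, "little")).digest()
        chunk = data[i:i + BLOCK]
        out += xor(chunk, ks[:len(chunk)])
    return bytes(out)


def keystream_from_known_plaintext(ciphertext: bytes, offset: int, known: bytes) -> bytes:
    """K = C XOR P for one chunk-aligned 64-byte chunk whose plaintext is known.
    With P = 64 zero bytes, the keystream is literally the ciphertext chunk."""
    assert offset % BLOCK == 0 and len(known) == BLOCK
    return xor(ciphertext[offset:offset + BLOCK], known)


def guess_keystream_by_frequency(ciphertext: bytes) -> bytes:
    """Assumed heuristic: with a reused keystream, equal plaintext chunks encrypt to
    equal ciphertext chunks. In zero-padded files the most frequent chunk is 0^64 XOR K = K."""
    chunks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext) - BLOCK + 1, BLOCK)]
    most_common, _count = Counter(chunks).most_common(1)[0]
    return most_common


def build_sample_image() -> bytes:
    """Constructed sample: a header, some text, a zero-filled region like unused
    disk sectors, then a short tail. Not a real disk image."""
    header = b"CONSTRUCTED-DISK-IMAGE-v1\x00\x00\x00"
    text = b"partition table placeholder " * 5
    return header + text + bytes(8 * BLOCK) + b"tail data\n" * 3


def demo() -> dict:
    plaintext = build_sample_image()
    ciphertext = flawed_encrypt(plaintext, DEMO_KEYSTREAM)

    # Scenario 1: 64 plaintext bytes are known at a chunk-aligned offset (here, a zero run).
    zero_offset = next(i for i in range(0, len(plaintext), BLOCK)
                       if plaintext[i:i + BLOCK] == bytes(BLOCK))
    k_known = keystream_from_known_plaintext(ciphertext, zero_offset, bytes(BLOCK))

    # Scenario 2: nothing known; lean on repeated ciphertext chunks.
    k_guess = guess_keystream_by_frequency(ciphertext)

    # Same file under the per-chunk scheme: the single-keystream attack recovers nothing.
    fixed_ct = fixed_encrypt(plaintext, DEMO_KEYSTREAM)
    fixed_guess = guess_keystream_by_frequency(fixed_ct)

    return {
        "keystream_known_plaintext": k_known,
        "keystream_frequency": k_guess,
        "roundtrip_ok": flawed_encrypt(ciphertext, k_known) == plaintext,
        "fixed_variant_recovered": flawed_encrypt(fixed_ct, fixed_guess) == plaintext,
    }


if __name__ == "__main__":
    r = demo()
    print("keystream recovered from known zeros:", r["keystream_known_plaintext"] == DEMO_KEYSTREAM)
    print("keystream recovered by frequency:    ", r["keystream_frequency"] == DEMO_KEYSTREAM)
    print("flawed variant fully decrypted:      ", r["roundtrip_ok"])
    print("fixed variant decrypted the same way:", r["fixed_variant_recovered"])
```

The frequency heuristic is the reason large, sparsely filled files are the easy case: the more 64-byte zero runs a file contains, the more often the bare keystream appears verbatim in the ciphertext. Once any chunk advances its own keystream, as in `fixed_encrypt`, repeated plaintext no longer produces repeated ciphertext and the shortcut disappears.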
Black Basta Buster consists of a collection of Python scripts for decrypting files under various scenarios. Note, however, that it only works on files encrypted by Black Basta versions active between November 2022 and the recent past. Files carrying the ".basta" extension are also not supported by the tool.
The effectiveness of Black Basta Buster has been confirmed, but the decryptor handles only one file at a time, which can make recovery of a large volume of encrypted data laborious.
Recovery requires knowing 64 bytes of the original plaintext (in practice, a 64-byte run of zeros). How much of a file can be recovered depends on its size: files smaller than 5,000 bytes cannot be fully recovered; files between 5,000 bytes and 1 GB can be recovered completely; for files larger than 1 GB the first 5,000 bytes are lost, but the remainder can still be recovered.
Small files are therefore hard to decrypt, but large files such as virtual machine disk images can generally be recovered because they contain many zero-filled sections.