Free Decryptor for BlackByte Ransomware was released

November 9, 2021

Past victims of the BlackByte ransomware have reason to celebrate: a free decryptor has been released to the public. When ransomware runs on a target, it normally generates a unique encryption key per file, or a single per-machine key (a session key), and uses it to encrypt the victim's files.

Those session keys are then encrypted with the operators' public Rivest–Shamir–Adleman (RSA) key and appended to the encrypted files or the ransom note. Only the matching private key, held solely by the ransomware operators, can decrypt them. That is what gives the extortion its leverage: the victim cannot recover the session keys without the private key, and the operators only use it to decrypt the keys and supply a decryptor once the ransom has been paid.


What caused the discovery of BlackByte Ransomware’s encryption keys? 

According to the researchers, the ransomware downloaded a file named 'forest.png' from a remote site controlled by the threat actors. Although the file is named like an image, it holds the AES encryption key used to encrypt the device.

BlackByte uses AES, a symmetric cipher, so the same key is used both to encrypt and to decrypt the files.

The researchers also discovered that the gang was reusing the same forest[.]png file, and therefore the same AES key, across multiple victims. BlackByte does go on to encrypt the downloaded AES key and append it to the ransom note, but the raw key was still being served from the same file to every victim.

Because the threat actors reused the same key, the researchers could extract it from forest[.]png and build a decryptor that recovers a victim's files for free.


Releasing a free decryptor to the public has a predictable downside: it tips off the ransomware gang, who can then fix the flaw in their scheme.


The gang has already noticed the researchers' free decryptor and responded with a warning that they had used more than one key. If the decryptor is run with a key that does not match the one used to encrypt a given file, it can corrupt the victim's data.

The researchers note that victims who want to use the decryptor must download its source code and compile it themselves.

Although the researchers ship a default forest[.]png from which the decryption key is extracted, the ransomware group may rotate the key served in that file. Victims are therefore strongly advised to back up their encrypted files before attempting to decrypt them.
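The two points above, the key-reuse flaw that made the decryptor possible and the wrong-key corruption risk that makes a backup essential, as an added example that is not the researchers' decryptor or the malware's own code. It models the scheme the article describes: a session key is read from a constructed stand-in for forest.png, files are encrypted with it, and the key is RSA-wrapped for the note. The file layout (PNG signature followed by a 32-byte key), the AES mode (CTR) and the use of a file's magic bytes as the known-plaintext check are assumptions made for the demonstration; the page does not specify them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed stand-in for forest.png: a PNG signature followed by a
// 32-byte AES-256 key. The real file's layout is an assumption here.
var pngSig = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}

func buildForestPNG(key []byte) []byte {
	return append(append([]byte{}, pngSig...), key...)
}

// extractKey recovers the AES key from the downloaded "image". This is the
// step a free decryptor can take because the same file served every victim.
func extractKey(blob []byte) ([]byte, error) {
	if len(blob) != len(pngSig)+32 || !bytes.HasPrefix(blob, pngSig) {
		return nil, errors.New("unexpected forest.png layout")
	}
	return blob[len(pngSig):], nil
}

// encrypt is AES-256-CTR; output is iv || ciphertext. Like most ransomware
// file encryption it is unauthenticated: decrypting with the wrong key
// silently produces garbage rather than an error.
func encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return append(iv, out...), nil
}

func decrypt(key, data []byte) ([]byte, error) {
	if len(data) < aes.BlockSize {
		return nil, errors.New("ciphertext shorter than one IV")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCTR(block, data[:aes.BlockSize]).XORKeyStream(out, data[aes.BlockSize:])
	return out, nil
}

// wrapKey models what the operators do with the session key: RSA-OAEP it to
// their public key and append it to the note. Only the private key unwraps it,
// which is why the scheme would be sound if the key were not reused.
func wrapKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

// safeDecrypt returns plaintext only if it passes a known-plaintext check
// (here: the expected file magic). A decryptor should write to a new file
// and run a check like this before ever touching the original, because a
// rotated or wrong key yields corrupt output with no error.
func safeDecrypt(key, data, expectedMagic []byte) ([]byte, error) {
	pt, err := decrypt(key, data)
	if err != nil {
		return nil, err
	}
	if !bytes.HasPrefix(pt, expectedMagic) {
		return nil, errors.New("magic check failed: wrong key, file left untouched")
	}
	return pt, nil
}

func main() {
	key := bytes.Repeat([]byte{0x41}, 32) // constructed key, not a real one
	forest := buildForestPNG(key)
	doc := []byte("%PDF-1.7 constructed sample document") // constructed input
	ct, _ := encrypt(key, doc)

	recovered, _ := extractKey(forest)
	pt, err := safeDecrypt(recovered, ct, []byte("%PDF"))
	fmt.Printf("with forest.png key: err=%v, plaintext=%q\n", err, pt)

	_, err = safeDecrypt(bytes.Repeat([]byte{0x42}, 32), ct, []byte("%PDF"))
	fmt.Printf("with rotated key:    err=%v\n", err)
}
```

The check in safeDecrypt is the practical form of the "back up first" advice: decrypt into a separate buffer or file, verify it looks like the original format, and only then replace the encrypted copy. Without that, a decryptor keyed from a stale forest[.]png turns a recoverable file into an unrecoverable one.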
