With so much bad news about ransomware in the headlines every day, it’s good to share some good news.
Security experts at Trustwave have released a free decryption tool that can be used by BlackByte ransomware victims to decrypt and recover their files. That’s right – you don’t need to pay the ransom.
In a series of posts on their SpiderLabs blog, Trustwave’s Rodel Mendrez and Lloyd Macrohon explained that they uncovered an “odd” design decision in the BlackByte ransomware’s encryption algorithm:
Unlike other ransomware that may have a unique key in each session, BlackByte uses the same raw key (which it downloads) to encrypt files and it uses a symmetric-key algorithm – AES. To decrypt a file, one only needs the raw key to be downloaded from the host. As long as the .PNG file it downloaded remains the same, we can use the same key to decrypt the encrypted files.
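As an added illustration of the key-reuse point above (example code written for this article, not Trustwave's decryptor or anything from the ransomware itself): one raw symmetric key is reused for every file, so a single recovered key unlocks all of them, and a cheap header check keeps a wrong key from silently corrupting data. AES is replaced by a standard-library keystream stand-in so it runs offline, and the key bytes, file names and contents are constructed.

```python
import hashlib
import os

# Constructed sample data: the "raw key" the malware is said to download once,
# plus three victim files whose types have recognisable headers.
RAW_KEY = hashlib.sha256(b"constructed-key-material").digest()
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.7 constructed document body",
    "logo.png": b"\x89PNG\r\n\x1a\n constructed image bytes",
    "backup.zip": b"PK\x03\x04 constructed archive bytes",
}
MAGIC = (b"%PDF", b"\x89PNG", b"PK\x03\x04")

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for an AES keystream built from hashlib; the reuse property shown
    here does not depend on the cipher, only on the same key being reused."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_file(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # per-file nonce, but the key itself never changes
    return nonce + xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))

def decrypt_file(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:16], blob[16:]
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))

def looks_valid(data: bytes) -> bool:
    """Cheap sanity check a decryptor can apply before touching the original."""
    return data.startswith(MAGIC)

def recover(key: bytes, encrypted: dict) -> tuple:
    """Try one recovered key against every file; only results that pass the
    header check are accepted, so a wrong key cannot silently corrupt data."""
    recovered, rejected = {}, []
    for name, blob in encrypted.items():
        plaintext = decrypt_file(key, blob)
        if looks_valid(plaintext):
            recovered[name] = plaintext
        else:
            rejected.append(name)
    return recovered, rejected

def demo() -> tuple:
    """Encrypt the samples under the one shared key, then try recovery with the
    right key and with a wrong one (all-zero key, constructed)."""
    encrypted = {name: encrypt_file(RAW_KEY, data) for name, data in SAMPLE_FILES.items()}
    return recover(RAW_KEY, encrypted), recover(b"\x00" * 32, encrypted)
```

The header check is the reason to keep the encrypted originals (and a backup) until recovery is verified: a decryptor that writes unvalidated output in place is where the "you may break everything" risk actually lives.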
It’s not uncommon for ransomware gangs to claim that prior to their corporate victims’ data being encrypted it was stolen and will be sold to other online criminals if a ransom is not paid.
BlackByte is no different in this regard, and victims are directed towards a site on the dark web where it appears their data is being prepped for sale in an online auction.
However, according to the security researchers, the ransomware does not contain any functionality to exfiltrate data, and the claim may simply be made to scare victims into paying.
Trustwave’s free BlackByte decryptor tool claims to take advantage of the ransomware’s design weakness and can be downloaded from GitHub.
Perhaps predictably, the BlackByte ransomware gang has responded to Trustwave’s release of the decryptor tool and has published a message on its website warning victims not to use it:
We have seen in some places that there is a decryption for our ransom. We would not recommend you to use that, because we do not use only 1 key. If you will use the wrong decryption for your system you may break everything, and you won't be able to restore your system again. We just want to warn you, if you do decide to use that, it's at your own risk.
Thanks to “SpiderLabs” aka ClownLabs, because of you many systems will be broken without any chance to recovery.
How kind of the criminals who infected your computer and then attempted to extort money out of you to care so much for your data’s welfare. It should go without saying, but doesn’t, that you should back up your important data before running any decryption tool.