Free BlackByte decryptor released, after researchers say they found flaw in ransomware code

Graham Cluley

With so much bad news about ransomware in the headlines every day, it’s good to share some good news.

Security experts at Trustwave have released a free decryption tool that can be used by BlackByte ransomware victims to decrypt and recover their files. That’s right – you don’t need to pay the ransom.

In a series of posts on their SpiderLabs blog, Trustwave’s Rodel Mendrez and Lloyd Macrohon explained that they uncovered an “odd” design decision in the BlackByte ransomware’s encryption algorithm:

Unlike other ransomware that may have a unique key in each session, BlackByte uses the same raw key (which it downloads) to encrypt files and it uses a symmetric-key algorithm – AES. To decrypt a file, one only needs the raw key to be downloaded from the host. As long as the .PNG file it downloaded remains the same, we can use the same key to decrypt the encrypted files.

It’s not uncommon for ransomware gangs to claim that prior to their corporate victims’ data being encrypted it was stolen and will be sold to other online criminals if a ransom is not paid.

BlackByte is no different in this regard, and victims are directed towards a site on the dark web where it appears their data is being prepped for sale in an online auction.

Blackbyte auction site

However, according to the security researchers, the ransomware does not contain any functionality to exfiltrate data, and the claim may be being made simply to scare victims into paying.

Trustwave’s free BlackByte decryptor tool claims to take advantage of the ransomware’s design weakness and can be downloaded from GitHub.

Perhaps predictably, the BlackByte ransomware gang has responded to Trustwave’s release of the decryptor tool and has published a message on its website warning victims not to use it:

Blackbyte blog

We have seen in some places that there is a decryption for our ransom. We would not recommend you to use that, because we do not use only 1 key. If you will use the wrong decryption for your system you may break everything, and you won’t be able to restore your system again. We just want to warn you, if you do decide to use that, it’s at your own risk.

Thanks to “SpiderLabs” aka ClownLabs, because of you many systems will be broken without any chance of recovery.

How kind of the criminals who infected your computer and then attempted to extort money out of you to care so much for your data’s welfare. It should go without saying, but doesn’t, that you should back up your important data before running any decryption tool.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
