Poor Encryption Trips Up Black Basta Ransomware

And, so, at the end of December 2023, Security Research Labs released a decryptor for the Black Basta ransomware [here]. How could this happen? Well, the decryptor exploits the way stream encryption is used to encrypt the files. Within any stream encryption method, it is possible to flip bits in a file if you know the original version of the content. For example, let’s say we have “abc” (01100001 01100010 01100011), and a key stream of 0000 1010 1100 1010 1110 1111. To encrypt, we XOR the key stream with the content to give:

0110 0001 0110 0010 0110 0011 abc
0000 1010 1100 1010 1110 1111 [keystream]
-----------------------------
0110 1011 1010 1000 1000 1100 [ciphertext]

But if we know that the content was “abc”, then we can recover the key stream by taking the ciphertext and XOR’ing it with the known data:

0110 1011 1010 1000 1000 1100 [ciphertext]
0110 0001 0110 0010 0110 0011 abc
-----------------------------
0000 1010 1100 1010 1110 1111 [keystream]

We have thus recovered the key stream. The decryptor takes the same approach and discovers the ChaCha20 key stream for a 64-byte sample, as this is the block size used by the encryptor. Each 64-byte key stream block is then XOR’ed with 64 bytes of the file. In most cases, we would not be able to reuse the same key stream for different files, as a fresh salt value is used for each one, but this is not the case with the Black Basta ransomware.

To decrypt the ransomware, we need to know 64 bytes of plaintext within a file and locate the 64 bytes of the associated ciphertext. Otherwise, it is possible to find regions of zero bytes (which occur in many files). Once aligned with the ciphertext, XOR’ing the zeros reveals the actual key stream:

0000 0000 0000 0000 0000 0000 Zero
0000 1010 1100 1010 1110 1111 [ciphertext]
-----------------------------
0000 1010 1100 1010 1110 1111 [keystream]

This is known as a Known Plaintext Attack (KPA), where we simply XOR the known data with the ciphertext.
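Both recoveries above, the known-plaintext XOR on “abc” and the zero-region trick, carried through in Python as an added example (this is not code from the post, from the SRLabs decryptor, or from the ransomware). It assumes a simplified model of the flaw: one ChaCha20 block, computed from a fixed key, nonce and counter, XOR’ed against every 64-byte chunk of every file. The key, nonce, file contents and function names are constructed for the demonstration; the ChaCha20 block function follows RFC 7539 and is checked against that RFC’s published test vector.

```python
"""Keystream recovery against a stream cipher that reuses one 64-byte block.

Added, simplified model (assumption): NOT Black Basta's code and NOT the
SRLabs decryptor. It reproduces the weakness the post describes, one ChaCha20
keystream block XORed against every 64-byte chunk of every file, then
recovers that block from a known plaintext or from a run of zero bytes.
"""
import struct
from collections import Counter

MASK32 = 0xFFFFFFFF
BLOCK = 64  # ChaCha20 block size, the unit the encryptor works in


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block per RFC 7539 (32-byte key, 12-byte nonce)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter & MASK32]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((a + b) & MASK32 for a, b in zip(w, state)))


def chacha20_selftest():
    """Check the block function against the RFC 7539 section 2.3.2 test vector."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    return chacha20_block(key, 1, nonce)[:16] == bytes.fromhex("10f1e7e4d13b5915500fdd1fa32071c4")


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def apply_keystream(data, ks):
    """XOR the same 64-byte block against every chunk; encryption and decryption alike."""
    return b"".join(xor_bytes(data[i:i + BLOCK], ks) for i in range(0, len(data), BLOCK))


def flawed_encrypt(data, key, nonce):
    """Model of the weakness: a correct design would advance the counter per chunk
    and use a fresh key/nonce per file; here one block is reused everywhere."""
    return apply_keystream(data, chacha20_block(key, 0, nonce))


def recover_keystream_kpa(ciphertext, known_plaintext, offset=0):
    """Known-plaintext attack: keystream = ciphertext XOR plaintext (the 'abc' case)."""
    return xor_bytes(ciphertext[offset:offset + len(known_plaintext)], known_plaintext)


def recover_keystream_from_zeros(ciphertext):
    """Zero-region attack: zero plaintext XOR keystream = keystream, so with a reused
    block the most frequent aligned 64-byte chunk of ciphertext IS the block."""
    chunks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext) - BLOCK + 1, BLOCK)]
    chunk, count = Counter(chunks).most_common(1)[0]
    if count < 2:
        raise ValueError("no repeated chunk: no zero-filled region to exploit")
    return chunk


def demo():
    """Recover the block from a zero-heavy 'disk image', decrypt a different file."""
    key, nonce = bytes(range(32, 64)), b"constructed!"  # constructed victim secrets
    disk_image = b"KDMV" + bytes(60) + bytes(4096) + b"guest filesystem payload " * 3
    document = b"Quarterly report: constructed sample text for the demo.\n" * 2
    enc_disk = flawed_encrypt(disk_image, key, nonce)
    enc_doc = flawed_encrypt(document, key, nonce)  # same block reused across files
    ks = recover_keystream_from_zeros(enc_disk)
    return apply_keystream(enc_doc, ks) == document, ks == chacha20_block(key, 0, nonce)


if __name__ == "__main__":
    print("chacha20 self-test:", chacha20_selftest())
    print("abc keystream:", recover_keystream_kpa(bytes.fromhex("6ba88c"), b"abc").hex())
    print("decrypted other file, block matched:", demo())
```

The zero-region recovery needs no knowledge of the file format: because the same 64-byte block is reused, any run of zero plaintext shows up in the ciphertext as the same 64-byte chunk repeated at block-aligned offsets, which is exactly what makes a zero-padded VMDK such an easy source. A correctly implemented stream cipher, with a per-file key or nonce and a counter that advances per block, would produce no repeats and leave nothing to recover.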

When using a VMware virtualised disk (with a VMDK extension), the zero-filled regions are fairly easy to find:

Figure [here]

You can find out more about ChaCha20 key stream generation here:

https://asecuritysite.com/chacha20/