Poor Encryption Trips Up Black Basta Ransomware


At the end of December 2023, Security Research Labs released a decryptor for the Black Basta ransomware [here]. How could this happen? The answer lies in the use of stream encryption to encrypt the files. With any stream encryption method, it is possible to flip bits in a file if you know the original version of the content. For example, let’s say we have “abc” (01100001 01100010 01100011), and a key of 0000 1010 1100 1010 1110 1111. To encrypt, we create a key stream and then XOR it with the content to give:

0110 0001 0110 0010 0110 0011 abc
0000 1010 1100 1010 1110 1111 [keystream]
-----------------------------
0110 1011 1010 1000 1000 1100 [ciphertext]

But if we know that the content was “abc”, then we can recover the key by taking the cipher stream and XOR’ing it with the data:

0110 1011 1010 1000 1000 1100 [ciphertext]
0110 0001 0110 0010 0110 0011 abc
-----------------------------
0000 1010 1100 1010 1110 1111 [keystream]

We have thus recovered the key. The decryptor takes the same approach and discovers the ChaCha20 key stream for a 64-byte sample, as this is the block size for the encryptor. Each 64-byte key stream element is then XORed with the 64 bytes from the files. In most cases, we would not be able to use the same key stream for…
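The recovery described above, as an added example that is not code from the article or from the Security Research Labs decryptor. It assumes one 64-byte key stream block is reused for every 64-byte chunk of a file; the key stream is a constructed stand-in (SHAKE-256 output, not real ChaCha20), the sample file is constructed, and the helper names are hypothetical.

```python
import hashlib

BLOCK = 64  # key stream block size given in the article


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(cipher_block: bytes, known_plain: bytes) -> bytes:
    """Known plaintext XOR ciphertext yields the key stream for that span."""
    return xor_bytes(cipher_block, known_plain)


def apply_keystream(data: bytes, keystream: bytes) -> bytes:
    """XOR every keystream-sized chunk of data with the same key stream block.

    Encryption and decryption are the same operation for an XOR stream.
    """
    n = len(keystream)
    out = bytearray()
    for i in range(0, len(data), n):
        chunk = data[i:i + n]
        out += xor_bytes(chunk, keystream[:len(chunk)])
    return bytes(out)


def demo() -> tuple[bool, bytes]:
    """Recover a reused 64-byte key stream and decrypt the rest of a file."""
    # Constructed stand-in key stream (SHAKE-256 output, not real ChaCha20).
    secret_ks = hashlib.shake_256(b"constructed demo seed").digest(BLOCK)
    # Constructed sample file: one known 64-byte block, then unknown content.
    known = b"SAMPLE-FILE-HEADER".ljust(BLOCK, b"\x00")
    unknown = b"invoice 0042: total due 1,250.00; " * 5
    ciphertext = apply_keystream(known + unknown, secret_ks)

    recovered = recover_keystream(ciphertext[:BLOCK], known)
    plaintext = apply_keystream(ciphertext, recovered)
    return recovered == secret_ks, plaintext[BLOCK:]


if __name__ == "__main__":
    # The article's "abc" example: key stream 0000 1010 1100 1010 1110 1111.
    ct = apply_keystream(b"abc", bytes([0x0A, 0xCA, 0xEF]))
    print(ct.hex(), recover_keystream(ct, b"abc").hex())
    print(demo())
```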


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
