Trustwave’s SpiderLabs researchers have released a decryptor that allows victims of the BlackByte ransomware to restore their files for free. The experts discovered the BlackByte ransomware while investigating a recent malware incident. The ransomware was created to avoid infecting systems that primarily use Russian or related languages.
Trustwave’s analysis states:
“Unlike other ransomware that may have a unique key in each session, BlackByte uses the same raw key (which it downloads) to encrypt files and it uses a symmetric-key algorithm – AES. To decrypt a file, one only needs the raw key to be downloaded from the host. As long as the .PNG file it downloaded remains the same, we can use the same key to decrypt the encrypted files.”
We thought that this ransomware was not only interesting but also quite odd:
- Same as other notorious ransomware variants like REvil, BlackByte also avoids systems with Russian and ex-USSR languages.
- It has a worm functionality similar to RYUK ransomware.
- It creates a wake-on-LAN magic packet and sends it to the target host – making sure they are alive when infecting them.
- The author hosted the encryption key in a remote HTTP server and in a hidden file with .PNG extension.
- The author lets the program crash if it fails to download the encryption key.
- The RSA public key embedded in the body is only used once, to encrypt the raw key to display in the ransom note – that’s it.
- The ransomware uses only one symmetric key to encrypt the files.
To decrypt a file, all that is required is to download the raw key from the host. We can use the same key to decode the encrypted files as long as the .PNG file it downloaded remains the same.
So, we wrote a file decryptor that is available at this link: https://github.com/SpiderLabs/BlackByteDecryptor
BlackByte deletes all shadow copies and Windows restore points, deletes the recycle bin, disables controlled folder access, enables file and printer sharing and network discovery, and enables the SMB1 protocol to prevent victims from recovering encrypted files.
It denotes the registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
And then deletes the following subkeys:
The good news is that the decryptor is now available; Trustwave made it available for free on GitHub.
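The wake-on-LAN magic packet mentioned in the behaviour list above has a fixed layout (six 0xFF bytes followed by the target MAC address repeated 16 times), so defenders can spot it in captured traffic. The Python below is an added example, not code from Trustwave or from this article; the sample records, IP addresses and the `max_targets` threshold are constructed assumptions.

```python
from collections import defaultdict

SYNC = b"\xff" * 6  # synchronization stream that opens every magic packet


def find_magic_packets(payload: bytes):
    """Return the target MAC of every wake-on-LAN magic packet in payload.

    The packet may sit at any offset (UDP payload or raw Ethernet frame),
    so the payload is scanned rather than matched only at offset 0.
    """
    targets = []
    pos = payload.find(SYNC)
    while pos != -1:
        mac = payload[pos + 6:pos + 12]
        body = payload[pos + 6:pos + 6 + 6 * 16]
        # Require 16 exact repeats; an all-0xFF "MAC" is padding, not a target.
        if len(body) == 96 and body == mac * 16 and mac != SYNC:
            targets.append(":".join(f"{b:02x}" for b in mac))
            pos = payload.find(SYNC, pos + 102)
        else:
            pos = payload.find(SYNC, pos + 1)
    return targets


def wol_senders(records, max_targets=1):
    """Return sources that tried to wake more than max_targets distinct hosts.

    max_targets is an assumed threshold; tune it to your management tooling.
    """
    seen = defaultdict(set)
    for src, payload in records:
        seen[src].update(find_magic_packets(payload))
    return {s: sorted(m) for s, m in seen.items() if len(m) > max_targets}


def _magic(mac_hex):
    """Build a constructed sample packet for the demo records below."""
    return SYNC + bytes.fromhex(mac_hex) * 16


# Constructed (source IP, payload) records, not real capture data.
SAMPLE = [
    ("10.0.0.5", _magic("001122334455")),
    ("10.0.0.5", b"\x00\x01" + _magic("0011223344aa") + b"pad"),
    ("10.0.0.5", _magic("0011223344bb")),
    ("10.0.0.9", _magic("001122334455")),  # single wake, e.g. an admin tool
    ("10.0.0.7", SYNC + b"not a magic packet"),
]

if __name__ == "__main__":
    print(wol_senders(SAMPLE))
```

A workstation that suddenly sends magic packets to many distinct MAC addresses is worth correlating with SMB activity from the same source.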