- A decryptor for the BlackByte ransomware strain was released by the cybersecurity company Trustwave.
- The BlackByte group warns victims that using the wrong decryptor might corrupt locked files.
- So far, only eight targets have refused to pay the BlackByte ransom.
Trustwave, a cybersecurity company, has published a free decryptor for BlackByte on GitHub. Victims of the BlackByte ransomware can use it to decrypt and restore their files without paying the ransom. The decryptor relies on a design flaw in the ransomware’s encryption scheme to unlock the encrypted files.
Trustwave also released a two-part technical analysis explaining how they discovered the design flaw. On every targeted device, the ransomware only started encrypting after a fake image file titled “forest.png” had been downloaded. When the researchers examined this file, they found a “raw” cryptographic key from which the ransomware derives its file encryption keys. The same key material also produces the access key that unlocks the dark web portal where victims are directed to pay to free their files.
The tool automatically recovers the key from the “forest.png” file found on an infected system. The decryptor ships with a placeholder “forest.png” file, which must be replaced with the “forest.png” dropped by the ransomware, as described above.
The hacker group behind the BlackByte ransomware responded to the decryptor by warning that using the wrong key might delete or corrupt the locked data. They also claimed that they do not use only one key, and that using the wrong version can even break entire operating systems beyond any possibility of restoration.
Further, now that the BlackByte group knows of the flaw in their design, they are very likely to fix it. Once a new version of the BlackByte ransomware is released, the existing decryptor will become obsolete. However, since the BlackByte group is relatively new, Trustwave researchers speculate that they may find numerous other bugs that break the code even after this particular flaw is fixed.
The fact that this flaw was discovered three weeks ago (in September) and that the BlackByte gang has already had eight targets refuse to pay might indicate increasing resistance from potential victims. In the Netherlands, the government is planning to develop a new legal framework that would effectively outlaw ransom payments, so other countries may contemplate the idea as well.