Victims of BlackByte ransomware can now recover files for free after release of decryptor

News / Victims of BlackByte ransomware can now recover files for free after release of decryptor

Victims of BlackByte ransomware can now recover files for free after release of decryptor

Researchers at Trustwave have managed to release a free decryptor for BlackByte ransomware, allowing past victims to recover their files. 

Many variants of ransomware will use encryption to steal files or make systems inoperable, requiring the ransom to be paid which may enable the release of the encryption key. 

However, researchers at Trustwave have explained in a recent report that the BlackByte ransomware downloaded a file called ‘forest.png’ which, although would appear to be an image file, actually contains the encryption key used by the threat actors.  

BlackByte uses AES symmetrical encryption which means the same key is used for both encryption and decryption. It was also discovered that the same ‘forest.png’ file was reused for multiple victims. 

As a result, Trustwave could then build a decryptor based on this raw encryption key which could then be distributed online so that victims could recover their files for free. 

BlackByte victims wishing to attempt to use this decryptor have, however, been warned by the threat actors themselves using this method could result in permanent corruption of files and your system.  

This is seen as one of the issues of public releasing free decryptors such as this. Ransomware gangs can be alerted to their existence as well as the bugs in their programs which allow the decryptors to be made and can then fix them. BlackByte also said that they do not use only one key.  

“We have seen in some places that there is a decryption for our ransom. We would not recommend you to use that, because we do not use only 1 key. If you will use the wrong decryption for your system you may break everything, and you won’t be able to restore your system again. We just want to warn you, if you do decide to use that, it’s at your own risk,” said the gang. 

Trustwave’s decryptor is available on Github but users will need to compile the source code themselves.  

The ‘forest.png’ file is included in the folder which includes the encryption key, but Trustwave warns that the key may have been rotated. If you already have a ‘forest.png’ file on your device you should use that one instead. 

Creating a backup of files is also strongly advised before attempting to decrypt them. 

BlackByte background  

BlackByte is a form of ransomware that began targeting victims in July.

The malware ensures the targeted system won’t go to sleep during encryption and will remove specific applications that can prevent encryption. It will also attempt to uninstall anti-ransomware programs. BlackByte will also delete shadow copies and Windows restore points, delete the recycle bin and grant full access to target drives.  

Analysis of the ransomware has found that it attempts to avoid infecting systems that primarily use Russian or related languages. 

BlackByte may not be as common as other types of ransomware but they have successfully carried out many attacks worldwide and are still a noteworthy threat.

How secure is

your business?

Security test
How secure is

your business?

Security test