Free Decryptor Released for BlackByte Ransomware
Trustwave’s SpiderLabs security researchers have released a free decryptor that victims of the BlackByte ransomware can use to restore their files.
BlackByte uses a raw key and the Advanced Encryption Standard (AES) to encrypt a victim’s files, meaning that anyone in the possession of the raw key would be able to decrypt the data.
The ransomware fetches a .PNG file that contains multiple keys, which Trustwave researchers used to create the decryptor. The free tool is available on GitHub.
Analysis of the malware also revealed that it avoids infecting systems with Russian and ex-USSR languages, that it has worm-like capabilities, and it crashes if the encryption key download fails.
BlackByte was observed preparing the target system before starting the encryption, to make sure that the process isn’t interrupted. It also checks the system language to make sure it doesn’t hit victims in specific geographies.
The malware ensures that the system won’t go to sleep during encryption, and then removes specific applications that can prevent encryption. It also kills processes that might interfere with the operation and, if it finds the Raccine anti-ransomware utility, it uninstalls it from the system.
Furthermore, BlackByte deletes all shadow copies and Windows restore points, deletes the recycle bin, disables controlled folder access, enables file and printer sharing and network discovery, enables the SMB1 protocol, and grants full access to target drives to anyone.
The malware is also able to enumerate hostnames in the domain from Active Directory, pings the identified ones to ensure they are alive, and then attempts to copy and execute itself on the hosts, Trustwave says.
The ransom note dropped by the malware suggests that the attackers have also stolen data from the victim, but the researchers determined that it does not have any exfiltration functionality. “So this claim is probably designed to scare their victims into complying,” the researchers explain.