Graham Cluley
Computer security news, advice, and opinion
Free BlackByte decryptor released, after researchers say they found flaw in ransomware code
With so much bad news about ransomware in the headlines every day, it’s good to share some good news.
Security experts at Trustwave have released a free decryption tool that can be used by BlackByte ransomware victims to decrypt and recover their files. That’s right – you don’t need to pay the ransom.
In a series of posts on their SpiderLabs blog, Trustwave’s Rodel Mendrez and Lloyd Macrohon explained that they uncovered an “odd” design decision in the BlackByte ransomware’s encryption algorithm:
Unlike other ransomware that may have a unique key in each session, BlackByte uses the same raw key (which it downloads) to encrypt files and it uses a symmetric-key algorithm – AES. To decrypt a file, one only needs the raw key to be downloaded from the host. As long as the .PNG file it downloaded remains the same, we can use the same key to decrypt the encrypted files.
It’s not uncommon for ransomware gangs to claim that prior to their corporate victims’ data being encrypted it was stolen and will be sold to other online criminals if a ransom is not paid.
BlackByte is no different in this regard, and victims are directed towards a site on the dark web where it appears their data is being prepped for sale in an online auction.

However, according to the security researchers, the ransomware does not contain any functionality to exfiltrate data, and the claim may simply be an attempt to scare victims into paying.
Trustwave’s free BlackByte decryptor tool claims to take advantage of the ransomware’s design weakness and can be downloaded from GitHub.
Perhaps predictably, the BlackByte ransomware gang has responded to Trustwave’s release of the decryptor tool and has published a message on its website warning victims not to use it:

we have seen in some places that there is a decryption for our ransom. we would not recommend you to use that. because we do not use only 1 key. if you will use the wrong decryption for your system you may break everything, and you won't be able to restore your system again. we just want to warn you, if you do decide to use that, it's at your own risk.
Thanks to “SpiderLabs” aka ClownLabs, because of you many systems will be broken without any chance of recovery.
How kind of the criminals who infected your computer and then attempted to extort money out of you to care so much for your data’s welfare. It should go without saying, but doesn’t, that you should back up your important data before running any decryption tool.
Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
Copyright © 2001-2021 Cluley Associates Limited. All Rights Reserved.