2021-10-20

Trustwave security experts this week released a tool that promises to unlock the data on the machines of victims of the Blackbyte ransomware gang. The software was created from an analysis of the malware used by the group in its attacks, which revealed that the same encryption keys were reused across different attacks, allowing the creation of a solution that works in many cases without a ransom needing to be paid.

Blackbyte’s case differs from most of the more sophisticated ransomware gangs, which use unique keys for each victim or device; in some cases, even individual files are locked with their own key. That key material is itself encrypted and placed in the ransom note, while the key that unlocks everything stays in the criminals’ possession, to be handed over and applied after payment is verified. Blackbyte, however, used a command and control server from which the malware downloaded a file, and it reused the same keys in multiple attacks. The secret was in a file called forest.jpg, disguised as an image but containing the keys used to lock and unlock the device. This data was also encrypted, but Trustwave was able to reverse it and build the tool that releases victims’ files. The tool is now available online to security experts, network administrators and the affected victims themselves, who can recover the data locked by the gang.

The gang is relatively recent, having started its attacks against corporate victims in July 2021. Once installed, the ransomware moves laterally, looking for further vulnerable devices, and attempts to disable security features, particularly those associated with Microsoft Defender, before it starts locking files. According to Bleeping Computer, attacks are sporadic, always target large organizations and lead to high-value ransom demands.

[Image: Blackbyte ransom note, which warned victims that using the wrong encryption keys from the unlock tool can lead to permanent file corruption (Image: Playback / Bleeping Computer)]

The group’s response came on a cybercrime forum and was reported by Trustwave itself. Blackbyte denied that it used a single key to lock all its victims’ files and warned them against using the unlock tool, claiming that trying it with the wrong key could render the data useless, even if a ransom is later paid to obtain the gang’s own means of release.

Because of this, the recommendation is for victims to back up their information, even while it is still encrypted, before trying the software, which is available on GitHub. In addition, the experts indicate that users can try replacing the default forest.jpg file included in the solution with the one found on the affected machine alongside the ransom note, in case the cryptographic key actually differs between the group’s attacks.
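The workflow the experts describe, namely back up the encrypted files first, try the decryptor, and do not overwrite anything until the output looks like a real file, can be scripted so that a wrong key never costs the victim their only copy. The following is an added example written for this article, not Trustwave’s tool or any code from the original report. The `.locked` extension, the `keystream_xor` stand-in cipher and the sample files are all constructed for the demonstration; Blackbyte’s actual algorithm and file suffix are not described on this page.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict

# Constructed list of well-known file signatures used to sanity-check decryptor output.
# Decrypting with the wrong key yields high-entropy garbage that matches none of these.
KNOWN_MAGIC = (b"%PDF-", b"\x89PNG\r\n\x1a\n", b"PK\x03\x04", b"\xff\xd8\xff")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large encrypted files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_encrypted(src_dir: Path, backup_dir: Path, suffix: str) -> Dict[str, str]:
    """Copy every still-encrypted file to backup_dir and record its hash, so the
    encrypted originals can be retried with a later decryptor if this attempt fails."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest: Dict[str, str] = {}
    for p in src_dir.rglob(f"*{suffix}"):
        rel = p.relative_to(src_dir)
        dst = backup_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, dst)
        manifest[str(rel)] = sha256_file(dst)
    return manifest


def looks_decrypted(data: bytes) -> bool:
    """Heuristic check of decryptor output: a known file signature, or mostly
    printable text. Random-looking bytes indicate the key was wrong."""
    if any(data.startswith(m) for m in KNOWN_MAGIC):
        return True
    sample = data[:512]
    if not sample:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sample)
    return printable / len(sample) > 0.9


def try_recover(src_dir: Path, backup_dir: Path, suffix: str,
                decrypt_fn: Callable[[bytes], bytes]) -> dict:
    """Decrypt each file in memory, validate, and only then write the plaintext
    beside the encrypted original. Encrypted files are never modified in place."""
    manifest = backup_encrypted(src_dir, backup_dir, suffix)
    results = {"recovered": [], "rejected": [], "outputs": {}}
    for rel in sorted(manifest):
        enc_path = src_dir / rel
        plaintext = decrypt_fn(enc_path.read_bytes())
        if looks_decrypted(plaintext):
            enc_path.with_suffix("").write_bytes(plaintext)  # drop the ransomware suffix
            results["recovered"].append(rel)
            results["outputs"][rel] = plaintext
        else:
            results["rejected"].append(rel)
        # Confirm the encrypted original is byte-identical to its backup.
        if sha256_file(enc_path) != manifest[rel]:
            raise RuntimeError(f"encrypted original changed during recovery: {rel}")
    return results


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in cipher (SHA-256 counter keystream) used only to exercise
    the workflow. It is NOT Blackbyte's algorithm."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def demo(right_key: bytes, key_used: bytes) -> dict:
    """Build a constructed victim directory, then run the recovery with key_used."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        victim = root / "victim"
        victim.mkdir()
        samples = {
            "report.pdf.locked": b"%PDF-1.7\n% constructed sample document\n",
            "notes.txt.locked": b"Quarterly notes: constructed sample text.\n",
        }
        for name, content in samples.items():
            (victim / name).write_bytes(keystream_xor(content, right_key))
        return try_recover(victim, root / "backup_encrypted", ".locked",
                           lambda blob: keystream_xor(blob, key_used))


if __name__ == "__main__":
    print(demo(b"forest-key", b"forest-key"))  # both files recovered
    print(demo(b"forest-key", b"wrong-key"))   # both files rejected, originals untouched
```

The point of the structure is that the decryptor output is validated before anything is written, and the encrypted originals are hashed against their backup after every file, so a wrong key (as the gang warned about) results in a rejected file rather than a destroyed one.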

The criminals’ warning also suggests that a new version of Blackbyte should soon emerge, with changes to its encryption intended to render the Trustwave tool useless. As such, the standard security recommendations continue to apply: stay alert to phishing via email or messaging apps, and use security and threat intelligence solutions to detect intrusions.

Source: Trustwave, Bleeping Computer