Trustwave has released a free decryptor for the BlackByte ransomware victims to recover their files for free.
Unlike other ransomware that may have a unique key in each session, BlackByte uses the same raw key to encrypt files and it uses the symmetric-key algorithm AES. Anyone that could access the raw key would be able to decrypt the files.
The experts noticed that the ransomware fetches a .PNG file that embeds multiple keys and which is the same for all the victims. The researchers analyzed it to create a free decryptor.
“Unlike other ransomware that may have a unique key in each session, BlackByte uses the same raw key (which it downloads) to encrypt files and it uses a symmetric-key algorithm – AES. To decrypt a file, one only needs the raw key to be downloaded from the host. As long as the .PNG file it downloaded remains the same, we can use the same key to decrypt the encrypted files.” reads the analysis published by Trustwave.
Trustwave’s report and decryptor did not go unnoticed by the ransomware gang, who warned that they have used more than one key and that utilizing the decryptor with the wrong key would corrupt a victim’s files.
“we have seen in some places that there is a decryption for our ransom. we would not recommend you to use that. because we do not use only 1 key. if you will use the wrong decryption for your system you may break everything, and you wont be able to restore your system again.we just want to warn you, if you do decide to use that, its at your own risk.” – BlackByte.
If you are a BlackByte victim and want to use Trustwave’s decryptor, you will need to download the source code from Github and compile it yourself.
