Chaos Communication Congress

Unlocked! Recovering files taken hostage by ransomware (37x23)

Date de diffusion: Déc 27, 2023

We present an analysis and recovery method for files encrypted by Black Basta, the "second most used ransomware in Germany". We analysed the behaviour of a ransomware encryptor and found that the malware uses their keystream wrongly, rendering the encryption vulnerable to a known-plaintext attack which allows for recovering affected files. We confirmed the finding by implementing tools for recovering encrypted files.