Free BlackByte ransomware decryptor released after AES encryption key was reused

On Thursday 15th of October 2021, a free decryptor for the BlackByte ransomware and a SpiderLabs blog post detailing the decryption process were released to the public, allowing past victims to recover their files for free.

Researchers found that the ransomware downloaded an image file called ‘forest.png’ from a remote malicious site under the control of the ransomware gang. They discovered that the AES encryption key used to encrypt the compromised machines was stored in this image file. Because AES is a symmetric cipher, the same key can be used to both encrypt and decrypt files. Trustwave also found that the ransomware gang had been reusing the same forest.png file for multiple victims, so using that file they were able to build a decryptor that recovers a victim’s files for free.

However, the ransomware gang has noticed the decryptor and warned that they have used more than one key, and that using the decryptor with the wrong key can lead to the corruption of victims’ files.
