How flipping an ordinary coin saved people from a ransomware program

Published: 2024-01-15

Let’s flip a coin. The light side comes out

The morning starts as usual: the standard routine is scrolling through the news over coffee. Laughing at the unfortunate jokes of your competitors, you prepare for a new day full of excitement, anticipating your success. Suddenly, you decide to flip a coin.

The dark side comes out

When you open your device, you are met with a strange sight: your files are encrypted, except for one unneeded folder of photos from 10 years ago, and you have the sinking feeling that you are now trapped behind a wall where every moment costs you dearly.

All because a pop-up window or a readme.txt file has appeared on your desktop that says something like this: “Your files have been encrypted and are now inaccessible. You will lose all your information on this date unless you pay this amount of bitcoins.” There may also be a note like this: “IMPORTANT! All your files are encrypted with RSA-2048 and AES-256 algorithms.”

Let’s flip a coin again

You may believe to the last minute that extortionists are bandits from the city’s disadvantaged neighborhoods who suddenly jumped out from around the corner. However, bandits who jump out from behind a corner would have little use for a plastic card or for a slip of green paper bearing the address of your electronic wallet.

You could give up all gadgets completely, along with all your Facebook friends, the Christmas cards from Aunt Rosie, who loves you very much, and the fans who keep you up at night with voluptuous voice messages.

You could resolve never to open emails and messages from unknown senders. But sometimes it is so hard to resist temptation, because the message text is so skillfully crafted and the header contains a request for help and your name. So you believe that the author of the doubtful message has written the truth.

You could remember to update the system next time. But who, other than the system itself, would voluntarily remember to update it? And who even knows what the system has in mind?

Let’s flip a coin for the third time. The dark side

When this moment happens in your life, you have fallen victim to a ransomware program.

Ransomware infiltrates your computer, encrypts your files, blocks access to them, and then demands an online payment to decrypt them. It is one of the most brazen forms of cyber extortion, and in some cases outright blackmail.

Most ransomware is spread through phishing. You receive an email that looks as if someone you know wrote it to you, so you have a strong motivation to open it. In many big companies all over the world, employees are forbidden to open emails from unknown senders.

Another popular method of spreading malware is the use of social networks and messengers. For example, criminals can use neural networks and send a message on Facebook Messenger with a graphic attachment carrying an unusual file extension.

Unprotected websites and unprotected web servers are another attack vector in demand among cybercriminals. Attackers look for vulnerable websites, such as online casinos where people seek their fortune at roulette, and insert malicious scripts so that other people’s web pages spread the ransomware directly to their visitors.

That would be the end of it. But let’s flip a coin for the last time. Once again, the dark side.

Once upon a time, faceless people in black robes actually created an encryption algorithm for a ransomware program and called it Black Basta Buster. Everything about it was ingenious, both the name and the algorithm. This piece of software is notable for being unable to bypass Windows User Account Control, yet it was built professionally and works in the classic style.

It is also notable that encryption requires administrator permission; otherwise, the malware fails. Once the permission is granted, it hijacks one of the Windows system services and uses it to run the encryptor. The malware first deletes the Windows shadow copies and then changes the desktop wallpaper.

We’ll leave it at that for now. But keep on flipping a coin.

Every event in our lives has a light side and a dark side, just like every invention. The fact that we live in the age of gadgets and have the ability to communicate with the whole world is definitely the light side. The fact that technology does not stand still and crimes are becoming more sophisticated is the dark side. But if ransomware is the dark side, what is the light side?

Let’s flip a coin again. The light side.

The light side is the realization that behind any invention, behind any technology, there are people who also have a light and a dark side. It is this realization that Security Research Labs took advantage of. They created a decryptor that exploits a vulnerability in the Black Basta ransomware encryption algorithm and allows victims to recover their files and resolve the problem for free.

The Black Basta developers’ mistake was to reuse the same key stream during encryption. As a result, every 64-byte data fragment consisting only of zeros was turned into the 64-byte symmetric key itself, which allowed specialists to extract the key and use it to decrypt the entire file.
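A toy model of the weakness described above, added here as an illustration and not taken from the original post or from the Security Research Labs tool: one 64-byte keystream is XORed onto every block of a file, so any all-zero plaintext block comes out as the keystream itself, and because every such block produces the identical ciphertext chunk, the most frequent aligned chunk recovers the key. The file contents, the chunking and the XOR cipher are all constructed for this example and simplify the real Black Basta scheme.

```python
import os
from collections import Counter
from typing import Optional

BLOCK = 64  # the page describes 64-byte fragments and a 64-byte key


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def flawed_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """Toy model of the flaw: the SAME 64-byte keystream is reused on every block.
    A keystream used once would be sound; reusing it is the bug being modelled."""
    assert len(keystream) == BLOCK
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        chunk = plaintext[i:i + BLOCK]
        out += xor_bytes(chunk, keystream[:len(chunk)])
    return bytes(out)


def recover_keystream(ciphertext: bytes) -> Optional[bytes]:
    """Zero-filled plaintext blocks encrypt to the keystream itself, and all of them
    yield the identical 64-byte ciphertext chunk. The most frequent aligned chunk is
    therefore the keystream candidate; require at least one repeat to trust it."""
    chunks = [ciphertext[i:i + BLOCK]
              for i in range(0, len(ciphertext) - BLOCK + 1, BLOCK)]
    if not chunks:
        return None
    candidate, count = Counter(chunks).most_common(1)[0]
    return candidate if count >= 2 else None


def decrypt(ciphertext: bytes, keystream: bytes) -> bytes:
    return flawed_encrypt(ciphertext, keystream)  # XOR is its own inverse


def demo() -> bool:
    # Constructed sample file: a header, some text and a 256-byte run of zeros,
    # like the padding or unused regions found in many real file formats.
    plaintext = (b"%PDF-1.7\n" + b"sample document content " * 5
                 + bytes(256) + b"trailer\n%%EOF\n")
    keystream = os.urandom(BLOCK)   # the victim never learns this directly
    ciphertext = flawed_encrypt(plaintext, keystream)
    recovered = recover_keystream(ciphertext)
    # Recovery succeeds using only the ciphertext; real tools would also validate
    # the result against known file headers before overwriting anything.
    return recovered == keystream and decrypt(ciphertext, recovered) == plaintext
```

The zero run does not have to start on a block boundary: any aligned 64-byte window that falls entirely inside it leaks the key, which is why even a modest run of zeros is enough.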

However, it is important to note that the decryptor only works with files encrypted by versions of Black Basta from November 2022 until recently. In addition, versions of the program that add the “.basta” extension to encrypted files are not decryptable with the tool.

Light side

In publishing this article, we were not trying to be a judge or a mentor, urging you to be more careful about the inner workings of your device and to treat digital security as you would treat your personal hygiene. We wanted to show you that in the digital world, there are light and dark sides to every phenomenon, with ordinary people behind them. You just have to learn to recognize them.

Let’s flip a coin

Developer:
Security Research Labs, an independent security research group
Level of innovation:
You shouldn’t tell the Internet the things one shouldn’t know
Real-world usefulness:
You won’t have to pay extortionists
Drawbacks:
This decryption technology can’t be used in replay attacks. But the hope is that the light side of the coin will come up more often.
Cost to the consumer:
Faith in the light side
As Master Yoda would say:
“The dark side is not so much stronger as it is more seductive.”

Scientists have decoded the human genome. We’ve decoded the genome of interest. Only pure science and facts.

Thank you!