Free BlackByte decryptor released, after researchers say they found flaw in ransomware code

With so much bad news about ransomware in the headlines every day, it’s good to share some good news.

Security experts at Trustwave have released a free decryption tool that can be used by BlackByte ransomware victims to decrypt and recover their files. That’s right – you don’t need to pay the ransom.

In a series of posts on their SpiderLabs blog, Trustwave’s Rodel Mendrez and Lloyd Macrohon explained that they uncovered an “odd” design decision in the BlackByte ransomware’s encryption algorithm:

Unlike other ransomware that may have a unique key in each session, BlackByte uses the same raw key (which it downloads) to encrypt files and it uses a symmetric-key algorithm – AES. To decrypt a file, one only needs the raw key to be downloaded from the host. As long as the .PNG file it downloaded remains the same, we can use the same key to decrypt the encrypted files.
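To make that design decision concrete, here is an added example, written for this article and not taken from Trustwave’s decryptor or from BlackByte itself, that simulates the weakness in Go and then recovers every file using nothing but the downloaded blob. Everything about the file format is an assumption: that the raw AES-256 key is the 32 bytes following the 8-byte PNG signature, that the mode is AES-CTR with a per-file IV stored in front of the ciphertext, and the header table and sample files, which are constructed. The recovery routine also carries the check a practitioner would want in light of the gang’s later warning that the wrong key would “break everything”: CTR mode gives no authentication, so a wrong key silently produces garbage, and the routine refuses to report a file as recovered unless the plaintext looks right.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// Constructed stand-in for the .PNG the malware downloads. ASSUMPTION: the raw
// AES-256 key is the 32 bytes right after the 8-byte PNG signature.
var DownloadedBlob = append(append([]byte("\x89PNG\r\n\x1a\n"),
	[]byte("constructed-raw-key-32-bytes-!!!")...),
	[]byte("...remaining image data (constructed filler)...")...)

// KeyFromBlob lifts the one shared key out of the blob and builds the cipher:
// whoever has the blob has the key, and that key unlocks every file.
func KeyFromBlob(blob []byte) (cipher.Block, error) {
	if len(blob) < 40 {
		return nil, fmt.Errorf("blob too short for a key: %d bytes", len(blob))
	}
	return aes.NewCipher(blob[8:40])
}

// ctrXOR runs AES-CTR; encryption and decryption are the same operation.
func ctrXOR(block cipher.Block, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// SimulateInfection mimics the weakness: one key for every file, AES-CTR with a
// fresh 16-byte IV stored in front of each ciphertext (mode and layout assumed).
func SimulateInfection(blob []byte, files map[string][]byte) (map[string][]byte, error) {
	block, err := KeyFromBlob(blob)
	if err != nil {
		return nil, err
	}
	enc := make(map[string][]byte, len(files))
	for name, pt := range files {
		iv := make([]byte, aes.BlockSize)
		if _, err := rand.Read(iv); err != nil {
			return nil, err
		}
		enc[name] = append(iv, ctrXOR(block, iv, pt)...)
	}
	return enc, nil
}

var magic = map[string][]byte{".pdf": []byte("%PDF"), ".png": []byte("\x89PNG"), ".docx": []byte("PK\x03\x04")} // assumed header table

// PlausiblePlaintext: known types must start with their header; others must be mostly text.
func PlausiblePlaintext(name string, data []byte) bool {
	for ext, m := range magic {
		if strings.HasSuffix(name, ext) {
			return bytes.HasPrefix(data, m)
		}
	}
	printable := 0
	for _, b := range data {
		if b >= 0x20 && b < 0x7f || b == '\n' || b == '\r' || b == '\t' {
			printable++
		}
	}
	return printable*10 >= len(data)*9
}

// RecoverAll decrypts with the blob's key but never trusts the result blindly:
// CTR has no authentication, so a wrong key silently yields garbage.
func RecoverAll(blob []byte, encrypted map[string][]byte) (map[string][]byte, []string, error) {
	block, err := KeyFromBlob(blob)
	if err != nil {
		return nil, nil, err
	}
	recovered, rejected := map[string][]byte{}, []string{}
	for name, ct := range encrypted {
		var pt []byte
		if len(ct) >= aes.BlockSize { // need at least the stored IV
			pt = ctrXOR(block, ct[:aes.BlockSize], ct[aes.BlockSize:])
		}
		if pt == nil || !PlausiblePlaintext(name, pt) {
			rejected = append(rejected, name) // leave the encrypted copy alone
			continue
		}
		recovered[name] = pt
	}
	return recovered, rejected, nil
}

func main() {
	files := map[string][]byte{"report.pdf": []byte("%PDF-1.4 constructed"), "notes.txt": []byte("constructed notes")}
	enc, _ := SimulateInfection(DownloadedBlob, files)
	good, _, _ := RecoverAll(DownloadedBlob, enc)
	_, badRejected, _ := RecoverAll(bytes.Repeat([]byte{0x42}, len(DownloadedBlob)), enc)
	fmt.Printf("right blob recovers %d file(s); wrong blob rejects %d file(s)\n", len(good), len(badRejected))
}
```

The point of the split result is operational: anything in the rejected list should stay untouched on disk, and recovered plaintext is best written beside the encrypted copy rather than over it, so that a decryptor built on the wrong key material costs the victim nothing.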

It’s not uncommon for ransomware gangs to claim that prior to their corporate victims’ data being encrypted it was stolen and will be sold to other online criminals if a ransom is not paid.

BlackByte is no different in this regard, and victims are directed towards a site on the dark web where it appears their data is being prepped for sale in an online auction.

[Screenshot: BlackByte auction site]

However, according to the researchers, the ransomware itself contains no functionality to exfiltrate data, so the claim may simply be a scare tactic to pressure victims into paying.

Trustwave’s free BlackByte decryptor takes advantage of this design weakness and can be downloaded from GitHub.

Perhaps predictably, the BlackByte ransomware gang has responded to Trustwave’s release of the decryptor tool and has published a message on its website warning victims not to use it:

[Screenshot: BlackByte blog post]

We have seen in some places that there is a decryption for our ransom. We would not recommend you to use that, because we do not use only 1 key. If you use the wrong decryption for your system you may break everything, and you won’t be able to restore your system again. We just want to warn you: if you do decide to use that, it’s at your own risk.

Thanks to “SpiderLabs” aka ClownLabs, because of you many systems will be broken without any chance of recovery.

How kind of the criminals who infected your computer and then attempted to extort money out of you to care so much for your data’s welfare. It should go without saying, but doesn’t, that you should back up your encrypted files before running any decryption tool: if the tool turns out not to hold the right key, you lose nothing and can still try another route to recovery.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.
