Pierluigi Paganini January 23, 2024

The Black Basta ransomware gang claimed to have hacked the UK water utility Southern Water, a major player in the UK water industry.

Southern Water is a private utility company responsible for collecting and treating wastewater in Hampshire, the Isle of Wight, West Sussex, East Sussex and Kent, and for providing public water supply to approximately half of this area.

The company is a major player in the UK water industry, it employs over 6,000 people and has an annual turnover of over £1 billion. It is committed to providing its customers with high-quality water and wastewater services.

The Black Basta ransomware group added Southern Water to the list of victims on its Tor data leak site and threatened to leak the stolen data on February 29, 2024.

The group claims to have stolen 750 gigabytes of sensitive data, including users’ personal documents and corporate documents.

The gang published some screenshots as proof of the attack, including passports, ID cards, and personal information of some employees.

At this time, it is unknown what ransom the group has demanded from the victim.

The Black Basta ransomware group has been active since April 2022, like other ransomware operations, it implements a double-extortion attack model.

In early January, independent security research and consulting team SRLabs discovered a vulnerability in Black Basta ransomware’s encryption algorithm and exploited it to create a free decryptor.

A joint research by Elliptic and Corvus Insurance revealed that the group accumulated at least $107 million in Bitcoin ransom payments since early 2022. According to the experts, the ransomware gang has infected over 329 victims, including ABB, Capita, Dish Network, and Rheinmetall. 

The researchers analyzed blockchain transactions, they discovered a clear link between Black Basta and the Conti Group.

In 2022, the Conti gang discontinued its operations, coinciding with the emergence of the Black Basta group in the threat landscape.

The group mainly laundered the illicit funds through the Russian crypto exchange Garantex.

SRLabs analyzed the encryption algorithm used by the ransomware and discovered a specific weakness in the variant used by the gang around April 2023. The ransomware employs encryption based on a ChaCha keystream, which is utilized to perform XOR operations on 64-byte-long chunks of the file.

The researchers determined that the position of the encrypted blocks is determined by the file size, as indicated in the mentioned ranges.py. Depending on the file size, the ransomware encrypts the initial 5000 bytes.

The position of the encrypted blocks is determined by the file size. Depending on the file size, the ransomware encrypts the first 5000 bytes.

“Our analysis suggests that files can be recovered if the plaintext of 64 encrypted bytes is known. Whether a file is fully or partially recoverable depends on the size of the file. Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered.” reads the post published by the researchers. “The recovery hinges on knowing the plaintext of 64 encrypted bytes of the file. In other words, knowing 64 bytes is not sufficient in itself since the known plaintext bytes need to be in a location of the file that is subject to encryption based on the malware’s logic of determining which parts of the file to encrypt. For certain file types knowing 64 bytes of the plaintext in the right position is feasible, especially virtual machine disk images.”

The experts pointed out that the weakness doesn’t impact the encryption process for the first 5,000 bytes of a file, for this reason, these bytes cannot be recovered. This means that files below the size of 5000 bytes cannot be recovered.

SRLabs developed tools that enable users to analyze encrypted files and determine if decryption is possible.

The decryptauto tool may allow to recover files containing encrypted zero bytes.

“Depending on how many times and to what extent the malware encrypted the file, manual review is required to fully recover a file.” continues the researchers.

The bad news is that Black Bast has fixed the issue. The decryptor only allows to recover files encrypted before December 2023.

“The decryptor allows Black Basta victims from November 2022 to this month to potentially recover their files for free. However, BleepingComputer has learned that the Black Basta developers fixed the bug in their encryption routine about a week ago, preventing this decryption technique from being used in newer attacks.” reported Bleeping Computer.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Black Basta)