Norton Cracks Midnight Ransomware, Releases Free Decryptor
Norton finds a flaw in the new Midnight ransomware built from Babuk code and releases a free decryptor to help victims recover files without paying a ransom.
Norton’s threat research team at Gen Digital has identified a major security flaw in Midnight, a new ransomware strain built from the leaked Babuk ransomware source code.
The flaw, introduced during an attempt to improve encryption speed and strength, has allowed Norton to create a free decryptor that restores affected files without paying a ransom.
Midnight inherits much of its structure from Babuk, the ransomware that surfaced in 2021 before its full source code was leaked online. That leak has since resulted in many new threats built on the same base, and Midnight is the latest to reuse and modify the original framework.
Researchers found that while the group behind Midnight ransomware aimed to upgrade Babuk’s encryption methods, the result was the opposite: the modified cryptographic implementation weakened its security.
The ransomware uses a combination of ChaCha20 and RSA encryption to lock files. However, an error in how the RSA key was used allowed partial decryption, which, according to Norton’s blog post, its researchers turned into a practical recovery method. They have since made the decryptor publicly available, offering victims a safe way to recover data.
Midnight ransomware works in a way similar to Babuk, encrypting sections of files instead of entire ones to move faster and still disrupt systems. It applies encryption based on file size, which lets it quickly render large files unreadable without fully processing every byte. Recent samples have expanded the list of targeted files, encrypting nearly all file types except executables such as .exe, .dll, and .msi.
Infected systems typically show files with the .Midnight or .endpoint extension; alternatively, the string may be appended within the file data itself. Victims also find a ransom note titled How To Restore Your Files.txt and, in some cases, a debug log file such as Report.Midnight or debug.endpoint.
.Midnight and .endpoint variants (Image via Norton)
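As an added example (not code from Norton or the original article), the following triage script walks a directory tree and groups files by the indicators listed above, so responders can scope what to hand to the decryptor. The in-file marker check assumes the bare strings Midnight or endpoint sit in the last 64 bytes of a file; the names classify, scan and demo are hypothetical, and the sample tree is constructed.

```python
import os
import tempfile
from pathlib import Path

# Indicators named in the article (file names compared case-insensitively).
EXTENSIONS = (".midnight", ".endpoint")
RANSOM_NOTE = "how to restore your files.txt"
DEBUG_LOGS = ("report.midnight", "debug.endpoint")
SKIPPED = (".exe", ".dll", ".msi")  # types the article says are not encrypted
# Assumption: the in-file marker is the bare string within the last 64 bytes.
TAIL_MARKERS, TAIL_BYTES = (b"Midnight", b"endpoint"), 64

def classify(path):
    """Return 'ransom_note', 'debug_log', 'renamed', 'tail_marker' or None."""
    name = os.path.basename(path).lower()
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name in DEBUG_LOGS:  # checked before extensions: same suffixes
        return "debug_log"
    if name.endswith(EXTENSIONS):
        return "renamed"
    if name.endswith(SKIPPED):
        return None
    try:
        with open(path, "rb") as fh:
            fh.seek(max(0, os.path.getsize(path) - TAIL_BYTES))
            tail = fh.read()
    except OSError:
        return None  # unreadable file: leave for manual review
    return "tail_marker" if any(m in tail for m in TAIL_MARKERS) else None

def scan(root):
    """Walk root and group matching paths by indicator type."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(folder, fname)
            hits.setdefault(classify(full), []).append(full)
    hits.pop(None, None)  # drop files that matched nothing
    return hits

def demo():
    """Build a constructed sample tree, scan it, return base names per type."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"q3.xlsx.Midnight": b"x", "How To Restore Your Files.txt": b"x",
                   "Report.Midnight": b"x", "notes.txt": b"hello",
                   "db.bak": b"\x00" * 200 + b"Midnight", "setup.exe": b"Midnight"}
        for fname, data in samples.items():
            Path(root, fname).write_bytes(data)
        return {k: sorted(os.path.basename(p) for p in v) for k, v in scan(root).items()}
```

A tail_marker hit is lower confidence than a renamed file, since ordinary files can contain those words near the end; treat it as a prompt for manual review.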
Norton’s decryptor is available as a direct download in both 32-bit and 64-bit versions for Windows. It guides users through a simple setup process to locate encrypted files, create backups, and begin decryption. Norton recommends keeping the backup option enabled to avoid data loss during recovery.