A new ransomware family called Midnight has emerged, borrowing heavily from the Babuk ransomware framework — but with a critical mistake that allows victims to recover encrypted data without paying the ransom.
According to Gen researchers, “a new ransomware strain known as Midnight has emerged, echoing the notorious tactics of its predecessor, Babuk. Midnight blends familiar ransomware mechanics with novel cryptographic modifications – some of which unintentionally open the door to file recovery.”
Midnight is a direct descendant of Babuk, the ransomware-as-a-service (RaaS) operation that first appeared in 2021 before its source code was leaked. That leak became a breeding ground for derivative strains, including ESXiArgs, Rorschach, and now Midnight.
Gen researchers explain, “In mid-2021, Babuk’s operators abruptly shut down and leaked their full source code, including builders for Windows, ESXi, and NAS variants. This leak led to a wave of inspired ransomware families, each modifying Babuk’s original design to suit their own goals. Midnight is one such evolution.”
While Midnight retains much of Babuk’s structure and intermittent encryption technique, it replaces Babuk’s HC-256 algorithm with ChaCha20 for file encryption and RSA for key wrapping. Ironically, this change introduced a flaw that makes decryption feasible under certain conditions.
Midnight ransomware adds the extensions “.Midnight” or “.endpoint” to encrypted files. In some builds, the ransomware does not alter filenames but instead appends the extension directly to the end of file content, a quirk visible in hex editors.
A ransom note titled How To Restore Your Files.txt is dropped in every directory, with variant-specific wording for .Midnight and .endpoint samples.
Figure: Ransom note of the .Midnight variant.
Researchers also observed a mutex named Mutexisfunnylocal, used to prevent multiple ransomware instances from running simultaneously. Depending on configuration, some builds create logs like Report.Midnight or debug.endpoint, which can aid forensic recovery.
Midnight also supports several command-line arguments to control its behavior:
- /e — appends the extension string directly to file content.
- /n — enables encryption of network drives.
- --paths= — targets specific directories.
Earlier versions primarily attacked high-value files such as databases (.mdf, .sql) and backups (.bak, .rman), while newer samples encrypt nearly all file types except executables (.exe, .dll, .msi).
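The indicators above (the extension appended to file content in /e builds, the renamed-file variant, the ransom note name and the Report.Midnight / debug.endpoint logs) are enough for a first-pass forensic triage of a suspect directory. The script below is an added example written for this article, not Gen's decryptor or any tool from the report; it runs against a constructed sample tree, and the 16-byte tail window it reads is an assumption, since the page does not give the exact trailer layout.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Indicators as described in the Gen Digital write-up.
CONTENT_MARKERS = (b".Midnight", b".endpoint")   # appended to file *content* in /e builds
NAME_EXTENSIONS = (".Midnight", ".endpoint")     # appended to file *names* in other builds
RANSOM_NOTE = "How To Restore Your Files.txt"
LOG_NAMES = {"Report.Midnight", "debug.endpoint"}

def classify_file(path: Path) -> Optional[str]:
    """Return an indicator label for one file, or None if nothing matched."""
    if path.name == RANSOM_NOTE:
        return "ransom_note"
    if path.name in LOG_NAMES:
        return "ransomware_log"
    if path.suffix in NAME_EXTENSIONS:
        return "renamed_encrypted_file"
    # /e builds keep the original name and append the marker to the content,
    # so only the last bytes need to be read (16-byte window is an assumption).
    size = path.stat().st_size
    with path.open("rb") as fh:
        fh.seek(max(0, size - 16))
        tail = fh.read()
    if tail.endswith(CONTENT_MARKERS):
        return "content_marked_encrypted_file"
    return None

def triage(root: Path) -> Dict[str, List[str]]:
    """Walk a directory tree and group matching files by indicator label."""
    findings: Dict[str, List[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            label = classify_file(p)
            if label:
                findings.setdefault(label, []).append(p.relative_to(root).as_posix())
    return findings

def build_sample_tree() -> Path:
    """Constructed sample directory (not real ransomware output) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="midnight-triage-"))
    (root / "db").mkdir()
    (root / "db" / "sales.mdf").write_bytes(b"\x00" * 64 + b".Midnight")   # /e build quirk
    (root / "db" / "backup.bak.endpoint").write_bytes(b"\x00" * 64)        # renamed variant
    (root / "db" / RANSOM_NOTE).write_text("constructed ransom note text")
    (root / "Report.Midnight").write_text("constructed log line")
    (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 62)                   # executables are skipped
    return root

if __name__ == "__main__":
    for label, files in triage(build_sample_tree()).items():
        print(label, files)
```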
The ransomware’s encryption system is what undermines its own strength.
The report notes that “Midnight uses ChaCha20 for encrypting file contents and RSA for encrypting the ChaCha20 key. The RSA-encrypted key, along with its SHA256 hash, is appended to the end of each encrypted file. This format is consistent across known samples.”
However, due to implementation errors in key handling and data padding, Gen analysts were able to reconstruct a working decryptor that bypasses the attacker’s private key entirely.
This vulnerability allows affected victims to recover files for free using the publicly available Norton Midnight Decryptor, released by Gen’s remediation team (Avast and Norton).
The research team has released step-by-step instructions and official decryptor links for both 64-bit and 32-bit Windows systems.
The decryptor takes advantage of the weak RSA implementation, reconstructing the ChaCha20 keys used during encryption.