Midnight Ransomware Hit by RSA Flaw: Norton Releases Free Decryptor for Windows

CyberSecureFox 🦊

Cybersecurity researchers have identified a critical cryptographic weakness in the new Midnight ransomware, a strain derived from the leaked Babuk source code. The implementation error in the ransomware’s RSA key management opened the door for Norton to release a free decryptor that can restore files on impacted Windows systems.

Midnight ransomware: Babuk heritage and focus on speed

Midnight closely mirrors the architecture of Babuk, whose builder and source code were leaked in 2021 and have since fueled numerous copycat families. Consistent with its progenitor, Midnight uses partial encryption to accelerate impact: instead of encrypting entire files, it encrypts selected segments, rendering large documents and databases unreadable within seconds while minimizing processing time.

Recent Midnight builds broaden the list of targeted file types to cover most common formats, while explicitly excluding executable and installer files such as .exe, .dll, and .msi. On compromised hosts, victims typically see the .midnight or .endpoint extension appended to affected files. Some samples also embed a tag inside file content. Ransom notes are dropped as How To Restore Your Files.txt, accompanied by diagnostic logs such as report.midnight and debug.endpoint that trace the malware’s execution steps.

ChaCha20 plus RSA: why the crypto failed

Midnight implements a hybrid scheme: file contents are encrypted with the stream cipher ChaCha20, and the per-file or per-session symmetric keys are protected using RSA. While ChaCha20 and RSA are strong cryptographic primitives, researchers found a flaw in the implementation of RSA key handling. The defect initially enabled partial data recovery; further analysis allowed the construction of a complete decryptor without the attackers’ private key. This case underlines a recurring reality in ransomware: sound algorithms do not compensate for weak operational design or incorrect key lifecycle management.
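The hybrid construction described above, as an added example written for this article rather than code taken from Midnight, Babuk or Norton: a pure-Python ChaCha20 (RFC 8439) drives partial encryption of fixed-size segments at fixed intervals, a fresh 256-bit key is generated per file, and that key is wrapped with the attacker's RSA public key so that only the private key can unwrap it. The segment size (4096 bytes), stride (65536 bytes) and the textbook RSA wrap without OAEP are assumptions for illustration; Midnight's real parameters and the nature of its RSA defect are not given on the page and are not modelled here.

```python
import secrets
import struct

MASK32 = 0xFFFFFFFF

def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)

def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte ChaCha20 keystream block (RFC 8439: 256-bit key, 32-bit counter, 96-bit nonce)."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8L", key) + (counter & MASK32,) + struct.unpack("<3L", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column round + diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *((a + b) & MASK32 for a, b in zip(w, state)))

def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int) -> bytes:
    """XOR data with keystream starting at block `counter`; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(x ^ k for x, k in zip(data[off:off + 64], ks))
    return bytes(out)

SEGMENT, STRIDE = 4096, 65536  # assumed sizes for this example, not Midnight's real values

def partial_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Partial encryption: touch only the first SEGMENT bytes of every STRIDE-byte window.
    The block counter is derived from the file offset (offset // 64), so the function is its own inverse."""
    buf = bytearray(data)
    for start in range(0, len(buf), STRIDE):
        end = min(start + SEGMENT, len(buf))
        buf[start:end] = chacha20_xor(key, nonce, bytes(buf[start:end]), start // 64)
    return bytes(buf)

def _probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (demo key generation only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(cand):
            return cand

def rsa_keygen(bits: int = 1024):
    """Toy textbook RSA key pair, no padding scheme: (n, e), (n, d). Illustration only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (n, e), (n, pow(e, -1, phi))

def encrypt_file(pub, plaintext: bytes):
    """Attacker side: fresh per-file ChaCha20 key and nonce; the key leaves the host only RSA-wrapped."""
    n, e = pub
    file_key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    ciphertext = partial_xor(file_key, nonce, plaintext)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)  # 256-bit key < n, so this round-trips
    # A correct key lifecycle discards file_key at this point. Anything that keeps it, derives
    # it predictably, or leaks the private key is what turns "RSA-protected" into "recoverable".
    return ciphertext, wrapped, nonce

def decrypt_file(priv, ciphertext: bytes, wrapped: int, nonce: bytes) -> bytes:
    """Private-key holder (the attacker, or a decryptor that has the key): unwrap, then undo the XOR."""
    n, d = priv
    file_key = pow(wrapped, d, n).to_bytes(32, "big")
    return partial_xor(file_key, nonce, ciphertext)

if __name__ == "__main__":
    pub, priv = rsa_keygen()
    doc = bytes(i % 251 for i in range(200_000))  # constructed 200 KB "document"
    ct, wk, nonce = encrypt_file(pub, doc)
    touched = sum(1 for a, b in zip(doc, ct) if a != b)
    print(f"{touched} of {len(doc)} bytes modified; recovered={decrypt_file(priv, ct, wk, nonce) == doc}")
```

Run stand-alone, the script shows why partial encryption is fast: only a few thousand bytes per 64 KB window are rewritten, yet the file is useless without the key. The same structure also shows the only two ways a public decryptor can exist without the attacker's cooperation: the per-file key must be recoverable from the host, or the RSA wrap must be defeatable. The article states Midnight's weakness was in the RSA key handling but not which of these it was, so this code does not try to reproduce it.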

Norton’s free decryptor for Windows: what defenders should know

Norton has published a free decryptor for Windows x86 and x64 that targets files affected by Midnight ransomware. The tool automatically discovers encrypted data, including files marked with .midnight and .endpoint, creates safety backups, and attempts decryption. Users are advised not to disable backup creation within the tool to mitigate the risk of data loss in the event of corruption or unexpected interruptions during recovery.

Indicators of compromise (IOCs) and observable artifacts

Common IOCs include the emergence of .midnight or .endpoint extensions, the ransom note How To Restore Your Files.txt, and operational logs such as report.midnight or debug.endpoint. The use of partial encryption increases the likelihood of rapid service disruption, particularly for file servers and database hosts. Proactive monitoring for mass file renaming, unusual write patterns in network shares, and the presence of the noted artifacts can materially reduce response times.

Operational impact and defensive recommendations

The reuse of leaked builders like Babuk lowers the barrier to entry for threat actors and accelerates the emergence of new ransomware offshoots. Conversely, any cryptographic implementation mistake—such as the RSA flaw in Midnight—provides defenders a rare opportunity to restore data at scale. These windows are typically short-lived; ransomware operators often patch defects quickly once public decryptors appear.

Recommended actions for organizations include:

  • Immediately isolate suspected endpoints and preserve copies of encrypted files.
  • Obtain and run the official Norton decryptor where applicable.
  • Audit and enforce backup policies with at least one offline, immutable copy.
  • Implement network segmentation and least-privilege access, especially on file shares and critical systems.
  • Deploy EDR/behavioral detection capable of flagging mass file modification and suspicious encryption activity.
  • Maintain rigorous patching to remove common initial access vectors.
  • For SOC teams: add correlation rules for sudden extension changes to .midnight/.endpoint and creation of the noted ransom note and log files.
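The IOCs listed above and the correlation rule in the last bullet, turned into working detection logic as an added example (not code from the article, Norton, or any vendor sensor). It assumes a constructed file-activity event format, `<ISO timestamp> <host> <CREATE|WRITE|RENAME> <path>[ -> <new path>]`, and flags the .midnight/.endpoint extensions, the ransom note, the report.midnight and debug.endpoint logs, and a mass-rename burst (20 renames from one host inside 60 seconds; both thresholds are assumptions to tune per environment). The sample telemetry is constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

MIDNIGHT_EXTS = (".midnight", ".endpoint")
RANSOM_NOTE = "how to restore your files.txt"
LOG_ARTIFACTS = ("report.midnight", "debug.endpoint")

# Assumed event format for this example (not a real sensor schema):
#   <ISO timestamp> <host> <CREATE|WRITE|RENAME> <path>[ -> <new path>]
EVENT_RE = re.compile(r"^(\S+) (\S+) (CREATE|WRITE|RENAME) (.+?)(?: -> (.+))?$")

def parse_event(line: str):
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, host, op, path, new_path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "op": op, "path": path, "new": new_path}

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(lines, rename_threshold: int = 20, window_seconds: int = 60):
    """Return (host, alert_kind, detail) tuples for Midnight artifacts and rename bursts."""
    alerts, rename_times = [], defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        target = ev["new"] or ev["path"]  # for renames, judge the destination name
        name = _basename(target)
        if name == RANSOM_NOTE:
            alerts.append((ev["host"], "ransom_note", target))
        elif name in LOG_ARTIFACTS:  # checked before the extension rule, which would also match
            alerts.append((ev["host"], "midnight_log_artifact", target))
        elif name.endswith(MIDNIGHT_EXTS):
            alerts.append((ev["host"], "midnight_extension", target))
        if ev["op"] == "RENAME":
            rename_times[ev["host"]].append(ev["ts"])
    # Mass-rename burst: at least `rename_threshold` renames from one host inside a sliding window.
    for host, times in rename_times.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while (t - times[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 >= rename_threshold:
                alerts.append((host, "mass_rename_burst", f"{hi - lo + 1} renames within {window_seconds}s"))
                break
    return alerts

def summarize(alerts):
    """host -> Counter of alert kinds, the shape a correlation rule or ticket would carry."""
    summary = defaultdict(Counter)
    for host, kind, _ in alerts:
        summary[host][kind] += 1
    return dict(summary)

# Constructed sample telemetry: a file server being hit, plus one benign rename on a workstation.
SAMPLE_EVENTS = [
    rf"2024-05-01T02:13:{i:02d} FS01 RENAME \\FS01\share\q{i}.xlsx -> \\FS01\share\q{i}.xlsx.midnight"
    for i in range(25)
] + [
    r"2024-05-01T02:13:30 FS01 CREATE \\FS01\share\How To Restore Your Files.txt",
    r"2024-05-01T02:13:31 FS01 WRITE C:\ProgramData\report.midnight",
    r"2024-05-01T02:20:00 WS07 RENAME C:\Users\a\draft.docx -> C:\Users\a\final.docx",
]

if __name__ == "__main__":
    for host, kinds in summarize(detect(SAMPLE_EVENTS)).items():
        print(host, dict(kinds))
```

The extension and artifact matches are high-confidence on their own; the rename-burst rule is the one that fires before the note is written, which is where it matters for a file server being hit by partial encryption. Feed it from whatever produces file-operation events in your environment (EDR telemetry, file-server auditing) by adapting `parse_event`.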

The Midnight incident underscores that ransomware resilience depends not only on the choice of cryptographic algorithms but on correct key management and implementation. While the current RSA flaw enables free decryption, organizations should act quickly: leverage Norton’s tool, harden backup and recovery processes, and refine detection and response playbooks to reduce downtime and limit impact in future extortion campaigns.
