View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
January 9, 2024

Decryptor for Babuk Tortilla ransomware variant released after police sting

Victims of the malware can download the free tool to help unlock their systems.

By Matthew Gooding

A new decryptor for the Babuk Tortilla ransomware has been released. Security researchers at Cisco Talos obtained the decryption key following a Dutch police operation which saw an alleged user of the malware apprehended.

A decryption key has been released for Babuk Tortilla ransomware. (Photo by VECTOR_X/Shutterstock)

The key has been handed to the Avast Threat Labs, which has added it to its package of decryptors for a host of Babuk variants.

Babuk Tortilla ransomware decryptor released

Babuk ransomware emerged in 2021, and has been used to target healthcare and manufacturing businesses, as well as critical national infrastructure. It is particularly problematic because it encrypts the victim’s machine while also interrupting the system backup process and deleting volume shadow copies, which often contain salvageable data.

The malware has spawned many variants, in part because its source code was leaked online in 2021, meaning other cybercriminals have been able to use it as the basis for their own nefarious software.

As reported by Tech Monitor, last year the RA Ransomware gang attacked four companies using malware based on modified Babuk code, and it was also used in the ESXIArgs campaign, which impacted more than 3,000 victims at the beginning of 2023.

Cisco Talos has been tracking the Tortilla variant since 2021 when its researchers spotted the malware being used to target vulnerable Microsoft Exchange servers and attempting to exploit the ProxyShell vulnerability to deploy the Babuk ransomware in victim networks.

The company has been gathering intelligence on the malware, which was used by Dutch police to “discover and apprehend the actor behind this malware”, according to a blog post from the company published today.

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business

Few details have been provided on the police operation in the Dutch capital Amsterdam (Tech Monitor has approached Cisco Talos for more information), but as part of the sting the security vendor “obtained and analysed the decryptor, recovered the decryption key and shared the key with engineers from Avast Threat Labs in charge of development and maintenance of the decryptor for several other Babuk variants.”

How to download the Babuk Tortilla decryptor

The Babuk Tortilla decryptor was “likely created from the leaked Babuk source code and the generator” according to Cisco Talos researcher Vanja Svajcer, who penned the blog post. “An actor wishing to utilize the ransomware toolkit has to generate a public/private key pair to be used in the operation,” Svajcer said. “The key pair can also be generated per campaign but we have no indication of other keys used by the Tortilla actor. Instead, a single key pair is used to attack all their victims.” 

The public key is deployed to the ransomware payload “where it is used in the infection process to encrypt the per-file symmetric encryption/decryption key,” Svajcer added. He explained: “That is then appended to the end of every encrypted file with the encryption marker and additional metadata. This allows the specific decryptor to recognize the fact that a file is encrypted and decrypt the symmetric key using the private key embedded in the body of the specially crafted decryptor tool created by the threat actor.” 

Any organisation affected by Tortilla ransomware operations can download the updated version of the Babuk decryptor. It is available on the NoMoreRansom decryptors page and the Avast decryptors download page

Read more: Vulnerabilities reported in post-quantum encryption algorithm


Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.