A new decryptor for the Babuk Tortilla ransomware has been released. Security researchers at Cisco Talos obtained the decryption key following a Dutch police operation which saw an alleged user of the malware apprehended.
The key has been handed to the Avast Threat Labs, which has added it to its package of decryptors for a host of Babuk variants.
Babuk Tortilla ransomware decryptor released
Babuk ransomware emerged in 2021, and has been used to target healthcare and manufacturing businesses, as well as critical national infrastructure. It is particularly problematic because it encrypts the victim’s machine while also interrupting the system backup process and deleting volume shadow copies, which often contain salvageable data.
The malware has spawned many variants, in part because its source code was leaked online in 2021, meaning other cybercriminals have been able to use it as the basis for their own nefarious software.
As reported by Tech Monitor, last year the RA Ransomware gang attacked four companies using malware based on modified Babuk code, and it was also used in the ESXIArgs campaign, which impacted more than 3,000 victims at the beginning of 2023.
Cisco Talos has been tracking the Tortilla variant since 2021 when its researchers spotted the malware being used to target vulnerable Microsoft Exchange servers and attempting to exploit the ProxyShell vulnerability to deploy the Babuk ransomware in victim networks.
The company has been gathering intelligence on the malware, which was used by Dutch police to “discover and apprehend the actor behind this malware”, according to a blog post from the company published today.
Few details have been provided on the police operation in the Dutch capital Amsterdam (Tech Monitor has approached Cisco Talos for more information), but as part of the sting the security vendor “obtained and analysed the decryptor, recovered the decryption key and shared the key with engineers from Avast Threat Labs in charge of development and maintenance of the decryptor for several other Babuk variants.”
How to download the Babuk Tortilla decryptor
The Babuk Tortilla decryptor was “likely created from the leaked Babuk source code and the generator” according to Cisco Talos researcher Vanja Svajcer, who penned the blog post. “An actor wishing to utilize the ransomware toolkit has to generate a public/private key pair to be used in the operation,” Svajcer said. “The key pair can also be generated per campaign but we have no indication of other keys used by the Tortilla actor. Instead, a single key pair is used to attack all their victims.”
The public key is deployed to the ransomware payload “where it is used in the infection process to encrypt the per-file symmetric encryption/decryption key,” Svajcer added. He explained: “That is then appended to the end of every encrypted file with the encryption marker and additional metadata. This allows the specific decryptor to recognize the fact that a file is encrypted and decrypt the symmetric key using the private key embedded in the body of the specially crafted decryptor tool created by the threat actor.”
Any organisation affected by Tortilla ransomware operations can download the updated version of the Babuk decryptor. It is available on the NoMoreRansom decryptors page and the Avast decryptors download page.