Researchers with Cisco Talos have released a decryptor for the Tortilla variant of the Babuk ransomware, allowing businesses targeted by the ransomware to recover their files. The Cisco Talos team also shared related threat intelligence with Dutch law enforcement agencies, which were then able to identify and apprehend the threat actor behind Babuk Tortilla operations.
Babuk emerged in 2021 with wide-ranging attacks on critical infrastructure organizations across the healthcare and manufacturing sectors. That year, the malware’s source code and binary builder were leaked, and in October 2021 researchers released a decryptor for Babuk. However, a month later, researchers observed a variant of the ransomware - called Tortilla - exploiting known Microsoft Exchange flaws in order to infect victims, using a new private key.
Cisco Talos researchers on Tuesday said they obtained executable code with the ability to decrypt files impacted by Tortilla, which enabled them to extract this private decryption key.
“Cisco Talos shared the key with our peers at Avast for inclusion in the Avast Babuk decryptor released in 2021,” said Vanja Svajcer with Cisco Talos in a post. “The decryptor includes all known private keys, allowing many users to recover their files once encrypted by different Babuk ransomware variants.”
Since the Babuk source code was leaked on an underground forum in 2021 by an alleged insider, at least 10 different threat actors have leveraged the leaked code for their own ransomware families, and researchers said that the decryptor that they obtained was likely created from the leaked source code. The Talos team also worked with Dutch police to find and apprehend the operator behind the malware. The Dutch Prosecution Office has since prosecuted the threat actor behind Babuk Tortilla operations, according to researchers. Previously, individuals with alleged ties to attacks deploying the Babuk ransomware (as well as Hive and LockBit) were indicted by the U.S. Justice Department in May 2023.
Both private companies and government law enforcement agencies have provided decryption tools to ransomware victims as a way to minimize the impact of attacks, allowing them to recover their files without having to pay the ransom. Last year, decryptors for BlackCat, Hive and MegaCortex ransomware variants were released. Researchers recommend that users impacted by Tortilla ransomware attacks download the updated decryptor on Avast’s decryptor download page or on the NoMoreRansomware project’s decryptor page.
“The generic Avast Babuk decryptor was already used as the de facto industry standard Babuk decryptor by many affected users and it made perfect sense to be updated with the keys Talos recovered from the Tortilla decryptor,” according to Svajcer. “This way, the users can access programs such as NoMoreRansom to download the single decryptor containing all currently known Babuk keys and do not have to choose between competing decryptors for individual variants.”