A new decryptor key has been created for victims of the Babuk Tortilla ransomware variant, Cisco Talos has confirmed.
These keys will be added to a generic Babuk decryptor previously created by Avast Threat Labs. This will enable users to download the single decryptor containing all currently known Babuk keys.
Targeting Babuk Ransomware Variations
Babuk ransomware first came into prominence in 2021 and was behind multiple high-profile attacks on industries including manufacturing and law enforcement.
The ransomware strain is highly sophisticated, compiled for several hardware and software platforms, with Windows and ARM for Linux the most commonly used versions.
While it encrypts the victim’s machine, Babuk is also able to interrupt the system backup process and delete the volume shadow copies, making recovery more difficult.
Babuk’s source code was leaked in an underground forum in September 2021, enabling multiple threat actors to develop variations of the strain.
Cisco set out ransomware families that have leveraged Babuk:
- Rook – December 2021
- Night Sky – January 2022
- Pandora – March 2022
- Nokoyawa Cheerscrypt – May 2022
- AstraLocker 2.0 – June 2022
- ESXiArgs – February 2023
- Rorschach RTM Locker RA Group – April 2023
This included a threat actor known as Tortilla. Cisco Talos first observed Tortilla targeting vulnerable Microsoft Exchange servers and attempting to exploit the ProxyShell vulnerability to deploy the Babuk ransomware in victims’ environments in October 2021.
In a subsequent law enforcement investigation, Dutch Police, using intelligence from Cisco Talos, were able to discover and apprehend the actor behind the Tortilla malware.
During this operation, Talos obtained the decryptor used by Tortilla and shared the recovered decryption key with Avast Threat Labs.
Avast had already developed a generic decryptor for several other Babuk variants.
Talos believes this decryptor was created from the leaked Babuk source code and the generator. While attackers can generate different public/private key pairs per campaign, the Tortilla actor used a single key pair to attack all its victims.
The firm said it took the decision to extract the private key from the decryptor and add it to the list of keys supported by the Avast Babuk decryptor rather than share any executable code created by Tortilla. This is because it may expose production environments to untrusted code.
How Can Victims Recover Encrypted Files
Victims of Tortilla ransomware attacks can now download the updated version of the Babuk decryptor from the NoMoreRansom decryptors page or the Avast decryptors download page.
This decryptor is designed to enable users to recover their files very quickly and easily.
“Its simple user interface allows even users with minimal experience in ransomware recovery to easily understand its usage and purpose,” Talos wrote in a blog on January 9, 2024.
A number of decryptors have been released recently to help victims of prolific ransomware gangs.
This includes Security Research Labs published tools to enable the recovery of files encrypted by Black Basta ransomware, while the FBI announced in December 2023 that it had developed a decryption tool for the notorious BlackCat group, following law enforcement action.