Decryptor for Babuk Tortilla ransomware variant released

Security researchers at Cisco Talos and Avast, in cooperation with the Dutch police, have released an updated decryptor for the Babuk ransomware family to help victims of the Tortilla variant restore their encrypted files without paying a ransom.

The Talos team said they obtained executable code capable of decrypting files affected by the Babuk Tortilla variant following the arrest of the threat actor behind the Tortilla operation. Analysis of that decryptor allowed the researchers to recover the private decryption key and add it to the Avast Babuk decryptor, first released in 2021.

“Dutch Police used the intelligence provided by Talos to discover and apprehend the actor behind this malware. During the Amsterdam Police operation, Talos obtained and analyzed the decryptor, recovered the decryption key and shared the key with engineers from Avast Threat Labs in charge of development and maintenance of the decryptor for several other Babuk variants,” Cisco Talos said.

Babuk ransomware emerged in 2021 and gained notoriety for high-profile attacks on organizations in healthcare, manufacturing, logistics and public services, as well as critical infrastructure. Babuk's source code was leaked on an underground forum in September 2021 by an alleged insider, and since then it has served as the basis for many ransomware variants, including Rook, Night Sky, Pandora, Nokoyawa, Cheerscrypt, AstraLocker 2.0, ESXiArgs, Rorschach, RTM Locker and RA Group.

Tortilla is a Babuk ransomware variant that emerged in the wild in 2021. The campaign targeted unpatched Microsoft Exchange servers and attempted to exploit the ProxyShell vulnerability (CVE-2021-34473, the server-side request forgery bug that opens the ProxyShell chain, which also uses CVE-2021-34523 and CVE-2021-31207) to gain initial access and deploy the Babuk payload. Exchange servers with the 2021 security updates that fix ProxyShell applied are not exposed to this initial-access vector, although victims already encrypted by Tortilla still need the decryptor to recover their data.

The updated decryptor is available for download from Avast or from the No More Ransom initiative, which currently offers over a hundred free tools covering more than 160 ransomware variants.

