Babuk ransomware decryptor updated with Tortilla support The Register

Security researchers have put out an updated decryptor for the Babuk ransomware family, providing a free solution for victims of the Tortilla variant.
A collaboration between Cisco Talos, Avast, and the Netherlands police led to the development of the new decryptor and the arrest of the criminals behind the variant.
According to Cisco Talos, the Amsterdam police force arrested the individual behind Babuk Tortilla, and the Dutch Public Prosecution Office prosecuted them, although neither institution has published information about the case or responded to The Register's request for details.
Cisco Talos said it obtained the Babuk Tortilla decryptor and shared it with Avast, which already hosts the industry's go-to generic Babuk decryptor, now updated to support Tortilla victims.
The infosec arm of the networking giant didn't mention how it came to possess the decryptor, but said it was likely developed based on the Babuk source code leak from 2021 - the same leak that helped researchers develop the generic decryptor in the same year.
Analysis of the decryptor, now freely available online, revealed that the operator of the Tortilla variant decided against using a unique private/public key pairing for each victim, instead using the same in every attack.
Rather than simply releasing the decryption software obtained by Cisco Talos to the world, the decision was made to extract the private key and add it to the list of keys supported by the existing decryptor.
Simply releasing the decryptor may have exposed organizations to untrusted code, said Vanja Svajcer, outreach researcher at Cisco Talos.
The obtained decryption software is also slow and less efficient than Avast's decryptor, we're told, because of the way in which it traverses the file system.
Organizations can download the updated decryptor from Avast or the Europol-run No More Ransom project, which also hosts a plethora of decryptors for other ransomware families.
Babuk is responsible for attacks on the healthcare and manufacturing sectors, as well as critical infrastructure, and its 2021 source code leak led to the emergence of various other ransomware families, all based on leaked Babuk code.
It's believed that at least ten other ransomware groups had taken Babuk's code and used it to create spinoff families including Nokoyawa, AstraLocker 2.0, ESXiArgs, Team Daixin, and HelloXD, among others.
The Tortilla variant, released in 2021, initially targeted Microsoft Exchange servers vulnerable to the ProxyShell exploit.
Avast's analysis of the Tortilla ransom note revealed that it uses AES-256 encryption and a ChaCha8 cipher to lock up victims' files before demanding payment in Monero - a privacy-focused token that's more difficult to trace than Bitcoin.
The note seen by Avast requested a payment of just $10,000 - a sum that pales in comparison to the current average bad guy's demand - although reports elsewhere have seen demands from the group significantly higher, but still well below today's norms.


This Cyber News was published on go.theregister.com. Publication date: Tue, 09 Jan 2024 14:13:31 +0000


Cyber News related to Babuk ransomware decryptor updated with Tortilla support The Register

New decryptor for Babuk Tortilla ransomware variant released - Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor. Cisco Talos shared the key with our peers at ...
9 months ago Blog.talosintelligence.com
Babuk ransomware decryptor updated with Tortilla support The Register - Security researchers have put out an updated decryptor for the Babuk ransomware family, providing a free solution for victims of the Tortilla variant. A collaboration between Cisco Talos, Avast, and the Netherlands police led to the development of ...
9 months ago Go.theregister.com
New Decryption Key Available for Babuk Tortilla Ransomware Victims - A new decryptor key has been created for victims of the Babuk Tortilla ransomware variant, Cisco Talos has confirmed. These keys will be added to a generic Babuk decryptor previously created by Avast Threat Labs. This will enable users to download ...
9 months ago Infosecurity-magazine.com
Decryptor for Babuk ransomware variant released after hacker arrested - Researchers from Cisco Talos working with the Dutch police obtained a decryption tool for the Tortilla variant of Babuk ransomware and shared intelligence that led to the arrest of the ransomware's operator. Tortilla is a Babuk ransomware variant ...
9 months ago Bleepingcomputer.com
Babuk Ransomware Decryptor Updated to Recover Files Infected - Hackers use ransomware to encrypt victims' files and render them inaccessible until a ransom is paid. This forces the victims to pay a ransom to regain access to compromised systems and data. This tactic leads to financial gains for the threat ...
9 months ago Cybersecuritynews.com
Online ransomware decryptor helps recover partially encrypted files - CyberArk has created an online version of 'White Phoenix,' an open-source ransomware decryptor targeting operations using intermittent encryption. The company announced today that although the tool was already freely available through GitHub as a ...
9 months ago Bleepingcomputer.com
Targeting homeowners' data - As these companies obtain a large amount of sensitive information from their customers, they become attractive targets for ransomware gangs to conduct double-extortion attacks. Finland is also warning of Akira ransomware increasingly targeting ...
9 months ago Bleepingcomputer.com
Free BianLian Ransomware Decryptor: A Complete Guide - With the recent emergence of ransomware attacks targeting organizations around the world, it has become increasingly important to have the latest security solutions in place in order to combat such threats. One of the most notable ransomware threats ...
1 year ago Securityaffairs.com
New Black Basta decryptor exploits ransomware flaw to recover files - Researchers have created a decryptor that exploits a flaw in Black Basta ransomware, allowing victims to recover their files for free. The decryptor allows Black Basta victims from November 2022 to this month to potentially recover their files for ...
10 months ago Bleepingcomputer.com
What to do with that fancy new internet-connected device you got as a holiday gift - This sent me down a path of reconfiguring my home network and re-adding a bunch of devices to a new network. Even though this sounds like a totally basic skill for anyone who works in cybersecurity, it was a big deal for me to set up a separate ...
9 months ago Blog.talosintelligence.com
'Black Basta Buster' Exploits Ransomware Bug for File Recovery - Researchers have exploited a weakness in a particular strain of the Black Basta ransomware to release a decryptor for the malware, but it doesn't recover all of the files encrypted by the prolific cybercriminal gang. Security research and consulting ...
10 months ago Darkreading.com
The Week in Ransomware - With it being the first week of the New Year and some still away on vacation, it has been slow with ransomware news, attacks, and new information. Last weekend, BleepingComputer tested a new decryptor for the Black Basta ransomware to show how it ...
10 months ago Bleepingcomputer.com
CVE-2007-2850 - The Session Reliability Service (XTE) in Citrix MetaFrame Presentation Server 3.0, Presentation Server 4.0, and Access Essentials 1.0 and 1.5, allows remote attackers to bypass network security policies and connect to arbitrary TCP ports via a ...
7 years ago
Black Basta Buster Utilizes Ransomware Flaw to Recover Files - Security research and consulting firm SRLabs exploited a vulnerability in the encryption algorithm of a specific strain of Black Basta ransomware to develop and release a decryptor tool named Black Basta Buster. This tool, released in response to the ...
10 months ago Heimdalsecurity.com
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
1 year ago Heimdalsecurity.com
Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
10 months ago Feeds.fortinet.com
Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
9 months ago Unit42.paloaltonetworks.com
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
9 months ago Securityboulevard.com
The Week in Ransomware - Attacks on hospitals continued this week, with ransomware operations disrupting patient care as they force organization to respond to cyberattacks. While many, like LockBit, claim to have policies in place to avoid encryping hospitals, we continue to ...
9 months ago Bleepingcomputer.com
Waiting for the BlackCat rebrand - We saw another ransomware operation shut down this week after first getting breached by law enforcement and then targeting critical infrastructure, putting them further in the spotlight of the US government. While the Tor onion domain seizure was a ...
7 months ago Bleepingcomputer.com
Ransomware trends and recovery strategies companies should know - Ransomware attacks can have severe consequences, causing financial losses, reputational damage, and operational disruptions. The methods used to deliver ransomware vary, including phishing emails, malicious websites, and exploiting vulnerabilities in ...
10 months ago Helpnetsecurity.com
CVE-2013-0135 - Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) ...
7 years ago
The Week in Ransomware - Earlier this month, the BlackCat/ALPHV ransomware operation suffered a five-day disruption to their Tor data leak and negotiation sites, rumored to be caused by a law enforcement action. The FBI revealed this week that they hacked the BlackCat/ALPHV ...
10 months ago Bleepingcomputer.com
Ransomware in 2023 recap: 5 key takeaways - This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. While some ransomware trends hardly changed over the last year, such as LockBit's continued dominance, ransomware criminals also challenged ...
8 months ago Malwarebytes.com
Declining Ransomware Payments: Shift in Hacker Tactics? - Several cybersecurity advisories and agencies recommend not caving into ransomware gangs' demands and paying their ransoms. It seems the tide is turning, with a decline in ransomware payments; this article explores the trend and what it might mean ...
8 months ago Securityboulevard.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)