Researchers from Cisco Talos working with the Dutch police obtained a decryption tool for the Tortilla variant of Babuk ransomware and shared intelligence that led to the arrest of the ransomware's operator.
Tortilla is a Babuk ransomware variant that emerged in the wild shortly after the source code of the original malware leaked on a hacker forum.
The threat actor behind it has been targeting Microsoft Exchange servers with ProxyShell exploits to deploy the data-encrypting malware.
Avast had released a decryptor for Babuk a month before the new variant appeared, but it did not work on files encrypted by Tortilla because the variant used a different private key.
Today, Cisco Talos announced that, in cooperation with the Dutch police, it obtained the decryptor that the Tortilla ransomware operator provided to victims who paid the ransom.
Acting on threat intelligence from Cisco Talos, law enforcement authorities were able to identify the threat actor behind the Tortilla ransomware operation and arrest them in Amsterdam.
According to the researchers, the executable contained a single public/private key pair that was used in all attacks.
After extracting the key, the analysts shared it with Avast to update their Babuk decryptor.
Avast added the Tortilla decryption key to the Babuk decryptor's fourteen ECDH-25519 keys that were obtained from the 2021 source code leak.
Victims of the Babuk variant can download Avast's generic decryption tool for free from here.
Cisco Talos notes that Tortilla is not the only operation that used Babuk ransomware code to encrypt victims.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 09 Jan 2024 16:55:24 +0000