A new decryptor key has been created for victims of the Babuk Tortilla ransomware variant, Cisco Talos has confirmed.
These keys will be added to a generic Babuk decryptor previously created by Avast Threat Labs.
This will enable users to download the single decryptor containing all currently known Babuk keys.
Babuk ransomware first came into prominence in 2021 and was behind multiple high-profile attacks on industries including manufacturing and law enforcement.
The ransomware strain is highly sophisticated, compiled for several hardware and software platforms, with Windows and ARM for Linux the most commonly used versions.
While it encrypts the victim's machine, Babuk is also able to interrupt the system backup process and delete the volume shadow copies, making recovery more difficult.
Babuk's source code was leaked in an underground forum in September 2021, enabling multiple threat actors to develop variations of the strain.
Cisco Talos first observed Tortilla targeting vulnerable Microsoft Exchange servers and attempting to exploit the ProxyShell vulnerability to deploy the Babuk ransomware in victims' environments in October 2021.
In a subsequent law enforcement investigation, Dutch Police, using intelligence from Cisco Talos, were able to discover and apprehend the actor behind the Tortilla malware.
During this operation, Talos obtained the decryptor used by Tortilla and shared the recovered decryption key with Avast Threat Labs.
Avast had already developed a generic decryptor for several other Babuk variants.
Talos believes this decryptor was created from the leaked Babuk source code and the generator.
While attackers can generate different public/private key pairs per campaign, the Tortilla actor used a single key pair to attack all its victims.
The firm said it took the decision to extract the private key from the decryptor and add it to the list of keys supported by the Avast Babuk decryptor rather than share any executable code created by Tortilla.
This is because it may expose production environments to untrusted code.
Victims of Tortilla ransomware attacks can now download the updated version of the Babuk decryptor from the NoMoreRansom decryptors page or the Avast decryptors download page.
This decryptor is designed to enable users to recover their files very quickly and easily.
A number of decryptors have been released recently to help victims of prolific ransomware gangs.
This includes Security Research Labs published tools to enable the recovery of files encrypted by Black Basta ransomware, while the FBI announced in December 2023 that it had developed a decryption tool for the notorious BlackCat group, following law enforcement action.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Tue, 09 Jan 2024 12:30:22 +0000