Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor.
Cisco Talos shared the key with our peers at Avast for inclusion in the Avast Babuk decryptor released in 2021.
The decryptor includes all known private keys, allowing many users to recover their files once encrypted by different Babuk ransomware variants.
In cooperation with Dutch Police and Avast, Cisco Talos recovered a decryptor for encrypted files from systems affected by the Babuk ransomware variant known as Tortilla.
During the Amsterdam Police operation, Talos obtained and analyzed the decryptor, recovered the decryption key and shared the key with engineers from Avast Threat Labs in charge of development and maintenance of the decryptor for several other Babuk variants.
The generic Avast Babuk decryptor was already the de facto industry-standard Babuk decryptor for many affected users, so it made sense to update it with the keys Talos recovered from the Tortilla decryptor.
This way, users can go to programs such as NoMoreRansom and download a single decryptor containing all currently known Babuk keys, rather than having to choose between competing decryptors for individual variants.
Babuk source code is used as a basis of many ransomware variants.
Babuk ransomware emerged in 2021, gaining notoriety for its high-profile attacks on targeted industries, especially those in healthcare, manufacturing, logistics and public services, including critical infrastructure.
Babuk ransomware is particularly destructive: while encrypting the victim's machine, it also interrupts the system backup process and deletes the volume shadow copies, removing the easiest local recovery path.
The Babuk source code was leaked on an underground forum in September 2021 by an alleged insider, opening the door for other cybercriminals to reuse and potentially enhance the ransomware and raising the threat level for businesses and organizations worldwide.
Talos recently analyzed the operations of the RA ransomware group and other groups basing their ransomware on the leaked Babuk source code, documenting 10 different actors using it.
Cisco Talos discovered a Tortilla campaign in our product telemetry on Oct. 12, 2021, targeting vulnerable Microsoft Exchange servers and attempting to exploit the ProxyShell vulnerability to deploy the Babuk ransomware in the victim's environment.
Babuk Tortilla decryptor is a standard decryptor provided by the threat actor.
The Babuk Tortilla decryptor obtained by Cisco Talos was likely created from the leaked Babuk source code and the generator.
This allows the variant-specific decryptor to recognize that a file is encrypted and to decrypt the file's symmetric key using the private key embedded in the body of the specially crafted decryptor tool created by the threat actor.
The approach we took was to extract the private key from the decryptor and add the key to the list of keys supported by the Avast Babuk decryptor.
The Avast Babuk decryptor is optimized for performance and allows users to recover their files very quickly if the Babuk variant uses one of the known private decryption keys.
The initial decryptor was released in October 2021, and it has been actively supported by Avast Threat Labs' engineers.
Users affected by Tortilla ransomware operations can download the updated version of the Babuk decryptor from the NoMoreRansom decryptors page or the Avast decryptors download page.
This Cyber News was published on blog.talosintelligence.com. Publication date: Tue, 09 Jan 2024 09:13:05 +0000