New decryptor for Babuk Tortilla ransomware variant released

Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor.
Cisco Talos shared the key with our peers at Avast for inclusion in the Avast Babuk decryptor released in 2021.
The decryptor includes all known private keys, allowing many users to recover their files once encrypted by different Babuk ransomware variants.
In cooperation with Dutch Police and Avast, Cisco Talos recovered a decryptor for encrypted files from systems affected by the Babuk ransomware variant known as Tortilla.
During the Amsterdam Police operation, Talos obtained and analyzed the decryptor, recovered the decryption key and shared the key with engineers from Avast Threat Labs in charge of development and maintenance of the decryptor for several other Babuk variants.
The generic Avast Babuk decryptor was already used as the de facto industry standard Babuk decryptor by many affected users and it made perfect sense to be updated with the keys Talos recovered from the Tortilla decryptor.
This way, the users can access programs such as NoMoreRansom to download the single decryptor containing all currently known Babuk keys and do not have to choose between competing decryptors for individual variants.
Babuk source code is used as a basis of many ransomware variants.
Babuk ransomware emerged in 2021, gaining notoriety for its high-profile attacks on targeted industries, especially those in healthcare, manufacturing, logistics and public services, including critical infrastructure.
Babuk ransomware is nefarious by its nature and while it encrypts the victim's machine, it interrupts the system backup process and deletes the volume shadow copies.
The source code of the Babuk ransomware leaked in an underground forum in September 2021 by an alleged insider, opening the door for other cybercriminals to utilize and potentially enhance the ransomware and increase the threat level for businesses and organizations worldwide.
Talos recently analyzed the operations of the RA ransomware group and other groups basing their ransomware on the leaked Babuk source code, documenting 10 different actors using it.
Cisco Talos discovered a Tortilla campaign in our product telemetry on Oct. 12, 2021, targeting vulnerable Microsoft Exchange servers and attempting to exploit the ProxyShell vulnerability to deploy the Babuk ransomware in the victim's environment.
Babuk Tortilla decryptor is a standard decryptor provided by the threat actor.
The Babuk Tortilla decryptor obtained by Cisco Talos was likely created from the leaked Babuk source code and the generator.
This allows the specific decryptor to recognize the fact that a file is encrypted and decrypt the symmetric key using the private key embedded in the body of the specially crafted decryptor tool created by the threat actor.
The approach we took was to extract the private key from the decryptor and add the key to the list of keys supported by the Avast Babuk decryptor.
The Avast Babuk decryptor is optimized for performance and allows users to recover their files very quickly if the Babuk variant uses one of the known private decryption keys.
The initial decryptor was released in October 2021, and it has been actively supported by Avast Threat Labs' engineers.
Users affected by Tortilla ransomware operations can download the updated version of the Babuk decryptor from the NoMoreRansom decryptors page or the Avast decryptors download page.


This Cyber News was published on blog.talosintelligence.com. Publication date: Tue, 09 Jan 2024 09:13:05 +0000


Cyber News related to New decryptor for Babuk Tortilla ransomware variant released

New decryptor for Babuk Tortilla ransomware variant released - Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor. Cisco Talos shared the key with our peers at ...
11 months ago Blog.talosintelligence.com
New Decryption Key Available for Babuk Tortilla Ransomware Victims - A new decryptor key has been created for victims of the Babuk Tortilla ransomware variant, Cisco Talos has confirmed. These keys will be added to a generic Babuk decryptor previously created by Avast Threat Labs. This will enable users to download ...
11 months ago Infosecurity-magazine.com
Babuk ransomware decryptor updated with Tortilla support The Register - Security researchers have put out an updated decryptor for the Babuk ransomware family, providing a free solution for victims of the Tortilla variant. A collaboration between Cisco Talos, Avast, and the Netherlands police led to the development of ...
11 months ago Go.theregister.com
Decryptor for Babuk ransomware variant released after hacker arrested - Researchers from Cisco Talos working with the Dutch police obtained a decryption tool for the Tortilla variant of Babuk ransomware and shared intelligence that led to the arrest of the ransomware's operator. Tortilla is a Babuk ransomware variant ...
11 months ago Bleepingcomputer.com
Babuk Ransomware Decryptor Updated to Recover Files Infected - Hackers use ransomware to encrypt victims' files and render them inaccessible until a ransom is paid. This forces the victims to pay a ransom to regain access to compromised systems and data. This tactic leads to financial gains for the threat ...
11 months ago Cybersecuritynews.com
CVE-2021-41769 - A vulnerability has been identified in SIPROTEC 5 6MD85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 6MD86 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 6MD89 devices (CPU variant CP300) (All versions < ...
2 years ago
CVE-2018-0688 - Open redirect vulnerability in SEIKO EPSON printers and scanners (DS-570W firmware versions released prior to 2018 March 13, DS-780N firmware versions released prior to 2018 March 13, EP-10VA firmware versions released prior to 2017 September 4, ...
5 years ago
CVE-2018-0689 - HTTP header injection vulnerability in SEIKO EPSON printers and scanners (DS-570W firmware versions released prior to 2018 March 13, DS-780N firmware versions released prior to 2018 March 13, EP-10VA firmware versions released prior to 2017 September ...
5 years ago
Targeting homeowners' data - As these companies obtain a large amount of sensitive information from their customers, they become attractive targets for ransomware gangs to conduct double-extortion attacks. Finland is also warning of Akira ransomware increasingly targeting ...
11 months ago Bleepingcomputer.com
Online ransomware decryptor helps recover partially encrypted files - CyberArk has created an online version of 'White Phoenix,' an open-source ransomware decryptor targeting operations using intermittent encryption. The company announced today that although the tool was already freely available through GitHub as a ...
10 months ago Bleepingcomputer.com
What to do with that fancy new internet-connected device you got as a holiday gift - This sent me down a path of reconfiguring my home network and re-adding a bunch of devices to a new network. Even though this sounds like a totally basic skill for anyone who works in cybersecurity, it was a big deal for me to set up a separate ...
11 months ago Blog.talosintelligence.com
The Week in Ransomware - With it being the first week of the New Year and some still away on vacation, it has been slow with ransomware news, attacks, and new information. Last weekend, BleepingComputer tested a new decryptor for the Black Basta ransomware to show how it ...
11 months ago Bleepingcomputer.com
New Black Basta decryptor exploits ransomware flaw to recover files - Researchers have created a decryptor that exploits a flaw in Black Basta ransomware, allowing victims to recover their files for free. The decryptor allows Black Basta victims from November 2022 to this month to potentially recover their files for ...
11 months ago Bleepingcomputer.com
The Week in Ransomware - Attacks on hospitals continued this week, with ransomware operations disrupting patient care as they force organization to respond to cyberattacks. While many, like LockBit, claim to have policies in place to avoid encryping hospitals, we continue to ...
10 months ago Bleepingcomputer.com
Free BianLian Ransomware Decryptor: A Complete Guide - With the recent emergence of ransomware attacks targeting organizations around the world, it has become increasingly important to have the latest security solutions in place in order to combat such threats. One of the most notable ransomware threats ...
1 year ago Securityaffairs.com
Black Basta Buster Utilizes Ransomware Flaw to Recover Files - Security research and consulting firm SRLabs exploited a vulnerability in the encryption algorithm of a specific strain of Black Basta ransomware to develop and release a decryptor tool named Black Basta Buster. This tool, released in response to the ...
11 months ago Heimdalsecurity.com
'Black Basta Buster' Exploits Ransomware Bug for File Recovery - Researchers have exploited a weakness in a particular strain of the Black Basta ransomware to release a decryptor for the malware, but it doesn't recover all of the files encrypted by the prolific cybercriminal gang. Security research and consulting ...
11 months ago Darkreading.com
Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
11 months ago Feeds.fortinet.com
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
1 year ago Heimdalsecurity.com
Waiting for the BlackCat rebrand - We saw another ransomware operation shut down this week after first getting breached by law enforcement and then targeting critical infrastructure, putting them further in the spotlight of the US government. While the Tor onion domain seizure was a ...
9 months ago Bleepingcomputer.com
The Week in Ransomware - Governments struck back this week against members of ransomware operations, imposing sanctions on one threat actor and sentencing another to prison. On Tuesday, the Australian, US, and UK governments announced sanctions against Aleksandr Gennadievich ...
10 months ago Bleepingcomputer.com
Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
11 months ago Unit42.paloaltonetworks.com
The Week in Ransomware - This week was pretty quiet on the ransomware front, with most of the attention on the seizure of the BreachForums data theft forum. That does not mean there was nothing of interest released this week about ransomware. A report by CISA said that the ...
7 months ago Bleepingcomputer.com
LockBit targets hospitals - We did not see much research released on ransomware this week, with most of the news focusing on new attacks and LockBit affiliates increasingly targeting hospitals. These attacks include ones against Yakult Australia and the Ohio Lottery by the new ...
11 months ago Bleepingcomputer.com
VX-Underground malware collective framed by Phobos ransomware - A new Phobos ransomware variant frames the popular VX-Underground malware-sharing collective, indicating the group is behind attacks using the encryptor. Phobos launched in 2018 in what is believed to be a ransomware-as-a-service derived from the ...
1 year ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)