Cyber security experts at Cisco Talos and Avast, working alongside law enforcement in the Netherlands, have collaborated to make available a decryptor for the Tortilla variant of the infamous Babuk ransomware, allowing victims compromised by the gang dating back to 2021 to recover their files.
In a joint operation, intelligence supplied to the Dutch police by Talos enabled the force to identify and take into custody the threat actor behind Babuk Tortilla and prosecute them.
Meanwhile, as a result of the sting, Talos researchers were able to get their hands on the private decryption key for Tortilla, which was subsequently shared with Avast Threat Labs, given that the Czechia-based supplier had previously released a de facto industry standard decryptor for Babuk.
This was done by extracting the private key from the decryptor and passing that to Avast, so as to avoid exposing any users to executable code created by the ransomware’s authors.
“The Avast Babuk decryptor is optimised for performance and allows users to recover their files very quickly if the Babuk variant uses one of the known private decryption keys,” wrote Cisco Talos researcher Vanja Svajcer. “The initial decryptor was released in October 2021, and it has been actively supported by Avast Threat Labs’ engineers.
“Its simple user interface allows even users with minimal experience in ransomware recovery to easily understand its usage and purpose,” he said.
The updated decryptor now includes all known private keys, which it is hoped will enable many users to retrieve their data, said Cisco Talos. It’s now available through NoMoreRansom, a joint project between industry, the Dutch National High Tech Crime Unit, and Europol’s European Cybercrime Centre, as well as from Avast itself.
According to Svajcer, the decryptor obtained by Talos was most likely created from a leak of Babuk’s source code and generator that occurred in late 2021. This leak may have begun with a disgruntled insider.
The Babuk ransomware family had initially emerged earlier that same year, and gained rapid notoriety thanks to a series of high-profile cyber attacks.
The locker itself can be compiled for several different hardware and software platforms, with the most commonly observed versions targeting Microsoft Windows and ARM for Linux.
Described by Svajcer as “nefarious by its nature”, the locker interrupts system backup processes and deletes volume shadow copies when it encrypts the victim’s system.
The leak saw the ransomware’s source code become more widely used in the cyber criminal underground, and many other operations have been observed using and building upon it. Svajcer said recent analysis had found 10 different threat actors using some variant of the locker in the wild.
Some notable descendants include strains such as Nokoyawa, which exploited a Windows Common Log File System zero-day; ESXiArgs, which, as its name suggests, targeted VMware hypervisors; and Rorschach, a hodgepodge taking inspiration from many different ransomware families, which mystified researchers when it first emerged in April 2023.