Security researchers have put out an updated decryptor for the Babuk ransomware family, providing a free solution for victims of the Tortilla variant.
A collaboration between Cisco Talos, Avast, and the Netherlands police led to the development of the new decryptor and the arrest of the criminals behind the variant.
According to Cisco Talos, the Amsterdam police force arrested the individual behind Babuk Tortilla, and the Dutch Public Prosecution Office prosecuted them, although neither institution has published information about the case or responded to The Register’s request for details.
Cisco Talos said it obtained the Babuk Tortilla decryptor and shared it with Avast, which already hosts the industry’s go-to generic Babuk decryptor, now updated to support Tortilla victims.
The infosec arm of the networking giant didn’t mention how it came to possess the decryptor, but said it was likely developed based on the Babuk source code leak from 2021 – the same leak that helped researchers develop the generic decryptor in the same year.
Analysis of the decryptor, now freely available online, revealed that the operator of the Tortilla variant decided against using a unique private/public key pair for each victim, instead using the same pair in every attack.
Avast said this made the task of updating the generic decryptor to support Tortilla “straightforward,” and that the use of a single private key across all victims means every Tortilla victim can benefit from the decryptor.
Rather than simply releasing the decryption software obtained by Cisco Talos to the world, the decision was made to extract the private key and add it to the list of keys supported by the existing decryptor. Simply releasing the decryptor may have exposed organizations to untrusted code, said Vanja Svajcer, outreach researcher at Cisco Talos.
The obtained decryption software is also slow and less efficient than Avast’s decryptor, we’re told, because of the way in which it traverses the file system.
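To make the two points above concrete (one reused key pair means one recovered private key serves every victim, and a generic decryptor can absorb that key as one more entry in its key list), here is an added example that is not Talos's or Avast's code and does not reproduce Babuk's real file format. It uses a toy hybrid scheme: a per-file symmetric key wrapped to the operator's public key, and a decryptor that walks a list of recovered private keys and uses whichever one unwraps the header. The key pairs, the `FKEY` marker, the `TOYR` header and the HMAC-based keystream are all constructed for illustration and are not secure.

```python
"""Toy hybrid encryption plus a key-list decryptor (constructed example).

Not Babuk, Talos or Avast code. The RSA pairs use Mersenne primes with no
padding and the "cipher" is an HMAC-SHA256 keystream: illustrative only.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAGIC = b"TOYR"        # constructed header tag for the toy blob format
KEY_MARKER = b"FKEY"   # constructed marker prepended to the file key before wrapping


@dataclass(frozen=True)
class KeyPair:
    n: int   # modulus
    e: int   # public exponent (all a victim's machine ever needs)
    d: int   # private exponent (held only by the operator, or a decryptor that recovered it)


def make_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    """Toy RSA key pair from two constructed primes (no padding, not secure)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return KeyPair(n, e, d)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative stream cipher: XOR with an HMAC-SHA256 counter keystream.
    It is symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def wrap_file_key(pub: KeyPair, file_key: bytes) -> int:
    """Encrypt the per-file symmetric key to the operator's public key (uses n and e only)."""
    return pow(int.from_bytes(KEY_MARKER + file_key, "big"), pub.e, pub.n)


def unwrap_file_key(priv: KeyPair, wrapped: int) -> bytes | None:
    """Try one private key; the marker distinguishes a correct unwrap from garbage."""
    m = pow(wrapped, priv.d, priv.n)
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    if len(raw) == len(KEY_MARKER) + 16 and raw.startswith(KEY_MARKER):
        return raw[len(KEY_MARKER):]
    return None


def encrypt_blob(pub: KeyPair, plaintext: bytes) -> bytes:
    """Hybrid encryption: fresh 16-byte file key per file, wrapped to the public key."""
    file_key = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    header = MAGIC + wrap_file_key(pub, file_key).to_bytes(32, "big") + nonce
    return header + keystream_xor(file_key, nonce, plaintext)


def decrypt_with_known_keys(blob: bytes, known_keys: list[KeyPair]) -> tuple[int | None, bytes | None]:
    """Generic decryptor: try each recovered private key, use the first one that unwraps.
    Returns (index of the matching key, plaintext) or (None, None) if no key fits."""
    if not blob.startswith(MAGIC):
        return None, None
    wrapped = int.from_bytes(blob[4:36], "big")
    nonce = blob[36:52]
    ciphertext = blob[52:]
    for idx, priv in enumerate(known_keys):
        file_key = unwrap_file_key(priv, wrapped)
        if file_key is not None:
            return idx, keystream_xor(file_key, nonce, ciphertext)
    return None, None   # unsupported variant: none of the known keys unwraps the header


def run_demo() -> dict[str, bool]:
    """Two victims hit with the same reused pair, one with an unrelated pair."""
    # Constructed operator pair reused across victims, as the article describes for Tortilla.
    reused_pair = make_keypair(2**89 - 1, 2**107 - 1)
    # A different, constructed pair standing in for some other variant.
    other_pair = make_keypair(2**107 - 1, 2**127 - 1)

    victim1 = encrypt_blob(reused_pair, b"victim 1: quarterly report")
    victim2 = encrypt_blob(reused_pair, b"victim 2: patient records")
    unrelated = encrypt_blob(other_pair, b"encrypted under a different key pair")

    # The decryptor's key list after the single extracted private key is added to it.
    supported = [reused_pair]
    _, p1 = decrypt_with_known_keys(victim1, supported)
    _, p2 = decrypt_with_known_keys(victim2, supported)
    _, p3 = decrypt_with_known_keys(unrelated, supported)
    return {
        "victim1_recovered": p1 == b"victim 1: quarterly report",
        "victim2_recovered": p2 == b"victim 2: patient records",
        "unrelated_recovered": p3 is not None,
    }


if __name__ == "__main__":
    print(run_demo())
```

The marker check in `unwrap_file_key` is what lets a key-list decryptor fail safely: a wrong private key yields a random integer rather than a usable file key, so the tool moves on instead of writing garbage over the victim's files. Had the operator generated a fresh pair per victim, every entry in `supported` would recover exactly one victim's files, which is why a single reused pair makes the generic decryptor's job so simple.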
Organizations can download the updated decryptor from Avast or the Europol-run No More Ransom project, which also hosts a plethora of decryptors for other ransomware families.
Babuk’s background
The Babuk ransomware family emerged in 2020 or 2021, depending on which security vendor you ask, and is described as “a highly advanced form of ransomware developed for multiple platforms, such as Windows and Arm for Linux” by SentinelOne.
Babuk is responsible for attacks on the healthcare and manufacturing sectors, as well as critical infrastructure, and its 2021 source code leak led to the emergence of various other ransomware families, all based on leaked Babuk code.
It’s believed that at least ten other ransomware groups have taken Babuk’s code and used it to create spinoff families including Nokoyawa, AstraLocker 2.0, ESXiArgs, Team Daixin, and HelloXD, among others.
The Tortilla variant, released in 2021, initially targeted Microsoft Exchange servers vulnerable to the ProxyShell exploit.
“The actor used a specific infection chain technique where an intermediate unpacking module is hosted on a pastebin.com clone, pastebin.pl,” Svajcer said. “The intermediate unpacking stage was downloaded and decoded in memory before the final payload embedded within the original sample was decrypted and executed.”
Avast’s analysis of the Tortilla ransom note revealed that it uses AES-256 encryption and a ChaCha8 cipher to lock up victims’ files before demanding payment in Monero – a privacy-focused token that’s more difficult to trace than Bitcoin.
The note seen by Avast requested a payment of just $10,000 – a sum that pales in comparison to the current average bad guy’s demand – although other reports have seen significantly higher demands from the group, still well below today’s norms. ®