Cisco Talos researchers discover decryption key for Tortilla ransomware

Brother
All affected users can restore their data without paying a ransom.

Researchers from Cisco Talos, working with the Dutch police, have made significant progress against cybercrime by enabling decryption of a Babuk ransomware variant known as Tortilla.

This was made possible by the capture of the decryption tool that the operator of this ransomware previously handed to victims who agreed to pay. The seizure of the tool apparently took place shortly after the arrest of the Tortilla operator, who lives in Amsterdam.

"Tortilla" appeared shortly after the source code of the original Babuk ransomware was leaked on a hacker forum. The author of this variant actively attacked Microsoft Exchange servers, exploiting the ProxyShell vulnerabilities to deploy the ransomware.

Although Avast had released its Babuk decryption tool a month before Tortilla appeared, it proved ineffective against the new variant because Tortilla used a different private key.

Talos researchers found that the ransomware executable contained a single public/private key pair that was used in all attacks. After extracting the key, they passed it to Avast so that the Babuk decryptor could be updated.

Avast has already added the Tortilla decryption key to its universal Babuk decryption tool, which also contains the fourteen ECDH-25519 keys obtained from the 2021 source code leak. Tortilla victims can now recover their data for free using the Avast decryptor.

Cisco Talos emphasizes that "Tortilla" is not the only operation that has used the Babuk code to encrypt victims' data. Since December 2021, seven other malicious operations built on this code have already appeared: Rook, Night Sky, Pandora, Nokoyawa, Cheerscrypt, AstraLocker 2.0, ESXiArgs, Rorschach, RTM Locker, and RA Group.