January 9, 2024 at 11:47AM
Researchers from Cisco Talos and the Dutch police obtained a decryption tool for the Tortilla variant of Babuk ransomware, leading to the arrest of the operator. This variant emerged after the original malware leaked. The threat actor targeted Microsoft Exchange servers using ProxyShell exploits. Avast released a decrypter for Babuk but it didn’t work for Tortilla encryption. Cisco Talos and Dutch police’s collaboration led to the operator’s arrest in Amsterdam. The key extracted was shared with Avast to update their decryptor. Cisco Talos highlighted that Tortilla is not the only operation using Babuk ransomware code.
Key takeaways from the meeting notes are as follows:
– Researchers from Cisco Talos and Dutch police obtained a decryption tool for the Tortilla variant of Babuk ransomware, leading to the arrest of the ransomware’s operator.
– Tortilla is a variant of the Babuk ransomware that emerged after the original malware’s source code leaked on a hacker forum.
– The threat actor behind Tortilla targeted Microsoft Exchange servers with ProxyShell exploits to deploy the data-encrypting malware.
– Avast released a decrypter for Babuk, but it did not work for Tortilla encryption due to a different private key.
– Cisco Talos and Dutch police obtained a decryptor provided by the Tortilla ransomware operator to victims who paid the ransom, leading to the arrest of the threat actor in Amsterdam.
– Researchers extracted a public/private key pair from the executable used in all attacks and shared it with Avast to update their Babuk decryptor.
– Avast added the Tortilla decryption key to their Babuk decryptor’s fourteen ECDH-25519 keys obtained from the 2021 source code leak.
– Cisco Talos noted that Tortilla is not the only operation using Babuk ransomware code, with seven other operations emerging since December 2021: Rook, Night Sky, Pandora, Nokoyawa, Cheerscrypt, AstraLocker 2.0, ESXiArgs, Rorschach, RTM Locker, and the RA Group.
– Victims of the Babuk variant can download Avast’s generic decryption tool for free.
These takeaways illustrate the collaboration between Cisco Talos, Dutch police, and Avast in addressing the Babuk ransomware threat and its variants, as well as the broader impact of Babuk-related operations on victims.
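The takeaways above describe a decryptor that holds a set of recovered ECDH-25519 private keys (fourteen from the leak plus the one extracted from the Tortilla executable) and must find the one matching a given victim's files. The following is an added example illustrating that recovery logic; it is not code from Cisco Talos, Avast or the Babuk/Tortilla samples. The X25519 implementation follows RFC 7748, but the file layout (ephemeral public key, check tag, ciphertext), the SHA-256 key derivation and the hash-based stream cipher are constructed placeholders that do not reflect Babuk's real format.

```python
"""Added example (not Talos, Avast or Babuk code): a generic decryptor that
tries every recovered operator private key against the ephemeral public key
stored in an encrypted file. File layout and cipher are constructed."""
import hashlib
import os

# --- X25519 (RFC 7748 Montgomery ladder), pure Python so it runs offline ---
P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Scalar multiplication on Curve25519; returns the 32-byte u-coordinate."""
    k = _clamp(scalar)
    u = bytearray(u_bytes)
    u[31] &= 127  # mask the unused top bit of the encoded coordinate
    x1 = int.from_bytes(u, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(priv=None):
    """Return (private, public); a fixed private scalar gives a reproducible pair."""
    priv = priv or os.urandom(32)
    return priv, x25519(priv, BASE_POINT)


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Constructed stand-in for the real stream cipher: SHA-256 counter blocks.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "little")).digest()
        out.extend(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def lock_file(plaintext: bytes, operator_pub: bytes) -> bytes:
    """Constructed file format: ephemeral pub (32) | check tag (16) | ciphertext."""
    eph_priv, eph_pub = keypair()
    key = hashlib.sha256(x25519(eph_priv, operator_pub)).digest()
    tag = hashlib.sha256(key + b"check").digest()[:16]
    return eph_pub + tag + _keystream_xor(key, plaintext)


def unlock_file(blob: bytes, candidate_privs):
    """Try each recovered operator private key; return (index, plaintext) or (None, None)."""
    eph_pub, tag, ct = blob[:32], blob[32:48], blob[48:]
    for idx, priv in enumerate(candidate_privs):
        # ECDH: operator_priv * eph_pub == eph_priv * operator_pub
        key = hashlib.sha256(x25519(priv, eph_pub)).digest()
        if hashlib.sha256(key + b"check").digest()[:16] == tag:
            return idx, _keystream_xor(key, ct)
    return None, None


def demo():
    # Constructed: fourteen "leaked" operator keys plus one extracted key whose
    # public half was embedded in the sample; the decryptor tries all of them.
    leaked = [keypair(bytes([i + 1]) * 32) for i in range(14)]
    extracted_priv, extracted_pub = keypair(b"\x55" * 32)
    blob = lock_file(b"quarterly-report.xlsx contents", extracted_pub)
    miss, _ = unlock_file(blob, [p for p, _ in leaked])          # None
    hit, pt = unlock_file(blob, [p for p, _ in leaked] + [extracted_priv])
    return miss, hit, pt
```

Because the check tag identifies the matching key before any bulk decryption, adding a newly extracted key to the candidate list (as Avast did with the Tortilla key) costs one X25519 operation per file rather than a full trial decryption.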