Amsterdam arrest leads to Babuk Tortilla ransomware decryptor
A joint effort by Cisco Talos, Avast and Dutch law enforcement results in an all-encompassing Babuk ransomware recovery key and the arrest of a threat actor.
Following the arrest of an unnamed threat actor in the Netherlands, Cisco Talos procured a Babuk Tortilla decryptor to help victims recover from a wider variety of Babuk ransomware strains.
In a blog post Tuesday, Cisco Talos researcher Vanja Svajcer revealed that the threat intelligence vendor collaborated with the Dutch National Police and Avast Threat Labs to help organizations whose files were encrypted by the Babuk ransomware variant referred to as "Tortilla." The Tortilla decryptor is an update to the generic one Avast released in 2021, which was built from leaked Babuk source code that included private keys.
Cisco assessed that the Babuk Tortilla decryptor it obtained following an Amsterdam police operation was "likely" also created with leaked source code. However, a decryptor wasn't the only significant result of the operation.
"Dutch Police used the intelligence provided by Talos to discover and apprehend the actor behind this malware," Svajcer wrote in the blog post.
After Cisco analyzed code obtained during the sting and discovered the Tortilla decryptor, it shared the information with Avast, which updated its previous Babuk decryptor. Now, all currently known Babuk keys are stored in one place: affected users can download a single decryptor from programs such as the government-backed No More Ransom Project, which could save time during the recovery process.
To leverage Babuk Tortilla, Svajcer said threat actors must generate a public-private encryption key pair from the ransomware toolkit. While a fresh key pair can be generated for each campaign, Cisco Talos discovered that a single key pair was used in all Tortilla attacks, which is a win for defenders: one private key can recover files from every Tortilla attack.
During analysis, Cisco Talos also observed that the decryptor supplied by the threat actor was inefficient compared with Avast's tool, which Svajcer said gives affected users a faster recovery.
"The decryption process used by the original decryptor is rather slow due to the inefficiency of the routine used to traverse the file system. Although the decryptor supplied by the threat actor works, Cisco Talos made the decision to not share any executable code created by the threat actor, as it may expose production environments to untrusted code," Svajcer wrote.
Instead, Cisco Talos extracted the private key from the Tortilla decryptor and shared it with Avast, which added the key to its own decryptor.
Cisco listed seven ransomware families that have leveraged Babuk source code since its emergence on the threat landscape in 2021. One particularly dangerous instance occurred last February. Using leaked Babuk source code, cybercriminals targeted VMware ESXi servers in a widespread ransomware campaign known as ESXiArgs.
Cisco Talos first discovered the use of Babuk Tortilla ransomware during a campaign in October 2021. Ransomware actors attempted to exploit the infamous ProxyShell vulnerability in Microsoft Exchange servers to deploy the Babuk variant. Svajcer also noted that Babuk ransomware was used in attacks against organizations in healthcare, manufacturing and critical infrastructure.
The successful joint operation signifies an important step during a tumultuous time for ransomware victims. Cybersecurity companies and threat analysts recorded historic highs for the number of ransomware attacks throughout 2023, putting more pressure on governments and law enforcement agencies to respond to the growing threat.
Arielle Waldman is a Boston-based reporter covering enterprise security news.