Cisco Talos Researchers Find Decryption Key for Tortilla Ransomware

Experts from the Cisco Talos division, in collaboration with the Dutch police, have made significant progress in the fight against cybercrime. They have seized the decryption tool that the operator of the ransomware known as Tortilla previously provided to victims who agreed to pay the ransom. The tool was captured shortly after the arrest of the operator, who was residing in Amsterdam.

Tortilla emerged after the source code of the original Babuk ransomware was leaked on a hacker forum. The creator of this variant actively targeted Microsoft Exchange servers, exploiting the ProxyShell vulnerabilities to deploy the data-encrypting malware.

Although Avast had released a Babuk decryption tool before Tortilla appeared, it proved ineffective against this new variant because Tortilla used a different private key.

Talos researchers discovered that the ransomware executable contained a single public/private key pair that was used in all of the attacks. After extracting the key, they shared it with Avast so that the Babuk decryption tool could be updated.

Avast has now incorporated the Tortilla decryption key into its universal Babuk decryption tool, which also includes fourteen ECDH-25519 keys obtained from the 2021 source code leak. Victims of Tortilla can now restore their data for free using Avast's decryptor.

Talos emphasizes that Tortilla is not the only operation that has used the Babuk code to encrypt victims' data. Since December 2021, seven other malicious operations built on this code have emerged, including Rook, Night Sky, Pandora, Nokoyawa, Cheerscrypt, AstraLocker 2.0, ESXiArgs, Rorschach, RTM Locker, and RA Group.
