- Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor.
- Cisco Talos shared the key with our peers at Avast for inclusion in the Avast Babuk decryptor released in 2021. The decryptor includes all known private keys, allowing many users to recover their files once encrypted by different Babuk ransomware variants.
- Dutch Police, acting on threat intelligence supplied by Talos, identified, apprehended and the Dutch Prosecution Office prosecuted the threat actor behind Babuk Tortilla operations, demonstrating the power of cooperation between law enforcement agencies and commercial security organizations such as Talos and Avast.
In cooperation with Dutch Police and Avast, Cisco Talos recovered a decryptor for encrypted files from systems affected by the Babuk ransomware variant known as Tortilla. We first described the operations of Tortilla ransomware in a
blog post in November 2021.
Dutch Police used the intelligence provided by Talos to discover and apprehend the actor behind this malware. During the Amsterdam Police operation, Talos obtained and analyzed the decryptor, recovered the decryption key and shared the key with engineers from Avast Threat Labs in charge of development and maintenance of the decryptor for several other Babuk variants.
The generic Avast Babuk decryptor was already used as the de facto industry standard Babuk decryptor by many affected users and it made perfect sense to be updated with the keys Talos recovered from the Tortilla decryptor.
This way, the users can access programs such as
NoMoreRansom to download the single decryptor containing all currently known Babuk keys and do not have to choose between competing decryptors for individual variants.